Rewterz Threat Alert – GlobeImposter Ransomware Attacking Financial Services
June 27, 2019Rewterz Threat Advisory – IBM WebSphere Application Server Multiple Vulnerabilities
June 28, 2019Severity
High
Analysis Summary
- APT33 was noticed to send emails with embedded URLs for malicious (.doc) and (.hta) files.
- The main custom AutoIt backdoor gets downloaded post exploitation to start contacting their POWERTON C&C infrastructure.
- The (.doc) files are embedded with highly obfuscated macros.
- The (.hta) files are displaying a decoy document
Impact
Security Bypass
Indicators of Compromise
IP(s) / Hostname(s)
- 91[.]235[.]116[.]212
- 185[.]217[.]95[.]26
- 37[.]220[.]6[.]115
- 103[.]236[.]149[.]100
- 213[.]227[.]154[.]22
- 91[.]216[.]163[.]90
- 91[.]216[.]163[.]90
- 91[.]216[.]163[.]90
- 162[.]255[.]119[.]58
- 162[.]255[.]119[.]191
Filename
- Instruction.doc
- CEA.hta
- Version.exe
- Version.7z
Malware Hash (MD5/SHA1/SH256)
- 878827a207b86c8cfdba7c64e897198f
- a0567cb99e6ac9b17001c2a07e6f0ea4
- 3979c1c1751b6671af294bbffa161a22
- b5d943da309ff49a3c4f261046bc389b
- 16ecbf1e31675ee56ae315cecf198b33
- d922ac5490c9446472b2ce5ec6a09682
- 59c5ceb700bf6aedccf36042af379c0b
- 54fbb2c0756579b20b5b45e652adf412
- 3871aac486ba79215f2155f32d581dc2
- 2cd286711151efb61a15e2e11736d7d2
- c38069d0bc79acdc28af3820c1123e53
- 5a66480e100d4f14e12fceb60e91371d
- 4047e238bbcec147f8b97d849ef40ce5
- e2d60bb6e3e67591e13b6a8178d89736
- 974b999186ff434bee3ab6d61411731f
- 53ae59ed03fa5df3bf738bc0775a91d9
- 7f4f7e307a11f121d8659ca98bc8ba56
- bd80fcf5e70a0677ba94b3f7c011440e
- 4aca006b9afe85b1f11314b39ee270f7
- f5ac89d406e698e169ba34fea59a780e
- 99649d58c0d502b2dfada02124b1504c
- 4047e238bbcec147f8b97d849ef40ce5
- 46038aa5b21b940099b0db413fa62687
Remediation
- Scan these IOC’s in your existing environment.
- Block all threat indicators at your respective controls.
- Always be suspicious about emails sent by unknown senders.
- Never click on the link/attachments sent by unknown senders.