Rewterz Threat Alert – 3rd Party Tools and Windows 10 Apps Killed by Clop Ransomware
January 8, 2020Rewterz Threat Alert – NetWire RAT Delivered via IMG Attachment
January 8, 2020Rewterz Threat Alert – 3rd Party Tools and Windows 10 Apps Killed by Clop Ransomware
January 8, 2020Rewterz Threat Alert – NetWire RAT Delivered via IMG Attachment
January 8, 2020Severity
High
Analysis Summary
SideWinder is a threat group that has existed since 2012, targeting military entities’ Windows machines. It is widely known to have targeted various military entities in different regions. Recently, three malicious apps were discovered by Trend micro which were working in corelation to target a victim’s device and collect user’s information.One of the three apps is called Camero, and it exploits a vulnerability that exists in Binder, which is the main Inter-Process Communication system in Android. It was documented that this is the first known active attack in the wild that uses the use-after-free vulnerability. The three apps were disguised as photography and file manager tools. In terms of installation, SideWinder installs the payload app in two stages. First, it downloads a DEX file in Android format from its command and control server.
Impact
Exposure of sensitive information
Indicators of Compromise
SHA-256
- ec4d6bf06dd3f94f4555d75c6daaf540dee15b18d62cc004e774e996c703cb34
- a60fc4e5328dc75dad238d46a2867ef7207b8c6fb73e8bd001b323b16f02ba00
- 0daefb3d05e4455b590da122255121079e83d48763509b0688e0079ab5d48886
- 441d98dff3919ed24af7699be658d06ae8dfd6a12e4129a385754e6218bc24fa
- ac82f7e4831907972465477eebafc5a488c6bb4d460575cd3889226c390ef8d5
- ee679afb897213a3fd09be43806a7e5263563e86ad255fd500562918205226b8
- 135cb239966835fefbb346165b140f584848c00c4b6a724ce122de7d999a3251
- a265c32ed1ad47370d56cbd287066896d6a0c46c80a0d9573d2bb915d198ae42
Remediation
- Block all threat indicators at your respective controls.
- Always be suspicious about emails sent by unknown senders.
- Never click on the links/attachments sent by unknown senders.
- Always install applications from play store from verified accounts.