Rewterz Threat Alert – Gamaredon APT Using COVID-19 Lures

April 23, 2020

Severity

Medium

Analysis Summary

A targeted email with the subject line “Coronavirus (2019-nCoV)” and an attached document file was delivered to a number of users. Opening the document triggers a template injection that loads the template. Within the document, malicious macros execute a VBScript, provided the user has enabled macros. Because the C2 server was unavailable at the time of analysis, no additional payloads could be gathered. Across the samples collected, however, the Exif data is consistent and contains ID, Language Code, System ID, Author, and Code page. Most of the code is written in Cyrillic, indicating Russian origin. The malware drops hardcoded macros and executes a script.exe within the %USERPROFILE% directory. The VBS file itself is named PlayList.vbs and contains obfuscated code that is executed after decryption. This technique differs from those seen in previous Gamaredon campaigns.

[Figure 1]

Impact

  • System information discovery
  • Exposure of sensitive data

Indicators of Compromise

Email Subject

Coronavirus (2019-nCoV)

SHA-256


Remediation

  • Block all threat indicators at your respective controls.
  • Always be suspicious about emails sent by unknown senders.
  • Never click on the links/attachments sent by unknown senders.
COPYRIGHT © REWTERZ. ALL RIGHTS RESERVED.