Rewterz Threat Advisory – CVE-2019-1889 – Cisco Application Policy Infrastructure Controller REST API
January 17, 2020Rewterz Threat Alert – APT 21 Targeting Pakistan
January 17, 2020Severity
High
Analysis summary
An email campaign that was identified distributing the GandCrab ransomware worldwide. The email attempts deceive a potential victim into believing that it is a legitimate message from the Center for Disease Control, stating that there is a flu outbreak. The subject line for the emails was: “Flu pandemic warning.” The infection process begins once a victim opens the attachment. It is a Microsoft Word document titled “Flu pandemic warning.doc”. It is important to note that the malware, in order to be successfully installed, requires the victim to enable macros. As is customary with other ransomware, it aims to lock a victim’s files, and demand that a ransom be paid. At this time, there is not a decryption tool available to unlock a victim’s files.
Impact
File encryption
Indicators of Compromise
Email Subject
Flu pandemic warning[.]doc
From Email
- viktoria@akk-actg[.]com
- florian@jesseandjoannabelizewedding[.]com
- niko@sf-dns[.]net
- peter@eatpraynope[.]com
MD5
- fae8e6b098eb9ecce2611f1dffc8f7b9
- 27fa5f1ef590ee5e503c3d15f210dab7
SHA-256
- a1ca75dfdcc8038650c27cbd4f7b3edc2cf5915cd75567c9bd2407ea0d099eba
- 73a994e9fa2804afceaf1286e4aba8522eb3c555b85766b03f03106118165736
SHA1
- 7971cd39eee59bf64cc2dfd7610d6f529eafd9df
- 6069666610d09085dc7926cde3d242427e67b167
URL
- https[:]//www[.]kakaocorp[.]link/static/tmp/eshe[.]png
- http[:]//www[.]kakaocorp[.]link/
- http[:]//205[.]185[.]125[.]109/samanta[.]exe
Remediation
- Block all threat indicators at your respective controls.
- Always be suspicious about emails sent by unknown senders.
- Never click on the links/attachments sent by unknown senders.