• Services
    • Asses
      • Compromise Assessment
      • APT Assessment
      • Penetration Testing
      • Secure Architecture Design & Review
      • Red Team Assessment
      • Purple Team Assessment
      • Social Engineering
      • Source Code Review
    • Transform
      • SOC Consultancy
      •     SOC Maturity Assessment
      •     SOC Model Evaluation
      •     SOC Gap Analysis
      •     SIEM Gap Analysis
      •     SIEM Optimization
      •     SOC Content Pack
    • Train
      • Security Awareness and Training
      • Tabletop Exercise
      • Simulated Cyber Attack Exercises
    • Respond
      • Incident Response
      • Incident Analysis
  • Managed Security
    • Managed Security Monitoring
      • Remote SOC
      • Onsite SOC
      • Hybrid SOC
    • Managed Security Services
      • Managed Detection and Response
      • Managed Endpoint Detection and Response
      • Managed Threat Intelligence
      • Managed Threat Hunting
      • Managed Risk-Based SOAR
      • Managed Penetration Testing
  • Solutions
  • Resources
    • Blog
    • Threat Advisory
  • Company
    • About Us
    • Careers
    • Contact
Rewterz Threat Alert – Point-of-Sale Breach – Indicators of Compromise
June 28, 2019
Rewterz Threat Advisory – IBM Cognos TM1 Dojo Toolkit Script Insertion Vulnerability
July 1, 2019

Rewterz Threat Alert – Hidden Bee Malware Targeting Asia-Pacific Region

July 1, 2019

Severity

Medium

Analysis Summary

Hidden Bee was developed as a web browser hijacker in late 2017. By mid-2018, new malware samples included a crypto-miner module within unique file formats. The low detection rate led to over 500,000 infected systems in the Asia-Pacific region. The malware authors developed several unique file formats and filesystems, making it difficult to analyze with established toolkits, with a focus on dynamically loaded malware modules.

Impact

Execution of hidden bee malware exploit kit page

Indicators of Compromise

URLs

  • hxxp[:]//gatedailymirror[.]info/upd.pkg
  • hxxp[:]//gatedailymirror[.]info
  • hxxp[:]//redteamshop[.]info/upd.pkg
  • hxxp[:]//redteamshop[.]info
  • hxxp[:]//ask.thesupporthelp[.]com[:]443/mlf_plug.zip.sig
  • hxxp[:]//ask.thesupporthelp[.]com
  • hxxp[:]//thesupporthelp[.]com
  • hxxp[:]//data.supportithelp[.]com
  • hxxp[:]//supportithelp[.]com
  • hxxp[:]//setup.gohub[.]online[:]1108/setup.bin?id=128
  • hxxp[:]//setup.gohub[.]online

Malware Hash (MD5/SHA1/SH256)

  • 86bc95bb63e4c162d9542a113991d525
  • ec17286458aaa9e3a65dffe62cf5d2d1a026b77c
  • 087fd1f1932cdc1949b6bbbd56c7689636dd47043c2f0b6002c9afb979d0c1dd
  • 1e278657b76a6dfcf95f0b3f7c468307
  • cdca6dbeaa8e1d1fb62bff2c44d102eec16ed0e4
  • ccd77ac6fe0c49b4f71552274764ccddcba9994df33cc1240174bcab11b52313
  • b3eb576e02849218867caefaa0412ccd
  • 79d8cf39e0dbf06a63e4ff657affda87aac47eb7
  • 76b70f1dfd64958fca7ab3e18fffe6d551474c2b25aaa9515181dec6ae112895
  • 11310b509f8bf86daa5577758e9d1eb5
  • 66b63db1efc14c659e0d13ec21aabcc43df7e79e
  • c1a6df241239359731c671203925a8265cf82a0c8c20c94d57a6a1ed09dec289
  • d7516ad354a3be2299759cd21e161a04
  • e3961fa35a53a2c8933717b612e105e7b7e9c9a5
  • 52438e0150d2d0304abcd324194e390b99a27bf7357938a32da75b4470db2e22
  • 367db629beedf528adaa021bdb7c12de
  • c3bbd16465694354ac828d08a66a62b2b80753db
  • 9bb08a3ebacf37c3bcfcd1695fc972dd745c7861d40941f72a8b7f6487b2e212
  • 537523ee256824e371d0bc16298b3849
  • 4b41b541e3afe4563dd678a6b8a115678cb30aaf
  • d77cd484516d916fffb73e242badf026c7fbe385387656b991cdeca8d77efae2
  • 6177bc527853fe0f648efd17534dd28b
  • 33f2f8ec9ef8a76bc92e16839489cd0edeacb6ed
  • 04d62f3c9ab18370184a5aad9717434b5a8f71abadb92fcbc00b04d7dfa49a7d
  • 79e851622ac5298198c04034465017c0
  • 5986d241b90342722d055c6cafa4e6b06dd60766
  • 5d2fdf015b048612cf1c485571cb019ea55d3241436e23579915c30c52ae8ed4
  • a17645fac4bcb5253f36a654ea369bf9
  • 1211ebe09eede3fddc210991cb3bb4ddfdeee8d7
  • fe45f51d76c3c07c33432e6dac8b1964e6451f1b86e1668fd8aac9ee53de982c
  • fddfd292eaf33a490224ebe5371d3275
  • 36fb0c363fc6fc86a7b2e4860d5940b96e9b6912
  • 3a1c218de4d653dff06a68cfc12b958766dcb869450c9dd06928be819beb365c
  • 831d0b55ebeb5e9ae19732e18041aa54
  • 620264f45c4ef3b67e2769877715e1865d2c21ce
  • fd9edb6d9ac9674e797e51b3767e45a2eb23343c2ce88e64ef20d26f641064af

Remediation

  • Block all threat indicators at your respective controls.
  • Always be suspicious about emails sent by unknown senders.
  • Never click on the link/ attachments sent by unknown senders.
  • Practice safe browsing – initial infection was due to numerous compromised adult websites.
  • Services
    • Asses
      • Compromise Assessment
      • APT Assessment
      • Penetration Testing
      • Secure Architecture Design & Review
      • Red Team Assessment
      • Purple Team Assessment
      • Social Engineering
      • Source Code Review
    • Respond
      • Incident Response
      • Incident Analysis
  • Transform
    • SOC Consultancy
    •     SOC Maturity Assessment
    •     SOC Model Evaluation
    •     SOC Gap Analysis
    •     SIEM Gap Analysis
    •     SIEM Optimization
    •     SOC Content Pack
  • Train
    • Security Awareness and Training
    • Tabletop Exercise
    • Simulated Cyber Attack Exercises
  • Managed Security
    • Managed Security Monitoring
      • Remote SOC
      • Onsite SOC
      • Hybrid SOC
    • Managed Security Services
      • Managed Detection and Response
      • Managed Endpoint Detection and Response
      • Managed Threat Intelligence
      • Managed Threat Hunting
      • Managed Risk-Based SOAR
      • Managed Penetration Testing
  • Solutions
  • Resources
    • Blog
    • Threat Advisory
  • Company
    • About Us
    • Careers
    • Contact
COPYRIGHT © REWTERZ. ALL RIGHTS RESERVED.