Rewterz Threat Alert – Adversary Uses Phishing – Imitates Banking Portal
March 20, 2020Rewterz Threat Alert – Mirai variant – Mukashi Targeting Zyxel Network-Attached Storage Devices
March 21, 2020Severity
Medium
Analysis Summary
The adversary spoofs a World Health Organisation email and pretends to provide recommendations to the victim:
The shortened link redirects to a URL that serves a malicious Word document:
The two embedded documents are the same and are DOS batch files unknown on VT. When you look at the file, it is heavily obfuscated using Chinese characters: This script is a downloader and grabs another script via Powershell. The new script is obfuscated in the same way. Once launched, It changes system registry keys to affect system security. The script is also a downloader and grabs another stage via Powershell. This time, it’s a piece of Javascript code processed via mshta.exe.
Impact
- Unauthorized Remote Access
- Data Manipulation
- Credential Theft
- System Takeover
Indicators of Compromise
Domain Name
- googlechromeupdater[.]twilightparadox[.]com
Email Subject
- CORONAVIRUS TRAVEL RECOMMENDATIONS
Filename
- CORONAVIRUS[.]doc
MD5
- 1eb8dd501af0415fd22f93590a561d5d
SHA-256
- c3379e83cd3e8763f80010176905f147fcc126b5e7ad9faa585d5520386bd659
- c8aace2ca96c6e308f374f4b2e425849ca94287aa8ea9768c5a24b38a2167d24
Source IP
- 216[.]189[.]145[.]11
URL
- hxxp[:]//216[.]189[.]145[.]11/RECOMMENDATIONS
- http[:]//bit[.]ly/2W1eAvU
- http[:]//216[.]189[.]145[.]11/auto[.]cfg[.]bat’
- http[:]//GoogleChromeUpdater[.]twilightparadox[.]com[:]448/html
Remediation
- Block the threat indicators at their respective controls.
- Do not respond to Corona-related emails.
- Do not download documents unless they are from a verified legitimate source.