• Services
    • Asses
      • Compromise Assessment
      • APT Assessment
      • Penetration Testing
      • Secure Architecture Design & Review
      • Red Team Assessment
      • Purple Team Assessment
      • Social Engineering
      • Source Code Review
    • Transform
      • SOC Consultancy
      •     SOC Maturity Assessment
      •     SOC Model Evaluation
      •     SOC Gap Analysis
      •     SIEM Gap Analysis
      •     SIEM Optimization
      •     SOC Content Pack
    • Train
      • Security Awareness and Training
      • Tabletop Exercise
      • Simulated Cyber Attack Exercises
    • Respond
      • Incident Response
      • Incident Analysis
  • Managed Security
    • Managed Security Monitoring
      • Remote SOC
      • Onsite SOC
      • Hybrid SOC
    • Managed Security Services
      • Managed Detection and Response
      • Managed Endpoint Detection and Response
      • Managed Threat Intelligence
      • Managed Threat Hunting
      • Managed Risk-Based SOAR
      • Managed Penetration Testing
  • Solutions
  • Resources
    • Blog
    • Threat Advisory
  • Company
    • About Us
    • Careers
    • Contact
Rewterz Threat Alert – Adversary Uses Phishing – Imitates Banking Portal
March 20, 2020
Rewterz Threat Alert – Mirai variant – Mukashi Targeting Zyxel Network-Attached Storage Devices
March 21, 2020

Rewterz Threat Alert – Koadic RAT – Multistage Malware Distributed through COVID’19 Document

March 20, 2020

Severity

Medium

Analysis Summary

The adversary spoofs a World Health Organisation email and pretends to provide recommendations to the victim:

image-1584701057.png

The shortened link redirects to a URL that serves a malicious Word document: 

isc-20200319-1.PNG

The two embedded documents are the same and are DOS batch files unknown on VT. When you look at the file, it is heavily obfuscated using Chinese characters: This script is a downloader and grabs another script via Powershell. The new script is obfuscated in the same way. Once launched, It changes system registry keys to affect system security. The script is also a downloader and grabs another stage via Powershell. This time, it’s a piece of Javascript code processed via mshta.exe. 

Impact

  • Unauthorized Remote Access
  • Data Manipulation
  • Credential Theft
  • System Takeover

Indicators of Compromise

Domain Name

  • googlechromeupdater[.]twilightparadox[.]com

Email Subject

  • CORONAVIRUS TRAVEL RECOMMENDATIONS

Filename

  • CORONAVIRUS[.]doc

MD5

  • 1eb8dd501af0415fd22f93590a561d5d

SHA-256

  • c3379e83cd3e8763f80010176905f147fcc126b5e7ad9faa585d5520386bd659
  • c8aace2ca96c6e308f374f4b2e425849ca94287aa8ea9768c5a24b38a2167d24

Source IP

  • 216[.]189[.]145[.]11

URL

  • hxxp[:]//216[.]189[.]145[.]11/RECOMMENDATIONS
  • http[:]//bit[.]ly/2W1eAvU
  • http[:]//216[.]189[.]145[.]11/auto[.]cfg[.]bat’
  • http[:]//GoogleChromeUpdater[.]twilightparadox[.]com[:]448/html

Remediation

  • Block the threat indicators at their respective controls.
  • Do not respond to Corona-related emails.
  • Do not download documents unless they are from a verified legitimate source.
  • Services
    • Asses
      • Compromise Assessment
      • APT Assessment
      • Penetration Testing
      • Secure Architecture Design & Review
      • Red Team Assessment
      • Purple Team Assessment
      • Social Engineering
      • Source Code Review
    • Respond
      • Incident Response
      • Incident Analysis
  • Transform
    • SOC Consultancy
    •     SOC Maturity Assessment
    •     SOC Model Evaluation
    •     SOC Gap Analysis
    •     SIEM Gap Analysis
    •     SIEM Optimization
    •     SOC Content Pack
  • Train
    • Security Awareness and Training
    • Tabletop Exercise
    • Simulated Cyber Attack Exercises
  • Managed Security
    • Managed Security Monitoring
      • Remote SOC
      • Onsite SOC
      • Hybrid SOC
    • Managed Security Services
      • Managed Detection and Response
      • Managed Endpoint Detection and Response
      • Managed Threat Intelligence
      • Managed Threat Hunting
      • Managed Risk-Based SOAR
      • Managed Penetration Testing
  • Solutions
  • Resources
    • Blog
    • Threat Advisory
  • Company
    • About Us
    • Careers
    • Contact
COPYRIGHT © REWTERZ. ALL RIGHTS RESERVED.