
Rewterz Threat Alert – Malware Campaign Associated With EmpireMonkey Group

March 18, 2019

Severity

Medium

Analysis Summary

A malware campaign has been detected that seems to be associated with the threat actor tracked as “EmpireMonkey”.

This group uses the PowerShell Empire framework as its initial tool to gain a foothold in the targeted entities. Additionally, in multiple earlier malware samples attributed to this actor, they distinctly used variants of the word “monkey” in the macro functions embedded within their documents.

When the document is opened, the VBA macro copies a legitimate wscript.exe executable into the %APPDATA% directory as “cutil.exe” and uses it to execute the following malicious JavaScript file…

The malicious JavaScript has several obfuscation layers:

  • Base64 encoding
  • RC4 encryption (passphrase = kjzppaa)
  • After these layers are removed, the resulting malicious JavaScript appears to use code from SharpShooter’s AMSIKiller module to bypass AMSI.
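As an added example (not code from the advisory or from Rewterz), the following Python helper peels the two layers listed above in the order an analyst would reverse them: Base64 decode first, then RC4 with the stated passphrase. It assumes Base64 is the outer layer and uses a constructed, harmless stand-in script rather than the real dropped file.

```python
import base64


def rc4_keystream(key: bytes):
    """Yield the RC4 keystream (KSA followed by PRGA) for the given key."""
    S = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    while True:                               # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        yield S[(S[i] + S[j]) & 0xFF]


def rc4(data: bytes, key: bytes) -> bytes:
    """RC4 is symmetric: the same call encrypts and decrypts."""
    ks = rc4_keystream(key)
    return bytes(b ^ next(ks) for b in data)


PASSPHRASE = b"kjzppaa"  # passphrase named in the advisory


def unwrap_layers(blob: str, key: bytes = PASSPHRASE) -> str:
    """Strip the layers described above: Base64 (assumed outer), then RC4."""
    return rc4(base64.b64decode(blob), key).decode("utf-8", errors="replace")


def wrap_layers(script: str, key: bytes = PASSPHRASE) -> str:
    """Inverse of unwrap_layers; used only to build the constructed sample."""
    return base64.b64encode(rc4(script.encode("utf-8"), key)).decode("ascii")


# Constructed stand-in for the dropped JavaScript; not the actual payload.
SAMPLE_SCRIPT = 'WScript.Echo("constructed sample, not the real payload");'
SAMPLE_BLOB = wrap_layers(SAMPLE_SCRIPT)

if __name__ == "__main__":
    print(unwrap_layers(SAMPLE_BLOB))
```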

Impact

EmpireMonkey

IP(s) / Hostname(s)
  • www[.]finanstilsynet-dk[.]org
  • 185[.]117[.]75[.]81
  • 31.220.1[.]151

Ports
  • 443

URLs
  • hxxps://www[.]finanstilsynet-dk[.]org/litigations/report-122.doc
  • hxxps[:]//185.117[.]75[.]81/news/today[.]jsp

Filenames
  • report-122.doc
  • logs.txt

Email Address
  • u.poulsen[@]finanstilsynet-dk[.]org

Malware Hashes (MD5/SHA1/SHA256)
  • e5483b77fbcf61bf29e73521464c520f
  • 30b570a1d5a0151cbeec969f56f9f5c14fa22b31
  • 415473af14e994163f88b5f9dd48770c444a619691209cff52469925b09b2a8e
  • 13a1c33bf895cd58e5742088a1aa6276
  • ddfe514da9e68cd0a5f5687f91471448962e489a1f342f6ff499839475cc52a6

Remediation

Block the threat indicators at their respective controls.

Do not download email attachments coming from unknown or untrusted sources.

Always scan downloaded files before execution.

COPYRIGHT © REWTERZ. ALL RIGHTS RESERVED.