Rewterz Threat Advisory – Red Hat Update for Kernel
March 18, 2019Rewterz Threat Advisory – WordPress Comment Cross-Site Request Forgery Vulnerability
March 19, 2019Severity
Medium
Analysis Summary
A malware campaign has been detected that seems to be associated with the threat actor tracked as “EmpireMonkey”.
This group uses PowerShell Empire Framework as the initial tool to gain foothold in the targeted entities. Additionally, in multiple earlier malware samples attributed to this actor, they distinctly used variants of the word “monkey” in the Macro functions embedded within their documents.
When the document is opened, the VBA/Macros copies a legitimate wscript.exe executable into the %APPDATA% directory as “cutil.exe” and uses it to execute the following Malicious JavaScript file…
The Malicious JavaScript has several obfuscation layers:
- Base64 Encoding
- RC4 Encryption (Passphrase = kjzppaa)
- After obfuscation, the resulting Malicious JavaScript appears to use code from SharpShooter’s AMSIKiller Module to bypass AMSI.
Impact
EmpireMonkey
| IP(s) / Hostname(s) | www[.]finanstilsynet-dk[.]org 185[.]117[.]75[.]81 31.220.1[.]151 |
| Ports | 443 |
| URLs | hxxps://www[.]finanstilsynet-dk[.]org/litigations/report-122.doc Hxxps[:]//185.117[.]75[.]81/news/today[.]jsp |
| Filename | report-122.doc logs.txt |
| Email Address | u.poulsen[@]finanstilsynet-dk[.]org |
| Malware Hash (MD5/SHA1/SH256) | e5483b77fbcf61bf29e73521464c520f 30b570a1d5a0151cbeec969f56f9f5c14fa22b31 415473af14e994163f88b5f9dd48770c444a619691209cff52469925b09b2a8e 13a1c33bf895cd58e5742088a1aa6276 ddfe514da9e68cd0a5f5687f91471448962e489a1f342f6ff499839475cc52a6 |
Remediation
Block the threat indicators at their respective controls.
Do not download email attachments coming from unknonw or untrusted sources.
Always scan downloaded files before execution.