Severity
Medium
Analysis Summary
The financial services sector in the U.S. found itself under a barrage of cyberattacks last month, all bent on delivering a powerful backdoor called Minebridge. The attack chain employed a known method called “VBS Stomping” to avoid detection. The campaigns, aimed at enabling further malware infections and espionage efforts, were initiated via phishing emails with attached documents containing malicious macros. The emails came from fake domains chosen to lend the messages legitimacy, giving the whole operation a convincing and consistent theme.
The Minebridge Payload
The ultimate goal of the document is to infect victims with the Minebridge backdoor. It’s a powerful piece of malware that gives attackers full control of the target environment. Its C2 commands include downloading and executing other malware, downloading arbitrary files, self-deletion and updating, process listing, shutting down and rebooting the system, executing arbitrary shell commands, process elevation, turning on/off TeamViewer’s microphone and gathering system information.
Impact
Complete takeover of the target environment
Indicators of Compromise
MD5
05432fc4145d56030f6dd6259020d16c 0be9911c5be7e6dfeaeca0a7277d432b 0dd556bf03ecb42bf87d5ea7ce8efafe 15edac65d5b5ed6c27a8ac983d5b97f6 1e9c836f997ddcbd13de35a0264cf9f1 21aa1066f102324ccc4697193be83741 22b7ddf4983d6e6d84a4978f96bc2a82 2333fbadeea558e57ac15e51d55b041c 2b9961f31e0015cbcb276d43b05e4434 2c3cb2132951b63036124dec06fd84a8 4de9d6073a63a26180a5d8dcaffb9e81 505ff4b9ef2b619305d7973869cd1d2b 52d6654fe3ac78661689237a149a710b 53e044cd7cea2a6239d8411b8befb4b7 5624c985228288c73317f2fa1be66f32 598940779363d9f4203fbfe158d6829b 60bdea2c493c812428a8db21b29dd402 681a77eba0734c0a17b02a81564ae73f 6b7d9268c7000c651473f33d088a16bd 6d6f50f7bba4ae0225e9754e9053edc0 6de77c1b4e8abaaf304b43162252f022 7004fadfa572d77e24b33d2458f023d1 71988460fd87b6bff8e8fc0f442c934b 722981703148fa78d41abbae8857f7a2 818f7af373d1ec865d6c1b7f59dc89e5 832052b0f806f44b92f6ef150573af81 836125ae2bed57be93a93d18e0c600e8 86d60bce47c9bb6017e3da26cab50dcf 8919458aec3dcc90563579a76835fc54 8d7e220af48fceee515eb5e56579a709 91b8ec04d8b96b90ea406c7b98cc0ad6 959eb0696c199cbf60ec8f12fcf0ea3c 95ec5e8d87111f7f6b2585992e460b52 9606cf0f12d6a00716984b5b4fa49d7d 9f7fed305c6638d0854de0f4563abd62 a11c0b9f3e7fedfe52b1fc0fc2d4f6d1 a47915a2684063003f09770ba92ccef2 a917b2ec0ac08b5cde3678487971232a ad06205879edab65ed99ed7ff796bd09 ad910001cb57e84148ef014abc61fa73 b1ce55fca928cf66eaa9407246399d2c b9249e9f1a92e6b3359c35a8f2a1e804 bd6880fb97faceecf193a745655d4301 be2597a842a7603d7eb990a2135dab5e cf5470bfe947739e0b4527d8adb8486a d593b7847ec5d18a7dba6c7b98d9aebf d7ee4ffce21325dfe013b6764d0f8986 de4d7796006359d60c97a6e4977e4936 e0069cd3b5548f9fd8811adf4b24bf2e e1ea93fa74d160c67a9ff748e5254fe0 ea15d7944c29f944814be14b25c2c2b1 f22a4abd5217fa01b56d064248ce0cc5 f3cb175e725af7f94533ecc3ff62fa12 f6533e09a334b9f28136711ea8e9afca f7daaea04b7fe4251b6b8dabb832ee3a fb1555210d04286c7bcb73ca57e8e430 01067c8e41dae72ce39b28d85bf923ee 1601137b84d9bebf21dcfb9ad1eaa69d 1c883a997cbf2a656869f6e69ffbd027 2ed49bd499c9962e115a66665a6944f6 
3b948368fe1a296f5ed18b11194ce51c 4148281424ff3e85b215cd867746b20c 54f22fbc84f4d060fcbf23534a02e5f6 5a3d8348f04345f6687552e6b7469ac1 607d28ae6cf2adb87fcb7eac9f9e09ab 9ba3275ac0e65b9cd4d5afa0adf401b4 9becd2fd73aa4b36ad9cd0c95297d40b 9cce3c9516f0f15ce18f37d707931775 9faf9e0c5945876c8bad3c121c91ea15 a37e6eeb06729b6108649f21064b16ef ab8dc4ba75aad317abb8ee38c8928db0 b8817253288b395cb33ffe36e0072dc9 cb5e5d29f844eb22fecaa45763750c27 cffda37453e1a1389840ed6ebaef1b0d dc0e1e4ec757a777a4d4cc92a8d9ef33 e5c7e82670372e3cf8e8cab2c1e6bc17 f93062f6271f20649e61a09c501c6c92
SHA-256
182ccc7f2d703ad732ffee0e1d9ae4ae5cf6b8817cc33fd44f203d31868b1e97 65ead629a55e953b31668aac3bd373e229c45eb1871d8466f278f39ebcd5d26b 48f6810e50d08c2631f63aae307a7724dba830430f5edd4b90b4b6a5b3c3ca85 03ff2b3067aa73ecd8830b6b0ea4f7cfa1c7476452b26227fb433265e7206525 23da418912119a1358c9a1a4671ba60c396fff4c4de225fe6a225330147549a7 86d839e1d741445f194965eee60d18bd292bec73e4889089e6caf9877581db12 fc39cb08cae90c661e00718e2a0051b5de3dcb7cddde919b9ffd2d79bf923d1f 57671d5154e707da0ee6139485f45a50fa9221852ebb65781d45a2660da7d0cb e41b89869c2b510c88acd1ed9fd4a6dfe89222a81c6c1241a69af3b7f812f712 b6dbb902125e7bf6f6701b654cbff4abaf2e853441cf34045ac19eff5ed8ce84 7b1d4774176976ffcb2075889557f91a43c05fb13f3bc262bbaec4d7a0a827e6 abb05ba50f45742025dd4ebff2310325783da00fb7bc885783e60a88c5157268 d6a0e62fe53116c9b5bccd2a584381e2ca86e35490d809ce1900603d5e6b53eb 6e76d648d446e6a70acdd491f04c52d17f9f0e1ef34890c6628c4f48725b47c8 99559a5f06b0279ed893d2799b735dae450a620f6cea2ea58426d8b67d598add 1358b0ccae9dbb493228dc94eb5722c8d34c12227a438766be83df8c1c92a621 383c86deed8797e0915acf3e0c1b6a4142c2c5ecb5d482517ed2ade4df6f36fd 0aaa66dc983179bffdb181079f3b786b6cd587c38c67ba68b560db0bd873278a 6e39ffecab4ca0bd7835a2e773ebfc3f6d909a0a680f898e55f85ed00728666d ddf33eff293ffc268dfd0a33dddef97aefe9e010ec869dc22c221d197eb85740 8f50ddc1519e587597882a6bd0667653c36a8064b56ee5ff77665db2faf24710 cccd6b46f950caec5effdd07af339be78691974fec5f25d923932b35edb95c4a 8167d41ad30f5d451791878815e479965b2f5213231f26819ecaf4fcc774ab12 a3070ee10dd5bcd65a45b72848c926db2602e5297641452edff66e7133cdce9c cbe4b73c0c95c207ccde9d9bd80f541cf90cad18ba5abc3fe66a811ead1601c2 e162a70a6e27fe23379d3a17a3a727d85a94b79416d81ec3b4ea80d329e96830 0fbde653bef4642626f2996a41a15a635eb52cd31eacce133d28301b902d67df 6c134908ad74dfa1468a1166e7d9244695f1ffeff68bfd4eec4b35820b542b8a aad0537924bacddd0d5872f934723e765dbb182f2804c6f594f9b051937495ec 3eefa7072344e044c0a6abb0030f3f26065bf6a86bb50ea38473dd7ac73904fb 
0520e68a4b73c3b41e566cf07be54e1f1cb59c59c303fe3390e0687f9af1a58a ccb5f8734befd6ab218513e16a57679a8fb43b2732e19233ee920d379045e318 3f8e38ccf71f122b65fdc679db13e3de3bb4b4fc04b8ab6f955d02e0bca10fae f4f062fd7b98365ed6db993b1da586dd43e5cdcc2f00a257086734daf88c9abb 6c5f72ddf0262838a921107520cdc12ba8e48dbafab4a66732a350095dd48e9f d35ac29ea6e064b13d56f6a534022f253cf76b98e10a7ea1cbfa086eefd64f4b 7b16ce0d2443b2799e36e18f60fe0603df4383b1a392b0549c3f28159b1ca4d4 8578bff803098bf5ca0d752d0a81f07659688a32cbfc946728e5ab0403f5c4ba d560f8717f4117d011f40c8880081d02d1455a41c93792e1600799d3e5ee9421 c9a6f7b0603779690c1d189850403f86608a3c5e1cd91e76fd31c4f119ae256b c6214ec7909ce61d6ec3f46f5a7ec595d8cc8db48965c5baee8a346632cbe16d 0695e5e49a297c980b96f76bf10e5540de188d6a6a162e38f475418d72a50032 23840c587e4e9588b3d0795d4d76a4f3d4d5b2e665ce42dde0abcd1e0a2ba254 6288d3de1f1aa05fa0a5f0c8eb9880d077f034fc79fc20f87cbfcc522aa803cb 6357fdb8f62948d489080b61caf135e6aaba32dcdb7dc49b0efafef178b3b54f 5df3a6afb1a56fa076c6db716d5a050455158941ec962546a8799fc80ccfa573 92e94482dee75261c8ebdcbb7ace382a097cca11bcdc675bbe2d7b3f67525f84 ee8ba1c5329d928d542bfa06eec2c0a3e3b97dcc20382ddbc27bc420ceaeb677 6046d6aed3f4ee2564d6be540d46bcdc0bebce11a1ced4b9ddbfa1a41084411c 92c10ef23209e09abb17e41d67301f0e3f7d9e7ddfc7c1a66140c4986d72bee7 5898b41ca4f4777ad04d687f93548129ccb626d2f5e6e100b0a037c3d40a7444 858b4070f8b83aa43fd6a5189a8ed226ce767a64972db893e36550a25b20be94 5a5385df469459cd56f6eecbf4b41b8c75aa17220c773501eaec22731f3a41bb 9136c36ccd0be71725e8720a6cfdbdd38d7eea3998228c69ed4b52e78ba979c4 6abd90d718113482a5bcd36e35b4ea32c469f94fc2cfb9c1c98214efbf64c352 36da56815dc0c274fc8aacdfffbc4d5e500025ccd1147cad513d59b69ab955d
Remediation
Block all threat indicators at your respective controls. Treat emails from unknown senders with suspicion, and never open links or attachments they send.
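To apply the hash indicators above at a host or file-share level, a defender typically sweeps a directory tree, hashes every file, and compares the digests against the advisory's list. The script below is an added example written for this page, not code from the advisory's author; the indicator strings it carries are copied verbatim from the IoC section (a subset of the MD5 and SHA-256 lists), while the sample files and the extra "constructed" indicator used to exercise the match path are made up here. It also shows a check a practitioner wants before loading indicators into a blocklist: the last SHA-256 entry on the page is only 63 hex characters long, so the format check rejects it rather than silently storing an indicator that can never match.

```python
import hashlib
import os
import re
import tempfile

# Hashes copied verbatim from the advisory's IoC section (subset).
ADVISORY_MD5 = """
05432fc4145d56030f6dd6259020d16c 0be9911c5be7e6dfeaeca0a7277d432b
0dd556bf03ecb42bf87d5ea7ce8efafe
"""
# The third entry is the page's final SHA-256 value as published (63 chars, truncated).
ADVISORY_SHA256 = """
182ccc7f2d703ad732ffee0e1d9ae4ae5cf6b8817cc33fd44f203d31868b1e97
65ead629a55e953b31668aac3bd373e229c45eb1871d8466f278f39ebcd5d26b
36da56815dc0c274fc8aacdfffbc4d5e500025ccd1147cad513d59b69ab955d
"""

HASH_LEN = {"md5": 32, "sha256": 64}


def parse_indicators(text, algo):
    """Split a whitespace-separated hash list into (valid set, rejected list).

    Only lowercase hex strings of exactly the right length for `algo` are
    accepted; anything else (truncated, mis-pasted, wrong algorithm) is
    returned in the rejected list so it can be reviewed, not silently loaded.
    """
    pattern = re.compile(r"[0-9a-f]{%d}" % HASH_LEN[algo])
    valid, rejected = set(), []
    for token in text.split():
        token = token.strip().lower()
        if pattern.fullmatch(token):
            valid.add(token)
        else:
            rejected.append(token)
    return valid, rejected


def hash_file(path, chunk_size=1 << 16):
    """Return (md5, sha256) hex digests of a file, streamed in chunks."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


def sweep(root, md5_set, sha256_set):
    """Walk `root` and return [(path, algo, digest)] for every indicator hit."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                md5, sha256 = hash_file(path)
            except OSError:
                continue  # unreadable file (permissions, race); skip, do not abort the sweep
            if md5 in md5_set:
                hits.append((path, "md5", md5))
            if sha256 in sha256_set:
                hits.append((path, "sha256", sha256))
    return hits


def demo_sweep():
    """Constructed end-to-end run: two made-up files, one flagged via a
    constructed indicator added to the advisory set. Returns sorted
    (basename, algo) pairs of the hits."""
    md5_set, _ = parse_indicators(ADVISORY_MD5, "md5")
    sha256_set, rejected = parse_indicators(ADVISORY_SHA256, "sha256")
    assert len(rejected) == 1  # the truncated page entry is dropped

    with tempfile.TemporaryDirectory() as root:
        benign = os.path.join(root, "benign.txt")
        sample = os.path.join(root, "sample.bin")
        with open(benign, "wb") as fh:
            fh.write(b"constructed benign content\n")
        with open(sample, "wb") as fh:
            fh.write(b"constructed sample standing in for a dropped payload\n")
        # Constructed indicator (NOT from the advisory): the sample's own digest.
        sha256_set.add(hash_file(sample)[1])
        hits = sweep(root, md5_set, sha256_set)
    return sorted((os.path.basename(p), algo) for p, algo, _ in hits)


if __name__ == "__main__":
    for name, algo in demo_sweep():
        print(f"HIT {name} ({algo})")
```

In production the indicator lists would be loaded from the full advisory rather than the subset embedded here, and a hit should be reported to the SOC with the path and digest rather than acted on by the script itself.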