• Services
    • Asses
      • Compromise Assessment
      • APT Assessment
      • Penetration Testing
      • Secure Architecture Design & Review
      • Red Team Assessment
      • Purple Team Assessment
      • Social Engineering
      • Source Code Review
    • Transform
      • SOC Consultancy
      •     SOC Maturity Assessment
      •     SOC Model Evaluation
      •     SOC Gap Analysis
      •     SIEM Gap Analysis
      •     SIEM Optimization
      •     SOC Content Pack
    • Train
      • Security Awareness and Training
      • Tabletop Exercise
      • Simulated Cyber Attack Exercises
    • Respond
      • Incident Response
      • Incident Analysis
  • Managed Security
    • Managed Security Monitoring
      • Remote SOC
      • Onsite SOC
      • Hybrid SOC
    • Managed Security Services
      • Managed Detection and Response
      • Managed Endpoint Detection and Response
      • Managed Threat Intelligence
      • Managed Threat Hunting
      • Managed Risk-Based SOAR
      • Managed Penetration Testing
  • Solutions
  • Resources
    • Blog
    • Threat Advisory
  • Company
    • About Us
    • Careers
    • Contact
Rewterz Threat Alert – Chase Themed Phishing Campaign
March 8, 2019
Rewterz Threat Alert – SLUB Backdoor Uses GitHub, Communicates via Slack
March 8, 2019

Rewterz Threat Alert – Multiple Malware Campaigns – IoCs

March 8, 2019

Severity

Medium

Analysis Summary

A malicious Microsoft Word document was retrieved from a campaign which contains Visual Basic for Applications (VBA) macros that download and execute a malicious payload. The payload was identified as a variant of the Emotet Banking Trojan.

Another file retrieved from a different malware campaign is a .NET executable that contains a large bitmap resource. The resource is decoded into a keylogger and two password-stealing programs. The dropped file is a text file that contains the path to the .NET executable.

Indicators of Compromise

IP(s) / Hostname(s) 109.129.2[.]50
115.71.233[.]127
115.93.16[.]173
117.247.233[.]82
118.69.35[.]66
121.74.198[.]58
122.176.109[.]10
123.136.174[.]52
147.83.156[.]162
148.243.206[.]110
173.255.196[.]209
178.254.31[.]162
178.62.37[.]188
181.119.30[.]25
183.82.112[.]154
183.82.120[.]85
186.4.165[.]50
186.90.227[.]239
187.144.76[.]174
189.149.3[.]197
189.194.250[.]74
189.230.124[.]74
190.0.1[.]30
190.109.223[.]50
190.147.100[.]8
190.228.72[.]180
190.94.79[.]239
196.209.233[.]234
198.74.58[.]47
2.50.183[.]165
203.99.177[.]144
211.115.111[.]19
211.248.17[.]209
217.13.106[.]160
217.165.2[.]29
218.90.156[.]188
27.147.163[.]188
27.96.91[.]73
45.123.3[.]54
5.230.147[.]179
58.65.178[.]100
62.75.191[.]231
67.205.149[.]117
69.195.223[.]154
69.198.17[.]7
75.99.13[.]124
83.222.124[.]62
91.98.29[.]206
93.109.229[.]250
95.141.175[.]240
98.142.208[.]27
192.99.212[.]64
URLs eirak[.]co
intraelectronics[.]com
kantova[.]com
linkingphase[.]com
motoruitjes[.]nl
radwomenbusinessowners[.]com
Filename 833.exe
US691260150692912.doc
DOC-80179.doc
emotet_e2_096e1cca4006f4c5cb050ba25b7f637cb498b80f3ed05895d0735ea75255823f_2019-01-16__185002.exe_
Mina.exe
Windows_Update.exe
Malware Hash (MD5/SHA1/SH256) 8fbc86605f0a433a82e9d1a0b19c3051
096e1cca4006f4c5cb050ba25b7f637cb498b80f3ed05895d0735ea75255823f
4f034492bc4d152f98c083ba3d9a1c24b3062a2917c89551857c4d310e481c9c
13370bd1e38381613def999e97a28c08840fbf4f9178f3b31f8db76644ad5a45

Remediation

  • Block the threat indicators at their respective controls.
  • Maintain up-to-date antivirus signatures and engines.
  • Keep operating system patches up-to-date.
  • Disable File and Printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
  • Restrict users’ ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators group unless required.
  • Exercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be known.
  • Enable a personal firewall on agency workstations, configured to deny unsolicited connection requests.
  • Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its “true file type” (i.e., the extension matches the file header).
  • Scan all software downloaded from the Internet prior to executing.
  • Services
    • Asses
      • Compromise Assessment
      • APT Assessment
      • Penetration Testing
      • Secure Architecture Design & Review
      • Red Team Assessment
      • Purple Team Assessment
      • Social Engineering
      • Source Code Review
    • Respond
      • Incident Response
      • Incident Analysis
  • Transform
    • SOC Consultancy
    •     SOC Maturity Assessment
    •     SOC Model Evaluation
    •     SOC Gap Analysis
    •     SIEM Gap Analysis
    •     SIEM Optimization
    •     SOC Content Pack
  • Train
    • Security Awareness and Training
    • Tabletop Exercise
    • Simulated Cyber Attack Exercises
  • Managed Security
    • Managed Security Monitoring
      • Remote SOC
      • Onsite SOC
      • Hybrid SOC
    • Managed Security Services
      • Managed Detection and Response
      • Managed Endpoint Detection and Response
      • Managed Threat Intelligence
      • Managed Threat Hunting
      • Managed Risk-Based SOAR
      • Managed Penetration Testing
  • Solutions
  • Resources
    • Blog
    • Threat Advisory
  • Company
    • About Us
    • Careers
    • Contact
COPYRIGHT © REWTERZ. ALL RIGHTS RESERVED.