Rewterz Threat Advisory – Cisco SD-WAN Solution Vulnerability
March 19, 2020Rewterz Threat Alert – COVID themed targeting from North Korean Kimsuky
March 20, 2020Severity
Medium
Analysis Summary
| Attackers are launching thematic email campaigns using COVID fear to lure people into clicking malicious documents. APT27 has launched a similar campaign. The first stage is a fake PDF file. It looks like a real PDF, it has a hidden extension and a nice PDF icon, but it really isn’t a PDF, it’s actually a .lnk file, or in other words a “Microsoft Linking File”. Opening up the .lnk file there are two main sections: one is a kind of header where it is possible to observe commands, and the other section is a big encoded payload. Stage 1 carved Stage 2 from its body by extracting bytes and decoding them using base64 encoding. The new stage is a Microsoft compressed CAB file. Stage 1 executes the Javascript included in the CAB file. 9sOXN6Ltf0afe7.js performs an ActiveXObject call to WScript.Shell in order to execute Windows command lists. Once ”deobfuscated” and beautified the command line looks like (9sOXN6Ltf0afe7.js payload beautified). The attacker creates a folder that looks like a “file” by calling it cscript.exe trying to cheat the analyst. Then the attacker populates that folder with the needed files to follow the infection chain. |
Impact
- Command Execution
- Unauthorized Remote Access
Indicators of Compromise
Hostname
- motivation[.]neighboring[.]site
MD5
- 83d04f21515c7e6316f9cd0bb393a118
- 21a51a834372ab11fba72fb865d6830e
- fd648c3b7495abbe86b850587e2e5431
SHA-256
- a49133ed68bebb66412d3eb5d2b84ee71c393627906f574a29247d8699f1f38e
- 95489af84596a21b6fcca078ed10746a32e974a84d0daed28cc56e77c38cc5a8
- 002c9e0578a8b76f626e59b755a8aac18b5d048f1cc76e2c12f68bc3dd18b124
URL
- http[:]//motivation[.]neighboring[.]site/01/index[.]php
Remediation
- Block the threat indicators at their respective controls.
- Do not download untrusted files attached in emails coming from unknown sources.