Rewterz Threat Alert – Plugx Delivered by Covid-Themed Documents

March 19, 2020

Severity

Medium

Analysis Summary

Attackers are running COVID-themed email campaigns that exploit fear of the pandemic to lure recipients into opening malicious documents; APT27 has launched a similar campaign. The first stage is a fake PDF: it carries a PDF icon and its real extension is hidden, but it is not a PDF at all. It is a .lnk file, or in other words a "Microsoft Linking File" (a Windows shortcut). The .lnk file has two main sections: a header in which the embedded commands can be observed, and a large encoded payload. Stage 1 carves Stage 2 out of its own body by extracting those bytes and base64-decoding them; the result is a Microsoft compressed CAB file. Stage 1 then executes the JavaScript contained in the CAB file, 9sOXN6Ltf0afe7.js, which performs an ActiveXObject call to WScript.Shell in order to run a list of Windows commands. Once deobfuscated and beautified, the command line (figure: 9sOXN6Ltf0afe7.js payload beautified) shows the attacker creating a folder that looks like a file by naming it cscript.exe, in an attempt to mislead analysts, and then populating that folder with the files needed for the rest of the infection chain.
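As an added triage illustration (not part of the advisory), the Python check below applies the stage-1 traits described above to a candidate file: a .lnk header, a document extension hidden in front of .lnk, and a large base64 blob that decodes to a CAB archive (the `MSCF` signature). The sample bytes are constructed for the demonstration, and the `triage_lnk` function, its findings keys and the blob-length threshold are assumptions, not tooling from the advisory.

```python
import base64
import re
from pathlib import PurePath

# Shell Link (.lnk) header: HeaderSize 0x4C followed by the LinkCLSID
# 00021401-0000-0000-C000-000000000046 in little-endian GUID layout.
LNK_MAGIC = (b"\x4c\x00\x00\x00\x01\x14\x02\x00\x00\x00\x00\x00"
             b"\xc0\x00\x00\x00\x00\x00\x00\x46")
CAB_MAGIC = b"MSCF"          # Microsoft Cabinet file signature
MIN_BLOB_LEN = 256           # assumed: shorter base64 runs are not a stage
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{%d,}={0,2}" % MIN_BLOB_LEN)

def triage_lnk(name, data):
    """Return findings for one candidate file given its name and raw bytes."""
    suffixes = [s.lower() for s in PurePath(name).suffixes]
    findings = {
        "is_lnk": data.startswith(LNK_MAGIC),
        # e.g. "invoice.pdf.lnk": a document extension in front of .lnk,
        # which Explorer hides by default
        "double_extension": len(suffixes) >= 2 and suffixes[-1] == ".lnk",
        "embedded_blob": False,
        "embedded_cab": False,
    }
    for m in B64_RUN.finditer(data):
        findings["embedded_blob"] = True
        blob = m.group(0)
        blob = blob[: len(blob) - len(blob) % 4]   # drop a ragged tail
        try:
            decoded = base64.b64decode(blob, validate=True)
        except ValueError:
            continue
        if decoded.startswith(CAB_MAGIC):
            findings["embedded_cab"] = True
            break
    findings["suspicious"] = findings["is_lnk"] and findings["embedded_cab"]
    return findings

# Constructed sample mimicking the stage-1 layout: LNK header, a command
# stub in the header area, then a base64 blob that decodes to a CAB file.
FAKE_CAB = CAB_MAGIC + b"\x00" * 300
SAMPLE_LNK = (LNK_MAGIC + b"\x00" * 40 + b"cmd.exe /c ..."
              + base64.b64encode(FAKE_CAB))

if __name__ == "__main__":
    print(triage_lnk("invoice.pdf.lnk", SAMPLE_LNK))
```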

Impact

  • Command Execution
  • Unauthorized Remote Access

Indicators of Compromise

Hostname

  • motivation[.]neighboring[.]site

MD5

  • 83d04f21515c7e6316f9cd0bb393a118
  • 21a51a834372ab11fba72fb865d6830e
  • fd648c3b7495abbe86b850587e2e5431

SHA-256

  • a49133ed68bebb66412d3eb5d2b84ee71c393627906f574a29247d8699f1f38e
  • 95489af84596a21b6fcca078ed10746a32e974a84d0daed28cc56e77c38cc5a8
  • 002c9e0578a8b76f626e59b755a8aac18b5d048f1cc76e2c12f68bc3dd18b124

URL

  • http[:]//motivation[.]neighboring[.]site/01/index[.]php

Remediation

  • Block the threat indicators at their respective controls.
  • Do not download untrusted files attached to emails from unknown sources.
COPYRIGHT © REWTERZ. ALL RIGHTS RESERVED.