April 19, 2024
Proactive Defense: The Importance of Incident Response Planning in Cybersecurity
Rewterz Threat Advisory – CVE-2018-10902 – IBM Security Guardium Linux Kernel Privilege Escalation Vulnerability
June 28, 2019Rewterz Threat Advisory – Industrial control Advantech WebAccess/SCADA Multiple Vulnerabilities
June 28, 2019Rewterz Threat Advisory – CVE-2018-10902 – IBM Security Guardium Linux Kernel Privilege Escalation Vulnerability
June 28, 2019Rewterz Threat Advisory – Industrial control Advantech WebAccess/SCADA Multiple Vulnerabilities
June 28, 2019
Severity
Medium
Analysis Summary
A potential victim receives an SMS text containing a malicious link to a fake website (pretending to be a popular ad service). The advertisements attempt to entice the victim into downloading an update for that app. If the victim falls prey to this scheme (allows installation to proceed), they will actually be downloading the banking Trojan. Once installed, the Trojan reaches out to its command and control server in order to receive commands.
Impact
Credential theft
Indicators of Compromise
IP(s) / Hostname(s)
- 100[.]51[.]100[.]00
- 108[.]62[.]118[.]131
- 172[.]81[.]134[.]165
- 172[.]86[.]120[.]207
- 185[.]212[.]128[.]152
- 185[.]212[.]128[.]192
- 185[.]61[.]000[.]108
- 185[.]61[.]138[.]108
- 185[.]61[.]138[.]37
- 188[.]209[.]52[.]101
- 5[.]206[.]225[.]57
URLs
- alr992[.]date
- avito-app[.]pw
- backfround2[.]pw
- background1[.]xyz
- blacksolider93[.]com
- blass9g087[.]com
- brekelter2[.]com
- broplar3hf[.]xyz
- buy-youla[.]ru
- cd78cg210xy0[.]com
- copsoiteess[.]com
- farmatefc93[.]org
- firstclinsop[.]com
- holebrhuhh3[.]com
- holebrhuhh45[.]com
- karambga3j[.]net
- le22999a[.]pw
- leboncoin-bk[.]top
- leboncoin-buy[.]pw
- leboncoin-cz[.]info
- leboncoin-f[.]pw
- leboncoin-jp[.]info
- leboncoin-kp[.]top
- leboncoin-ny[.]info
- leboncoin-ql[.]top
- leboncoin-tr[.]info
- myyoula[.]ru
- sell-avito[.]ru
- sell-youla[.]ru
- sentel8ju67[.]com
- subito-li[.]pw
- subitop[.]pw
- web-gumtree[.]com
- whitehousejosh[.]com
- whitekalgoy3[.]com
- youlaprotect[.]ru
Malware Hash (MD5/SHA1/SH256)
- 0497b6000a7a23e9e9b97472bc2d3799caf49cbbea1627ad4d87ae6e0b7e2a98
- 417fc112cd0610cc8c402742b0baab0a086b5c4164230009e11d34fdeee7d3fa
- 54594edbe9055517da2836199600f682dee07e6b405c6fe4b476627e8d184bfe
- 6e995d68c724f121d43ec2ff59bc4e536192360afa3beaec5646f01094f0b745
- bbc268ca63eeb27e424fec1b3976bab550da304de18e29faff94d9057b1fa25a
- dc3dd9d75120934333496d0a4100252b419ee8fcdab5d74cf343bcb0306c9811
- e3f77ff093f322e139940b33994c5a57ae010b66668668dc4945142a81bcc049
- ebd0a8043434edac261cb25b94f417188a5c0d62b5dd4033f156b890d150a4c5
- f51a27163cb0ddd08caa29d865b9f238848118ba2589626af711330481b352df
Remediation
- Block all threat indicators at your respective controls.
- Always be suspicious about text/emails sent by unknown senders.
- Never click on the link/ attachments sent by unknown senders.