February 28, 2019
Severity
Medium
Analysis Summary
In a SeedWorm (also tracked as MuddyWater) campaign, variants of a backdoor called LisfonService were observed at several different stages of development, indicating that the tool is being actively maintained. Some of the files were retrieved by a PowerShell stage that downloads and runs a program called ‘muddy’ on the infected system. Indicators of Compromise are listed below.
Impact
Malware Infection
Indicators of Compromise
IP(s) / Hostname(s)
- 31.171.154[.]67
- 46.99.148[.]96
- 78.129.139[.]148
- 78.129.222[.]56
- 79.106.224[.]203
Filename
- svchosts.exe
- TestService.exe
- lisfon.exe
- lisfonservice.exe
- Win7LisfonService.exe
- LisfonService.exe
- Lisfon.exe
Extension
.exe
Malware Hash (SHA-256)
- 51ac160f7d60a9ce642080af0425a446fb25b7067e06b3a9a8ec2f777836efd3
- 5723f425e0c55c22c6b8bb74afb6b506943012c33b9ec1c928a71307a8c5889a
- 58972b27b7dc40494e715c2f39a1bcee4d8c18da6bcc3e22785496cca2cee1a0
- 6f8226d890350943a9ef4cc81598e0e953d8ba9746694c0b7e3d99e418701b39
- 9262bf6be648e1b15850a776fe4e393250d74afdf911e94ae07718f8ad4d1664
- b6078804dfdc3219ac8ba0f74473ff7ada00228ea0141d0be8e7cf227ff09186
- bf696397784b22f8e891dd0627dce731f288d14d4791ac5d0a906bc1cbe10de6
- c514c3f293f0cb4c23662a5ab962b158cb97580b03a22b82e21fa3b26d64809c
- f1f11830b60e6530b680291509ddd9b5a1e5f425550444ec964a08f5f0c1a44e
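The Python script below is an added example, not part of the Rewterz alert, showing how the indicators above can be swept against endpoint and network telemetry. It refangs the published IPs, normalises hashes and filenames to lower case (NTFS names are case-insensitive), and matches each event on three independent classes. The event field names (dst_ip, image, sha256) and the sample events are assumptions constructed for the example, standing in for whatever an EDR or proxy export actually contains.

```python
"""Sweep constructed telemetry against the SeedWorm indicators listed above.

Added example, not part of the Rewterz alert. Event field names (dst_ip, image, sha256)
are an assumption standing in for whatever an EDR or proxy log exports.
"""
import ipaddress
from typing import Dict, Iterable, List, Tuple

# Indicators transcribed from the alert. IPs are kept defanged ("[.]") exactly as published.
DEFANGED_IPS = [
    "31.171.154[.]67",
    "46.99.148[.]96",
    "78.129.139[.]148",
    "78.129.222[.]56",
    "79.106.224[.]203",
]
FILENAMES = [
    "svchosts.exe",          # typosquat of the legitimate svchost.exe
    "TestService.exe",
    "lisfon.exe",
    "lisfonservice.exe",
    "Win7LisfonService.exe",
    "LisfonService.exe",
    "Lisfon.exe",
]
SHA256_HASHES = [
    "51ac160f7d60a9ce642080af0425a446fb25b7067e06b3a9a8ec2f777836efd3",
    "5723f425e0c55c22c6b8bb74afb6b506943012c33b9ec1c928a71307a8c5889a",
    "58972b27b7dc40494e715c2f39a1bcee4d8c18da6bcc3e22785496cca2cee1a0",
    "6f8226d890350943a9ef4cc81598e0e953d8ba9746694c0b7e3d99e418701b39",
    "9262bf6be648e1b15850a776fe4e393250d74afdf911e94ae07718f8ad4d1664",
    "b6078804dfdc3219ac8ba0f74473ff7ada00228ea0141d0be8e7cf227ff09186",
    "bf696397784b22f8e891dd0627dce731f288d14d4791ac5d0a906bc1cbe10de6",
    "c514c3f293f0cb4c23662a5ab962b158cb97580b03a22b82e21fa3b26d64809c",
    "f1f11830b60e6530b680291509ddd9b5a1e5f425550444ec964a08f5f0c1a44e",
]


def refang(indicator: str) -> str:
    """Undo the defanging used in published IOC lists so the value can be compared to live data."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


IP_SET = {ipaddress.ip_address(refang(ip)) for ip in DEFANGED_IPS}
FILENAME_SET = {name.lower() for name in FILENAMES}  # NTFS names are case-insensitive
HASH_SET = {h.lower() for h in SHA256_HASHES}


def match_event(event: Dict[str, str]) -> List[str]:
    """Return which indicator classes an event hits, in fixed order: ip, sha256, filename."""
    hits = []
    dst = event.get("dst_ip")
    if dst:
        try:
            if ipaddress.ip_address(dst) in IP_SET:
                hits.append("ip")
        except ValueError:
            pass  # malformed address in the log; skip it rather than abort the sweep
    if event.get("sha256", "").lower() in HASH_SET:
        hits.append("sha256")
    basename = event.get("image", "").replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if basename in FILENAME_SET:
        hits.append("filename")
    return hits


def sweep(events: Iterable[Dict[str, str]]) -> List[Tuple[str, List[str]]]:
    """Return (event id, hit classes) for every event that matches at least one indicator."""
    results = []
    for event in events:
        hits = match_event(event)
        if hits:
            results.append((event["id"], hits))
    return results


# Constructed sample events (not real logs): one hit per indicator class plus benign noise.
SAMPLE_EVENTS = [
    {"id": "e1", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "dst_ip": "78.129.139.148"},
    {"id": "e2", "image": r"C:\Users\Public\LisfonService.exe",
     "sha256": "51AC160F7D60A9CE642080AF0425A446FB25B7067E06B3A9A8EC2F777836EFD3"},
    {"id": "e3", "image": r"C:\Windows\System32\svchost.exe", "sha256": "0" * 64},
    {"id": "e4", "image": r"C:\ProgramData\svchosts.exe", "sha256": "1" * 64},
    {"id": "e5", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "dst_ip": "not-an-ip"},
]

if __name__ == "__main__":
    for event_id, hits in sweep(SAMPLE_EVENTS):
        print(f"{event_id}: {', '.join(hits)}")
```

A hash hit is strong evidence on its own; a filename hit is weak (anyone can name a binary TestService.exe) and should be treated as a lead to pull the file and hash it. The IPs are attacker infrastructure as of the alert date and may have been reassigned since, so a connection to one of them warrants investigation rather than an automatic verdict.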
Remediation
- Block the threat indicators where possible: the IPs at the perimeter and proxy, the hashes and filenames in endpoint controls.
- Maintain up-to-date antivirus signatures and engines.
- Keep operating system patches up-to-date.
- Disable File and Printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
- Restrict users’ ability (permissions) to install and run unwanted software applications.
- Exercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be known.
- Enable a host-based firewall on workstations, configured to deny unsolicited inbound connection requests.
- Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its “true file type” (i.e., the extension matches the file header).
- Monitor users’ web browsing habits; restrict access to sites with unfavorable content.
- Scan all software downloaded from the Internet prior to executing.
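The "true file type" check in the remediation list is the one most often skipped, so here is an added example of it in Python (example code, not from Rewterz). It compares an attachment's claimed extension with its leading bytes and ranks the outcome, with a Windows executable (MZ header) hiding behind a document extension as the most severe case. The signature table and the sample attachments are constructed for the example; the table is a small illustrative subset, not a complete file-type database.

```python
"""Check that an e-mail attachment's extension agrees with its file header (magic bytes).

Added example, not part of the Rewterz alert. The signature table is a small
illustrative subset, not a complete file-type database.
"""
from typing import Dict, Optional

# (label, magic prefix). The first matching signature wins.
SIGNATURES = [
    ("pe",   b"MZ"),                                   # Windows executables: .exe/.dll/.scr
    ("pdf",  b"%PDF-"),
    ("zip",  b"PK\x03\x04"),                           # also Office OOXML (.docx/.xlsx/.pptx)
    ("ole",  b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"),     # legacy Office (.doc/.xls)
    ("rtf",  b"{\\rtf"),
    ("png",  b"\x89PNG\r\n\x1a\n"),
    ("jpeg", b"\xff\xd8\xff"),
    ("gif",  b"GIF8"),
]

# Which content label each extension is supposed to carry.
EXPECTED: Dict[str, str] = {
    ".exe": "pe", ".dll": "pe", ".scr": "pe",
    ".pdf": "pdf",
    ".docx": "zip", ".xlsx": "zip", ".pptx": "zip", ".zip": "zip",
    ".doc": "ole", ".xls": "ole",
    ".rtf": "rtf",
    ".png": "png", ".jpg": "jpeg", ".jpeg": "jpeg", ".gif": "gif",
}


def sniff(header: bytes) -> Optional[str]:
    """Identify content by its leading bytes; None if no known signature matches."""
    for label, magic in SIGNATURES:
        if header.startswith(magic):
            return label
    return None


def check_attachment(filename: str, header: bytes) -> Dict[str, object]:
    """Compare the claimed extension with the sniffed content and return a verdict.

    Verdicts, most to least severe:
      disguised_executable - content is a PE file but the extension claims otherwise
      mismatch             - both sides are known and disagree (e.g. JPEG data named .png)
      unrecognized_content - extension is known but the bytes match no signature
      unknown_extension    - no expectation for this extension (e.g. .txt); cannot judge
      match                - extension and content agree
    """
    parts = filename.lower().split(".")
    extensions = parts[1:]  # every extension, so "invoice.pdf.scr" yields ["pdf", "scr"]
    ext = "." + extensions[-1] if extensions else ""
    expected = EXPECTED.get(ext)
    actual = sniff(header)

    if actual == "pe" and expected != "pe":
        verdict = "disguised_executable"
    elif expected is None:
        verdict = "unknown_extension"
    elif actual is None:
        verdict = "unrecognized_content"
    elif actual == expected:
        verdict = "match"
    else:
        verdict = "mismatch"

    return {
        "filename": filename,
        "extension": ext,
        "expected": expected,
        "actual": actual,
        "verdict": verdict,
        # A second extension is a classic lure ("photo.jpg.scr") even when header and
        # final extension agree, so it is reported separately from the verdict.
        "double_extension": len(extensions) > 1,
    }


# Constructed attachments (name, first bytes); not real samples.
SAMPLE_ATTACHMENTS = [
    ("Invoice_2019.pdf", b"%PDF-1.7\n%\xe2\xe3\xcf\xd3"),
    ("scan.pdf", b"MZ\x90\x00\x03\x00\x00\x00"),
    ("report.docx", b"PK\x03\x04\x14\x00\x06\x00"),
    ("photo.jpg.scr", b"MZ\x90\x00\x03\x00\x00\x00"),
    ("image.png", b"\xff\xd8\xff\xe0\x00\x10JFIF"),
    ("notes.txt", b"meeting at 10"),
]


def triage(attachments) -> Dict[str, str]:
    """Map each filename to its verdict, with '+double-ext' appended where a second extension is present."""
    out = {}
    for name, header in attachments:
        result = check_attachment(name, header)
        out[name] = result["verdict"] + ("+double-ext" if result["double_extension"] else "")
    return out


if __name__ == "__main__":
    for name, tag in triage(SAMPLE_ATTACHMENTS).items():
        print(f"{name:20s} {tag}")
```

Note that "photo.jpg.scr" comes back as a match, because its final extension really is an executable type; that is why the double-extension flag is reported separately, and why a mail gateway should block executable attachment types outright rather than rely on header agreement alone. Plain-text and script attachments have no magic bytes, so they fall into unknown_extension and need a different control (content inspection or policy).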