Request a Demo
Rewterz
Rewterz Threat Alert – Phishing Campaign Initiated by State Sponsored Groups
April 23, 2020
Rewterz
Rewterz Threat Advisory – ICS: Sierra Wireless AirLink ALEOS
April 24, 2020

Rewterz Threat Alert – Gamaredon APT Using COVID-19 Lures

Severity

Medium

Analysis Summary

A targeted email, with the subject line “Coronavirus (2019-nCoV)”, containing a document file was delivered to different users. Opening the document begins a template injection used for loading the template. Within the document, malicious macros execute a VBScript, assuming macros are enabled by the user. The C2 server being unavailable at the time of analysis made gathering additional payloads impossible. However, from the samples gathered, the Exif data is consistent and contains ID, Language Code, System ID, Author, and Code page. Most of the code is written in Cyrillic, indicating Russian origin. The malware drops hardcoded macros and executes a script.exe within the %USERPROFILE% directory. The actual VBS file is titled PlayList.vbs. This file contains obfuscated code that is executed after decryption. This particular technique is different than previous Gamaredon campaigns. 

figure-1-640x365.jpg

Impact

  • System information discovery
  • Exposure of sensitive data 

Indicators of Compromise

Email Subject

Coronavirus (2019-nCoV)

SHA-256

  • 0d90fe36866ee30eb5e4fd98583bc2fdb5b7da37e42692f390ac5f807a13f057
  • 036c2088cb48215f21d4f7d751d750b859d57018c04f6cadd45c0c4fee23a9f8
  • 19d03a25af5b71e859561ff8ccc0a073acb9c61b987bdb28395339f72baf46b4
  • 62cf22f840fffd8d8781e52b492b03b4efc835571b48823b07535d52b182e861
  • 8310d39aa1cdd13ca82c769d61049310f8ddaea7cd2c3b940a8a3c248e5e7b06
  • 84e0b1d94a43c87de55c000e3acae17f4493a57badda3b27146ad8ed0f90c93e
  • 85267e52016b6124e4e42f8b52e68475174c8a2bdf0bc0b501e058e2d388a819
  • b6a94f565d482906be7da4d801153eb4dab46d92f43be3e1d59ddd2c7f328109
  • cc775e3cf1a64effa55570715b73413c3ea3a6b47764a998b1272b5be059c25b
  • 00b761bce25594da4c760574d224589daf01086c5637042982767a13a2f61bea
  • 250b09f87fe506fbc6cedf9dbfcb594f7795ed0e02f982b5837334f09e8a184b
  • 4b3ae36b04d6aba70089cb2099e6bc1ba16d16ea24bbf09992f23260151b9faf
  • 946405e2f26e1cc0bd22bc7e12d403da939f02e9c4d8ddd012f049cf4bf1fda9
  • 9cd5fa89d579a664c28da16064057096a5703773cef0a079f228f21a4b7fd5d2
  • c089ccd376c9a4d5e5bdd553181ab4821d2c26fefc299cce7a4f023a660484d5
  • e888b5e657b41d45ef0b2ed939e27ff9ea3a11c46946e31372cf26d92361c012
  • f577d2b97963b717981c01b535f257e03688ff4a918aa66352aa9cd31845b67d
  • 17161e0ab3907f637c2202a384de67fca49171c79b1b24db7c78a4680637e3d5
  • 29367502e16bf1e2b788705014d0142d8bcb7fcc6a47d56fb82d7e333454e923
  • 315e297ac510f3f2a60176f9c12fcf92681bbad758135767ba805cdea830b9ee
  • 3e6166a6961bc7c23d316ea9bca87d8287a4044865c3e73064054e805ef5ca1a
  • 3f40d4a0d0fe1eea58fa1c71308431b5c2ce6e381cacc7291e501f4eed57bfd2
  • ab533d6ca0c2be8860a0f7fbfc7820ffd595edc63e540ff4c5991808da6a257d
  • b78a3d21325d3db7470fbf1a6d254e23d349531fca4d7f458b33ca93c91e61cd
  • c9c0180eba2a712f1aba1303b90cbf12c1117451ce13b68715931abc437b10cd

Remediation

  • Block all threat indicators at your respective controls.
  • Always be suspicious about emails sent by unknown senders.
  • Never click on the links/attachments sent by unknown senders.