March 11, 2025
Proactive Defense: The Importance of Incident Response Planning in Cybersecurity
Rewterz Threat Alert – Phishing Campaign Initiated by State Sponsored Groups
April 23, 2020Rewterz Threat Advisory – ICS: Sierra Wireless AirLink ALEOS
April 24, 2020Rewterz Threat Alert – Phishing Campaign Initiated by State Sponsored Groups
April 23, 2020Rewterz Threat Advisory – ICS: Sierra Wireless AirLink ALEOS
April 24, 2020
Severity
Medium
Analysis Summary
A targeted email, with the subject line “Coronavirus (2019-nCoV)”, containing a document file was delivered to different users. Opening the document begins a template injection used for loading the template. Within the document, malicious macros execute a VBScript, assuming macros are enabled by the user. The C2 server being unavailable at the time of analysis made gathering additional payloads impossible. However, from the samples gathered, the Exif data is consistent and contains ID, Language Code, System ID, Author, and Code page. Most of the code is written in Cyrillic, indicating Russian origin. The malware drops hardcoded macros and executes a script.exe within the %USERPROFILE% directory. The actual VBS file is titled PlayList.vbs. This file contains obfuscated code that is executed after decryption. This particular technique is different than previous Gamaredon campaigns.
Impact
- System information discovery
- Exposure of sensitive data
Indicators of Compromise
Email Subject
Coronavirus (2019-nCoV)
SHA-256
- 0d90fe36866ee30eb5e4fd98583bc2fdb5b7da37e42692f390ac5f807a13f057
- 036c2088cb48215f21d4f7d751d750b859d57018c04f6cadd45c0c4fee23a9f8
- 19d03a25af5b71e859561ff8ccc0a073acb9c61b987bdb28395339f72baf46b4
- 62cf22f840fffd8d8781e52b492b03b4efc835571b48823b07535d52b182e861
- 8310d39aa1cdd13ca82c769d61049310f8ddaea7cd2c3b940a8a3c248e5e7b06
- 84e0b1d94a43c87de55c000e3acae17f4493a57badda3b27146ad8ed0f90c93e
- 85267e52016b6124e4e42f8b52e68475174c8a2bdf0bc0b501e058e2d388a819
- b6a94f565d482906be7da4d801153eb4dab46d92f43be3e1d59ddd2c7f328109
- cc775e3cf1a64effa55570715b73413c3ea3a6b47764a998b1272b5be059c25b
- 00b761bce25594da4c760574d224589daf01086c5637042982767a13a2f61bea
- 250b09f87fe506fbc6cedf9dbfcb594f7795ed0e02f982b5837334f09e8a184b
- 4b3ae36b04d6aba70089cb2099e6bc1ba16d16ea24bbf09992f23260151b9faf
- 946405e2f26e1cc0bd22bc7e12d403da939f02e9c4d8ddd012f049cf4bf1fda9
- 9cd5fa89d579a664c28da16064057096a5703773cef0a079f228f21a4b7fd5d2
- c089ccd376c9a4d5e5bdd553181ab4821d2c26fefc299cce7a4f023a660484d5
- e888b5e657b41d45ef0b2ed939e27ff9ea3a11c46946e31372cf26d92361c012
- f577d2b97963b717981c01b535f257e03688ff4a918aa66352aa9cd31845b67d
- 17161e0ab3907f637c2202a384de67fca49171c79b1b24db7c78a4680637e3d5
- 29367502e16bf1e2b788705014d0142d8bcb7fcc6a47d56fb82d7e333454e923
- 315e297ac510f3f2a60176f9c12fcf92681bbad758135767ba805cdea830b9ee
- 3e6166a6961bc7c23d316ea9bca87d8287a4044865c3e73064054e805ef5ca1a
- 3f40d4a0d0fe1eea58fa1c71308431b5c2ce6e381cacc7291e501f4eed57bfd2
- ab533d6ca0c2be8860a0f7fbfc7820ffd595edc63e540ff4c5991808da6a257d
- b78a3d21325d3db7470fbf1a6d254e23d349531fca4d7f458b33ca93c91e61cd
- c9c0180eba2a712f1aba1303b90cbf12c1117451ce13b68715931abc437b10cd
Remediation
- Block all threat indicators at your respective controls.
- Always be suspicious about emails sent by unknown senders.
- Never click on the links/attachments sent by unknown senders.