Severity
High
Analysis Summary
A spear phishing campaign by the SectorE02 group is ongoing against the Government of Pakistan and Pakistani organizations related to defense and intelligence. The spear phishing emails carry Excel XLS attachments that ask the victim to enable macros; once enabled, the macro executes the first-stage downloader. Malicious document lures used recently include a document purporting to be a registration form for the Pakistan Air Force.

SectorE02 is a threat actor that has targeted countries in South Asia, especially Pakistan, since at least 2012. Its arsenal includes a modular framework that researchers have dubbed the "YTY Framework", which exists in both Windows and mobile versions. The framework lets SectorE02 constantly modify and even rewrite individual plugins, and choose which plugins, if any, are delivered to a given victim. This modularity also helps the group keep antivirus detection rates low: each module does only one simple thing and will not even function without certain files dropped by an earlier stage. Components identified in this framework include the lure document, the first-stage downloader, a file plugin, a screenshot plugin, a keylogger plugin, and an exfiltration uploader plugin.
Excel Spear Phishing
The Excel files used in this campaign carried names such as Credit_Score.xls, Advance_Salary.xls, CSD_Schemes_2019.xls, and Agrani_Bank.xls. In some instances the file masqueraded as an Excel calculator from the National Bank of Pakistan.

Behind the scenes, the Excel macro retrieves encoded data stored inside the workbook itself. The encoding is trivial: each byte of the payload is written as its decimal value, with a comma (or an exclamation mark) as the separator. The dropped executable is encoded the same way, although more often the encoded blob is an entire zip archive containing two files, a batch script and an executable, which the macro unzips and then executes.
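The encoding described above is simple enough to reverse in a few lines, which is useful when triaging a suspect workbook without running the macro. The following decoder is an added example, not code from the advisory or from the SectorE02 samples: it locates long runs of comma- or exclamation-separated decimal values in macro text, decodes them to bytes, and then checks whether the result is a raw PE (starts with `MZ`) or a zip archive (starts with `PK\x03\x04`) whose members can be listed. The macro text and the embedded zip are constructed inline so the script runs offline; real samples will differ in blob length and member names.

```python
import io
import re
import zipfile

# A candidate blob is at least 32 decimal values (0-255) separated by ',' or '!'.
# Threshold is an assumption chosen to skip short numeric lists in ordinary VBA.
_BLOB_RE = re.compile(r"(?:\d{1,3}\s*[,!]\s*){31,}\d{1,3}")


def find_encoded_blobs(text):
    """Return every run of separator-delimited decimal values found in macro text."""
    return [m.group(0) for m in _BLOB_RE.finditer(text)]


def decode_decimal_payload(text):
    """Turn '77,90,144,...' (or '77!90!144!...') back into raw bytes.

    Raises ValueError on anything that is not a byte-sized decimal token so a
    false positive from the regex is reported instead of silently mangled.
    """
    out = bytearray()
    for tok in re.split(r"[,!]", text):
        tok = tok.strip()
        if not tok:
            continue
        if not tok.isdigit() or int(tok) > 255:
            raise ValueError(f"not a byte-sized decimal token: {tok!r}")
        out.append(int(tok))
    return bytes(out)


def classify_payload(data):
    """Identify the two container types the advisory describes."""
    if data[:2] == b"MZ":
        return "pe"
    if data[:4] == b"PK\x03\x04":
        return "zip"
    return "unknown"


def list_zip_members(data):
    """List archive members without extracting them to disk."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()


def triage_macro_text(text):
    """Decode every candidate blob and report (kind, zip members) per blob."""
    results = []
    for blob in find_encoded_blobs(text):
        data = decode_decimal_payload(blob)
        kind = classify_payload(data)
        members = list_zip_members(data) if kind == "zip" else []
        results.append((kind, members))
    return results


# --- constructed sample input (not a real SectorE02 artifact) ---------------

def encode_decimal_payload(data, sep=","):
    """Inverse of decode_decimal_payload, used only to build the sample below."""
    return sep.join(str(b) for b in data)


def build_sample_zip():
    """Zip with a batch launcher and a fake 'exe' (just an MZ header + padding)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("run.bat", "@echo off\r\nstart payload.exe\r\n")
        zf.writestr("payload.exe", b"MZ" + b"\x00" * 62)
    return buf.getvalue()


SAMPLE_ENCODED = encode_decimal_payload(build_sample_zip(), sep="!")

# Mimics the shape of a macro that keeps the blob in a string literal.
SAMPLE_MACRO_TEXT = (
    "Sub Auto_Open()\r\n"
    "    Dim s As String\r\n"
    f'    s = "{SAMPLE_ENCODED}"\r\n'
    "End Sub\r\n"
)

if __name__ == "__main__":
    for kind, members in triage_macro_text(SAMPLE_MACRO_TEXT):
        print(kind, members)
```

To use this on a real workbook, extract the VBA source first (for example with a VBA-stream parser) and pass the module text to `triage_macro_text`; the decoded bytes can then be hashed and compared against the indicators below.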

Impact
- Credential theft
- Exposure of sensitive information
Indicators of Compromise
IP(s) / Hostname(s)
- 179[.]43[.]170[.]155
- 5[.]135[.]199[.]26
Domains
- data-backup[.]online
- servicejobs[.]life
Malware Hash (SHA256)
- 1f64ab4db42ad68b4b99120ef6e9d1409cf606d31d932c0d306bb11c8ddcb2b4
- 5a70d423fb336448fc7a71fbc3c7a4f0397bc7fa1ec32f7cc42824a432051c33
- 95ea070bbfca04fff58a7092d61527aad0474914ffd2501d96991faad1388c7a
- fdcf3873df6f83336539c4997ce69fce459737c6d655f1972422f861437858a9
- 6d0a3c4b2414c59be1190710c09330f4dd07e7badc4194e592799783f1cfd055
- 7703c3385894dd3468c468745c747bf5c75f37a9b1fcaf2a1d0f291ecb7abce6
- aa1c8adc4b7d352e487842b1d3017f627230ff1057350aaca1ffeb4d6abae16a
- a06a5b1d63ca67da90ba6cd9cbc00d6872707a1b49d44de26d6eb5ce7dd7d545
- cc2c2694d0284153605a98c0e7493fb90aff0d78e7f03e37c80fb505fbf3f93f
- 42775c20aa5b73b2eaecb5b107ce59d105f978660e6e43f53f804733ce3f7cbe
- f0c85a1c9cf80ad424acebbe7af54176d0cb778a639da2f2f59828af5bb79842
- 92b12010772166647f510ad91731e931d58bc077bfc9f9d39adc678cc00fb65d
- 1b46735d6b6aebefd5809274de1aaa56b5fac314b33c2fa51b001e07b4f7e4d7
- 57a9a17baaf61de5cffa8b2e2ec340a179e7e1cd70e046cbd832655c44bc7c1d
- cd03ed9e4f3257836e11016294c8701baa12414b59f221e556cbed16a946b205
- ce1df70e96b4780329d393ff7a37513aec222030e80606ee3ef99b306951d74d
- 9169dab8579d49253f72439f7572e0aabeb685c5ca63bf91fff81502764e79bb
- 5acfd1b49ae86ef66b94a3e0209a2d2a3592c31b57ccbaa4bb9540fcf3403574
- 08b11f246e2ebcfc049f198c055fc855e0af1f8499ba18791e3232efa913b01a
- 62dfec7fe0025e8863c2252abb4ec1abdb4b916b76972910c6a47728bfb648a7
- 13f27543d03fd4bee3267bdc37300e578994f55edabc031de936ff476482ceb4
- b874a158f019dc082a0069eb3f7e169fbec2b4f05b123eed62d81776a7ddb384
- 8fff7f07ebf0a1e0a4eabdcf57744739f39de643d831c36416b663bd243590e1
- d71a1d993e9515ec69a32f913c2a18f14cdb52ef06e4011c8622b5945440c1aa
- f10f41bd38832596d4c449f81b9eb4129361aa4e4ebd4a8e8d2d8bf388934ca5
- f331f67baa2650c426daae9dee6066029beb8b17253f26ad9ebbd3a64b2b6a37
- d4e587b16fbc486a62cc33febd5438be3a9690afc1650af702ed42d00ebfd39e
Remediation
- Block the listed indicators at your perimeter, DNS, proxy, and endpoint controls.
- Since the infection chain depends on the victim enabling macros, disable or restrict Office macros where they are not required, and treat any attachment that asks the recipient to enable them as suspicious.
- Always be suspicious of emails sent by unknown senders.
- Never click on links or open attachments sent by unknown senders.