Rewterz

Rewterz Threat Advisory – Multiple Google Chrome Security Vulnerabilities

June 4, 2020
Rewterz

Rewterz Threat Advisory – CVE-2020-3227 – Cisco IOx for IOS XE Software Privilege Escalation Vulnerability

June 4, 2020

Rewterz Threat Alert – URSNIF and GOZI Delivery via Excel Macro 4.0

Severity

High

Analysis Summary

Beginning in January 2020, a campaign was detected that employed advanced obfuscation to evade detection. Using Microsoft Excel hidden sheets, the malicious document is unable to be seen by many detection engines. Speculation is the documents are delivered via social engineering emails. Asking victims to enable editing and content allows the macros contained on the hidden sheets to execute a WinAPI function to download the next stage malware.

Excel%204%20Macro%20maldoc%20campaign-1.png

The macro worksheet is heavily obfuscated and will start with a number of “RUN” commands that eventually ends with several interesting commands such as “CALL” and “EXEC”.

The macro utilizes the Win32 API function to download the next stage.

Impact

  • Information theft
  • Exposure of sensitive data

Indicators of Compromise

SHA1

  • F0fa0bccb67b0c01f238a5eca9c46b9faa0bd6a7
  • 1d6f74390e8a00e28975ec5181fe18aab956e5b3
  • 4cca909d440e7ce3626922db54872fba43b51855
  • 3115d21f0bc774996e7eb925c8badfe8172ae781
  • 1669b5553ef576c558bc6a49482a9c32d218641c
  • Aa64141ae3d4706eddeccdacbbef413f173f26b6
  • 7b6cabda9cfb7b23af2211d2a11ef9a504479a16
  • 7ec3f150ca07ff1a67487eb7e74e17eaa15a1144
  • F8aef0dac089067ca9024423eca9042f8b1ac845
  • 164dff79a7afe7a74d8ff06a564e81d36df29286
  • Fef9ab8c1df75fbcdb717d23a7f0f3a3a8512f16
  • 24c898ad6e3107474cb3bfbe606aa8f562a6f76a
  • B0d168485f482d4685c3d9f034171be457fd7b31
  • C33ee864fc398ee9ae1f7994f1aa84101cd6a421
  • 3479d044d78dc9a309e1b6ccd533e601235dbde5
  • C33ee864fc398ee9ae1f7994f1aa84101cd6a421
  • 3479d044d78dc9a309e1b6ccd533e601235dbde5
  • 66b9c31b5ab8deccd4c3711515d8021232c1a9af
  • 7848de9c2e505e418ae0b0f7d7fc9fae9f371197
  • 6b0d60b336972892667e71e415e3c21407307dc1
  • Afa0c9be4f05629e773c4304bbabeab2fd5befc8
  • B0734e1b869db25b66c5f03ed50133519c222284
  • A7b2badc79cc494eba7a0da8e13df49d226c4409
  • C8c3be4745ad3b0d88c4a8566ac0c780c0ce17f6
  • 2404a7c358629dca3839cef3ea18c5b30c778adc

Remediation

  • Block all threat indicators at your respective controls.
  • Always be suspicious about emails sent by unknown senders.
  • Never click on the links/attachments sent by unknown senders.

Reading this advisory was a good start.

Make it a habit.

Rewterz publishes threat advisories ahead of mainstream cybersecurity media, informed by an AI-Native Autonomous SOC that sees regional threat actor activity in real time. Subscribe to receive each new advisory as it publishes, plus a monthly Middle East threat landscape brief drawn from our own SOC telemetry. For teams evaluating their detection coverage, a 30-minute consultation with a senior analyst is also available, at your pace, when you're ready.