Rewterz Threat Alert – Nefilim/Nephilim Ransomware Campaign

Severity

High

Analysis Summary

Threat actors are gaining access to organisations' networks through remote access systems such as Remote Desktop Protocol (RDP) and virtual private networks (VPN) and using that access to stage ransomware attacks. Entry is obtained through weak passwords, remote access that is not protected by multi-factor authentication, or a remote access system that has not been patched. Once an attacker has a foothold through the remote access system, they use tools such as Mimikatz, PsExec and Cobalt Strike to elevate privileges, move laterally across the network and establish persistence. The attacker then identifies data of value, exfiltrates it, and encrypts files.
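The two loudest steps of the chain described above are password guessing against RDP followed by a successful remote logon, and PsExec-style service installation on other hosts for lateral movement. The following is an added example (not Rewterz's own tooling) of detection logic for both, run over constructed Windows event records; the event fields, IP addresses, host names and user names are invented for illustration.

```python
"""Flag RDP brute force followed by a successful logon (Security 4625 -> 4624,
logon type 10) and PsExec-style remote service installs (System 7045)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, not real logs. Keys mirror the fields of interest
# in Windows Security (4624/4625) and System (7045) event data.
SAMPLE_EVENTS = [
    {"time": "2020-06-20T02:10:01", "id": 4625, "src_ip": "203.0.113.7", "user": "admin", "logon_type": 10},
    {"time": "2020-06-20T02:10:03", "id": 4625, "src_ip": "203.0.113.7", "user": "administrator", "logon_type": 10},
    {"time": "2020-06-20T02:10:05", "id": 4625, "src_ip": "203.0.113.7", "user": "backup", "logon_type": 10},
    {"time": "2020-06-20T02:10:07", "id": 4625, "src_ip": "203.0.113.7", "user": "svc_sql", "logon_type": 10},
    {"time": "2020-06-20T02:10:09", "id": 4625, "src_ip": "203.0.113.7", "user": "it.admin", "logon_type": 10},
    {"time": "2020-06-20T02:10:12", "id": 4624, "src_ip": "203.0.113.7", "user": "it.admin", "logon_type": 10},
    {"time": "2020-06-20T02:31:40", "id": 7045, "host": "FILESRV01", "service": "PSEXESVC", "image": "%SystemRoot%\\PSEXESVC.exe"},
    {"time": "2020-06-20T08:00:00", "id": 4624, "src_ip": "10.0.5.21", "user": "jdoe", "logon_type": 10},
    {"time": "2020-06-20T09:15:00", "id": 7045, "host": "WKS22", "service": "Sense", "image": "C:\\Program Files\\Windows Defender Advanced Threat Protection\\MsSense.exe"},
]

BRUTE_FORCE_THRESHOLD = 5           # failed logons from one IP before we care
BRUTE_FORCE_WINDOW = timedelta(minutes=10)


def _ts(event):
    return datetime.fromisoformat(event["time"])


def detect_rdp_bruteforce(events, threshold=BRUTE_FORCE_THRESHOLD, window=BRUTE_FORCE_WINDOW):
    """Return one alert per successful RDP logon (4624, logon type 10) that was
    preceded by at least `threshold` failures (4625) from the same source IP
    inside `window`. Failures alone are noise; failure-then-success is the
    foothold described in the alert."""
    failures = defaultdict(list)
    alerts = []
    for event in sorted(events, key=_ts):
        if event.get("logon_type") != 10:      # only RemoteInteractive (RDP) logons
            continue
        ip = event["src_ip"]
        if event["id"] == 4625:
            failures[ip].append(_ts(event))
        elif event["id"] == 4624:
            recent = [t for t in failures[ip] if _ts(event) - t <= window]
            if len(recent) >= threshold:
                alerts.append({"src_ip": ip, "user": event["user"],
                               "failures": len(recent), "time": event["time"]})
    return alerts


def detect_remote_service_install(events):
    """Return 7045 service installs whose service name or image path points at
    PsExec's default service. A hit on a host other than the one the attacker
    logged into via RDP is the lateral movement step."""
    hits = []
    for event in events:
        if event["id"] != 7045:
            continue
        name = event["service"].lower()
        image = event["image"].lower()
        if name == "psexesvc" or "psexesvc" in image:
            hits.append({"host": event["host"], "service": event["service"], "time": event["time"]})
    return hits


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print("RDP brute force then success:", alert)
    for hit in detect_remote_service_install(SAMPLE_EVENTS):
        print("PsExec-style service install:", hit)
```

PsExec's `-r` option lets an operator rename the service, so the 7045 name match is a weak signal on its own; pair it with the originating logon and with any 7045 whose image path sits under `ADMIN$` or a temporary directory.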

Impact

  • Initial access to the network
  • Lateral movement across the network
  • Exposure of sensitive information
  • File encryption

Indicators of Compromise

MD5

  • 053ec539c138afb99054bd362bb3ed71
  • 26c35850483c877ee23f476b38d58deb
  • 70e4b9b7a83473687e5784489d556c87
  • dfd4dbfd7cbd6179fc371e5f887f189c
  • 659c4b68f2027905def1af9249feebb3
  • 5ff20e2b723edb2d0fb27df4fc2c4468
  • 0790a7e0a842e1de70de194054fa11b3
  • 3beb3d466bcc0977ec2dd66d72ab6bb3
  • 80cfda61942eb4e71f286297a1158f48
  • 8f90539c405672016c0dec7ac3574eea
  • dc88265c361d73540a31c19583271fb0
  • ddc50d4ae0674d854a845b3eb32508c3

SHA-256

  • b227fa0485e34511627a8a4a7d3f1abb6231517be62d022916273b7a51b80a17
  • b8066b7ec376bc5928d78693d236dbf47414571df05f818a43fb5f52136e8f2e
  • 7a73032ece59af3316c4a64490344ee111e4cb06aaf00b4a96c10adfdd655599
  • fcc2921020690a58c60eba35df885e575669e9803212f7791d7e1956f9bf8020
  • 8be1c54a1a4d07c84b7454e789a26f04a30ca09933b41475423167e232abea2b
  • 3080b45bab3f804a297ec6d8f407ae762782fa092164f8ed4e106b1ee7e24953
  • 5ab834f599c6ad35fcd0a168d93c52c399c6de7d1c20f33e25cb1fdb25aec9c6
  • d4492a9eb36f87a9b3156b59052ebaf10e264d5d1ce4c015a6b0d205614e58e3
  • 35a0bced28fd345f3ebfb37b6f9a20cc3ab36ab168e079498f3adb25b41e156f
  • 08c7dfde13ade4b13350ae290616d7c2f4a87cbeac9a3886e90a175ee40fb641
  • 3bac058dbea51f52ce154fed0325fd835f35c1cd521462ce048b41c9b099e1e5
  • 353ee5805bc5c7a98fb5d522b15743055484dc47144535628d102a4098532cd5
  • 52e25bdd600695cfed0d4ee3aca4f121bfebf0de889593e6ba06282845cf39ea
  • 7de8ca88e240fb905fc2e8fd5db6c5af82d8e21556f0ae36d055f623128c3377

SHA-1

  • d87847810db8af546698e47653452dcd089c113e
  • bd59d7c734ca2f9cbaf7f12bc851f7dce94955d4
  • bbcb2354ef001f476025635741a6caa00818cbe7
  • f246984193c927414e543d936d1fb643a2dff77b
  • e53d4b589f5c5ef6afd23299550f70c69bc2fe1c
  • c61f2cdb0faf31120e33e023b7b923b01bc97fbf
  • 6c9ae388fa5d723a458de0d2bea3eb63bc921af7
  • 2483dc7273b8004ecc0403fbb25d8972470c4ee4
  • 0d339d08a546591aab246f3cf799f3e2aaee3889
  • 4595cdd47b63a4ae256ed22590311f388bc7a2d8
  • 1f594456d88591d3a88e1cdd4e93c6c4e59b746c
  • 9770fb41be1af0e8c9e1a69b8f92f2a3a5ca9b1a
  • e99460b4e8759909d3bd4e385d7e3f9b67aa1242
  • e94089137a41fd95c790f88cc9b57c2b4d5625ba

Remediation

  • Block all threat indicators at your respective controls.
  • Search for the IOCs in your existing environment.
  • Keep your software patched, in particular internet-facing remote access systems (RDP and VPN).
  • Enable multi-factor authentication (MFA) on all remote access, and enforce strong passwords.
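To act on the "search for the IOCs" step, a hunt needs to hash files on disk and compare against the MD5, SHA-1 and SHA-256 lists published above. The following is an added example, not Rewterz's own tooling: it embeds a subset of the alert's hashes (the full lists should be loaded from the alert in real use) and plants one constructed sample file in a temporary directory to show a match.

```python
"""Hunt a directory tree for files whose MD5 / SHA-1 / SHA-256 match the IOCs."""
import hashlib
import os
from pathlib import Path

# Subset of the hashes published in this alert (lowercase hex). In practice
# load the complete MD5, SHA-1 and SHA-256 lists from the alert.
NEFILIM_IOCS = {
    "053ec539c138afb99054bd362bb3ed71",
    "26c35850483c877ee23f476b38d58deb",
    "d87847810db8af546698e47653452dcd089c113e",
    "bd59d7c734ca2f9cbaf7f12bc851f7dce94955d4",
    "b227fa0485e34511627a8a4a7d3f1abb6231517be62d022916273b7a51b80a17",
    "b8066b7ec376bc5928d78693d236dbf47414571df05f818a43fb5f52136e8f2e",
}

CHUNK = 1024 * 1024  # read files in 1 MiB pieces so large binaries don't land in memory


def hash_file(path):
    """Return (md5, sha1, sha256) hex digests of one file, computed in a single pass."""
    md5, sha1, sha256 = hashlib.md5(), hashlib.sha1(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            md5.update(chunk)
            sha1.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha1.hexdigest(), sha256.hexdigest()


def scan_tree(root, iocs=NEFILIM_IOCS):
    """Walk `root` and return (path, algorithm, digest) for every IOC hit.
    Any of the three digests matching counts, so a list that only carries
    an MD5 for a sample still finds it."""
    normalized = {h.strip().lower() for h in iocs}
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            try:
                digests = hash_file(path)
            except OSError:
                continue  # locked or unreadable file: skip it, don't abort the hunt
            for algo, digest in zip(("md5", "sha1", "sha256"), digests):
                if digest in normalized:
                    hits.append((str(path), algo, digest))
    return hits


def demo():
    """Constructed sample: plant one file and add its SHA-256 to the IOC set, so
    the scan reports exactly that file. The bytes are a stand-in, not malware."""
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        planted = Path(tmp) / "sub" / "update.exe"
        planted.parent.mkdir()
        planted.write_bytes(b"MZ\x90\x00 constructed sample file, not real malware")
        (Path(tmp) / "readme.txt").write_text("benign file")
        planted_sha256 = hash_file(planted)[2]
        hits = scan_tree(tmp, NEFILIM_IOCS | {planted_sha256})
        return [(Path(p).name, algo) for p, algo, _ in hits]


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else None
    results = scan_tree(root) if root else demo()
    for hit in results:
        print("IOC hit:", hit)
```

Run it with a directory argument to hunt a real path (`python hunt.py C:\Users`); with no argument it runs the constructed demo. Hash matching only finds files identical to the published samples, so treat a clean result as absence of these specific binaries, not as absence of the intrusion.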