
Rewterz Threat Alert – GoldenSpy Malware

Severity

High

Analysis Summary

A newly discovered attack campaign infiltrated a UK-based technology company via tax payment software. The attackers could run Windows commands, create new users, move laterally and upload code to execute malware, and could potentially use the resulting network access to exfiltrate data. GoldenSpy installs two identical copies of itself, both as persistent autostart services; if either stops running, the other respawns it. In addition, it uses an EXEProtector module that monitors for the deletion of either copy and, if one is deleted, downloads and executes a new version. Researchers believe that this triple-layer protection makes the malware exceedingly difficult to remove from an infected system.
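The persistence pattern described above (two autostart services backed by byte-identical executables) can be hunted for directly on a host. The following PowerShell is an added example written for this alert, not code from Rewterz or from the malware analysis; it assumes it is run elevated on the Windows host being checked and that service image paths may carry quotes and arguments, which it strips before hashing.

```powershell
# Added example: flag pairs of autostart services whose executables are
# identical copies of each other, the structural pattern GoldenSpy uses.
# Assumption: run elevated so every service binary is readable for hashing.

function Get-AutostartServiceBinaries {
    # Win32_Service exposes StartMode and the raw PathName of every service.
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.StartMode -eq 'Auto' -and $_.PathName } |
        ForEach-Object {
            $raw = $_.PathName.Trim()
            # Quoted path: take the text inside the first pair of quotes.
            # Unquoted path: take everything up to the first ".exe" token.
            if ($raw.StartsWith('"')) {
                $exe = $raw.Split('"')[1]
            } elseif ($raw -match '^(.*?\.exe)') {
                $exe = $Matches[1]
            } else {
                $exe = $raw.Split(' ')[0]
            }
            if (Test-Path -LiteralPath $exe -PathType Leaf) {
                [pscustomobject]@{
                    Name   = $_.Name
                    Path   = $exe
                    Sha256 = (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash
                }
            }
        }
}

function Find-DuplicateServiceBinaries {
    param([Parameter(Mandatory)][object[]]$Services)
    # Group by content hash. Requiring two or more DISTINCT paths per hash is
    # what separates "two copies of one binary" from the many legitimate
    # services that all share a single svchost.exe image path.
    $Services |
        Group-Object -Property Sha256 |
        Where-Object { @($_.Group.Path | Sort-Object -Unique).Count -ge 2 } |
        ForEach-Object {
            [pscustomobject]@{
                Sha256   = $_.Name
                Services = ($_.Group.Name -join ', ')
                Paths    = (($_.Group.Path | Sort-Object -Unique) -join ', ')
            }
        }
}

$hits = Find-DuplicateServiceBinaries -Services @(Get-AutostartServiceBinaries)
if ($hits) { $hits | Format-Table -AutoSize } else { 'No duplicate autostart service binaries found.' }
```

Any hit should be reviewed together with the service descriptions and install dates, since the alert notes that each copy respawns the other, so stopping one service alone is not sufficient evidence of cleanup.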

Impact

  • Data exfiltration
  • Exposure of sensitive data

Indicators of Compromise

Remediation

  • Block all threat indicators at your respective controls.
  • Always be suspicious about emails sent by unknown senders.
  • Never click on the links/attachments sent by unknown senders.