

Rewterz Threat Alert – Leviathan APT Campaign
June 29, 2020
Rewterz Threat Advisory – CVE-2020-2021 – Palo Alto Authentication Bypass in SAML Authentication
June 29, 2020
Severity
High
Analysis Summary
A newly discovered attack campaign infiltrated a UK-based technology company via tax payment software. The attackers could run Windows commands, create new users, move laterally, and upload code to execute malware. They could also potentially use this network access to exfiltrate data. The GoldenSpy malware installs two identical copies of itself, both as persistent autostart services; if either stops running, it respawns its counterpart. In addition, it uses an EXEProtector module that monitors for the deletion of either copy and, if one is deleted, downloads and executes a new version. Researchers believe that this triple-layer protection makes it exceedingly difficult to remove this kind of file from an infected system.
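As an added example (not part of the Rewterz advisory), a defender's check for the dual-service layout described above: it groups autostart services by the SHA-256 of their image file and reports any hash that is registered under two or more distinct service names. The service names, file names and inventory are constructed for the demo; on a real host the (name, image path) pairs would be read from the Service Control Manager's registry keys.

```python
# Added example (not from the advisory): flag autostart services whose image
# files are byte-identical copies registered under different names, the
# dual-service watchdog layout described above. Inventory is constructed.
import hashlib
import tempfile
from collections import defaultdict
from pathlib import Path

def sha256_of(path: Path) -> str:
    """Hash a file in chunks so a large service binary is not read into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def find_duplicate_service_binaries(services):
    """Return {sha256: [names]} for every hash shared by 2+ distinct services.
    services: iterable of (service_name, image_path). Missing files are skipped:
    a deleted copy is the state EXEProtector reacts to; its twin still gets hashed.
    """
    by_hash = defaultdict(set)
    for name, image_path in services:
        p = Path(image_path)
        if p.is_file():
            by_hash[sha256_of(p)].add(name)
    return {h: sorted(names) for h, names in by_hash.items() if len(names) > 1}

def build_sample_inventory():
    """Constructed sample: two services sharing one binary, one benign, one deleted."""
    root = Path(tempfile.mkdtemp(prefix="svc_demo_"))
    twin = b"MZ" + b"\x00" * 64 + b"constructed twin payload"
    (root / "copy_a.exe").write_bytes(twin)
    (root / "copy_b.exe").write_bytes(twin)
    (root / "legit.exe").write_bytes(b"MZ" + b"\x00" * 64 + b"unrelated binary")
    return [
        ("SvcCopyA", root / "copy_a.exe"),
        ("SvcCopyB", root / "copy_b.exe"),
        ("LegitSvc", root / "legit.exe"),
        ("GoneSvc", root / "missing.exe"),
    ]

if __name__ == "__main__":
    for digest, names in find_duplicate_service_binaries(build_sample_inventory()).items():
        print(f"{digest[:16]}... shared by services: {', '.join(names)}")
```

A hit is only a lead: legitimate software occasionally registers the same binary under several service names, so confirm the finding against the vendor's signature and the autostart entries before acting.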
Impact
- Data exfiltration
- Exposure of sensitive data
Indicators of Compromise
Remediation
- Block all threat indicators at your respective controls.
- Always be suspicious of emails sent by unknown senders.
- Never click on links or open attachments sent by unknown senders.