

Rewterz Threat Advisory – CVE-2019-10955 – Rockwell Automation MicroLogix 1400 and CompactLogix 5370 Controllers
April 24, 2019
Rewterz Threat Advisory – Oracle Linux update for kernel Denial of Service Vulnerabilities
April 25, 2019
Severity
Medium
Analysis Summary
The following malspam campaigns have been observed:
- One Microsoft Word document was reported containing a PowerShell script that downloads a payload. The payload collects system information and sends it to a command-and-control (C2) server.
- Other emails were reported that appear to be linked to the Cobalt Group.
- Another phishing email was reported that leads to malicious bot communications.
- A phishing email that appears to come from Fedmont Federal Credit Union, with the subject “FW- New Delivery Web PO #84720[1][13]”, was also reported.
- An Emotet malspam campaign has been observed. The Indicators of Compromise retrieved from it are listed below.
Impact
- Emotet
- Malware Infection
Indicators of Compromise
IP(s) / Hostname(s)
- 108.188.116[.]179
- 133.242.156[.]30
- 138.201.140[.]110
- 147.135.210[.]39
- 167.114.210[.]191
- 167.99.57[.]70
- 173.255.196[.]209
- 178.152.64[.]225
- 186.113.255[.]229
- 187.189.195[.]208
- 190.51.51[.]93
- 190.97.219[.]241
- 195.8.208[.]243
- 200.113.185[.]229
- 200.50.185[.]54
- 201.212.49[.]246
- 201.220.152[.]101
- 201.236.95[.]82
- 203.143.86[.]111
- 208.78.100[.]202
- 212.122.71[.]196
- 217.13.106[.]160
- 24.243.101[.]134
- 31.167.109[.]122
- 38.131.14[.]154
- 45.55.188[.]248
- 47.180.177[.]96
- 5.230.147[.]179
- 50.31.0[.]160
- 51.38.185[.]70
- 58.171.215[.]214
- 62.75.187[.]192
- 64.13.225[.]150
- 69.198.17[.]7
- 70.57.82[.]196
- 72.206.89[.]66
- 72.214.54[.]39
- 73.183.131[.]231
- 83.222.124[.]62
- 85.104.59[.]244
- 87.106.139[.]101
- 87.106.210[.]123
- 89.211.201[.]179
- 94.76.200[.]114
Domains
- 8501sanl[.]com
- northpolls[.]com
- nownowsales[.]com
- oukaimeden[.]org
- pearlywhites[.]co[.]in
Filenames
- 81541312341528.doc
- 7Ag.exe
- dism
Email Subjects
- Agreement paragraphs
- FW: New Delivery Web PO #84720[124]
- FW- New Delivery Web PO #84720[1][13]
- Payroll
- March Statement – Payroll
Malware Hashes (SHA256)
- 406c1f0b376f8f2f8c0e5988bfbd90d07dacdbfd76cc62d5c522a846384d25e1
- d58ca69e03c4f1e840867f1f6c5a2a927164393698bfde6fbb4f1112e7dfd1d9
Remediation
- Search for the indicators above in firewall, proxy, DNS, mail-gateway and endpoint logs, and block them at the corresponding control if found. Emotet infrastructure rotates quickly, so treat these indicators as a point-in-time snapshot and retire them once they stop producing hits.
- Alert on, or block, Microsoft Word spawning PowerShell; the Word document in this campaign uses PowerShell to fetch its payload.
- Do not open attachments or click links in unexpected emails, including emails that appear to come from a familiar organisation, as in the credit-union lure above.