

Rewterz Threat Alert – Latest IOC’s – TrickBot
April 22, 2020
Rewterz Threat Alert – AgentTesla – IOCs
April 22, 2020
Severity
High
Analysis Summary
A new active sample has been detected that is linked to the North Korean Advanced Persistent Threat group known as Lazarus or Hidden Cobra. The sample uses template injection to execute a malicious macro and drop a backdoor onto the target system, giving the attacker remote control of the target computer. It is likely delivered via an Office file detected as a Trojan dropper. Common attack methods of this group include exploiting zero-days, spearphishing, malware, disinformation, backdoors and droppers. The group is a financially motivated threat actor and has been linked to major breaches over the past decade. The attack may also exploit two Microsoft Office vulnerabilities: CVE-2017-11882, a memory corruption vulnerability, and CVE-2017-0199, a remote code execution vulnerability.
Impact
- Remote Code Execution
- Unauthorized Remote Access
Indicators of Compromise
MD5
- 26d6177ec7abf13a8500e6de4794a268
- 4c239a926676087e31d82e79e838ced1
SHA-256
- 34837b01c2c390477d32efc0f14d77e76094ec42402ae6509cf769c61a18fcd9
- 34b4546e3468238702df24794e598add494beaeacf95df10af54d88b3d241e8a
SHA-1
- c096807e801d7cf978262758f2665c3be3d27e9d
- 2bef437c6e7ed3c438d23e6cac0a7ffb9d2f3e26
Remediation
- Block the threat indicators at their respective controls.
- Use an updated version of Microsoft Office.
- Do not execute untrusted files downloaded from any source.
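The template injection described in the summary works by pointing a document's attached-template relationship at an external location, so a defender can triage Office files by inspecting that relationship part and comparing the file hash with the indicators above. The following is an added example written for this page, not Rewterz's or Lazarus-related code; the .docx it inspects is a constructed test file, and the target URL in it is a placeholder.

```python
import hashlib
import io
import xml.etree.ElementTree as ET
import zipfile

# SHA-256 indicators published in this alert.
IOC_SHA256 = {
    "34837b01c2c390477d32efc0f14d77e76094ec42402ae6509cf769c61a18fcd9",
    "34b4546e3468238702df24794e598add494beaeacf95df10af54d88b3d241e8a",
}
# Word records an attached template in this relationship part; an External
# target here is the remote template injection pattern the summary describes.
RELS_PART = "word/_rels/settings.xml.rels"
PKG_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
TEMPLATE_REL = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                "relationships/attachedTemplate")

def external_templates(docx_bytes):
    """Return the Target of every external attachedTemplate relationship."""
    targets = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if RELS_PART not in z.namelist():
            return targets
        root = ET.fromstring(z.read(RELS_PART))
        for rel in root.iter("{%s}Relationship" % PKG_NS):
            if rel.get("Type") == TEMPLATE_REL and rel.get("TargetMode") == "External":
                targets.append(rel.get("Target", ""))
    return targets

def assess(docx_bytes):
    """Return (sha256, findings): an IOC hash hit and/or remote template targets."""
    digest = hashlib.sha256(docx_bytes).hexdigest()
    findings = []
    if digest in IOC_SHA256:
        findings.append("hash matches alert IOC")
    findings += ["remote template: " + t for t in external_templates(docx_bytes)]
    return digest, findings

def build_sample(target=None):
    """Constructed test file (not a real sample): minimal .docx zip, optionally with an external template link."""
    rel = ('<Relationship Id="rId1" Type="%s" Target="%s" TargetMode="External"/>'
           % (TEMPLATE_REL, target)) if target else ""
    rels = '<Relationships xmlns="%s">%s</Relationships>' % (PKG_NS, rel)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr(RELS_PART, rels)
    return buf.getvalue()
```

Run `assess()` over files from a mail gateway quarantine or an endpoint's download folder; a non-empty findings list is a triage signal, not proof of infection, since legitimate documents can also reference external templates.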