Rewterz

Rewterz Threat Alert – Latest IOC’s – TrickBot

April 22, 2020
Rewterz

Rewterz Threat Alert – AgentTesla – IOCs

April 22, 2020

Rewterz Threat Alert – North Korean Lazarus Active Again

Severity

High

Analysis Summary

A new active sample is detected that is being linked to the Advanced Persistent Threat group from North Korea, called Lazarus or Hidden Cobra. The sample leverages template injection to execute malicious macro and drop a backdoor to a target system, meant to control the target computer remotely. It’s likely delivered via an office file detected as a Trojan dropper. Common attack methods of this group include exploiting zero-days, spearphishing, malware, disinformation, backdoors, droppers, etc. The group is a financially motivated threat actor and has been linked with major breaches over this past decade. The attack may also be exploiting two vulnerabilities in Microsoft Office; CVE-2017-11882, a memory corruption vulnerability and CVE-2017-0199, a remote code execution vulnerability.

Impact

  • Remote Code Execution
  • Unauthorized Remote Access

Indicators of Compromise

MD5

  • 26d6177ec7abf13a8500e6de4794a268
  • 4c239a926676087e31d82e79e838ced1

SHA-256

  • 34837b01c2c390477d32efc0f14d77e76094ec42402ae6509cf769c61a18fcd9
  • 34b4546e3468238702df24794e598add494beaeacf95df10af54d88b3d241e8a

SHA1

  • c096807e801d7cf978262758f2665c3be3d27e9d
  • 2bef437c6e7ed3c438d23e6cac0a7ffb9d2f3e26

Remediation

  • Block the threat indicators at their respective controls.
  • Use an updated version of Microsoft Office.
  • Do not execute untrusted files downloaded from any source.

Reading this advisory was a good start.

Make it a habit.

Rewterz publishes threat advisories ahead of mainstream cybersecurity media, informed by an AI-Native Autonomous SOC that sees regional threat actor activity in real time. Subscribe to receive each new advisory as it publishes, plus a monthly Middle East threat landscape brief drawn from our own SOC telemetry. For teams evaluating their detection coverage, a 30-minute consultation with a senior analyst is also available, at your pace, when you're ready.