

Severity
Medium
Analysis Summary
Researchers have tracked an obfuscated VBScript package used in campaigns since March 2020. Initially the campaign focused on targets within Germany, but it has since expanded to additional targets, excluding any IP address within Russia or North Korea, and may later shift its focus toward the Asian region. The VBScripts began in March by delivering Zloader, as previously identified, and have since evolved into a delivery mechanism for trojans such as Ursnif, Qakbot, and Dridex in addition to Zloader.
The email the target receives contains a ZIP attachment that appears to be an invoice, specifying the amount of the transaction, the date, and a transaction number. The goal here, as in most emails carrying false invoices, is that the target will not pay careful attention to the email before opening the attachment.

Simple obfuscation, or even less-simple obfuscation, of interpreted languages like VBScript is often enough for attackers to bypass scanning solutions.
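As an added example (not from the advisory) of the kind of triage check a mail gateway or analyst could apply to such attachments, the script below builds a constructed invoice-style ZIP in memory, extracts any script entries, and scores them on simple obfuscation indicators (dynamic evaluation plus dense Chr() string building). The file names, thresholds and sample script are assumptions.

```python
import io
import re
import zipfile

# Constructed sample: a ZIP "invoice" carrying a VBScript that assembles a
# string from Chr() calls and hands it to Execute, a common obfuscation style.
SAMPLE_VBS = (
    'Dim s\r\n'
    's = Chr(77) & Chr(115) & Chr(103) & Chr(66) & Chr(111) & Chr(120)\r\n'
    'Execute s & "(" & Chr(34) & "hi" & Chr(34) & ")"\r\n'
)

def build_sample_zip() -> bytes:
    """Build the constructed invoice-style ZIP entirely in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Invoice_4471.vbs", SAMPLE_VBS)   # assumed file name
        zf.writestr("readme.txt", "Invoice attached.")  # non-script entry
    return buf.getvalue()

SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf")
# Heuristics: dynamic evaluation and character-by-character string building.
PATTERNS = {
    "dynamic_eval": re.compile(r"\b(Execute|ExecuteGlobal|Eval)\b", re.I),
    "chr_calls": re.compile(r"\bChrW?\s*\(", re.I),
    "concat_ops": re.compile(r"&"),
}

def score_script(text: str) -> dict:
    """Count obfuscation indicators and return counts plus a simple verdict."""
    counts = {name: len(rx.findall(text)) for name, rx in PATTERNS.items()}
    lines = max(1, text.count("\n"))
    counts["chr_per_line"] = counts["chr_calls"] / lines
    # Assumed threshold: dynamic eval present and >= 2 Chr() calls per line.
    counts["suspicious"] = counts["dynamic_eval"] > 0 and counts["chr_per_line"] >= 2
    return counts

def scan_zip_attachment(data: bytes) -> list:
    """Return one finding per script entry in the archive, with its score."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.filename.lower().endswith(SCRIPT_EXTS):
                text = zf.read(info).decode("latin-1")
                findings.append({"name": info.filename, **score_script(text)})
    return findings

if __name__ == "__main__":
    for finding in scan_zip_attachment(build_sample_zip()):
        print(finding)
```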
Impact
- Credential theft
- Data breach
- Exposure of sensitive data
- Financial loss
Indicators of Compromise
SHA1
Remediation
- Block all threat indicators at your respective controls.
- Search for IOCs in your existing environment.
- Always be suspicious about emails sent by unknown senders.
- Never click on the links/attachments sent by unknown senders.