
Rewterz Threat Alert – REVIL/SODINOKIBI MALWARE Campaign Targeting Financial Sector

Severity

High

Analysis Summary

A recent campaign targeting the financial sector, linked to the REvil/Sodinokibi ransomware family, has been identified. Often referred to as Ransomware-as-a-Service (RaaS), the TTPs used in each campaign may vary from one another. REvil/Sodinokibi threat actors often use techniques such as lateral movement and gaining access to the domain controller / Active Directory.

In a recent campaign, a bank in Latin America was targeted with REvil/Sodinokibi malware: users were targeted via a phishing campaign carrying a malicious attachment or link. The attachment was likely opened, which gave the threat actors a way into the victim network. This access was used to move laterally within the network to the domain controller, from which the REvil/Sodinokibi ransomware was eventually deployed to connected systems.


Impact

  • Data exfiltration
  • File encryption

Indicators of Compromise

MD5

SHA-256

SHA1

URL

  • hxxp[:]//aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd[.]onion/

Remediation

  • Block all threat indicators at your respective controls.
  • Search for IOCs in your environment.
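A way to carry out the second remediation step, added here as an example and not part of the Rewterz advisory: it extracts MD5, SHA1 and SHA-256 indicators from advisory text as listed above, hashes every file under a directory in one pass, and reports matches. The function names (load_iocs, digest_file, sweep, demo) and the sample files and hash values in demo are constructed for illustration, not real indicators.

```python
import hashlib
import os
import re
import tempfile
from pathlib import Path

# Hex tokens of the three lengths the advisory lists: MD5 (32), SHA1 (40), SHA-256 (64).
HEX_HASH = re.compile(r"\b(?:[0-9a-fA-F]{64}|[0-9a-fA-F]{40}|[0-9a-fA-F]{32})\b")
ALGOS = ("md5", "sha1", "sha256")
CHUNK = 1 << 20  # read files in 1 MiB chunks so large binaries do not sit in memory

def load_iocs(text):
    """Extract hash indicators from advisory text (bullets, blank lines) into a lowercase set."""
    return {m.group(0).lower() for m in HEX_HASH.finditer(text)}

def digest_file(path):
    """Compute MD5, SHA1 and SHA-256 of a file in a single pass over its bytes."""
    hashers = [hashlib.new(a) for a in ALGOS]
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            for h in hashers:
                h.update(chunk)
    return {a: h.hexdigest() for a, h in zip(ALGOS, hashers)}

def sweep(root, iocs):
    """Walk root and return (path, algo, digest) for every file whose digest is in iocs."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digests = digest_file(path)
            except OSError:  # unreadable or vanished file: skip it, keep sweeping
                continue
            hits.extend((path, a, d) for a, d in digests.items() if d in iocs)
    return hits

def demo():
    """Constructed scenario: one 'suspect' file whose SHA-256 is in the IoC set."""
    sample = b"constructed sample content, not real malware\n"
    # Constructed advisory snippet; the hash is that of the sample above, not a real IoC.
    advisory = "SHA-256\n\n  \u2022 %s\n" % hashlib.sha256(sample).hexdigest().upper()
    iocs = load_iocs(advisory)
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "benign.txt").write_bytes(b"nothing to see here\n")
        Path(tmp, "sub").mkdir()
        Path(tmp, "sub", "suspect.bin").write_bytes(sample)
        hits = sweep(tmp, iocs)
    return sorted((os.path.basename(p), a) for p, a, _ in hits)
```

Feed load_iocs the advisory's indicator section and point sweep at the paths you want checked; a hit means the file's digest equals a listed indicator, so it should be treated as a confirmed match rather than a heuristic.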