Severity
High
Analysis Summary
A ransomware attack on two state-run organizations in the Middle East and North Africa was detected that ultimately installed and ran a variant of the Thanos ransomware. The Thanos variant created a text file that displayed a ransom message requesting the victim to transfer “20,000$” into a specified Bitcoin wallet to restore the files on the system. Below is the ransom note found on encrypted machines.

The threat group behind these tools already had access to the networks, having previously obtained valid credentials for them. The Thanos sample built for these networks executes several layers before the .NET Thanos ransomware runs on a system, and those layers draw on code from several open source frameworks. The outermost layer is a PowerShell script that loads a second PowerShell script as a sub-layer and also attempts to spread the ransomware to other systems on the network using the previously stolen credentials.

The ransomware was also configured to overwrite the master boot record (MBR), the component at the start of a system’s hard drive that the computer needs in order to locate and load the operating system. It overwrites the MBR so that the machine displays the same ransom message as the text file mentioned above.

Thanos was first discovered in February 2020, when it was advertised for sale on underground forums. Its code overlaps with other ransomware variants such as Hakbit, and it comes with a builder that lets the user customize a sample from a variety of available settings. The ransomware appears to still be under active development, as we observed newly added functionality in the samples built to run on the Middle Eastern and North African state-run organizations.
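The MBR overwrite described above can be detected from disk sector 0 alone. The following Python is an added example (not Rewterz’s code and not taken from the Thanos sample): it flags an MBR whose boot signature, partition table or bootstrap code no longer look like a real boot sector. It assumes you read the raw 512-byte sector yourself and recorded a baseline hash while the host was clean; the two sample sectors are constructed.

```python
import hashlib
import struct

# Assumed (not from the alert): caller reads sector 0 of the boot disk itself,
# e.g. \\.\PhysicalDrive0 on Windows, and recorded a baseline hash while clean.
SECTOR = 512
BOOTCODE_LEN = 446  # bootstrap code; the 4 x 16-byte partition table follows
SIG_OFF = 510       # 0x55AA boot signature


def mbr_findings(mbr: bytes, baseline_sha256: str = "") -> list:
    """Return findings for a raw 512-byte MBR; empty list means nothing suspicious."""
    if len(mbr) != SECTOR:
        return ["unexpected length %d, expected %d" % (len(mbr), SECTOR)]
    findings = []
    # A plain-text note written over sector 0 destroys the boot signature.
    if mbr[SIG_OFF:] != b"\x55\xaa":
        findings.append("boot signature 0x55AA missing")
    # Partition entries start with 0x00 (inactive) or 0x80 (active); printable
    # bytes there mean the table itself was overwritten.
    active = 0
    for i in range(4):
        status = mbr[BOOTCODE_LEN + 16 * i]
        if status not in (0x00, 0x80):
            findings.append("partition %d: invalid status byte 0x%02x" % (i, status))
        active += status == 0x80
    if active > 1:
        findings.append("more than one active partition")
    # Genuine bootstrap code is mostly non-printable; a ransom note is not.
    printable = sum(32 <= b < 127 for b in mbr[:BOOTCODE_LEN])
    if printable > BOOTCODE_LEN // 2:
        findings.append("bootstrap area is mostly printable text")
    # Any change to the bootstrap code versus the clean baseline is reported.
    if baseline_sha256 and hashlib.sha256(mbr[:BOOTCODE_LEN]).hexdigest() != baseline_sha256:
        findings.append("bootstrap code differs from baseline")
    return findings


def sample_clean_mbr() -> bytes:
    """Constructed stand-in for a healthy MBR: tiny stub plus one active NTFS entry."""
    stub = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c\xfb"  # cli; xor ax,ax; mov ss,ax; mov sp,0x7c00; sti
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 2048, 1 << 20)
    return stub + b"\x00" * (BOOTCODE_LEN - len(stub)) + entry + b"\x00" * 48 + b"\x55\xaa"


def sample_overwritten_mbr() -> bytes:
    """Constructed stand-in for sector 0 after a ransom note was written over it."""
    note = b"[constructed sample] Your files are encrypted. Contact us to restore them."
    return note + b"\x20" * (SECTOR - len(note))
```

Run `mbr_findings(sector, baseline)` against the real sector 0 on a schedule or at boot; any non-empty result on a machine that has not been legitimately re-partitioned deserves a look.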
Impact
- File encryption
- MBR overwrite
- Possible financial loss
- Network-wide infection
Indicators of Compromise
Source IP
- 107[.]174[.]241[.]175
URL
- http[:]//107[.]174[.]241[.]175[:]80/index[.]php
Remediation
- Block the threat indicators at their respective controls.
- Implement a strong password policy and implement multi-factor authentication where possible.