Rewterz

Rewterz Threat Advisory – CVE-2020-3960 – VMware ESXi, Workstation and Fusion information disclosure Vulnerability

June 11, 2020
Rewterz

Rewterz Threat Alert – IOCs- LokiBot Malware

June 12, 2020

Rewterz Threat Alert – Valak Malware and the Connection to Gozi Loader

Severity

High

Analysis Summary

The malware Valak is a multi-stage, script-based package that researchers have observed re-using Gozi’s infrastructure. Once installed, Valak captures emails from the system, weaponizes it, and then sends it out in what is known as a “Reply Chain Attack”. The concept behind this form of attack is that users may be trained to recognize phishing emails, but if an incoming email appears to be part of a chain of discussion they were already involved with, their guard may be relaxed. It also means that the attackers do not have to invest time and effort in creating email accounts that look legitimate. As for the confusion with Gozi, in a recent campaign utilizing Valak, the final payload delivery steps were quite similar to a Gozi infection and actually used the same storage server as Gozi attacks had used.

Impact

  • Information theft
  • Exposure  of sensitive data 

Indicators of Compromise

SHA1

  • 435ec42fefc05eba0a8005256c815979877d430a
  • 693e681e7be554e50e4ff9bf7cbfe5aeab3fe91f
  • e22b404e1fec743f0795cdea8a95337660878860
  • dba1337a0a8293b721642b8b45a86352bcdfd04f
  • 4d33425d7031284cf5ee323dc616d9f84987dc0d
  • 17b74a4c3f43c21504b355b1ffc333280ef4cd74
  • 7f58d22d9e95f65170acadd05e324ec2d8ef13f6
  • 9be234bf2268f4e055ea59cf7bef76781a36c35c
  • 19f481063ca956688824e3cc022b8eedb6dd0bea
  • 4ae3ed6c1ab2fe41daf6f650a54dae63684d2064
  • 30fd553dedfadc81522adf37e11dfc4039d4ea31

Remediation

  • Block all threat indicators at your respective controls.
  • Always be suspicious about emails sent by unknown senders.
  • Never click on the links/attachments sent by unknown senders.
  • Search for IOCs in your environment.

Reading this advisory was a good start.

Make it a habit.

Rewterz publishes threat advisories ahead of mainstream cybersecurity media, informed by an AI-Native Autonomous SOC that sees regional threat actor activity in real time. Subscribe to receive each new advisory as it publishes, plus a monthly Middle East threat landscape brief drawn from our own SOC telemetry. For teams evaluating their detection coverage, a 30-minute consultation with a senior analyst is also available, at your pace, when you're ready.