Threat Report

Get your hot keys ready, we have a boatload of indicators for you to copy and paste this week. But first, we need to cover some recent events in security.

The IDF showed off military response to cyber threats with video release, APT Buckeye was hitting bullseyes a year early in timeline revelation, and ransomware was getting busy on both sides of the pond in two recently disclosed breaches.

Last but not least, we have details on a new variant of a familiar banking trojan that’s got stealthy tricks up its sleeve.

IDF goes above and beyond to respond to cyber threat

How far do you go in response to cyber threats? On Saturday, Israel Defense Forces (IDF) announced that a building used by Hamas cyber operatives was bombed as part of a joint retaliation operation with the Israel Security Agency (Shin Bet) and Unit 8200 of Military Intelligence, following an unsuccessful cyber-attack against Israel.

IDF’s attack on the Hamas cyber operations center came during intensive fire exchanges between Israel and the Palestinians, which led to the exchange of roughly 900 rockets and, eventually, with an Egyptian-mediated cease-fire that began Monday 4:30 A.M.

This is the first time Israel responded to state-backed hacking attempts with force, effectively moving cyber-attacks into the war theater and making it clear that similar future endeavors might also be facing a comparable reaction.

However, this is not the first time we’ve seen military force in response to cyber threats.

It is unclear at present what the aim was of the unsuccessful Hamas cyber-attack which prompted military response.

Buckeye using Equation Group exploits one year before Shadow Brokers

New evidence has been found that cyber espionage group APT3 (aka Buckeye) began using the Equation Group Tools in attacks 14 months prior to the Shadow Brokers leak.

Buckeye had been active since at least 2009 and is known for exploiting 0-day vulnerabilities. In recent attacks, Buckeye began using a custom exploit kit named “Bemstour” that exploits two Windows 0-days to achieve a remote kernel code execution on targeted computers. Then they deploy the DOUBLEPULSAR backdoor, which was released in 2017 by the Shadow Brokers.

Some of the Shadow Brokers set of tools and techniques were used by APT3 during an attack on an educational institution in Hong Kong on March 2016, a year before Shadow Brokers used the Equation Group exploits.

Additionally, the variant of DOUBLEPULSAR used in first attacks performed by APT3 was different from that leaked by the Shadow Brokers because it contains a code to target newer versions of Windows and includes an additional layer of obfuscation.

Hashes

7020bcb347404654e17f6303848b7ec4 
c2f902f398783922a921df7d46590295 
aacfef51a4a242f52fbb838c1d063d9b 
3dbe8700ecd27b3dc39643b95b187ccfd44318fc88c5e6ee6acf3a07cdaf377e 
0d2d0d8f4989679f7c26b5531096b8b2 
cbe23daa9d2f8e1f5d59c8336dd5b7d7ba1d5cf3f0d45e66107668e80b073ac3 
7bfad342ce88de19d090a4cb2ce332022650abd68f34e83fdc694f10a4090d65 
58f784c7a292103251930360f9ca713e 
6458806a5071a7c4fefae084791e8c67 
6b1f8b303956c04e24448b1eec8634bd3fb2784c8a2d12ecf8588424b36d3cbc 
951f079031c996c85240831ea1b61507f91990282daae6da2841311322e8a6d7 
a3932533efc04ac3fe89fb5b3d60128a 
1c9f1c7056864b5fdd491d5daa49f920c3388cb8a8e462b2bc34181cef6c1f9c 
01f53953db8ba580ee606043a482f790082460c8cdbd7ff151d84e03fdc87e42 
53145f374299e673d82d108b133341dc7bee642530b560118e3cbcdb981ee92c 
a469d48e25e524cf0dec64f01c182b25 

MegaCortex and RobinHood ransomware in the UK and U.S. making news

A recent report released on Reddit confirmed that the Wolters Kluwer, a publishing information service provider in the UK, was infected by MegaCortex ransomware. On May 6, Wolters Kluwer noticed a number of technical anomalies in their platforms and applications following the detection of the installation of the malware on its platform.

Wolters responded immediately to take a broader range of platforms and applications offline to limit the impact of the MegaCortex ransomware. On the following day, Wolters was able to restore service to a number of applications and platforms. In their findings, Wolters believes that no customer data was taken and leaked. Wolters Kluwer is currently working to restore all UK services following a reported MegaCortex ransomware attack.

On the other side of the pond, the city of Baltimore was hit by a ransomware attack that forced the shutdown of most city servers. City Hall employees were instructed to unplug Ethernet cables and turn off computers, printers, and other devices, Democratic city councilman Ryan Dorsey said to the publication. He indicated the attack was “spreading computer to computer.”

Lester Davis, a spokesman for Democratic mayor Bernard C. “Jack” Young, noted this attack was similar to the ransomware campaign that infected Greenville, NC, last month. In that case, officials found a form of ransomware called RobinHood. It has not yet been determined which specific type of threat has been used in this particular attack against Baltimore.

This marks the second time ransomware has hit Baltimore. In March 2018, a cyberattack infected the city’s 911 dispatch system and took down automated dispatches for 911 and 311 calls.

New Qakbot variant of banking trojan hides to avoid detection

A new variant of Qakbot has been observed in the wild which improves its evasion skills and techniques that can make it harder for users to detect and remove the infection.

Qakbot, also known as Qbot, is a banking trojan that is used by threat actors to steal banking credentials and financial data which then creates backdoors on compromised machines. Additionally, the malware has utilized scheduled tasks to maintain persistence. The malware starts its infection via a dropper on a targeted machine.

Once infected, the victim’s machine will create a scheduled task to execute a JavaScript downloader that makes a request to one of several hijacked domains. The downloader will grab two files containing encrypted data from one of the hijacked domains used by the attackers that will be saved as (randalpha)_1.zzz and (randalpha)_2.zzz.

The first 1,000 bytes of data are saved to the first .zzz file, while the remainder goes to the second file. The second scheduled task added by Qakbot will be used to re-assemble the decrypted data from the two downloaded .zzz files with the help of a specially-crafted batch file.

According to Talos, a spike in requests to the hijacked domains was first observed on April right after a number of changes were also made during March 19, 2019. Additionally, the comment string is contained within the malicious JavaScript downloader, suggesting that actors updated the code on March 15, 2019.

The new capabilities were added at the start of the newly detected malware campaign. Because of this update to persistence mechanisms, the transfer of the malicious Qbot binary will be obfuscated to the point that some security products could miss it.

We’re going out with a bang of indicators. Happy copy and pasting. For Perch customers, we’ve checked and we’ve reached out to you if we saw any hits.

Domains

lg.prodigyprinting[.]com 
layering.wyattspaintbody[.]net 
painting.duncan-plumbing[.]com 
hp.prodigyprinting[.]com 

Hashes

bd1190f7470b3219446024c9b85d1533d5ba56d24bcc618adfb05333c350ec8b 
cd00617dd8eac1a70bff92d029861487197eb486deb0c4c66542af50309bc535 
20e53f19fb58b36c93fff100d0e003ff6e88017d6ee6ae8e56d72ba3e1827250 
c97049d43b38577c01ef508c6ba5f6d15a3002728e5896b5d4982ee206a12a8b 
e3f9e76406739c68be2cd6a228131a63662e16fcf757c6251f5e4d0905ab3cd0 
fe294978397abe1f23b88e47a94d516c977cd0c9cb368bcdc20f5f3899daf6bd 
386796dcf6f731d43182b57dcaf1f7a9db346f84fdde59ea4c40e574983dd4e3 
8b88a48e14aec83e1c87fe6ca7a66ad718a82276766756f5741fb446bfc0db8f 
6e840301949f41830b927ef569e581d349820387a3ff45a90ef4ec8e4f6f0e86 
0dbf3f0a6a6b77eddd6e63849f2cea98edb855847a51ec313e7b764c5a5a3a59 
630ba9a1630e90bdbe3d1f63161dc07714818f5b3010f6f9af6e624746529975 
82bf2bf053fc21efd2b09403bb489d1f32e30ff4523a50963f05394524264ac6 
8fa303e89e0f25b4929d3a175c948e3b5a1b257a50911f3eeaaab7f3218077e3 
52b9d903cf6e578f781af3b1f38263fb2d81282a188e25cacf765d723d3de563 
c075b937f4ad0b6077253ad1ebc8cf531c6f1ba167f90cd6ed77fc7a44684340 
bddac88644d3e23abba825283df777b76676b5348fd7225aa3dc3ead39ff7201 
45cbe796d27e48e8983eba169a72c5c3da03053ffd9ea519173482bed8af666e 
63cb6cf78b6263ccb6308de73f8084debacf62b88315809473f5b7ffbf9fcbf8 
104d491cd7c6e3f7930edb780bed08fc88012a0f7f77f01ef987f270c9169b49 
33e97cb8c1508b7795748e54634ebcd9b04259f14ef1f5dce32bad765885649a 
a0ea5b224ee2a85334cf434805edb9dd57b100975fd3c0a564b03d28a5203ee2 
7086dd6a001e339ae9f789301de2fda398964799094587d55a8860199cdcbcba 
78b83e6f1612dd86338faadbccd2b05ecdbcdf221ab694daa6fe1ce0928e2d68 
f9969aaab5276399d486a0619840e41e63340c1106f1e2652eb098052d8a2241 
485dda6eb0574979a04ba831df8ca0588cf034b3005d17153fb56088d31fd487 
68b9de2981e3d74fbc83b3e26a45eda5611fd1791362d775e12b6db5f1f5f646 
75822e46bf9e827346da33141b8b69bb6210a29f2996d246d565e9567f95e9fe 
83a60ac3d70283ff82eeacdb500a204170c5ffcc6f59cbc30c0e7a5410ecb293 
edf907d35b16877a6ff344bdb62852f0f1c418bc4f83072b518204e398e61365 
e30ddbd161e44cf7823b1850604d1cf87d4b9c9af8d0407bde05e7bb758a0559 
89b01325e7a7a8e41d598d07efec7ade3b5da72a97d0a02054c8be8edf41ceb7 
78e917a47f28905498694ec901ae7619c46c71d5f57879ad0a43a451d107b8a1 
47df7cecfaf49a99c3ac8ebd5b47e4afe46658428dfc4818d7a968e0d84d6e19 
4efdd3448fbaaa164c0735891512ece65f78d9160ffef0f1983e9539b1c502d7 
9430fe8f223db4b551ed77e61ac6d38efee348940018ae9e1c15827f53cc618d 
3bd16f8213ff33b7e6ad5ba0974c2674e9a8f5a4b2a914006dbe060cec57d56e 
c77ed215f5ca3eb4b5ab6926b32392c4d58bcaaa9ad1d585632372e7f059360f 
3f1eb5d603074d6d56d99cad4a31fad015e45855e9dbf0ea3ae1969077358a25 
4ca4665d30d38df77d13ed756d2310faaabc42e3eb3a1b18c26e1698f3e073bd 
7772c892e7a846a7c7d852b73237f2d5e3aea485d423ddccfd7b66262b2a0a7a 
8bbb44176e94f4e65cc6862e62f3b1544617edc889105e9af07886c0a62942ac 
cdac2ca810ed43d4bd9bf7ade4b0a8dbc26fbeed3f11eee1aa5cb8334b6d6105 
e946b516013cb6cff31e21ee2ccabd1b8ce1e5ed5a4f9e36ffad07c4d880e417 
0633c16d45f6fdc9fd6ba13c86572bfb571e2307ea051e2c119b59458000b51d 
bef299f5cff4b601adc6c8cde21d22465d19846f2f97d81fa8ea2439a4867864 
72a45d06936294c83c321d4fb312bdaa9b3afdc089975021f4b80d1046f62623 
21898a62a58602b67b39ea4c5ce971be4d73c861a1abff22337d2531f7b18d29 
1430582ad86023fe4b75f4721158ab72c28bef13592ad4462ac30f7b0784cc37 
507d93bc04f4a52e451ec8e212f52397ff25b93e4ea3c9ab54fdd24c2c200171 
d8b5067443c940864e972369e259a0826bb3774487c8605d6e5e870510d41504 
6f840523ce151950e40e24bfedc27e6ba17a9f65b2a4c3105b543b44e153037d 
81788d067834ea0298b88cc251ac4b56820bbb85c77345b35886c9af1b139e1c 
668e1c7275dd3000fd0f24f2a5f9004fc5fd5293c646ad44882122889a99f353 
00e4f65b721b334c3aa40e0c0fdc63107965874981fbfef1fc6a3ebb9d6c8d1c 
fa3bc57c23c5f60050d5b6673681d8bc170d5c9417cfc4c231d3794800400315 
9926bc84e414ad65947461955bf043fe1dd11358f5d517785f6d0571b9acf548 
da823b80766ffc75ed32751ea6ded68e132976d28416fb78bddccd489372f069 
c6edaa1e6125faddacb34f5f567cbb78abb1c138f970d914b95fdd4499052aa0 
a4416996ae9e25b496a343f5a94366ea33ac8797eccd289a83402978b03d371f 
e8fff8ac794b44fade6bdf14f08104012bafff894e44003b84808a5bfd2cebbb 
cd9d8c6c3bc14559d5da15887c5c12be6ac6241b9c36d1fcc0063ad489d14bb5 
996ebea3b2e4b269cc10051f8a5d90cb0e68dee16a6000ff35bac85cb17024d4 
2f5b2a72e40226c54871113b18d4e62c76d4cd05eb50a84c02774ed13daee411 
9f2bf3c3efdd1e388f87a64bac0bfc4b756cc923b428e85ef9e67a86f79c0bc7 
5ac4fbe00b773cbeb52c58234a5d2676f1cf0961385eb6b73934fccdf82a6605 
77833ef35c69cee4d6c43b13330ef71f08db13290d3d079040ab5d0298a57ccf 
6372b115bd5eb33d586519ce478ce161420c53e3d92103f2d8b2bb0e6efedfb8 
42f6a0b64b8dda86c3905a12c3921ead06fa3f24b1231d1bcac7762fb54437d2 
7758f78992fe71389e36b63d0b22f174d67b8139a80c96df5ebdcef7f1eaa954 
abdcb3156ed4bcc5bce29f621ee8593fec625f74b3d1580cd1aa6e7557f822cf 
aa11c00bc40f9bea2aff915d9cbf89e067aabdf764e52d664e7337545ffca04b 
99005c7ebde6c9d72e84fbf246c7b8aacc8e3c39132834b846a5ed4d49b1dcd5 
9548afeb0037077a1e98feabe952472b6882eccd4c8ef6e1d3a93370198fa6a5 
c4f10d10da4598d970ada132f7a476f74902143567d45afd4858d4d9fa7210af 
87bf71ceaeacb6a70d86e6ff96ba4e1d2232c2b84242e8cef7ba30b5de47b4a4 
7e9e493e41fab952e0a5681782a54954447abc3df6ef1d1860e59e586ea6c990 
6d0f5953b6a2234e00e720b297cdfa12a4d9074a92b85e9e5c508938b5907a0a 
523789702a134745c78a1430ccc1704650181b2f4f773862d44d45ccf139b93f 
e8f943454ab41dbd019434e0716d923fb87547cf73306b164ada93612d5f263f 
83c4d91f93f56abf7504faa83a01a84210eb55de991131240a55dd22cb3cb55a 
482f9255b94f1a7813e3cf631ac4bd14c559694b6162fadc6888a83d5c8f18dd 
c6ef40e940c92b8399792521eb677f5238e21ecf99834826990153efa41064ba 
8a8e093089e7d144e5cbef20b5010a27da9c29ac0d64a924bb311a3a50ea5b05 
3c5fe3251afef44143b119f6ca45503dda70b51e006b882e9b0666a380c99774 
042b8c8ae4525b7fd067c6960def5bb01817bf884db9db0db42c2a3cb10ff327 
88b780e35400a63e5f2526e67287508865801f4c176b449c9bd9897a6f4d099e 
86e07fcea780307b1ef2151b19a41170262947193b7b5b8998203ee0bb648c14 
d0fefd2af365336288bc8d7c9bb3d840e483cccf8c2afe493e3dc71e402a78c8 
b76cc76001cb245697bab1d14b0b0a9c85dc0a034d70f70cc7b4a207124b932f 
dd8c25c7483acb627935b3ec6de505aa7fdf95ee4db8108b89d0deb57510217c 
fa209beccf0fe4883b900462ecdf25f7a405adc962f393e116a556f4018773a3 
37f2b74550724859eb8b30fd60d8580c0e4eb6dc64d5d55e46774967fb0b9719 
f3667a47b00bd70f06cefa19de31ccd818095638059f2fe237096741c6b47863 
59dbf5984c48109a16de20656a3305269f4afa66e8864276e69d900d6cfe92c0 
9a849f42734c1bad3fa3c3b5cb5d8781c21e6241f8977636774384e6177756f2 
2ce2651e7ea2ece2b45cadbf7ef916a998d14bbf3830631cf1de6c4c28a97d80 
5468b140b70a7c6566cc7bc60e11e32d0165015df59fc448588fa9f7c68a5c94 
1333715b86d4009eb40b92675ed494dda786c275ccdcd59644ea3b0408df3d08 
e57062a03e0397ba7b5edba76b92f6e00e00a3f5f3126335a152803ba9dea5a9 
8041bc11d40ef808f9a25a5b3d2104aa67e6ba5a696d1bd352ccdf8b3039df9b 
581fe44b3da62d2155452beeda2f20f63fa042271a97cd8e016b4f6f6f8b575f 
170f58ca16e031ce31d117ba36a525189cfe4a08fece3fe1d65f18d293e2c7fe 
b853bf59cbfa95d5c76c76b5cf583d867929ffd164e248e33f55929ce0f65456 
e64d432aac6c9209d84b9e9b9b77bae4148dba91f49e2871c6a14a2d0777e8e0 
16ea880880c3466e3ff95bc3df309242861b0d43600862b0e9f563bda90d00d3 
c9ce209cbc4d3a733ed2dc6ff65318ab0d49506a9b406e8c11805b762c80d2b0 
3876816f0cc13e72c2ed64e857090c6a78106b9accc5f8d8fd90652a293890be 
82a13c434e21f40bf5f1e7e2694784e2152834c3c5e7188026efd4d698d63d8d 
ce65b98b78ee749c5db5cb678cb6a8f21f568446a9e7433f6cb3c2d648602512 
f7ea4652a096c007a233fb588d7a1b129a1b68829f78d58bb67b33c3582f032d 
84defbc371379f548cbfc7837128f33c35a2a95835d93e287c6c2f7f8428d910 
11447fbf6b64d137ab09ae7c861719169650a06ccc44abf0bcbbac8f5830343b 

We'd love to hear your thoughts. Find us on Twitter, LinkedIn or write in to hello@perchsecurity.com

Next: Threat Report Wednesday May 1st 2019