This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject

NetWitness Community

  • Home
  • Products
    • NetWitness Platform
      • Advisories
      • Documentation
        • Platform Documentation
        • Known Issues
        • Security Fixes
        • Hardware Documentation
        • Threat Content
        • Unified Data Model
        • Videos
      • Downloads
      • Integrations
      • Knowledge Base
    • NetWitness Cloud SIEM
      • Advisories
      • Documentation
      • Knowledge Base
    • NetWitness Detect AI
      • Advisories
      • Documentation
      • Knowledge Base
    • NetWitness Investigator
    • NetWitness Orchestrator
      • Advisories
      • Documentation
      • Knowledge Base
      • Legacy NetWitness Orchestrator
        • Advisories
        • Documentation
  • Community
    • Blog
    • Discussions
    • Events
    • Idea Exchange
  • Support
    • Case Portal
      • Create New Case
      • View My Cases
      • View My Team's Cases
    • Community Support
      • Getting Started
      • News & Announcements
      • Community Support Forum
      • Community Support Articles
    • Product Life Cycle
    • Support Information
    • General Security Advisories
  • Training
    • Blog
    • Certification Program
    • Course Catalog
      • Netwitness XDR
      • EC-Council Training
    • New Product Readiness
    • On-Demand Subscriptions
    • Student Resources
    • Upcoming Events
    • Role-Based Training
  • Technology Partners
  • Trust Center
Sign InRegister Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Community Blog
Subscribe to the official NetWitness Community blog for information about new product features, industry insights, best practices, and more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
  • NetWitness Community
  • Blog
  • Malspam delivers ISR Stealer 2-13-2017

Malspam delivers ISR Stealer 2-13-2017

AhmedSonbol1
Employee AhmedSonbol1
Employee
Options
  • Subscribe to RSS Feed
  • Mark as New
  • Mark as Read
  • Bookmark
  • Subscribe
  • Printer Friendly Page
  • Report Inappropriate Content
‎2018-02-14 01:06 PM

Malspam activity was observed on February 13th delivering a variant of ISR password stealer. ISR was reportedly used in spear phishing attacks against food and machine industries. In this blog post we will discuss the network activity using RSA NetWitness Packets.

 

The delivery document Payment receipt.doc is crafted to exploit CVE-2017-11882. You can learn more about the vulnerability in this FirstWatch threat advisory.

 

Screen Shot 2018-02-14 at 10.51.16 AM.png

 

Opening the malicious document with an un-patched Microsoft Word application led to the following network activity:

 

Screen Shot 2018-02-14 at 10.54.09 AM.png

 

Screen Shot 2018-02-14 at 10.54.26 AM.png

 

Screen Shot 2018-02-14 at 10.59.09 AM.png

 

Once 99v.exe executes on the victim machine, it starts to communicate with what looks to be a compromised Wordpress website transeagleperu[.]com:

 

Screen Shot 2018-02-14 at 11.03.53 AM.png

 

Since the User-Agent string used in this session is common to ISR variants, it was tagged with the value known bad ua credentialleak under Indicators of Compromise meta key:

 

Screen Shot 2018-02-14 at 11.10.24 AM.png

 

It is worth mentioning that the delivery domain menorasarainc[.]info has been active over the past week:

 

Screen Shot 2018-02-14 at 11.17.18 AM.png

 

Payment receipt.doc (SHA256):

  • 383521ecc7aa09050e82498e10c756c866b0ce47702d77c6a5a4a7da98517146

 

99v.exe (SHA256):

  • 29eb49ad843aa992abff873d9b611a62248b2b8b4fbfa900bb7712f6aa6cda65

 

All the IOC from those HTTP sessions were added to RSA FirstWatch Command and Control Domains on Live with the following meta:

  • threat.source = ‘rsa-firstwatch’
  • threat.category = ‘malspam’
  • threat.description = ‘delivery-domain’

 

footer.png

  • cve-2017-11882
  • firstwatch
  • infostealer
  • isr
  • malspam
  • NetWitness
  • netwitness packets
  • NW
  • NWP
  • rsa firstwatch
  • RSA NetWitness
  • RSA NetWitness Platform
2 Likes
Share

You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.

  • Comment
Latest Articles
  • Microsoft Azure Log Analytics workspace integration with Netwitness
  • Cryptonite Ransomware
  • Deployment Inventory (Serial Numbers)
  • The History of APT10
  • Integration of Symantec Endpoint Security with Netwitness Platform
  • JAMF Protect Integration with Netwitness
  • Zscaler Integrations with Netwitness
  • FirstWatch Threat Spotlight: Truly Asynchronous AsyncRAT
  • File Activity Alert Optimization in Multi-EPS Deployment
  • Threat Profile Series: An Introduction to Royal Ransomware
Labels
  • Announcements 60
  • Events 7
  • Features 10
  • Integrations 11
  • Resources 63
  • Tutorials 27
  • Use Cases 24
  • Videos 116
Powered by Khoros
  • Blog
  • Events
  • Discussions
  • Idea Exchange
  • Knowledge Base
  • Case Portal
  • Community Support
  • Product Life Cycle
  • Support Information
  • About the Community
  • Terms & Conditions
  • Privacy Statement
  • Acceptable Use Policy
  • Employee Login
© 2022 RSA Security LLC or its affiliates. All rights reserved.