Archive for June, 2018

Rewterz Threat Advisory – PDF attachment redirecting users to malicious site

This is an advisory on a reported phishing attempt involving a pdf document, which redirects user to a malicious site when opened.


IMPACT:  Normal

PUBLISH DATE: 26-06-2018


A team member reported a phishing attempt involving a PDF attachment which, when clicked, redirects the user to the URL lopiefuhf[.]ml/wp-admin/docpage/gieeedoc/melstod.php. This URL leads to a malicious site. The PDF was labelled as “Offer for Purchase.PDF”.



Last night, one of our team members observed a phishing attempt. They reported having received a PDF attachment from paulo[@]novahometeam[.]com. Clicking on the PDF redirected them to the URL  lopiefuhf[.]ml/wp-admin/docpage/gieeedoc/melstod.php which is a malicious site capable of transferring malware to your system.


The attachment is named “Offer for Purchase.PDF”. The IP analysis of the source of this phishing attempt produced the IP: 80.211.69[.]217.


The phishing attempt was made from Europe, with a country code of Italy.



It is recommended to avoid clicking all such PDFs received from unusual sources.  Moreover, members are advised to block the following threat indicators.











If you think you are a victim of a cyber-security attack. Immediately send an email to for a rapid response.

Gear up for WannaCry 2.0

WannaCry 2.0 In The Making?

After the disasters of WannaCry in the global cyberspace last year, and the on-going fiasco of cyber-attacks involving the name, it’s predictable that these attacks aren’t likely to end here.


WannaCry is being played with to create even more powerful attacks and techniques.


Being the most impactful attack worldwide, WannaCry sets a historical example of both monetary losses and physical damages a cyber-attack can lead to. This standardized malware aiming to attack windows machines hindered real-life activities, like employees getting to work and patients receiving speedy medical treatments.


The current damages caused by WannaCry 1.5 phase are an indicator of the approaching WannaCry 2.0 phase, getting ready to unleash its malicious tactics for ransom-hungry hackers to use.


WannaCry 2.0 seems real because of the following advantages:


1.   Delayed Patching

Organizations fail to update and implement the available patching cycles on time. A patch for EternalBlue released in March 2017 is an example of delayed patching, as organizations were affected by it even in May 2017 due to untimely patching.



2.   Consistency in Hacking

The hackers don’t seem to be resting at all. Continuous streaks of zero-day and one-day vulnerabilities are being found every single day. Hackers are being inventive and trying to create hacking and ransomware streaks as big as WannaCry.



Government Agencies under pressure


Government agencies are under massive pressure as the global cyberspace turns into a battalion threatening national security and breaching confidential data of organizations. Government organizations responsible for keeping the cyberspace safe for general use are required to exercise hyperactive precautions to make sure any vulnerabilities found in the system are not leaked or exploited by attackers. These confidential and exploitable vulnerabilities could yield catastrophic results when accessed by hackers.


Several vulnerabilities and codes leaked from governmental organizations have already been accessed and exploited by hackers. WannaCry and EternalBlue are two major examples of ransomware exploiting this leaked data. Spreading at an exponential rate, these leaked codes invite not only the ransomware attacks but also crypto miners like Monero. The pressure on organizations to set up a strong defense plan is therefore becoming more nerve-straining with every passing day.



Guide for Enterprises and IT professionals  


The speedy overnight patches required by these fast-leaking vulnerabilities have pressurized enterprises to seek help from IT professionals. The mass scale exploits like the Careem data breach and the Nadra data breech, along with the ransomware like the EternalBlue, targeting institutions, employees, customers and stakeholders have put IT professionals on the edge to find speedy solutions for every vulnerability they detect.


Security professionals should keep these things in mind to mitigate threat factors.


• Understand vulnerability databases


IT professionals need to conduct detailed analysis and testing for any found vulnerabilities and demonstrate how the problem will affect the organization. They should focus on the risk factors and determine the severity of every vulnerability. The IT professionals should then help organizations in deciding an action plan against the threat and suggest solutions to the problem.

• Out-of-the-ordinary workflow


Timely patching is hard for organizations with bulk workflow. However, that doesn’t lessen the importance of patching. To safeguard all the hard work that goes into running a business successfully, it is recommended to dedicate a team of tech experts fully focused on mitigating threat factors. The dedicated team can run timely testing and perform any patching and software updates available in the market against new discoveries of threats.



If you think you are a victim of a cyber-security attack, immediately send an email to  for a rapid response.

Rewterz Threat Advisory – New GZipDe Malware Drops Metasploit Backdoor

This is an advisory on a recent malware strain which lures users into enabling macros. This will execute a Visual Basic script running a PowerShell code.



PUBLISH DATE:  24-06-2018


AlienVault has discovered a new Malware strain called GZipDe used to drop backdoors. In this multistage attack, a Word document gets users to enable macros which execute Visual Basic scripts running some PowerShell code. This will download a PE32 executable which will later drop the actual Malware GZipDe.



A user from Afghanistan embedded the malware in a word file and uploaded it on VirusTotal, which is believed to be a part of a cyber espionage. The malware GZipDe is encoded in .NET and uses a customized coding method to blur the process memory and escape antivirus detection.

The document uses text from an article about the Shanghai Cooperation Organization Summit, a conference from last month about Eurasian political, economic and security topics.



The infection process comprises of multiple layers using Metasploit module. The Metasploit is a framework that security researchers use for conducting penetration tests to detect vulnerabilities. It was modified into a backdoor which gathers information from the system and forwards it to the attacker via C&C server and receives further instruction.


This is not the first time that Metasploit is used for cyber-attacks. Hackers now tend to use ready-made tools like Metasploit rather than custom-designing tools for every attack.


The custom-encryption of GZipDe enables it to escape the anti-virus detection as it is coded in .NET and confuses the process memory. Once activated, GZipDe downloads another potent threat from a remote server.


It drops a Metasploit based backdoor in the system to execute further malicious commands.


This shell code loads the entire DLL into memory, hence operating successfully without writing anything on the disk. Having reached this point, the attacker gains the ability to drop further payloads to acquire elevated privileges and move within the local network. The hacker can steal information which was available to privileged employees only.





GZipDe Malware contains an encrypted payload which consists of a Base64 string compressed as a ZIP that is customencrypted with a symmetric key algorithm. The shell code present in the payload contacts the command & control server to grab the Metasploit payload. The Metasploit payload containing the shell code bypasses the Anti-virus  detection and creates a backdoor using Meterpreter payload.


Once the backdoor is opened, it starts to steal sensitive information from the system and forwards it to the attacker via C&C server.



The following Indicators of Compromise should be blocked at Proxy and Edge Firewall.


Indicators of Compromise (IOCs):



  • hxxp://118[.]193[.]251[.]137/dropbox/?p=BT67HU78HZ
  • hxxp://118[.]193[.]251[.]137/dropbox/filesfhjdfkjsjdkfjsdkfjsdfjksdfjsdkfasdfjnadsfjnasdnj/utorrent[.]exe


  • 118[.]193[.]251[.]137
  • 175[.]194[.]42[.]8


If you think you are a victim of a cyber-security attack. Immediately send an email to for a rapid response.

Rewterz Threat Advisory – Malicious Callers Spoofing Bank Numbers

This is an advisory on attempts of obtaining card information of clients spoofing a bank’s number.



PUBLISH DATE: 23-06-2018


A member has reported a suspicious call to a client, attempting to social engineer their credit card information. The bad  actor spoofed the main number of the organization to appear credible to the client.


Spoofing or faking an identity is used to trick users into releasing sensitive information in order to gain access to their bank account, computer system or to steal personal credentials like passwords.


Social Engineering involves psychologically manipulating people to produce sensitive and confidential information.



Earlier this week, a member reported that their client had received a call from someone spoofing the main telephone number of the bank. In an attempt to obtain credit card information of the client, the caller used social engineering to convince the client about their authenticity.

The member reports that no sensitive information was provided to the caller.



Too many cases of spoofing are being reported worldwide. Spoofing is not illegal if an organization wants to use the same number for all lines they’re using. When involved in unlawful activities like faking an identity to gain access to confidential information, spoofing is illegal.


Mostly, it is used to fake a bank’s identity for theft from bank accounts. Millions of dollars have been compromised and stolen from bank accounts using spoofing.


It can also be used to ruin the reputation of a person or an organization.



As many experts reveal, there’s no specific solution to telephone-number spoofing or  Caller-ID spoofing. It can be dodged with awareness and quick judgement.


It is important for clients to understand that most organizations won’t call a client asking for personal information or sensitive information, as they should already be having that information.


Tips against spoofing

  • Be sure to always log out of all the accounts when not actively using them. This will prevent irrelevant people from sneaking into your personal information and credentials.


  • When a caller sounds fishy on the phone and asks for confidential information, tell them that you’ll return the call. When you call the number, it’ll be directed to the original owner of the number rather than the fake caller. Then you can inquire about the call you received.





If you think you are a victim of a cyber-security attack. Immediately send an email to for a rapid response.

Rewterz Threat Advisory – CVE-2017–11882 Multi-Layered Infection Attack Installs Betabot Malware

This is an advisory on a multi-stage attack installing Betabot Trojan to exploit a 17-year-old vulnerability using malicious office documents.



PUBLISH DATE:  19-06-2018


The Betabot Trojan is a malware having served many purposes for the hackers. It used to be a banking Trojan evolving into a password stealer and later becoming a botnet for distributing ransomware and other malicious programs. The attack involves exploitation of the 17-year-old vulnerability CVE-2017–11882 which was discovered and manually fixed by Microsoft last year.




A vulnerability in the Microsoft’s equation editor (EQNEDT32.EXE) prevalent since November 2000 was identified last year as  CVE-2017–11882 and was patched by Microsoft manually. The bug was not fixed in the source code which is now being  exploited by the Cobalt hackers.


The Cobalt hackers specially crafted an RTF file to execute commands on the compromised device. They embedded an OLE  object (inteldriverupd1.sct, task.bat, decoy.doc, exe.exe, and 2nd.bat) into the RTF file which pretend to be authentic software. The security researchers claim that they managed to create an exploit that would work with all Office versions released over the past 17 years, including Office 365, and which would impact all Windows versions, including Windows 10 Creators Update.




The attack is multi-layered and involves many things like remote code execution. The RTF file designed by the Cobalt hackers is  used to contact a remote server and deliver the first payload to the victim’s system. The code is executed using MSHTA.exe which then proceeds to grab another payload from the remote server. The second payload is a script having a final payload embedded in it.


This embedded final payload is the Cobalt Strike backdoor often used by the cobalt hackers group in various attacks they’re associated with.The malware is now ready to execute remote commands on the victim’s system.




The impact of the Betabot malware is far-reaching as it’s been a tool to attack banks, steal passwords and to deliver ransomware and malware. The multi-purpose Trojan can be used to launch several kinds of damages to a system or organization. The detection of its activity is another complex mechanism as it does not require user interaction to perform its malicious functions. The researchers claim that once the malicious document is opened, the remote code execution will silently  pour its venom into the system without even effecting the user’s activity on Microsoft office.



The only hinderance in the code execution is observed when the user has enabled protected mode. The protected mode  forbids any active content execution (OLE/ActiveX/Macro). However, this resolution can easily be by-passed using social engineering. A hacker can easily manipulate a user into saving the document on cloud (OneDrive, Google Drive). In such cases, the files obtained from remote sources are not labelled with MOTW (Mark Of The Web), and will not be  opened in the protected mode when a user opens them.


Therefore, great caution is required against social engineering whenever an employee is dealing with office documents to avoid the Betabot malware from running this multi-layered streak of attack on your system.



If you think you are a victim of a cyber-security attack. Immediately send an email to for a rapid response.

Copyright © Rewterz. All rights reserved.