Archive for category Worms

Rewterz Threat Advisory – Emotet, A Banking Trojan Responsible For Network-Wide Infection

This is an advisory on Emotet, an advanced, modular banking Trojan also serving as a dropper of other banking Trojans.



PUBLISH DATE:  20-07-2018


Emotet is a highly destructive banking Trojan. Its worm-like features let it spread rapidly across a network, which makes infections difficult to contain. Emotet infections have cost SLTT governments up to $1 million per incident to remediate. Emotet is polymorphic and can evade typical signature-based detection. It has several methods for maintaining persistence, including auto-start registry keys and services. It uses modular Dynamic Link Libraries (DLLs) to continuously evolve and update its capabilities. Furthermore, Emotet is virtual machine-aware and can generate false indicators if run in a virtual environment.



Emotet is an advanced, modular banking Trojan that primarily functions as a downloader or dropper of other banking Trojans. Emotet continues to be one of the most expensive and destructive malware families, affecting state, local, tribal, and territorial (SLTT) governments as well as the private and public sectors.



Emotet is disseminated through emails containing malicious attachments or links, using branding that is familiar to the recipient.

As of July 2018, the most recent campaigns imitate PayPal receipts, shipping notifications, or “past-due” invoices.



Initial infection occurs when a user opens or clicks the malicious download link, PDF, or macro-enabled Microsoft Word document included in the spam email. Once running, Emotet attempts to spread through the local network using its built-in spreader modules.


Currently, Emotet uses five known spreader modules: NetPass.exe, WebBrowserPassView, Mail PassView, an Outlook scraper, and a credential enumerator.


  • NetPass.exe is a legitimate utility developed by NirSoft that recovers all network passwords stored on a system for the currently logged-on user. This tool can also recover passwords stored in the credentials file of external drives.
  • Outlook scraper is a tool that scrapes names and email addresses from the victim’s Outlook accounts and uses that information to send additional phishing emails from the compromised accounts.
  • WebBrowserPassView is a password recovery tool that steals passwords stored in Internet Explorer, Mozilla Firefox, Google Chrome, Safari, and Opera and passes them to the credential enumerator module.
  • Mail PassView is a password recovery tool that reveals passwords and account details for various email clients such as Microsoft Outlook, Windows Mail, Mozilla Thunderbird, Hotmail, Yahoo! Mail, and Gmail and passes them to the credential enumerator module.
  • Credential enumerator is a self-extracting RAR file containing two components: a bypass component and a service component. The bypass component enumerates network resources and either finds writable shares using Server Message Block (SMB) or tries to brute-force user accounts, including the administrator account, with the harvested credentials.

Once an available system is found, Emotet writes the service component on the system, which writes Emotet onto the disk.


Emotet’s access to SMB can result in the infection of entire domains (servers and clients).


To maintain persistence, Emotet injects code into explorer.exe and other running processes. It also collects system information, including system name, location, and operating system version, and connects to a remote command and control (C2) server, usually through a generated 16-letter domain name ending in “.eu”.


Once Emotet establishes a connection with the C2, it reports a new infection, receives configuration data, downloads and runs files, receives instructions, and uploads data to the C2 server.


Emotet artifacts usually mimic the names of known executables. Emotet creates randomly named files in the system root directories that are run as Windows services. When executed, these services attempt to propagate the malware to adjacent systems via accessible administrative shares.


Note: Do not use privileged accounts to log in to compromised systems during remediation. Emotet harvests credentials from the hosts it infects, so a domain administrator logon can hand it the keys to the rest of the network and speed up propagation.
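The spreading behaviour described above (many failed logons from one freshly infected host as the credential enumerator brute-forces accounts, a randomly named service binary dropped into the system root, and beaconing to generated 16-letter .eu names) is visible in ordinary Windows logs. The following Python sketch is an added example and is not part of the Rewterz advisory; the event records are constructed, and the field layout, the mapping to Security event 4625 and System event 7045, the ten-accounts-in-five-minutes threshold and the allowlist of legitimate root-directory binaries are assumptions made for this example.

```python
"""Detection sketch for the Emotet lateral-movement behaviour described in the advisory.
Added example, not code from the advisory.  All events below are constructed; the
record layout (id, time, src_ip, user, image_path, query) is an assumption that loosely
follows Windows Security (4625), System (7045) and DNS client logs."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# 16 letters under .eu, as the advisory describes for the generated C2 names.
C2_DOMAIN_RE = re.compile(r"^[a-z]{16}\.eu\.?$")

# Heuristic (assumption): a service binary dropped directly into the Windows root,
# not under System32 or a product directory, and not one of the few legitimate ones.
ROOT_BINARY_RE = re.compile(r"^[a-z]:\\windows\\([^\\\s]+\.exe)\b", re.I)
KNOWN_ROOT_BINARIES = {"explorer.exe", "notepad.exe", "regedit.exe", "write.exe",
                       "hh.exe", "winhlp32.exe"}


def is_c2_domain(name: str) -> bool:
    """True for the 16-letter .eu pattern the advisory associates with Emotet C2."""
    return bool(C2_DOMAIN_RE.match(name.strip().lower()))


def brute_force_sources(events, threshold: int = 10,
                        window: timedelta = timedelta(minutes=5)) -> Dict[str, int]:
    """Return {src_ip: distinct accounts} for sources whose failed logons (4625)
    touch at least `threshold` distinct accounts inside any `window`."""
    by_src = defaultdict(list)
    for e in events:
        if e["id"] == 4625:
            by_src[e["src_ip"]].append((e["time"], e["user"].lower()))
    hits = {}
    for src, attempts in by_src.items():
        attempts.sort()
        for i, (t0, _) in enumerate(attempts):
            users = {u for t, u in attempts[i:] if t - t0 <= window}
            if len(users) >= threshold:
                hits[src] = len(users)
                break
    return hits


def suspicious_service_installs(events) -> List[str]:
    """7045 service installs whose ImagePath is an unknown binary directly in the Windows root."""
    out = []
    for e in events:
        if e["id"] != 7045:
            continue
        m = ROOT_BINARY_RE.match(e["image_path"].strip('"'))
        if m and m.group(1).lower() not in KNOWN_ROOT_BINARIES:
            out.append(e["image_path"])
    return out


def c2_lookups(events) -> List[str]:
    """DNS queries matching the generated-domain pattern."""
    return [e["query"] for e in events if e["id"] == "dns" and is_c2_domain(e["query"])]


# Constructed sample: one host sprays twelve accounts in a minute, another user
# simply fails three times, one odd service binary appears, one DGA-like lookup.
T0 = datetime(2018, 7, 20, 9, 0, 0)
SAMPLE_EVENTS = (
    [{"id": 4625, "time": T0 + timedelta(seconds=5 * i), "src_ip": "10.0.0.23",
      "user": f"user{i:02d}"} for i in range(12)]
    + [{"id": 4625, "time": T0 + timedelta(minutes=i), "src_ip": "10.0.0.5",
        "user": "jdoe"} for i in range(3)]
    + [{"id": 7045, "image_path": r"C:\Windows\kjhasdf.exe"},
       {"id": 7045, "image_path": r"C:\Windows\System32\svchost.exe -k netsvcs"},
       {"id": 7045, "image_path": r"C:\Windows\explorer.exe"}]
    + [{"id": "dns", "query": "abcdefghijklmnop.eu"},
       {"id": "dns", "query": "example.eu"},
       {"id": "dns", "query": "abcdefghijklmnopq.eu"}]
)

if __name__ == "__main__":
    print("brute-force sources:", brute_force_sources(SAMPLE_EVENTS))
    print("suspicious services:", suspicious_service_installs(SAMPLE_EVENTS))
    print("C2-pattern lookups:", c2_lookups(SAMPLE_EVENTS))
```

The windowed 4625 detector is the highest-value piece: Emotet's credential enumerator tries many accounts from one newly compromised host in a short burst, which looks nothing like a user mistyping a password, and it fires before the service component has been written to the next machine.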




If you think you are a victim of a cyber-security attack, immediately send an email to for a rapid response.

A Ransomware called WannaCry


WannaCry is a family of ransomware which, when executed, encrypts certain file types on the system. The user must pay a ransom to the attacker to have their files decrypted.



This ransomware spreads using the EternalBlue exploit for MS17-010, a vulnerability in the SMBv1 server. The attackers took the publicly available exploit code and embedded it in the dropper of the ransomware. The initial vector appears to have been spam email. On execution, the malware connects to the IPC$ tree, attempts a transaction on FID 0 to trigger the vulnerability, and then exploits it. The malware generates a random set of IP addresses for propagation.



The malware is executed using a main dropper and a sub-dropper. The main dropper embeds the shellcode needed for propagation. It also contains the sub-dropper, which carries out the encryption.


The sub-dropper carries multiple components as a password-protected ZIP file in its resource section. The password is hardcoded: “WNcry@2ol7”. The components of the sub-dropper perform the remaining functions on the system.


Given below is an example ZIP.




The dropper installs itself as a service named MSSECSVC2.0 with the description “Microsoft Security Service (2.0)” so that it restarts with the system. Once the service is started, it generates its random list of target IP addresses.


The dropper runs the command line below to remove existing shadow copies and backups and to disable Windows recovery:


Cmd /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
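The command line above is a high-fidelity indicator on its own: legitimate administration rarely deletes every shadow copy, disables recovery and wipes the backup catalog in one breath. The following Python is an added example, not code from the original advisory. It normalises process-creation command lines (strips the leading `cmd /c`, splits on `&`, `&&` and `|`) and matches each sub-command against the five techniques in that line, so that a ransomware dropper that runs them as five separate processes, or in a different order, is still caught. The event layout and rule labels are assumptions, and the sample records are constructed.

```python
"""Command-line detection for the backup-destruction step shown in the advisory.
Added example, not code from the advisory.  The process-creation records below are
constructed; in practice they would come from Sysmon Event ID 1 or Security 4688."""
import re
from typing import Dict, List, Set, Tuple

# label -> tokens that must ALL appear in one sub-command (labels are an assumption).
RULES: Dict[str, Set[str]] = {
    "vssadmin_delete_shadows":  {"vssadmin", "delete", "shadows"},
    "wmic_shadowcopy_delete":   {"wmic", "shadowcopy", "delete"},
    "bcdedit_ignore_failures":  {"bcdedit", "bootstatuspolicy", "ignoreallfailures"},
    "bcdedit_disable_recovery": {"bcdedit", "recoveryenabled", "no"},
    "wbadmin_delete_catalog":   {"wbadmin", "delete", "catalog"},
}

# Command separators understood by cmd.exe, and an optional leading "cmd[.exe] /c" or "/k".
_SPLIT = re.compile(r"\s*(?:&&|\|\||&|\|)\s*")
_STRIP_CMD = re.compile(r'^(?:"?[^"\s]*cmd(?:\.exe)?"?\s+)?/[cCkK]\s+', re.I)


def subcommands(cmdline: str) -> List[List[str]]:
    """Strip a leading 'cmd /c', split on separators, lower-case and tokenise each part.
    Quotes are treated as whitespace so "delete" and delete compare equal."""
    body = _STRIP_CMD.sub("", cmdline.strip())
    return [re.split(r"[\s\"']+", part.lower().strip())
            for part in _SPLIT.split(body) if part.strip()]


def match_backup_destruction(cmdline: str) -> Set[str]:
    """Return the set of RULES labels whose tokens all occur within a single sub-command."""
    hits: Set[str] = set()
    for tokens in subcommands(cmdline):
        tokset = set(tokens)
        for label, needed in RULES.items():
            if needed <= tokset:
                hits.add(label)
    return hits


def triage(events) -> List[Tuple[str, List[str]]]:
    """(image, sorted labels) for every event that matches at least one rule."""
    out = []
    for e in events:
        hits = match_backup_destruction(e["cmdline"])
        if hits:
            out.append((e["image"], sorted(hits)))
    return out


# Constructed sample events: the advisory's command line, plus two benign look-alikes.
SAMPLE_EVENTS = [
    {"image": r"C:\Users\victim\Desktop\dropper.exe",
     "cmdline": ("Cmd /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & "
                 "bcdedit /set {default} bootstatuspolicy ignoreallfailures & "
                 "bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet")},
    {"image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c vssadmin list shadows"},
    {"image": r"C:\Windows\System32\bcdedit.exe", "cmdline": "bcdedit /enum {default}"},
]

if __name__ == "__main__":
    for image, labels in triage(SAMPLE_EVENTS):
        print(image, "->", ", ".join(labels))
```

Any single rule firing is worth an alert; all five from one parent process, as in the WannaCry dropper, is about as unambiguous as endpoint telemetry gets, and it precedes the encryption loop, so a response that kills the process tree at this point still saves the shadow copies that have not yet been deleted.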


The various components dropped to disk are listed below: 


  • exe – Initial cleaner component used before the actual encryption begins. Looks for files in the install directory of the ransomware and the Recycle Bin and removes any files with the extension “.WNCRYT”.
  • exe – Component that attempts to synchronize execution between machines. It waits for a signal and runs scripts concurrently. It enumerates remote desktop sessions via WTSEnumerateSessionsA and creates processes in them.
  • b.wnry – Contains the wallpaper that is displayed.
  • wnry – Bitcoin wallets, C&C, etc.
  • wnry – Ransom note.
  • wnry – RTF containing the decryption instructions.
  • wnry – An archive that contains a Tor client, used for payments.
  • t.wnry – An encrypted file that contains the encryption routine used by the malware for file encryption.
  • wnry / @WannaDecryptor@.exe – Encryptor/decryptor component of the ransomware. Loads t.wnry and executes it in memory.
  • vbs – Used to create a shortcut to the decryptor on the desktop.
  • <Random_filename>.bat – Batch file used to create the .vbs file.
  • msg folder – Contains language-specific decryption instructions.


Once the system files are encrypted, the ransomware drops this message:



The desktop wallpaper is also changed to this:


The Folder containing the encrypted files also contains a text version of this message demanding a ransom for their decryption.


The main dropper generates a random set of IP addresses that is not limited to the local network. The malware may therefore attack devices on the same network as well as devices across the Internet, if they accept NetBIOS/SMB connections from outside networks.


This is why the attack had such a widespread impact and why many affected users were unsure about the initial vector of the infection.


Once a device with an open NetBIOS port is found, the malware sends three NetBIOS session setup packets to it. This exchange is followed by the transfer of the sub-dropper.


Among the files transferred to the attacked system is a ZIP archive containing Tor browser binaries, used to reach the .onion URLs through which the malware collects payments.


Payment is collected in Bitcoin. The following addresses were found in the samples:


  • 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn
  • 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw
  • 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94


The sub-dropper encrypts files with specific extensions on the local machine, on any removable drive connected to it, and on any network share mounted locally.


Indicators of Compromise




File Hashes (MD5)


  • DB349B97C37D22F5EA1D1841E3C89EB4 – Example main dropper
  • 509C41EC97BB81B0567B059AA2F50FE8 – Example Sub dropper
  • 9C514CAB458488A082070560C40D9DAB
  • 4362E287CA45A4862B7FE9ECAF46E985
  • 4FEF5E34143E646DBF9907C4374276F5
  • B27F095F305CF940BA4E85F3CB848819
  • 7BF2B57F2A205768755C07F238FB32CC
  • 7F7CCAA16FB15EB1C7399D422F8363E8
  • 8495400F199AC77853C53B5A3F278F3E
  • 84C82835A5D21BBCF75A61706D8AB549
  • 86721E64FFBD69AA6944B9672BCABB6D
  • 9C7C7149387A1C79679A87DD1BA755BC
  • 4DA1F312A214C07143ABEEAFB695D904
  • D6114BA5F10AD67A4131AB72531F02DA
  • F0D9FFEFA20CDADF5B47B96B7F8D1F60
  • F107A717F76F4F910AE9CB4DC5290594


IP Addresses 


  • 51.134.123:9001
  • 199.142.236:9001
  • 231.221.221:9001
  • 31.0.39:9191
  • 202.160.69:9001
  • 101.166.19:9090
  • 121.65.179:9001
  • 3.69.209:9001
  • 0.32.144:9001
  • 7.161.218:9001



  • Apply the MS17-010 patch (see Microsoft guidance).
  • Network administrators can check for attempted network infection by looking for two hardcoded IPs in packet requests:
  • Ensure that your organization has not blocked access to the following domain:
    • www[dot]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com
    • This domain has been sinkholed. The malware queries it as a kill switch: if the connection succeeds, the sample exits before encrypting anything, so a proxy or web filter that blocks the lookup removes that protection.





The Mystery of Duqu

Duqu is a sophisticated piece of malware that was discovered on September 1st, 2011. Some experts claim that Duqu could only have been created by the authors of Stuxnet, because nobody else would have had the source code needed to create malware so similar to Stuxnet yet serving an entirely different purpose. Three major similarities between Stuxnet and Duqu have come to attention: first, components are signed with stolen certificates; second, like Stuxnet, Duqu uses a zero-day vulnerability to attack Windows systems; and third, the way Duqu is targeted requires advanced intelligence to operate, again as with Stuxnet.

As highlighted a few weeks ago by Symantec, researchers have discovered how Duqu infects the targeted computers. The malware hides in a Word file (.doc) sent by email to the victims. Once opened, it exploits a zero-day vulnerability in the Windows kernel to execute code and infects the system through services.exe. The infected computers can then be remotely controlled by the attackers, who can spread the malware across the network and retrieve data in the process. Symantec issued a diagram summarizing how the intrusion proceeds.

With this new discovery, security researchers are now confident that Duqu is designed to target specific high-profile critical infrastructure operators via Word documents designed to look legitimate. Symantec has identified six infected organizations in eight countries: Iran, Sudan, Vietnam, India, France, the Netherlands, Switzerland and Ukraine. To this is added a list of identifications made by other experts in Austria, Hungary, Indonesia and the United Kingdom.

If Duqu starts attacking Pakistani networks, Pakistan would face a huge threat on top of the existing, on-going cyber war between Pakistan and India. Duqu is a far more powerful piece of malware; if directed at Pakistani networks it could collect intelligence data and assets from high-profile entities, with the purpose of conducting a future attack against additional third parties with little effort.

It remains to be seen whether the changes made by Microsoft will be sufficient to stem the problem. At present, the source of Duqu has not been identified. Many measures can be taken to prevent it from reaching a system. It is important to have a backup of all existing data, but since Duqu is such a powerful piece of malware, the best way to prevent an attack is to protect and secure critical infrastructure networks against such threats. Microsoft has now patched the flaw exploited by Duqu.

Moreover, a recent discovery indicates that the Duqu operators have shut down all operations and cleaned up their command servers, leaving security experts almost no evidence for further research. According to Kaspersky Lab, Duqu has been active since 2007 and was only publicly reported in October 2011, which suggests that systems may have been infected with Duqu for years and may still be undetected.

A further discovery was that the Duqu operators performed a global clean-up on October 20th, wiping all their activity going back to 2009 and leaving almost no trace of their existence throughout those years. This shows that the attackers behind Duqu aimed to keep it secret, and that as soon as word got out it was withdrawn. Even now the command and control (C&C) servers behind Duqu remain unidentified, which only underlines the capability of the attackers behind this malware.

Experts were able to establish that the servers were compromised by brute-forcing the root password rather than, as previously believed, through a zero-day, and that as soon as the attackers gained control they upgraded OpenSSH 4.3 to version 5.8, which suggests the newer version held some importance to them.

Pakistani Websites under Attack

Recently many Pakistani websites have been attacked by various international blackhat groups, which continues to be a major concern for Pakistani cyberspace. The main reason remains the lack of secure hosting infrastructure, along with badly coded web applications. Such websites can be extremely vulnerable and may be easily compromised by attackers.

Telenor Pakistan Hacked

Pakistani websites of all kinds may be vulnerable, including blogs, forums, and government, telecommunication and banking websites. Only recently, high-profile websites that were defaced include LG Electronics Pakistan, WorldCall Telecom Limited, DunyaTV, the Supreme Court of Pakistan, Telenor Pakistan, National University, and a few more.

Moreover, a newer form of malware has been discovered attacking Pakistani websites; it targets not only the website itself but also mobile devices. Hundreds of Pakistani government sites, including the Ministry of Information and Broadcasting – Government of Pakistan, PESC – Peshawar Electric Supply Company, and the Pakistan Navy, are under attack by this malware, which is known to be controlled by an Indian blackhat. Most site owners initially fail to understand the importance of a secure web application and consequently lack the information security knowledge needed to secure their online information.

Malware Alert on the Infected Pakistani Websites

That is where we usually get involved and learn about such incidents. Our team protects customers’ infrastructure from such attacks and performs constant monitoring. Rewterz already has a reputation for securing information for a number of high-profile organizations. By providing services such as penetration testing, incident handling, application code review, forensic analysis, and security outsourcing, we help secure an affected website end to end.

Today hacking is a career backed by well-funded organizations, estimated at about $2 billion annually. The cyber war between the Pakistani and Indian blackhat communities has been going on for years, and this is not the first time we have seen a rise in such attacks. The best way to protect information published on websites is a secure hosting infrastructure that mitigates the vulnerabilities attackers look for in order to carry out an attack. Taking such measures is becoming critically important and must be understood by the personnel who put critical information online, before it is too late.

In-depth Analysis of PDF Security

PDF, the Portable Document Format, gained popularity among general users due to its extensive features, portability and the availability of free tools to read and author documents. With that popularity, the format has also become a favoured carrier for malware: malicious PDFs exploit the reader to execute attacks and serve as a vehicle for dropping malware onto a specific application or the entire system.

Over the last three or four years, PDF malware has become increasingly damaging to computer security. The reason behind this success is the blackhat community's mastery of a handful of PDF distribution channels through which malicious PDFs are delivered to compromise a computer's security. Before going into the depth of PDF security, let us take a closer look at the distribution channels attackers use to deliver malware. Among the variety of channels, three dominate: mass mailing, drive-by downloads, and targeted attacks.

In the mass-mailing technique, a user is lured into opening an email and unknowingly receives the malware by opening the attached PDF file. Such spam emails use subjects such as IRS notices, political or current affairs, or other controversial topics. Drive-by downloads deposit the malware on the system when the user visits an infected website and opens a hosted PDF file; malware authors use web exploit packs to plant malicious PDFs on websites, and the hosted PDFs contain shellcode that, once executed, downloads further malicious content from the Internet. In contrast, targeted attacks are directed at specific individuals or organizations and are disguised as coming from an authentic source so that the recipient will open the attached PDF. What makes targeted attacks relatively successful is the use of zero-day exploits, which leave the victim unaware that the system's security is at stake.

To make matters worse, each distribution channel uses different exploit techniques, which fall into two categories: JavaScript-based exploits and non-JavaScript-based exploits. Almost all PDF exploits now use JavaScript in some form, most often for heap spraying: JavaScript code that runs first and fills the reader's process memory with many copies of a NOP sled and shellcode, so that when the memory-corruption bug is triggered, execution lands on attacker-controlled code.

The use of these exploit techniques across PDF distribution methods has given antivirus and malware-detection products a chance to detect the presence of a malicious PDF or the attack embedded in it. To evade such detection, malware authors use malicious AcroForm streams. This evasion misleads the user into believing that the malicious PDF is simply a corrupt file: it crashes the PDF reader, while the malicious code keeps working in the background, undetected by both the user and the virus-detection product.
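The indicators discussed above (JavaScript actions, automatic triggers such as /OpenAction, AcroForm content, heap-spray code, and the trick of hiding the payload in a compressed or deliberately broken stream) can all be checked statically before a document is ever opened. The following Python scanner is an added example, not code from the original article or from any particular product. It resolves hex-escaped name objects (so /J#61vaScript cannot hide /JavaScript), inflates FlateDecode streams before looking inside them, and recognises the unescape("%u...%u...") heap-spray idiom; the list of risky names and the scoring weights are assumptions, and the sample PDFs are constructed inline.

```python
"""Static triage of a PDF for the JavaScript-based indicators discussed in the article.
Added example, not code from the article.  The sample PDFs are constructed here;
RISKY_NAMES and the score weights are assumptions made for this example."""
import re
import zlib
from typing import Dict

# Name objects that carry or trigger active content (assumed list for this example).
RISKY_NAMES = {
    b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch",
    b"/AcroForm", b"/XFA", b"/EmbeddedFile", b"/RichMedia",
}

# A PDF name token, allowing #xx hex escapes (the usual way /JavaScript is disguised).
_NAME_RE = re.compile(rb"/(?:[^\s/<>\[\]()%]|#[0-9A-Fa-f]{2})+")
_HEX_ESC = re.compile(rb"#([0-9A-Fa-f]{2})")
# A stream object: its dictionary (one level of nesting allowed) and its raw body.
_STREAM_RE = re.compile(
    rb"<<((?:[^<>]|<<[^<>]*>>)*)>>\s*stream\r?\n(.*?)\r?\nendstream", re.S)
# unescape("%uXXXX%uXXXX...") is the classic heap-spray NOP-sled/shellcode builder.
_HEAP_SPRAY = re.compile(rb"unescape\s*\(\s*[\"'](?:%u[0-9A-Fa-f]{4}){2,}")


def normalise_name(tok: bytes) -> bytes:
    """Resolve hex escapes so /J#61vaScript compares equal to /JavaScript."""
    return _HEX_ESC.sub(lambda m: bytes([int(m.group(1), 16)]), tok)


def inflate(data: bytes) -> bytes:
    """Inflate a FlateDecode body; a deliberately corrupt stream is returned raw."""
    try:
        return zlib.decompressobj().decompress(data)
    except zlib.error:
        return data


def triage_pdf(blob: bytes) -> Dict[str, object]:
    """Collect risky names, obfuscated names, script-bearing streams and a heap-spray flag."""
    # Scan names only outside stream bodies so compressed bytes cannot masquerade as names.
    outside = _STREAM_RE.sub(rb"<<\1>>", blob)
    raw_tokens = set(_NAME_RE.findall(outside))
    risky = sorted(t.decode() for t in {normalise_name(t) for t in raw_tokens} & RISKY_NAMES)
    obfuscated = sorted(t.decode() for t in raw_tokens
                        if b"#" in t and normalise_name(t) in RISKY_NAMES)
    js_streams = []
    for dict_part, body in _STREAM_RE.findall(blob):
        content = inflate(body) if b"/FlateDecode" in dict_part else body
        if any(marker in content for marker in (b"unescape(", b"eval(", b"app.")):
            js_streams.append(content)
    heap_spray = any(_HEAP_SPRAY.search(c) for c in js_streams)
    score = len(risky) + 3 * len(obfuscated) + 5 * int(heap_spray)   # assumed weights
    return {"risky_names": risky, "obfuscated_names": obfuscated,
            "js_streams": len(js_streams), "heap_spray": heap_spray, "score": score}


def build_sample_pdf() -> bytes:
    """Constructed malicious-looking sample: /OpenAction points at a JavaScript action
    whose /S name is hex-escaped and whose FlateDecode body heap-sprays via unescape()."""
    js = (b"var sc = unescape('%u9090%u9090%u9090%u9090');"
          b"var nop = unescape('%u0c0c%u0c0c');"
          b"while (nop.length < 0x40000) nop += nop;"
          b"var blocks = []; for (var i = 0; i < 200; i++) blocks[i] = nop + sc;"
          b"app.alert('loaded');")
    comp = zlib.compress(js)
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R >>",
        b"<< /S /J#61vaScript /JS 5 0 R >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(comp) + comp + b"\nendstream",
    ]
    out = b"%PDF-1.4\n"
    for num, body in enumerate(objs, 1):
        out += b"%d 0 obj\n%s\nendobj\n" % (num, body)
    return out + b"trailer\n<< /Root 1 0 R >>\n%EOF\n"


# Constructed benign document: no actions, no scripts, no streams.
BENIGN_PDF = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
              b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
              b"3 0 obj\n<< /Type /Page /Parent 2 0 R >>\nendobj\n"
              b"trailer\n<< /Root 1 0 R >>\n%EOF\n")

if __name__ == "__main__":
    print("sample:", triage_pdf(build_sample_pdf()))
    print("benign:", triage_pdf(BENIGN_PDF))
```

Two design points matter in practice. Names are scanned only after stream bodies have been cut out, because random compressed bytes will otherwise occasionally spell a short name like /JS and create noise. And a stream that fails to inflate is kept rather than discarded, since a corrupt-looking stream that still sits behind an /OpenAction is exactly the crash-the-reader evasion the article describes; a fuller tool would also handle object streams and the other standard filters, which this sketch does not.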

When your system's security is at stake and significant assets are exposed, what can you do to protect your system from infection with malicious content?

A number of protective actions can be taken by the user to keep a system safe from targeted or untargeted attacks by malware authors.

First and foremost, keep the system up to date with all application and software patches for your PDF reader. Second, keep your virus-detection product up to date. Wherever possible, disable JavaScript in the reader so that JavaScript-based exploits are blocked. Last but not least, exercise considerable discretion before opening a PDF document from an untrusted source.

Conficker.C Pakistani (.PK) Domains

Conficker.A and Conficker.B generated around 250 domains per day, from which they downloaded, or at least tried to download, their updates. By contrast, Conficker.C generates 50,000 domains per day, of which over 400 are under the .PK ccTLD (country-code top-level domain), with labels of only 4-9 characters compared to 8-11 in Conficker.A and .B.

We have extracted the .PK ccTLD names from the list of all domain names, computed by Felix Leder and Tillmann Werner, that Conficker.C will use in April 2009. It is recommended to sinkhole these domains.

The list of Conficker.C domains for April can be downloaded here.


Copyright © Rewterz. All rights reserved.