Rewterz Threat Alert – SeedWorm Malware Campaign – Threat Indicators

Thursday, February 28, 2019



Analysis Summary

In a SeedWorm malware campaign, variants of a backdoor program called LisfonService were seen in various stages of development. Some files were retrieved leveraging a PowerShell to download and run a program called ‘muddy’ on the system. Indicators of Compromise are attached.


Malware Infection

Indicators of Compromise

IP(s) / Hostname(s)

  • 31.171.154[.]67
  • 46.99.148[.]96
  • 78.129.139[.]148
  • 78.129.222[.]56
  • 79.106.224[.]203


  • svchosts.exe
  • TestService.exe
  • lisfon.exe
  • lisfonservice.exe
  • Win7LisfonService.exe
  • LisfonService.exe
  • Lisfon.exe



Malware Hash (MD5/SHA1/SH256)

  • 51ac160f7d60a9ce642080af0425a446fb25b7067e06b3a9a8ec2f777836efd3
  • 5723f425e0c55c22c6b8bb74afb6b506943012c33b9ec1c928a71307a8c5889a
  • 58972b27b7dc40494e715c2f39a1bcee4d8c18da6bcc3e22785496cca2cee1a0
  • 6f8226d890350943a9ef4cc81598e0e953d8ba9746694c0b7e3d99e418701b39
  • 9262bf6be648e1b15850a776fe4e393250d74afdf911e94ae07718f8ad4d1664
  • b6078804dfdc3219ac8ba0f74473ff7ada00228ea0141d0be8e7cf227ff09186
  • bf696397784b22f8e891dd0627dce731f288d14d4791ac5d0a906bc1cbe10de6
  • c514c3f293f0cb4c23662a5ab962b158cb97580b03a22b82e21fa3b26d64809c
  • f1f11830b60e6530b680291509ddd9b5a1e5f425550444ec964a08f5f0c1a44e


  • Block the threat indicators where possible.
  • Maintain up-to-date antivirus signatures and engines.
  • Keep operating system patches up-to-date.
  • Disable File and Printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
  • Restrict users’ ability (permissions) to install and run unwanted software applications.
  • Exercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be known.
  • Enable a personal firewall on agency workstations, configured to deny unsolicited connection requests.
  • Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its “true file type” (i.e., the extension matches the file header).
  • Monitor users’ web browsing habits; restrict access to sites with unfavorable content.
  • Scan all software downloaded from the Internet prior to executing.

Data Sheets

Corporate Brochure

Our Story



Managed Security

Upcoming Rewterz Trainings/Events

Rewterz News

  • 23, February 2020 Rewterz Threat Advisory – CVE-2019-16028 – Cisco Firepower Management Center
  • 17, February 2020 Rewterz Threat Alert – Satan ransomware rebrands as 5ss5c ransomware
  • 14, February 2020 Rewterz Threat Alert – Emotet Malware Hacks Nearby Wi-Fi Networks to Infect New Victims
  • 13, February 2020 Rewterz Threat Advisory – CVE-2020-3119 – Cisco NX-OS Software Cisco Discovery Protocol Remote Code Execution

Copyright © Rewterz. All rights reserved.