Archive for category Threats

Rewterz Threat Alert : ‘Love You’ MalSpam campaign dropping GandCrab Ransomware, Phorpiex Spambot and Cryptocurrency miner







A massive malspam campaign using zipped JavaScript (.js) files as malicious email attachments has been discovered. The attachment names begin with ‘Love_You_’, suggesting that the attachments are love letters.





Behind this ‘Love You’ campaign are hidden several malicious payloads. The infection traffic includes GandCrab ransomware, a Monero (XMRig) cryptocurrency miner, and Phorpiex spambot traffic.

Several HTTP requests for additional malware were spotted in the infection traffic, creating multiple copies of the same malware on the infected host, which generated Monero (XMRig) cryptocurrency mining traffic as well as the expected post-infection traffic patterns for GandCrab ransomware. The infected host also turned into a spambot for the Phorpiex botnet.





GandCrab dominated the infected host, and its file downloader also established itself on a USB thumb drive plugged into the infected host.
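The campaign traits described above (a ‘Love_You_’ attachment prefix, a ZIP carrying a .js file, and the subject lines listed further down in the alert) lend themselves to a simple mail-gateway triage check. The example below is added here and is not Rewterz’s code; it builds a constructed message in memory, with an inert placeholder where the real attachment would be, and scores it against those traits.

```python
"""Triage check for the 'Love You' malspam pattern.

Added example, not Rewterz's code. A constructed .eml message is built in
memory whose ZIP attachment carries an inert .js placeholder, then scored
against the campaign traits the alert lists: a 'Love_You_' attachment
prefix, a ZIP that contains a script, and one of the listed subject lines."""
import email
import io
import zipfile
from email.message import EmailMessage
from email.policy import default

# Subject lines quoted in the alert (the emoji-only subject included), lowercased.
LOVE_YOU_SUBJECTS = {
    "always thinking about you", "felt in love with you!", "i love you",
    "just for you!", "my letter just for you", "my love letter for you",
    "wrote this letter for you", "\U0001F600",
}
# .js is the campaign's attachment type; the rest are script types the page's
# monitoring list names and that the same check catches.
SCRIPT_EXTENSIONS = (".js", ".jse", ".vbs", ".vbe", ".hta")


def zip_script_members(blob):
    """Return names of script-like members inside a ZIP blob (empty if not a ZIP)."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(SCRIPT_EXTENSIONS)]
    except zipfile.BadZipFile:
        return []


def triage(raw):
    """Score a raw RFC 822 message; returns the matched traits and a verdict."""
    msg = email.message_from_bytes(raw, policy=default)
    traits = []
    subject = str(msg["subject"] or "").strip().lower()
    if subject in LOVE_YOU_SUBJECTS:
        traits.append("subject matches campaign list")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower().startswith("love_you_"):
            traits.append("attachment prefix Love_You_: " + name)
        if name.lower().endswith(".zip"):
            scripts = zip_script_members(part.get_payload(decode=True))
            if scripts:
                traits.append("zip %s contains script: %s" % (name, scripts))
    # Two independent traits are enough to hold the message for analyst review.
    return {"traits": traits, "verdict": "quarantine" if len(traits) >= 2 else "allow"}


def build_sample():
    """Constructed message resembling the campaign; the 'script' is only a comment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Love_You_2019_12345.js", "// constructed placeholder, no payload\n")
    msg = EmailMessage()
    msg["From"] = "Teddy31@example.invalid"  # constructed sender, not from the alert
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "I love you"
    msg.set_content(":)")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="Love_You_2019_12345.zip")
    return bytes(msg)


if __name__ == "__main__":
    print(triage(build_sample()))
```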









  • Malware Infection
  • System Compromise
  • Ransomware infection
  • Loss of information






IP(s) / Hostname(s)




  • 80
  • 443
  • 9090
  • 25
  • 53






  • .exe
  • .txt
  • .zip
  • .js


Email Address




Email Subject

  • Always thinking about you
  • Felt in love with you!
  • I love you
  • Just for you!
  • My letter just for you
  • My love letter for you
  • Wrote this letter for you
  • 😀


Malware Hash (MD5/SHA1/SHA256)







Consider blocking the threat indicators at their respective controls and strictly avoid opening spam emails coming from unknown sources.



If you think you’re a victim of a cyber-attack, immediately send an email to


A new Trojan has been discovered in the on-going FASTCash cyber espionage campaign funded by the North Korean government.



Release Date: November 20th, 2018






The Lazarus hacker group, funded by the North Korean government, preys on the financial sector, targeting major banks in Africa and Asia. It first breaches the target bank’s network and compromises the switch application server handling the ATM transactions. Also known as Hidden Cobra, the Lazarus group is associated with the on-going FASTCash campaign, which has stolen tens of millions of dollars in multiple ATM attacks across continents.



In 2017 alone, Lazarus targeted ATMs in more than 30 countries, and in 2018 it compromised banks in 23 countries simultaneously. Recently, a new Trojan has been found in use in the FASTCash campaigns.






The initial attack vector used by Lazarus isn’t confirmed. However, traces have been found of malware designed to “remotely compromise payment switch application servers within banks to facilitate fraudulent transactions.”



It seems that the Hidden Cobra attackers initially used Windows-based malware to explore a bank’s network and identify the payment switch application server. Researchers have found that all of the compromised switch application servers were running unsupported IBM Advanced Interactive eXecutive (AIX) operating system versions, beyond the end of their service pack support dates. Outdated AIX is therefore a possible exploitation path; however, no evidence has been found that proves exploitation of the AIX operating system in these attacks.



Although each known incident has a different malware associated with it, a detailed analysis of malware samples gathered through these attacks suggests similarities between malware features and capabilities.






Analysts predict that the attacks were initiated with spear-phishing emails against bank employees, which led to compromise of the bank’s network.



There are multiple versions of the FASTCash Trojan, each of which appears to have been customized for a different transaction processing network. The samples are associated with legitimate primary account numbers, or PANs, the 14- or 16-digit numerical strings found on bank and credit cards that identify a card issuer and account number.






The malicious code inserted by Lazarus attackers searched for references tied to attacker-controlled accounts, then returned fraudulent information about those accounts in response to balance inquiries made by the Switch application server.



In simpler words, the validation requests preceding a cash withdrawal never reached the bank for authentication and balance verification. Instead, the attackers spoofed the communication and generated fake responses that made ATMs dispense cash even from accounts with zero balance.





Analysts believe that HIDDEN COBRA (Lazarus) actors exploited the targeted systems by using their knowledge of International Standards Organization (ISO) 8583—the standard for financial transaction messaging—and other tactics. HIDDEN COBRA actors most likely deployed ISO 8583 libraries on the targeted switch application servers. These libraries can be exploited by malicious threat actors to help interpret financial request messages and properly construct fraudulent financial response messages.



Analysts believe HIDDEN COBRA actors blocked transaction messages in order to stop denial/decline messages from leaving the switch and used a GenerateResponse* function to approve the transactions.



“In order to permit their fraudulent withdrawals from ATMs, the attackers inject a malicious [AIX] executable into a running, legitimate process on the switch application server of a financial transaction network, in this case; a network that handles ATM transactions,” analysts say.



The malicious executable contains logic to construct fraudulent ISO 8583 messages (ISO 8583 being the international standard for financial transaction messaging). The IBM AIX executables were designed to perform code injection, loading a library into a currently running process.



It is believed that the North Korean government funds these attacks to counter the international sanctions imposed over its weapons development and testing programs. Apart from Lazarus, another major wave of attacks was launched by APT38, which is also said to be associated with the North Korean government.



Here’s a detailed coverage of APT38 cyber espionage.






Organizations should configure system logs to detect incidents and to identify the type and scope of malicious activity. Continuous monitoring of all the activity on the network is essential to pinpoint any cyber espionage targeting an organization.





Lazarus has previously earned an international reputation as one of the largest groups of cybercriminals targeting the financial sector.

The Sony Pictures Entertainment hack in 2014, the breach of the Bangladesh central bank’s account at the New York Federal Reserve that led to $81 million being stolen, the WannaCry ransomware outbreak in May 2017, and other crypto-mining incidents are also associated with this hacker group.


The U.S. Government assesses that HIDDEN COBRA actors will continue to use FASTCash tactics to target retail payment systems vulnerable to remote exploitation.


BankIslami hit by Cyber Attack, $6 Million Stolen

Editor’s Note: This post was originally published on 28th October 2018 and is being continuously updated with latest information.


Hackers have waged a sophisticated cyber-attack against BankIslami, an Islamic bank in Pakistan, resulting in the theft of around $6 million via fraudulent ATM and POS payments made from different countries. Reports claim that 5000 accounts have been compromised in this attack and that it might be the biggest cyber-attack in the history of Pakistan.


The alleged security breach first came to light on October 27, when the bank detected abnormal transactions on one of its international payment card schemes. Customers of the bank also received automated messages about their payment cards being used in different countries. The bank tried to hide the breach until the hackers possibly used the dark web to publish payment card information and PINs for sale at about $75. The bank has temporarily shut down all transactions routed through the international payment scheme.


State Bank of Pakistan (SBP) Directives


“As a result of security breach of payment cards of one of the banks in Pakistan yesterday and their unauthorized use on different delivery channels i.e. at ATMs and POS in different countries, the bank has temporarily restricted usage of its cards for overseas transactions,” State Bank said in a statement yesterday.


SBP instructed the affected bank to take all necessary measures to trace the vulnerability and fix it immediately.


The affected bank has also been directed to issue advisory on precautionary measures that should be taken by customers.


  • To make sure that resources are deployed to ensure 24/7 real-time monitoring of card-operations systems and transactions, and to coordinate immediately with all payment schemes, switch operators and media service providers integrated with the bank, to identify any malicious activity or suspicious transactions.


  • To foster arrangements that ensure the security of all payment cards in the country and to monitor card usage activity in real time, especially for overseas transactions.


SBP said that it would continue to assess these developments in coordination with banks and take further measures, if required. The banks across Pakistan are directed to ensure that security measures on all IT systems including those related to card operations are continuously updated to meet any challenges in future.


Attack Vector


Apparently, FASTCash-style schemes, which remotely compromise payment switch application servers within banks to facilitate fraudulent transactions, are a possible attack vector for this hack.


When a payment card is used in an ATM or PoS machine, the machine communicates with the bank’s switch application server to validate the transaction, which is then accepted or declined based on the account balance. The malware installed on the compromised switch application servers intercepts the transaction requests associated with the attackers’ payment cards. It then responds with a fake but legitimate-looking affirmative response without checking the available balance with the core banking systems. Eventually, the machine is fooled into dispensing large amounts of cash without sending a notification to the bank.


Rewterz had published important advisories on similar attacks earlier this month, Bank Servers Hacked to Trick ATMs into Spitting Out Millions in Cash and North Korean State-Funded APT38 Launches Financially Motivated Attacks Worldwide that include mitigation recommendations for institutions that have payment processing systems.


“Since at least 2014, hacker group involved in FASTCash campaign has conducted operations in more than 16 organizations in at least 11 countries, sometimes simultaneously, indicating that the group is a large, prolific operation with extensive resources,” FireEye researchers said in a blog post.


Based on known attacks, an APT attacker spends an average of 155 days camped out in an attacked organization’s networks, whereas, in one case they had two years of access to a victim’s network, FireEye says.


“APT attacker executes sophisticated bank heists typically featuring long planning, extended periods of access to compromised victim environments preceding any attempts to steal money, fluency across mixed operating system environments, the use of custom-developed tools, and a constant effort to thwart investigations capped with a willingness to completely destroy compromised machines afterwards,” FireEye says.


“The group is careful, calculated and has demonstrated a desire to maintain access to a victim environment for as long as necessary to understand the network layout, required permissions and system technologies to achieve its goals.”


The U.S. Computer Emergency Readiness Team issued an alert about “malicious cyber activity by the North Korean government” – which it refers to as Hidden Cobra – perpetrating an ATM cash-out scheme, which the U.S. government refers to as “FASTCash.”


US-CERT’s “Hidden Cobra – FASTCash Campaign” alert says that the attack campaign has been operating since 2016 and so far targeted institutions in Asia and Africa with malware designed to “remotely compromise payment switch application servers within banks to facilitate fraudulent transactions.”


“The initial infection vector used to compromise victim networks is unknown; however, analysts surmise Hidden Cobra actors used spear-phishing emails in targeted attacks against bank employees,” US-CERT says, “Hidden Cobra actors likely used Windows-based malware to explore a bank’s network to identify the payment switch application server.”


Attackers will likely move beyond targeting banks, US-CERT warns. “The U.S. government assesses that Hidden Cobra actors will continue to use FASTCash tactics to target retail payment systems vulnerable to remote exploitation,” it says.


Pakistani Banks Card Data on Dark Web


As you are probably aware, some analyses are connecting this attack with Pakistani banks’ card data being up for sale on the dark web. According to various sources, a report is being circulated regarding the sale of Pakistani banks’ card data which shows that more than 8000 cards of different banks are available for sale on the dark web and on carding websites.


Rewterz Threat Intelligence Team has carried out an in-depth analysis and assesses that this report was created on the basis of a 3rd-category dark web card shop. 3rd-category shops are mostly easily accessible and do not ensure reliable data. The card dump was posted on a shop yesterday; however, it was taken down by the seller the same day. Further analysis showed that the dump consisted of old skimmed card data from different banks, so probably 99.9% of the data is either bogus or belongs to blocked cards. Research shows that reliable and authentic data is available on 1st-category card shops, which have verified cards on sale with a refund offer if a card doesn’t work. Our threat intelligence team is further investigating and endeavouring to acquire all the available card data so that further analysis can be carried out.


Therefore, it can be assumed that, in order to create chaos and further exploit the mayhem in Pakistan, the seller consolidated all the skimmed card data available from the past and posted it together.


According to our intelligence, the hackers have carried out a targeted and sophisticated attack on a local bank, similar to what we have seen in FASTCash. Skimmed cards don’t have the capacity to launch an attack on this scale.




  • Implement chip and Personal Identification Number (PIN) requirements for debit cards.
  • Validate card-generated authorization request cryptograms.
  • Use issuer-generated authorization response cryptograms for response messages.
  • Require card-generated authorization response cryptogram validation to verify legitimate response messages.
  • Require two-factor authentication before any user can access the switch application server.
  • Verify that perimeter security controls prevent internet hosts from accessing the private network infrastructure servicing your payment switch application server.
  • Verify that perimeter security controls prevent all hosts outside of authorized endpoints from accessing your system.
  • Configure the switch application server to log transactions. Routinely audit transactions and system logs.
  • Develop a baseline of expected software, users, and logons. Monitor switch application servers for unusual software installations, updates, account changes, or other activity outside of expected behavior.
  • Develop a baseline of expected transaction participants, amounts, frequency, and timing. Monitor and flag anomalous transactions for suspected fraudulent activity.
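The mechanism described in the FASTCash coverage above (a switch-side implant answering balance inquiries and withdrawal requests with fabricated approvals and suppressing declines) and the cryptogram, logging and reconciliation recommendations just listed can be shown together in one small model. The example below is added here and is not Rewterz’s or CISA’s code: ISO 8583 fields are reduced to a dict, and the issuer-generated response cryptogram is modelled with HMAC-SHA256 under an issuer key as a stand-in for the EMV ARPC scheme, which it does not implement.

```python
"""Response-cryptogram validation and switch/issuer reconciliation.

Added example, not Rewterz's or CISA's code. The ISO 8583 message is reduced
to PAN, STAN (trace number), amount and DE39 response code. The issuer's
response cryptogram is modelled as HMAC-SHA256 under an issuer key (a stand-in
for EMV ARPC; in EMV the card, not the ATM, holds the key and verifies it).
The point shown: a response fabricated at the switch, without the issuer key,
cannot carry a cryptogram the terminal-side check accepts, and a transaction
log audit exposes approvals the issuer never produced."""
import hashlib
import hmac
import secrets

APPROVED, DECLINED = "00", "51"   # ISO 8583 DE39 response codes


def cryptogram(key, pan, stan, amount, rc):
    """Issuer-side cryptogram binding the response code to this exact transaction."""
    data = ("%s|%s|%d|%s" % (pan, stan, amount, rc)).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()[:16]


def issuer_authorize(key, balances, req):
    """Core-banking decision: approve only if the account covers the amount."""
    rc = APPROVED if balances.get(req["pan"], 0) >= req["amount"] else DECLINED
    if rc == APPROVED:
        balances[req["pan"]] -= req["amount"]
    resp = dict(req, rc=rc)
    resp["arpc"] = cryptogram(key, req["pan"], req["stan"], req["amount"], rc)
    return resp


def forged_approval(req):
    """The best a switch-side implant can do without the issuer key: an approval
    carrying a cryptogram it cannot compute. Constructed only as the negative case."""
    return dict(req, rc=APPROVED, arpc="0" * 16)


def terminal_accepts(key, resp):
    """Dispense only on an approval whose cryptogram verifies (constant-time compare)."""
    expected = cryptogram(key, resp["pan"], resp["stan"], resp["amount"], resp["rc"])
    return resp["rc"] == APPROVED and hmac.compare_digest(expected, resp["arpc"])


def reconcile(switch_log, issuer_log):
    """Audit: approvals the switch emitted that the issuer never authorized."""
    issued = {(r["pan"], r["stan"]) for r in issuer_log if r["rc"] == APPROVED}
    return [r for r in switch_log
            if r["rc"] == APPROVED and (r["pan"], r["stan"]) not in issued]


def demo():
    """One legitimate withdrawal and one fabricated approval on an empty account."""
    key = secrets.token_bytes(32)  # constructed issuer key
    # Constructed test PANs and balances, not real accounts.
    balances = {"4000000000000002": 500, "4000000000000010": 0}
    legit_req = {"pan": "4000000000000002", "stan": "000101", "amount": 200}
    empty_req = {"pan": "4000000000000010", "stan": "000102", "amount": 1000}
    legit = issuer_authorize(key, balances, legit_req)
    honest = issuer_authorize(key, balances, empty_req)   # issuer says DECLINED
    forged = forged_approval(empty_req)                    # implant swaps in APPROVED
    switch_log = [legit, forged]                           # what the switch sent out
    return {
        "legit_dispenses": terminal_accepts(key, legit),
        "forged_dispenses": terminal_accepts(key, forged),
        "issuer_declined_empty": honest["rc"] == DECLINED,
        "unreconciled": reconcile(switch_log, [legit, honest]),
    }


if __name__ == "__main__":
    print(demo())
```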


Rewterz’s SOC team has released specific recommendations for the internal security monitoring and incident response teams, to help them detect such advanced APT attacks.


Integration for Cyber Security Monitoring Visibility


The following should be enabled and integrated into your centralized security monitoring platform, such as a SIEM or log management system, to detect such advanced APT attacks:


  • Network flows for visibility of inbound/outbound traffic and network insight.
  • Detailed system and application auditing besides standard logs.
  • Process tracking and network share object auditing.
  • Command-line parameter logging should be enabled once process tracking is enabled; this helps analysts understand the parameters the attacker passed to a process.
  • Authentication events.
  • Database events.
  • Advanced malware events.


Use Cases for Cyber Security Monitoring of Switch Application Servers (SWIFT, IRIS, Nimbus, etc.)


  • Outbound connections towards external and local networks from switch application servers.
  • Inbound connections from external and local networks towards servers.
  • Excessive internal and external connections.
  • Excessive connections made by any process in application servers.
  • Application servers’ traffic on unknown and high ports.
  • Traffic deviations.
  • IoC hits on servers from advanced malware.
  • Traffic of the administrators who manage switch application servers.
  • Any activity being performed on servers by administrators.
  • All the authentication performed by processes and services on switch application servers.
  • All authentication attempts on servers.
  • Monitor applications and services that are talking to other systems.
  • Monitor all the extensions and processes of these systems with their path of execution, specifically for bin, js, ps1, exe, vbs, png, rtf, docm, xlsm, xltm, bat, jar, msi, scr, hta, cmd, vbe, txt, jse, lnk, and inf.
  • All activities of privileged users who have logged in to switch application servers.
  • File share activities of privileged users.

A Cybersecurity Fiasco: Chinese Spies Plant a Microchip to Tamper US Tech-Giants’ Server



Bloomberg Businessweek reported earlier this month that Chinese spies allegedly exploited the technology supply chain of 30 major US companies, including Apple and Amazon, by planting tiny microchips on the motherboards used in their servers.


The malicious chips, which were not part of the original server motherboards designed by the U.S-based company Super Micro, had been inserted during the manufacturing process in China.


The chips, which Bloomberg said have been the subject of a top-secret U.S. government investigation started in 2015, would allow attackers to covertly modify these servers, bypass software security checks, gather intellectual property and trade secrets, and essentially give the Chinese government a complete backdoor into these American companies’ networks.


If true, this might be one of the largest corporate espionage and hardware hacking programs in the history of cybersecurity.





However, the impacted companies, such as Apple and Amazon, are fiercely disputing the claims. Meanwhile, Supermicro and the Chinese Ministry of Foreign Affairs have also strongly denied Bloomberg’s findings in lengthy statements.


Some highlights from the responses released by Apple, Supermicro and Amazon, according to a Bloomberg report are listed below:





“Apple has never found malicious chips, “hardware manipulations” or vulnerabilities purposely planted in any server. Apple never had any contact with the FBI or any other agency about such an incident. We are not aware of any investigation by the FBI, nor are our contacts in law enforcement.”






“While we would cooperate with any government investigation, we are not aware of any investigation regarding this topic nor have we been contacted by any government agency in this regard. We are not aware of any customer dropping Supermicro as a supplier for this type of issue.

Furthermore, Supermicro doesn’t design or manufacture networking chips or the associated firmware and we, as well as other leading server/storage companies, procure them from the same leading networking companies.”






“It’s untrue that AWS knew about a supply chain compromise, an issue with malicious chips, or hardware modifications when acquiring Elemental. It’s also untrue that AWS knew about servers containing malicious chips or modifications in data centers based in China, or that AWS worked with the FBI to investigate or provide data about malicious hardware.


We’ve re-reviewed our records relating to the Elemental acquisition for any issues related to SuperMicro, including re-examining a third-party security audit that we conducted in 2015 as part of our due diligence prior to the acquisition. We’ve found no evidence to support claims of malicious chips or hardware modifications.”






These assertive statements are leading national security experts to question who exactly is telling the truth. The prospect of this kind of attack is very real, but the fact that Bloomberg and the companies named in the story flatly contradict each other is confusing everyone, and a sign that we are probably not done hearing about this story anytime soon.


However, if the Bloomberg story turns out to be true, Amazon and Apple would appear to be lying and dismissing a potential global security risk. Ultimately, a deeper look into this potential attack is warranted.

British Airways faces Data Breach of 380,000 Accounts

Malicious JavaScript code had been planted within British Airways’ website, leading to a data breach of around 380,000 accounts.



RELEASE DATE: September 14th, 2018






Starting from August 21st, around 380,000 accounts were compromised in a major data breach of British Airways, exposing customers’ information. Cybersecurity organization RiskIQ believes that the Magecart attackers, previously associated with the Ticketmaster UK breach earlier this year, were involved in the breach.


The attackers were successful in obtaining names, street and email addresses, credit card numbers, expiry dates and security codes of the airline’s customers, which could potentially lead to theft from user accounts.


British Airways informed that all the payment information processed through the airline’s website and mobile app between August 21st and September 5th had been exposed.






The evidence reveals that malicious JavaScript code had been planted within British Airways’ website.


Magecart has traditionally stolen data by injecting the malicious script into payment forms.


RiskIQ further informed that the hackers used only 22 lines of code to get hold of the data (attached below).




The attack compromised British Airways’ own web server, making it a highly targeted attack aimed at this particular website and its mobile application.


“This skimmer is attuned to how British Airways’ payment page is set up, which tells us that the attackers carefully considered how to target this site in particular.” Yonathan Klijnsma, head researcher at RiskIQ said.






Magecart’s association with the attack was identified because the attack is web-based and targets credit card data. The attackers focused on the unique site structure and functionality of the British Airways website and exploited its security lapses. RiskIQ crawled the scripts on the British Airways site and traced how they changed over time. During the process, the researchers found a modified script on the compromised site.


The BA site was found to be loading a JavaScript library that, once modified, called an API on a malicious web server. That server was a virtual private server hosted by a provider in Lithuania, using a TLS certificate registered through Comodo (to appear legitimate) on August 15. The code was injected through the JavaScript library.


When a customer enters information on the website’s payment form and clicks “submit”, the 22 lines of code export the entered data to the malicious server as a JSON object.


The customer’s transaction is not disturbed and appears to take place over a secure session, while the attackers receive a full copy of the payment information. The attackers also added a “touchend” callback to the script, extending the attack to BA’s mobile app, which loaded the same modified script.
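RiskIQ found the skimmer by crawling the site’s scripts and tracing how they changed over time; the same visibility can be built in-house by hashing each script served on the payment page and diffing snapshots. The example below is added here and is not RiskIQ’s or British Airways’ code. The two snapshots and the first-party host allowlist are constructed; the “modified” snapshot is a benign stand-in that carries only the traits the article describes (a submit/touchend handler that serializes form data and contacts a third-party host), not the skimmer itself.

```python
"""Script-inventory diffing for a payment page.

Added example, not RiskIQ's or British Airways' code. Two constructed
snapshots of the scripts served on a payment page are compared: every script
is hashed, and a script is flagged if its content changed between crawls, if
it now references a host outside the first-party allowlist, or if a
submit/touchend handler serializing form data appeared in it."""
import hashlib
import re

ALLOWED_HOSTS = {"www.britishairways.com"}   # assumed first-party allowlist
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")
# The article's two traits: a handler on form submit (or touchend on mobile)
# and serialization of the form data as JSON.
HANDLER_RE = re.compile(r"addEventListener\(\s*['\"](submit|touchend)['\"]", re.I)


def fingerprint(content):
    """Hash plus the behavioural traits worth comparing across crawls."""
    hosts = set(URL_RE.findall(content))
    return {
        "sha256": hashlib.sha256(content.encode()).hexdigest(),
        "external_hosts": sorted(h for h in hosts if h not in ALLOWED_HOSTS),
        "form_exfil_pattern": bool(HANDLER_RE.search(content))
                              and "JSON.stringify" in content,
    }


def diff_snapshots(baseline, current):
    """Return (script path, finding) pairs for scripts that need a look."""
    findings = []
    for name, content in current.items():
        now = fingerprint(content)
        if name not in baseline:
            findings.append((name, "new script"))
            continue
        before = fingerprint(baseline[name])
        if before["sha256"] != now["sha256"]:
            findings.append((name, "content changed"))
        new_hosts = set(now["external_hosts"]) - set(before["external_hosts"])
        if new_hosts:
            findings.append((name, "new external host(s): %s" % sorted(new_hosts)))
        if now["form_exfil_pattern"] and not before["form_exfil_pattern"]:
            findings.append((name, "submit/touchend handler serializing form data appeared"))
    return findings


# Constructed snapshots: a clean crawl and a later one with one altered library.
BASELINE = {
    "/static/lib.js": "window.lib={ok:function(){return 1;}};",
    "/static/page.js": "document.title='Pay';",
}
CURRENT = {
    "/static/lib.js": ("window.lib={ok:function(){return 1;}};"
                       "var f=document.getElementById('pay');"
                       "f.addEventListener('submit',function(){var d=JSON.stringify({});"
                       "fetch('https://attacker.invalid/api');});"
                       "f.addEventListener('touchend',function(){});"),
    "/static/page.js": "document.title='Pay';",
}

if __name__ == "__main__":
    for path, finding in diff_snapshots(BASELINE, CURRENT):
        print(path, "-", finding)
```

In production the snapshots come from a scheduled crawl of the real payment page, and a pinned Subresource Integrity hash on each script tag turns the same comparison into a browser-side block.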






The British Airways website seems to have been operating without visibility into its Internet-facing web assets. Therefore, British Airways could not detect this compromise and data breach until it was too late.


With so many attack vectors and ever-increasing techniques of cyber-attacks, organizations should make sure that they have an intact cybersecurity implementation. With proper measures, visibility and regular penetration testing, such attacks can be nipped in the bud before they cause any damage.


Rewterz Threat Advisory – Microsoft Windows ‘SchRpcSetSecurity()’ Privilege Escalation Vulnerability

A vulnerability in the Microsoft Windows Task Scheduler can be exploited to gain elevated privileges.


PUBLISH DATE: 28-08-2018


Elevated SYSTEM privileges can be gained by exploiting an error in the Microsoft Windows task scheduler. The error occurs while handling the ALPC calls related to the “SchRpcSetSecurity()” function.



In the handling of ALPC calls, the Microsoft Windows task scheduler contains a vulnerability which can permit a local user to gain System privileges, without needing authentication.


The public exploit code works on 64-bit Windows 10 and Windows Server 2016 systems. The publicly available exploit source code can be modified to make it compatible with other systems.


_SchRpcSetSecurity, a part of the task scheduler ALPC endpoint, allows us to set an arbitrary DACL. It will set the security of a file in c:\windows\tasks. Even a Guest can write here without impersonating. Before the task scheduler writes the DACL, we can create a hard link to any file we have read access over. This will result in an arbitrary DACL write. This PoC will overwrite a printer-related DLL and use it as a hijacking vector. This is just one of the many options to abuse this.


The error in the Task Scheduler is that the API function SchRpcSetSecurity fails to check permissions, allowing even a guest to call it and set file permissions on anything. The vulnerability was discovered by SandboxEscaper and needs prior code execution to exploit.



Exploit currently only works on 64-bit OSes (likely Win 10 and Server 2016).
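Since no fix is available, one thing a defender can check for is the primitive the description above relies on: a hard link placed inside the Tasks folder. A hard link shows up as a file whose link count (st_nlink) is greater than one. The example below is added here and is not from the advisory or from SandboxEscaper; the audit function works on any directory, so it can be pointed at the real C:\Windows\Tasks on a Windows host, while the self-contained demo runs it against a temporary directory in which one hard link is created on purpose.

```python
"""Audit a directory for hard-linked entries (the Tasks-folder primitive).

Added example, not from the advisory or SandboxEscaper. Lists regular files
whose hard-link count is above one; on Windows point it at C:\\Windows\\Tasks.
The demo uses a temporary directory standing in for the Tasks folder."""
import os
import tempfile


def find_hard_links(directory):
    """Return sorted (name, link_count) pairs for files with more than one link."""
    out = []
    with os.scandir(directory) as entries:
        for entry in entries:
            if not entry.is_file(follow_symlinks=False):
                continue
            # os.lstat rather than entry.stat(): on Windows DirEntry.stat()
            # reports st_nlink as 0.
            nlink = os.lstat(entry.path).st_nlink
            if nlink > 1:
                out.append((entry.name, nlink))
    return sorted(out)


def demo():
    """Constructed layout: a Tasks folder with one ordinary file and one hard link
    to a file outside it, which is the shape the audit is meant to surface."""
    with tempfile.TemporaryDirectory() as tmp:
        tasks = os.path.join(tmp, "Tasks")            # stands in for C:\Windows\Tasks
        os.mkdir(tasks)
        target = os.path.join(tmp, "protected.dll")   # stands in for a protected file
        with open(target, "wb") as f:
            f.write(b"placeholder")
        with open(os.path.join(tasks, "normal.job"), "wb") as f:
            f.write(b"placeholder")
        os.link(target, os.path.join(tasks, "linked.job"))
        return find_hard_links(tasks)


if __name__ == "__main__":
    print(demo())
```

A non-empty result from the real Tasks folder is not proof of exploitation, but it is not an expected state either and warrants checking what the linked entry points at and who created it.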



There is currently no practical solution to address the vulnerability. Therefore, extra vigilance is required in monitoring a network user’s behavior. Network traffic analytics should be used to detect unusual behavior from traffic going across the network.

