Platform
Managed Security Services
Managed Penetration Testing
Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Resources
March 22, 2023Severity Medium Analysis Summary Mekotio is a banking trojan that targets users in Latin America and Europe. It is primarily distributed via phishing emails and infected […]March 22, 2023Analysis Summary Overview – 23rd Mar – A Big Day – As we approach the 23rd of March, Pakistan Day, organizations and individuals should be aware […]March 22, 2023Severity High Analysis Summary CVE-2023-28684 CVSS:7.1 Jenkins remote-jobs-view-plugin Plugin could allow a remote authenticated attacker to obtain sensitive information, caused by improper handling of XML external […]Threat Insights
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
Connect with Us
Platform
Managed Security Services
Managed Penetration Testing
Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Resources
March 22, 2023Severity Medium Analysis Summary Mekotio is a banking trojan that targets users in Latin America and Europe. It is primarily distributed via phishing emails and infected […]March 22, 2023Analysis Summary Overview – 23rd Mar – A Big Day – As we approach the 23rd of March, Pakistan Day, organizations and individuals should be aware […]March 22, 2023Severity High Analysis Summary CVE-2023-28684 CVSS:7.1 Jenkins remote-jobs-view-plugin Plugin could allow a remote authenticated attacker to obtain sensitive information, caused by improper handling of XML external […]Threat Insights
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
Connect with Us
Rewterz Threat Advisory – Malicious Callers Spoofing Bank Numbers
June 23, 2018
Gear up for WannaCry 2.0
June 25, 2018
This is an advisory on a recent malware strain which lures users into enabling macros. This will execute a Visual Basic script running a PowerShell code.
IMPACT: CRITICAL
PUBLISH DATE: 24-06-2018
OVERVIEW
AlienVault has discovered a new Malware strain called GZipDe used to drop backdoors. In this multistage attack, a Word document gets users to enable macros which execute Visual Basic scripts running some PowerShell code. This will download a PE32 executable which will later drop the actual Malware GZipDe.
BACKGROUND INFORMATION
A user from Afghanistan embedded the malware in a word file and uploaded it on VirusTotal, which is believed to be a part of a cyber espionage. The malware GZipDe is encoded in .NET and uses a customized coding method to blur the process memory and escape antivirus detection.
The document uses text from an article about the Shanghai Cooperation Organization Summit, a conference from last month about Eurasian political, economic and security topics.
EXECUTIVE SUMMARY
The infection process comprises of multiple layers using Metasploit module. The Metasploit is a framework that security researchers use for conducting penetration tests to detect vulnerabilities. It was modified into a backdoor which gathers information from the system and forwards it to the attacker via C&C server and receives further instruction.
This is not the first time that Metasploit is used for cyber-attacks. Hackers now tend to use ready-made tools like Metasploit rather than custom-designing tools for every attack.
The custom-encryption of GZipDe enables it to escape the anti-virus detection as it is coded in .NET and confuses the process memory. Once activated, GZipDe downloads another potent threat from a remote server.
It drops a Metasploit based backdoor in the system to execute further malicious commands.
This shell code loads the entire DLL into memory, hence operating successfully without writing anything on the disk. Having reached this point, the attacker gains the ability to drop further payloads to acquire elevated privileges and move within the local network. The hacker can steal information which was available to privileged employees only.
WORK FLOW
IMPACT ANALYSIS
GZipDe Malware contains an encrypted payload which consists of a Base64 string compressed as a ZIP that is customencrypted with a symmetric key algorithm. The shell code present in the payload contacts the command & control server to grab the Metasploit payload. The Metasploit payload containing the shell code bypasses the Anti-virus detection and creates a backdoor using Meterpreter payload.
Once the backdoor is opened, it starts to steal sensitive information from the system and forwards it to the attacker via C&C server.
RESOLVE
The following Indicators of Compromise should be blocked at Proxy and Edge Firewall.
Indicators of Compromise (IOCs):
URLs:
- hxxp://118[.]193[.]251[.]137/dropbox/?p=BT67HU78HZ
- hxxp://118[.]193[.]251[.]137/dropbox/filesfhjdfkjsjdkfjsdkfjsdfjksdfjsdkfasdfjnadsfjnasdnj/utorrent[.]exe
IPs:
- 118[.]193[.]251[.]137
- 175[.]194[.]42[.]8
If you think you are a victim of a cyber-security attack. Immediately send an email to info@rewterz.com for a rapid response.