Platform
Managed Security Services
Managed Penetration Testing
Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Resources
September 22, 2023
Severity High Analysis Summary Ducktail Malware is a malicious program designed by hackers to infiltrate computers and networks globally. Ducktail malware is typically delivered through a […]September 22, 2023Severity Medium Analysis Summary First discovered in 2016, Revenge RAT is a remote access trojan (RAT) designed to give an attacker complete control over an infected […]September 22, 2023Severity High Analysis Summary The Konni APT (Advanced Persistent Threat) group is a cyber espionage group that has been active since at least 2014. It is […]Threat Insights
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
Connect with Us
Platform
Managed Security Services
Managed Penetration Testing
Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Resources
September 22, 2023Severity High Analysis Summary Ducktail Malware is a malicious program designed by hackers to infiltrate computers and networks globally. Ducktail malware is typically delivered through a […]September 22, 2023Severity Medium Analysis Summary First discovered in 2016, Revenge RAT is a remote access trojan (RAT) designed to give an attacker complete control over an infected […]September 22, 2023Severity High Analysis Summary The Konni APT (Advanced Persistent Threat) group is a cyber espionage group that has been active since at least 2014. It is […]Threat Insights
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
Connect with Us
Rewterz Threat Advisory – CVE-2020-9746 – Adobe Flash Player Code Execution Vulnerability
October 14, 2020Rewterz Threat Alert – Latest Agent Tesla IOCs
October 15, 2020
Severity
High
Analysis Summary
A new Golang-written RAT is found targeting devices by using the CVE-2019-2725 (Oracle WebLogic RCE) vulnerability identified last year. Unlike other bots that have exploited this vulnerability, it doesn’t try to install a cryptominer or deploy other malware. This vulnerability was reported to have been a top exploited vulnerability in the wild.
CVE-2019-2725
A deserialization vulnerability in Oracle WebLogic Server. This remote code execution vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. Cyber criminals have exploited this to deliver the Sodinokibi and Satan ransomware as well as to install Monero Cryptomining malware. It’s a new malware still in development, and it could go in any direction. The infection payload uses the CVE, giving the attacker access. This particular version was designed to work on Linux and on x86 architecture, but the fact that the RAT is developed in Golang lets the attacker easily compile versions for other operating systems and architectures. The campaign involves downloading the RAT, initializing it and making sure it stays operational. After the infection, the RAT monitors for version changes by interrogating a URL of on the hosting server (`l/sodd/ver‘). The RAT connects to the C2, sending a check-in message containing fingerprinting information for the system, then listens for commands. The data sent back to the operators includes the hardware of the devices, the OS and the IP. Communication with the C2 is encrypted using a simple XOR cipher with key 0x86.
Impact
- Unauthorized Remote Access
- Data Exfiltration
Indicators of Compromise
Hostname
- log[.]conf1g[.]com
- box[.]conf1g[.]com
MD5
- 48f0de466c907cfb202f006bb0ff0d0b
- e5cc6c2f8cda8356b93a3b96e9ea833e
- d7c4c5756a27a301f0da2ef3b5814420
- 69fbdbabb32747158b215089485dd2a2
SHA-256
- 371ce879928eb3f35f77bcb8841e90c5e0257638b67989dc3d025823389b3f79
- 59fa110c24920aacbf668baacadce7154265c2a3dca01d968f21b568bda2130b
- f12f6354e562a85127c69f4948a0324c43fda5fc3699dc703cc5bb1afc05f947
- e0d1a482b4df92def48cf714584fa417ce914b50ee28cc595bbf89bad76429d1
SHA1
- fc594723788c545fae34031ab6abe1e0a727add4
- add4db43896f65d096631bd68aa0d1889a5ff012
- 5b2275e439f1ffe5d321f0275711a7480ec2ac90
- e457b6f24ea5d3f2b5242074f806ecffad9ab207
Source IP
- 185[.]234[.]218[.]247
- 185[.]128[.]41[.]90
URL
- http[:]//box[.]conf1g[.]com/l/sodd/Security[.]Guard
- http[:]//box[.]conf1g[.]com/l/sodd/ver
- http[:]//log[.]conf1g[.]com[:]53
- http[:]//box[.]conf1g[.]com/l/sodd/Security[.]Script
Remediation
- Block the threat indicators at their respective controls.
- Immediately patch all unpatched products affected by this vulnerability.
- Keep all systems and software updated to latest patched versions.