Platform
Managed Security Services
Managed Penetration Testing
Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Resources
March 22, 2023Severity Medium Analysis Summary Mekotio is a banking trojan that targets users in Latin America and Europe. It is primarily distributed via phishing emails and infected […]March 22, 2023Analysis Summary Overview – 23rd Mar – A Big Day – As we approach the 23rd of March, Pakistan Day, organizations and individuals should be aware […]March 22, 2023Severity High Analysis Summary CVE-2023-28684 CVSS:7.1 Jenkins remote-jobs-view-plugin Plugin could allow a remote authenticated attacker to obtain sensitive information, caused by improper handling of XML external […]Threat Insights
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
Connect with Us
Platform
Managed Security Services
Managed Penetration Testing
Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Resources
March 22, 2023Severity Medium Analysis Summary Mekotio is a banking trojan that targets users in Latin America and Europe. It is primarily distributed via phishing emails and infected […]March 22, 2023Analysis Summary Overview – 23rd Mar – A Big Day – As we approach the 23rd of March, Pakistan Day, organizations and individuals should be aware […]March 22, 2023Severity High Analysis Summary CVE-2023-28684 CVSS:7.1 Jenkins remote-jobs-view-plugin Plugin could allow a remote authenticated attacker to obtain sensitive information, caused by improper handling of XML external […]Threat Insights
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
Connect with Us
Rewterz Threat ADVISORY – CVE-2018-19406 & CVE-2018-19407 – Linux Kernel Denial of Service vulnerabilities
November 27, 2018Rewterz Threat Advisory – CVE-2018-15442 – Cisco WebEx Meetings Elevation of Privilege Vulnerability
November 28, 2018
A list of malicious domains and IPs is given below. The contents were observed carrying out malicious activities during November 16-22, 2018.
IMPACT: VARIABLE
PUBLISH DATE: 27-11-2018
OVERVIEW
Listed below are some malicious IPs and domains that are suspected to be involved in malicious activities ranging from social engineering to dropping malware and payloads.
IMPACT ANALYSIS
The malicious activities associated with these threat indicators include the following known trojans and malware:
Empire is a pure PowerShell post-exploitation agent that implements the ability to run PowerShell agents without needing powershell.exe and contains rapidly deployable post-exploitation modules that evade network detection.
Emotet
Emotet is a banking trojan malware program which obtains financial information by injecting computer code into the networking stack of an infected computer, allowing sensitive data to be stolen.
Banload
BANLOAD malware variants arrive on the systems as files dropped by other malware or as files downloaded unknowingly by users when visiting malicious sites.
Ursnif
Ursnif is a data stealing malware with variants like Backdoors, spyware and file infectors.
Trickbot
TrickBot has become one of the most versatile threats of 2018. It’s distributed through separate distinct malicious spam (malspam) campaigns.
Arkei
Arkei is a malware strain specialized in dumping and stealing passwords and wallet private keys.
TinyNuke
Tinynuke, or Nukebot malware, is a trojan able to perform man in the browser attacks against modern web browsers. It’s promoted through social networking and advertisements that contain links to malicious software installers.
Alureon
Alureon is a trojan and bootkit created to steal data by intercepting a system’s network traffic and searching for: banking usernames and passwords, credit card data, Paypal information, social security numbers, and other sensitive user data.
Trojan Downloader
A Trojan Downloader is a malicious program typically installed through an exploit sent through malicious attachments. It allows the download to install malware onto a victim’s computer.
MalDoc
There are powerful malicious document (maldoc) generation techniques that are effective at bypassing anti-virus detection. Analyzing such files in a sandbox will often not reveal the malicious payload, as the sandbox engine needs to recognize and open the embedded file.
GrandCrab
Based on a ransomware-as-a-service model, GrandCrab is a ransomware that mines cryptocurrencies and shares profits between malware developers and cybercriminals.
THREAT INDICATORS
IP Addresses
- 248.56[.]131
- 120.97[.]51
- 223.109[.]139
- 243.111[.]170
- 143.57[.]109
- 184.13[.]216
- 213.21[.]254
- 58.165[.]119
- 0.186[.]35
- 201.103[.]16
- 32.33[.]194
- 201.103[.]26
- 207.113[.]106
- 247.181[.]125
Domains
- dayterria[.]com
- cjwefrfomatt[.]com
- onetwoabc[.]ws
- kerondown[.]com
- azzoodijdhgdr[.]com
- ogdotighth[.]com
- bellsyscdn[.]com
- lootototic[.]com
- wassedfast[.]com
- bizziniinfissi[.]com
RECOMMENDATIONS
- Consider blocking and alerting on these IP addresses and domains as this reduces the risk of security incidents.
- Review previously blocked IPs and domains and consider unblocking them, for the ones that have not been included in the fresh report and may not be malicious anymore.
- Note that some of the IP addresses may belong to legitimate organizations.
- If any traffic is found on either of the Malware Data tabs, then check the source host for signs of infection and report to us.
(An IP address can be associated with multiple domain names for those belonging to a hosting company, and a domain name can be associated with multiple IP addresses that utilize fast flux DNS or cloud hosting.)
If you think you’re a victim of a cyber-attack, immediately send an email to soc@rewterz.com for a quick response.