Platform
Managed Security Services
Managed Penetration Testing
Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Resources
March 22, 2023Severity Medium Analysis Summary Mekotio is a banking trojan that targets users in Latin America and Europe. It is primarily distributed via phishing emails and infected […]March 22, 2023Analysis Summary Overview – 23rd Mar – A Big Day – As we approach the 23rd of March, Pakistan Day, organizations and individuals should be aware […]March 22, 2023Severity High Analysis Summary CVE-2023-28684 CVSS:7.1 Jenkins remote-jobs-view-plugin Plugin could allow a remote authenticated attacker to obtain sensitive information, caused by improper handling of XML external […]Threat Insights
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
Connect with Us
Platform
Managed Security Services
Managed Penetration Testing
Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Resources
March 22, 2023Severity Medium Analysis Summary Mekotio is a banking trojan that targets users in Latin America and Europe. It is primarily distributed via phishing emails and infected […]March 22, 2023Analysis Summary Overview – 23rd Mar – A Big Day – As we approach the 23rd of March, Pakistan Day, organizations and individuals should be aware […]March 22, 2023Severity High Analysis Summary CVE-2023-28684 CVSS:7.1 Jenkins remote-jobs-view-plugin Plugin could allow a remote authenticated attacker to obtain sensitive information, caused by improper handling of XML external […]Threat Insights
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
Connect with Us
Rewterz Threat Advisory – PHP Denial of Service vulnerability
January 8, 2019Self-concealing Digital Steganography is on the rise
January 9, 2019
SEVERITY: High
CATEGORY: Data breach
ANALYSIS SUMMARY
GrandCrab ransomware and vidar stealer are here to attack Windows-based servers and PCs. The combo operates through a malvertising chain. Their advertising is often aggressive and poorly regulated. A malicious actor using a rogue advertising domain redirects site visitors to different fallout kits according to their geolocation, in which vidar is the most actively noted, which extracts confidential information before eventually being compromised with GrandCrab ransomware.
VIDAR
It should be noted that Vidar is sold as a product, and as such can be distributed by several different threat groups through different campaigns.
Vidar customers can customize the stealer via profiles, which gives them a way to adjust which kind of data they are interested in. Beyond the usual credit card numbers and other passwords stored in applications, Vidar can also scrape an impressive selection of digital wallets.
Upon execution on the system, Vidar will search for any data specified in its profile configuration and immediately send it back to the C2 server via an unencrypted HTTP POST request.
This includes high level system details (specs, running processes, and installed applications) and stats about the victim (IP address, country, city, and ISP) stored in a file called information[.]txt. This file is packaged along with other stolen data and zipped before being sent back to the C2 server.
GRANDCRAB
Vidar also offers to download additional malware via its command and control server. This is known as the loader feature, and again, it can be configured within Vidar’s administration panel by adding a direct URL to the payload. However, not all instances of Vidar (tied to a profile ID) will download an additional payload. In that case, the server will send back a response of “ok” instead of a URL.
Within about a minute after the initial Vidar infection, the victim’s files will be encrypted and their wallpaper will be hijacked to display the ransom note for GrandCrab version 5.04.
Once the files are encrypted, the victim is asked for a ransom payment in order to get their files decoded.
IMPACT
- Leaking of confidential, financial and personal information.
- Extortion to recover encrypted data.
INDICATORS OF COMPROMISE
URLS
- ovz1.fl1nt1kk.10301.vps.myjino[.]ru/topup.exe
- kolobkoproms[.]ug
MALWARE HASHES
- E99DAF10E6CB98E93F82DBE344E6D6B483B9073E80B128C163034F68DE63BE33
- ABF3FDB17799F468E850D823F845647738B6674451383156473F1742FFBD61EC
REMEDIATION
Never trust and never click on:
- The emails you weren’t expecting, especially those coming from unfamiliar senders.
- All the pop-ups on your screen even if they look harmless.
- The ads found on Internet while browsing, like banners and others.