Platform
Managed Security Services
Managed Penetration Testing
Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Resources
September 14, 2023
Severity High Analysis Summary Kimsuky is a North Korean advanced persistent threat (APT) group, also known as “Black Banshee”. The group has been active since at […]September 14, 2023Severity High Analysis Summary CVE-2023-4213 CVSS:8.8 Simplr Registration Form Plus+ plugin for WordPress could allow a remote authenticated attacker to bypass security restrictions, caused by an […]September 14, 2023Severity High Analysis Summary CVE-2023-41032 CVSS:7.8 Siemens Parasolid could allow a remote attacker to execute arbitrary code on the system, caused by an out of bounds […]Threat Insights
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
Connect with Us
Platform
Managed Security Services
Managed Penetration Testing
Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Resources
September 14, 2023Severity High Analysis Summary Kimsuky is a North Korean advanced persistent threat (APT) group, also known as “Black Banshee”. The group has been active since at […]September 14, 2023Severity High Analysis Summary CVE-2023-4213 CVSS:8.8 Simplr Registration Form Plus+ plugin for WordPress could allow a remote authenticated attacker to bypass security restrictions, caused by an […]September 14, 2023Severity High Analysis Summary CVE-2023-41032 CVSS:7.8 Siemens Parasolid could allow a remote attacker to execute arbitrary code on the system, caused by an out of bounds […]Threat Insights
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
Connect with Us
Rewterz Threat Alert – Malware Leveraging XMRig Miner
October 26, 2020Rewterz Threat Alert – New RAT Malware Gets Commands via Discord
October 26, 2020
Severity
Medium
Analysis Summary
A campaign is discovered that uses shipping-themed emails to deliver the Agent Tesla malware. The email contains shipping information usually found on a bill of lading and contains specific information such as the captain’s name, type of vessel, and other particulars. Victims are encouraged to download the attachment, in this case a .CAB file, and give the file a certain naming scheme. The actor uses an imposter email address to add credibility to the email; additionally, the actor also uses actual ship names in the email. The area reported as the destination matches the actual area of shipment for that particular ship. The attachments are usually between 500k and 1.5m in size and could either have zero detections in VirusTotal or more than 50 depending on the attachment. There have been several hundred different samples obtained. Stolen data is exfiltrated via HTTPS or SMTPS (using port 587). It is also revealed that the email addresses used for exfiltration are often legitimate email addresses within the shipping companies mentioned, indicating success in obtaining credentials for compromised email accounts. Agent Tesla exfiltrates stolen data via HTTPS, and more commonly, over email (SMTPS, tcp/587). While the former (HTTPS) destinations tend to be rather random, the latter (email) destinations are often hosted on email domains that also belong to shipping companies. This indicates that the campaign is likely successful to some extent, and over the months in fact has managed to steal valid email credentials (and probably more than that) from firms in the shipping and logistics sector.
Impact
- Credential Theft
- Data Exfiltration
- Information Disclosure
Indicators of Compromise
Domain Name
- smtp[.]hyshippingcn[.]com
- smtp[.]t7global-my[.]com
MD5
- 15f65230fb7dafdad1ca727fa7a3dd5bb132fe51
- f00fadbb5208ce7cdfe655c99c3d0cd4e13b688b
- e0be943cd75bbab62768510aaa1547a90ee41ab0
SHA-256
- e54a6b286a3f878d2141127a361b210de1f80733f13a7c146729740315cace60
- 3f9740d946f6881e2b2dfb54d2fe1a39bc7e0d6263d0ff0b0f792fd6c1297ab1
- b557b1f52acc68c6be8a10a51e68a3afc2880bac970421a572faefb4b589c5e1
SHA1
- 15f65230fb7dafdad1ca727fa7a3dd5bb132fe51
- f00fadbb5208ce7cdfe655c99c3d0cd4e13b688b
- e0be943cd75bbab62768510aaa1547a90ee41ab0
Remediation
- Block the threat indicators at their respective controls.
- Do not download files from unexpected emails even if the sender looks legitimate.