Platform
Managed Security Services
Managed Penetration Testing
Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Resources
May 25, 2023
Severity High Analysis Summary The STOP/DJVU ransomware initially made headlines in 2018 and has since been attacking individuals all around the world. It’s widespread on torrent […]May 24, 2023Severity Medium Analysis Summary CVE-2023-30440 IBM PowerVM Hypervisor could allow a local attacker with control a partition that has been assigned SRIOV virtual function (VF) to […]May 24, 2023Severity High Analysis Summary CVE-2023-33246 Apache RocketMQ could allow a remote attacker to execute arbitrary commands on the system, caused by a flaw when using the […]Threat Insights
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
Connect with Us
Platform
Managed Security Services
Managed Penetration Testing
Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Resources
May 25, 2023Severity High Analysis Summary The STOP/DJVU ransomware initially made headlines in 2018 and has since been attacking individuals all around the world. It’s widespread on torrent […]May 24, 2023Severity Medium Analysis Summary CVE-2023-30440 IBM PowerVM Hypervisor could allow a local attacker with control a partition that has been assigned SRIOV virtual function (VF) to […]May 24, 2023Severity High Analysis Summary CVE-2023-33246 Apache RocketMQ could allow a remote attacker to execute arbitrary commands on the system, caused by a flaw when using the […]Threat Insights
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
Connect with Us
Rewterz Threat Alert – Donot APT Group Targeting Pakistani Government – Active IOCs
February 21, 2022Rewterz Threat Alert – Remcos RAT – Active IOCs
February 21, 2022
Severity
High
Analysis Summary
Researchers have identified recent Mustang Panda activity that involves the use of DLL side-loading to deliver PlugX. The initial infection vector is an executable downloaded from a remote URL. The executable is responsible for installing the malware by dropping the required files (a DLL loader, a legitimate binary, and the PlugX payload) onto the system. The legitimate binary is the Adobe CEF Helper and is vulnerable to DLL side-loading. When the installer runs the legitimate binary, the dropped DLL is loaded. This DLL is the loader for the final payload. First, it reads a hardcoded .dat file that contains the XOR key for decrypting the final payload, then it performs the decryption and loads the malware into memory. Once running in memory, the PlugX payload is able to decrypt its configuration data, which includes its installation location, the XOR key for C2 communication, and any C2 addresses and ports
Impact
- Information Theft
- Exposure of Sensitive Data
Indicators of Compromise
Filename
- McUtil[.]dll
MD5
- b921f1f433015d3780e9c13ab245f2eb
- ffa5f4b6b580d53bc311d6e5bace3110
SHA-256
- 6e6bfcbc22644d060670718dea2c5a7d860edc55cf8bd6100e277e53a8b0fc92
- 9857e40be1fb5b9b6db93dc03f96f6b3ff0ffab85af7944dddcac0e37775ab02
SHA-1
- cbc30251bb9392dc0c47b2b1084273c0aa58a0dc
- d599ca575b995d8de971aed8a64762225bde386d
Remediation
- Always be suspicious about emails sent by unknown senders.
- Never click on links/attachments sent by unknown senders.
- Block all threat indicators at your respective controls.
- Search for IOCs in your environment.