Platform
Managed Security Services
Managed Penetration Testing
Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Resources
March 21, 2023Severity Medium Analysis Summary Rhadamanthys is a type of malware known as a stealer, which is designed to steal sensitive information from infected computers. It was […]March 21, 2023Severity High Analysis Summary The Mirai botnet is a type of malware that infects Internet of Things (IoT) devices, such as routers, security cameras, and other […]March 21, 2023Severity High Analysis Summary LockBit ransomware takes as little as five minutes to deploy the encryption routine on target systems once it lands on the victim […]Threat Insights
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
Connect with Us
Platform
Managed Security Services
Managed Penetration Testing
Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Resources
March 21, 2023Severity Medium Analysis Summary Rhadamanthys is a type of malware known as a stealer, which is designed to steal sensitive information from infected computers. It was […]March 21, 2023Severity High Analysis Summary The Mirai botnet is a type of malware that infects Internet of Things (IoT) devices, such as routers, security cameras, and other […]March 21, 2023Severity High Analysis Summary LockBit ransomware takes as little as five minutes to deploy the encryption routine on target systems once it lands on the victim […]Threat Insights
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
Connect with Us
Rewterz Threat Alert – Active Phishing Targeting Microsoft
December 28, 2020Rewterz Threat Alert – Fresh Emotet IoCs
December 29, 2020
Severity
High
Analysis Summary
A new strand of malware uses Word files with macros to download a PowerShell script from GitHub. This PowerShell script further downloads a legitimate image file from image hosting service Imgur to decode a Cobalt Strike script on Windows systems. Multiple researchers have potentially linked this strain to the APT group MuddyWater (aka SeedWorm) that mainly targets Middle Eastern entities. This new macro-based malware that is evasive and spawns payload in multifaceted steps, looks a lot like MuddyWater and ships as an embedded macro within a legacy Microsoft Word (*.doc) file. The macro embedded in the word document leads to a PowerShell script from GitHub that fetches an image file from Imgur. Using Steganography, tools like Invoke-PSImage encode a PowerShell script within the pixels of a PNG file and generate a one-line command to execute the payload. The payload calculation algorithm runs a foreach loop to iterate over a set of pixel values within the PNG image and performs specific arithmetic operations to obtain functional ASCII commands. The decoded script obtained from manipulating the PNG’s pixel values is a Cobalt Strike script. It is used to deploy “beacons” on compromised devices to remotely create shells, execute PowerShell scripts, perform privilege escalation, or spawn a new session to create a listener on the victim system. The payload, however, indeed contacts the command-and-control (C2) server via a WinINet module to receive further instructions.
Impact
- Remote Code Execution
- Privilege Escalation
- Unauthorized Access
- Data Exfiltration
Indicators of Compromise
Domain Name
- Mazzion1234-44451[.]portmap[.]host
MD5
- 97b5ca432a34b919a59fe8bc8e213fc3
- a9506c371418969ea5084b00db54573b
SHA-256
- d1c7a7511bd09b53c651f8ccc43e9c36ba80265ba11164f88d6863f0832d8f81
- ed93ce9f84dbea3c070b8e03b82b95eb0944c44c6444d967820a890e8218b866
SHA1
- 6774f7b5e533a4158b2b2375cf06fbc95e434526
- 1fb678ab15f3c311d7189d4c80bc7c91bc360e49
Remediation
- Block the threat indicators at their respective controls.
- Do not download files attached in untrusted emails or from random sources on the internet.