Platform
Managed Security Services
Managed Penetration Testing
Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Resources
August 25, 2023
Severity High Analysis Summary In a notable case, an 18-year-old member of the Lapsus$ data extortion group, Arion Kurtaj, has been convicted by a London jury […]August 25, 2023
Severity High Analysis Summary The North Korea-linked threat actor known as Lazarus Group has recently been observed exploiting a critical security vulnerability in Zoho ManageEngine ServiceDesk […]August 25, 2023
Severity High Analysis Summary REvil/Sodinokibi, also known as Sodin, is a sophisticated ransomware discovered in April 2019. This elusive malware encrypts files and cleverly erases its […]Threat Insights
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
Connect with Us
Platform
Managed Security Services
Managed Penetration Testing
Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Resources
August 25, 2023
Severity High Analysis Summary In a notable case, an 18-year-old member of the Lapsus$ data extortion group, Arion Kurtaj, has been convicted by a London jury […]August 25, 2023
Severity High Analysis Summary The North Korea-linked threat actor known as Lazarus Group has recently been observed exploiting a critical security vulnerability in Zoho ManageEngine ServiceDesk […]August 25, 2023
Severity High Analysis Summary REvil/Sodinokibi, also known as Sodin, is a sophisticated ransomware discovered in April 2019. This elusive malware encrypts files and cleverly erases its […]Threat Insights
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
Connect with Us
Rewterz Threat Alert – InfoStealers Weaponizing COVID-19
May 14, 2020
Rewterz Threat Alert – AgentTesla Malware – IOCs
May 14, 2020
Severity
High
Analysis Summary
Hangover threat group’s use of the BackConfig malware in attacks against government and military organizations in South Asia. In almost all cases, the initial malware was hosted on a compromised site and a link was sent to targets in spear phishing emails. Besides the usage of an RTF document in a couple instances, a macro-enabled XLS document was the main format of the initial file. The decoy content in the document uses a theme relevant to the target, such as housing program registration forms in the country of interest. The macros then proceed to perform the tasks needed to ultimately infect the system with the BackConfig malware. The specific steps taken to do this have evolved over the years. The most recent version uses a combination of text files and batch scripts dropped by the macro to ultimately download the BackConfig payload from a remote URL. Persistence is also established by the macro code via scheduled tasks. Once on the system, BackConfig’s modular architecture can be used to perform a variety of tasks, such as gathering system information, keylogging, and downloading additional payloads.
Impact
- Information theft
- Exposure of sensitive data
Indicators of Compromise
SHA-256
- 56349cf3188a36429c207d425dd92d8d57553b1f43648914b44965de2bd63dd6
- 8892279f3d87bcd44d8f9ac1af7e6da0cfc7cf1731b531056e24e98510bea83c
- 021b030981a6db1ec90ccbd6d20ee66b554b7d8c611476e63426a9288d5ce68b
- be3f12bcc467808c8cc30a784765df1b3abe3e7a426fda594edbc7191bbda461
- 0aa5cf1025be21b18ab12d8f8d61a6fa499b3bbcdbdced27db82209b81821caf
- ed638b5f33d8cee8f99d87aa51858a0a064ca2e6d59c6acfdf28d4014d145acb
- 752c173555edb49a2e1f18141859f22e39155f33f78ea70a3fbe9e2599af3d3f
- 4BAFBF6000A003EB03F31023945A101813654D26B7F3E402D1F51B7608B93BCB
- C94f7733fc9bdbcb503efd000e5aef66d494291ae40fc516bb040b0d1d8b46c9
- 6a35d4158a5cb8e764777ba05c3d7d8a93a3865b24550bfb2eb8756c11b57be3
- 750fc47d8aa8c9ae7955291b9736e8292f02aaaa4f8118015e6927f78297f580
- 5292f4b4f38d41942016cf4b154b1ec65bb33dbc193a7e222270d4eea3578295
- f64dbcd8b75efe7f4fa0c2881f0d62982773f33dcfd77cccb4afc64021af2d9e
- 98d27e830099c82b9807f19dcef1a25d7fce2c79a048d169a710b272e3f62f6e
- 29c5dd19b577162fe76a623d9a6dc558cfbd6cddca64ed53e870fe4b66b44096
- abe82ffb8a8576dca8560799a082013a7830404bb235cb29482bc5038145b003
- 02c306bb120148791418136dcea8eb93f8e97fb51b6657fd9468c73fb5ea786c
Remediation
- Block all threat indicators at your respective controls.
- Always be suspicious about emails sent by unknown senders.
- Never click on the links/attachments sent by unknown senders.