Platform
Managed Security Services
Managed Penetration Testing
Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Resources
March 19, 2023Severity Medium Analysis Summary CVE-2022-42436 IBM MQ Managed File Transfer could allow a local user to obtain sensitive information from diagnostic files. Impact Indicators Of Compromise […]March 19, 2023Severity Medium Analysis Summary CVE-2023-0027 Rockwell Automation Modbus TCP AOI Server could allow a remote attacker to obtain sensitive information. By sending a malformed message, an […]March 17, 2023Severity High Analysis Summary CVE-2023-27984 CVSS:7.8 Schneider Electric IGSS could allow a remote attacker to execute arbitrary code on the system, caused by improper input validation […]Threat Insights
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
Connect with Us
Platform
Managed Security Services
Managed Penetration Testing
Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Resources
March 19, 2023Severity Medium Analysis Summary CVE-2022-42436 IBM MQ Managed File Transfer could allow a local user to obtain sensitive information from diagnostic files. Impact Indicators Of Compromise […]March 19, 2023Severity Medium Analysis Summary CVE-2023-0027 Rockwell Automation Modbus TCP AOI Server could allow a remote attacker to obtain sensitive information. By sending a malformed message, an […]March 17, 2023Severity High Analysis Summary CVE-2023-27984 CVSS:7.8 Schneider Electric IGSS could allow a remote attacker to execute arbitrary code on the system, caused by improper input validation […]Threat Insights
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
Connect with Us
Rewterz Threat Alert – Message Hoaxing emerges in Pakistan via ScareWare Messages
December 31, 2018Rewterz Threat Advisory – Adobe Flash Player Zero-Day vulnerability CVE-2018-15982 exploited in APT Attacks
January 4, 2019
SEVERITY: Medium
CATEGORY: Cyber Crime
ANALYSIS SUMMARY
A compromised email account belonging to an employee of the financial sector was used to target another financial organization in Russia. The email contained a malicious Word document, which executed Javascript to drop a Meterpreter payload. The tactical methodology of this email campaign resembles with another campaign called MoneyTaker that emerged in October 2018. Both campaigns target Russian financial organizations and use similar techniques, thereby hinting at a common origin. The email account and the email template used in this campaign belongs to Alfa Capital of Russia.
The word document contained in the email was an Office Open XML document, containing an OLE object and JavaScript containing binary data. The JavaScript is hidden behind a PDF icon in the document. As the target clicks the PDF, they receive a prompt to run the file.
The Meterpreter payload is downloaded using a HTTP POST request to 185[.]117[.]75[.]73. The SSL certificate for https://185[.]117[.]75[.]73 was issued for the domain cbrrf[.]tech which happens to be the domain for the C&C server used in the October campaign.
Peculiar as it is, the SSL certificate presented by 185[.]117[.]75[.]73 was changed in later December to a certificate for files[.]migcredit[.]host, generated via Let’s Encrypt. The domain migcredit[.]host was earlier used in the October campaign and a fresh SSL certificate suggests that it is likely to resurface in upcoming campaigns. The indicators of compromise were retrieved in the concluding week of 2018.
Indicators of Compromise
IP(s) / Hostname(s)
185[.]117[.]75[.]73
URLs
- https://185[.]117[.]75[.]73:443/LGdbmOghX_gtGSwbcQqdUAmyKLQqZKm2G6YD___QRkiZ4C9LEg6xq73ClIrpAe3OgmJxI XUe6YOVnM0VfwI7a5lLVChCdNvFZR/
- cbrrf[.]tech
- migcredit[.]host
- https://185[.]117[.]75[.]73:443/9BTDDrzQPUxjU2JSP0DQUgWrp3ssj79u9A4-85X7JJ9xCVTvfHdMD6WpfeZOJ_pOoG/
Malware Hash
- 7cae71083d2a48217c1e6daa2ecf23656d25f8e1
- 8a1be90d944b8f6b7f15eb2e67efb876a45b8ead0a496fd44a3f2daf4e65cab4
- 8958c87cf0d37660b18b050328b1d169
- 34ed9f1979a3fcf1ff166ea89073a4684c576bec
- f7d0cca48627a11bfcc3a6845cac09ec8f687a94ba75cf0fa4db042f33607993
- b26e04c40e740117c70f1fe5821650ce
- fd7d781dc27be4224c3d40abc721e28d39bfb6b7
- 071c29fcef473feae536136756c66426f635ee957b50724ee0bffa106f18fdd3
- a7cb468f17aae8b2f5bc6e0ca15e4285
- 95b03cc29cfacf86772dfedd867dfb330ef6086e
- 1e4b3f2118368f4e9aa6c87288b144e07fb1fcc63903f33d98018c6862fe3608
- febca0710ba10a58672674cf7bd5cacc
- 55df0445859df73251602144279af233c1cbcef3
- 8b1d88dec146a22d2efb6460d91ce012b00679c05a4cdcee5d1256cc81900b2e
- af300509f4190b2a6598333690076e01
Remediation
It is suggested to block the Indicators of Compromise at their respective controls. As more and more sophisticated email spam campaigns are emerging, employee training must be ensured so that they don’t fall victim to such phishing attacks.