Platform
Managed Security Services
Managed Penetration Testing
Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Resources
September 18, 2023
Severity Medium Analysis Summary Lumma is an information stealer that is sold as a Malware-as-a-Service (MaaS) on Russian-speaking underground forums and Telegram. Lumma is an information […]September 18, 2023Severity Medium Analysis Summary CVE-2023-4948 CVSS:4.3 WooCommerce CVR Payment Gateway Plugin for WordPress could allow a remote attacker to bypass security restrictions, caused by missing capability […]September 18, 2023Severity High Analysis Summary Microsoft has stated that a ransomware group working with an initial access broker has recently started using Microsoft Teams for their phishing […]Threat Insights
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
Connect with Us
Platform
Managed Security Services
Managed Penetration Testing
Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Resources
September 18, 2023Severity Medium Analysis Summary Lumma is an information stealer that is sold as a Malware-as-a-Service (MaaS) on Russian-speaking underground forums and Telegram. Lumma is an information […]September 18, 2023Severity Medium Analysis Summary CVE-2023-4948 CVSS:4.3 WooCommerce CVR Payment Gateway Plugin for WordPress could allow a remote attacker to bypass security restrictions, caused by missing capability […]September 18, 2023Severity High Analysis Summary Microsoft has stated that a ransomware group working with an initial access broker has recently started using Microsoft Teams for their phishing […]Threat Insights
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
Connect with Us
Rewterz Threat Alert – Iranian Chafer APT Targeted Air Transportation and Government in Kuwait and Saudi Arabia
May 21, 2020Rewterz Threat Alert – Blue Mockingbird malware gang infects thousands of enterprise systems
May 26, 2020
Severity
Medium
Analysis Summary
COVID-19 continues to be a leading lure to unsuspecting victims in malspam campaigns. The latest report from researchers has shown a sharp spike in this campaign since March 2020. The usage of GuLoader has shown the COVID-19 lures have shown no signs of slowing. Invoicing, COVID-1, and wire transfers are the latest in subjects that are employed in the campaign. Each of the malspam contains an attachment that is implanted with GuLoader. GuLoader is a popular RAT distribution program. This can allow attackers to control, monitor, and steal information from infected machines. Utilizing cloud services, the payload is kept encrypted. The malware is allocated within virtual memory and decrypted via XOR with read, write, and execute access. The payload is stored within a Google Drive folder. Anti-analysis techniques are employed such as an anti-debugger. GuLoader also creates a folder in which to place a copy of itself as well as modifying a registry key to achieve persistence. Using process hollowing, the malware will use the child processes to download, decrypt, and map the payload into memory. Common payloads include: Formbook, NetWire, Remcos, Lokibot, and others.
Impact
- Credential theft
- Exposure of sensitive information
Indicators of Compromise
MD5
- 0659a9731d2ab35331689dd356156a8d
- 936777216edf044b1eae1e4bd30951cb
SHA-256
- 466a8de97917fdbc706ccad735ef08a4b049f802d01a03e4f611f75a132e4839
- 7aadacc7c5bb0c0319f8943d3c65ef2d41d49b1c470210e70e250dd665f167fe
SHA1
- 4ef84d532c1eeefd38fd4e51c22708fe5057f7cc
- 64554fdd91939774ff95947fbdb71e9ba0837c80
URL
- hxxps[:]//onedrive[.]live[.]com/download?cid=1491235303209D1A&resid=1491235303209D1A!109&authkey=ACw2GiM8jfgliBs
- hxxps[:]//drive[.]google[.]com/uc?export=download&id=1EQ7DIlAk9lk2E52DQLELmB02ADqw-62s
- hxxps[:]//drive[.]google[.]com/uc?export=download&id=19sVk-ZTWHVl3_ITBst1x51qX2L28yNlw
Remediation
- Block all threat indicators at your respective controls.
- Always be suspicious about emails sent by unknown senders.
- Never click on the links/attachments sent by unknown senders.