Platform
Managed Security Services
Managed Penetration Testing
Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Resources
September 22, 2023
Severity High Analysis Summary Ducktail Malware is a malicious program designed by hackers to infiltrate computers and networks globally. Ducktail malware is typically delivered through a […]September 22, 2023Severity Medium Analysis Summary First discovered in 2016, Revenge RAT is a remote access trojan (RAT) designed to give an attacker complete control over an infected […]September 22, 2023Severity High Analysis Summary The Konni APT (Advanced Persistent Threat) group is a cyber espionage group that has been active since at least 2014. It is […]Threat Insights
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
Connect with Us
Platform
Managed Security Services
Managed Penetration Testing
Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Resources
September 22, 2023Severity High Analysis Summary Ducktail Malware is a malicious program designed by hackers to infiltrate computers and networks globally. Ducktail malware is typically delivered through a […]September 22, 2023Severity Medium Analysis Summary First discovered in 2016, Revenge RAT is a remote access trojan (RAT) designed to give an attacker complete control over an infected […]September 22, 2023Severity High Analysis Summary The Konni APT (Advanced Persistent Threat) group is a cyber espionage group that has been active since at least 2014. It is […]Threat Insights
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
Connect with Us
Rewterz Threat Alert – AgentTesla Information Stealer – Fresh IoCs
December 15, 2020Rewterz Threat Alert – APT-C-23 Distributes Information Stealer PyMICROPSIA
December 15, 2020
Severity
High
Analysis Summary
The Dark Caracal threat group is found active again. It’s believed to be a state-sponsored group, supporting Kazakhstan and Lebanon government interests in particular. Although they were inactive for a period of time, they re-emerged in November of 2019 with new, signed versions of the Bandook malware targeting multiple sectors. Now, a much broader list of target industries and countries has been identified. The Bandook malware used by the group is a commercially available, full-featured RAT that has been around since 2007.
This time, new samples of the Bandook malware are found with legitimate signing certificates for Windows (issued by the “Certum” certificate authority,) which would allow them to be run without a warning to the user on any Windows computer. Three new variants of Bandook are found, some expanded (120 commands), some slimmed down (11 commands), and all signed with Certum certificates. In previous campaigns, this actor has displayed impressively lax operational security, enabling researchers to download terabytes of data from their command and control servers. The latest campaign exhibits a somewhat higher level of opsec. Targets include Government, financial, energy, food industry, healthcare, education, IT and legal institutions in multiple countries including Singapore, Cyprus, Chile, Italy, USA, Turkey, Switzerland, Indonesia and Germany.
The Dark Caracal threat actors still seem to primarily use phishing and Office-based macros as their primary method of infection. Because of this, the best step one can take to protect against Dark Caracal is to disable Office macros on your personal devices or that of your entire organization. The final payload in this infection chain is a variant of Bandook. Bandook’s execution flow starts with a loader, written in Delphi, that uses the Process Hollowing technique to create a new instance of an Internet Explorer process and inject a malicious payload into it. The payload contacts the C&C server, sends basic information about the infected machine, and waits for additional commands from the server.
Impact
- Unauthorized Remote Access
- Code Execution
- Information Theft
- Data Exfiltration
Indicators of Compromise
Domain Name
- opwalls[.]com
- megadeb[.]com
- wbtogm[.]com
MD5
- e2bcd26465f9715da2789febce3bedf7
- 6f4f9d9b13426b3e6b705ae65c22ba87
- 078282eecb219bafd4f995990469848b
- a337fc0c2bbbb47a19c41c667bd77c08
- 0fd1b688c44f27f18144de1f3127f9a9
- a9427349fea3c1aa47adf83e2e1e1c1d
- 057e97ae4547f8dbb058e87ba737e210
- 70fb69b85bae8c89e62e267b7852a760
SHA-256
- fabce973a9edff2c62ccb6fdd5b14c422bc215284f952f6b31cc2c7d98856d57
- 2f9ba191689e69e9a4f79b96d66c0fee9626fbd0ea11e89c0129e5d13afe6d76
- d50696eec5288f29994aa68b8f38c920f388a934f23855fb516fa94223c29ecc
- 4f2ebe6f4fc345041643d5d7045886956fe121272fa70af08498a27135a72d97
- f3b54507a82a17f4056baaa3cb24972a2dfa439fa9b04493db100edb191a239f
- f08cbc1c5bca190bc34f7da3ad022d915758f5eb2c0902b13c44d50129763cf1
- 2b54f945f5e3d226d3a09cdfcc41e311b039ceadf277310697672c8c706aa912
- fe18568eb574d8fa6c7d9bd7d8afa60d39aae0e582aff17c5986f9bab326ec8a
SHA1
- b3bd4d0c84d0751d88eb0343b8e194e499894a98
- c3291d4d099abfdd10b6c5ca6dea9a696fc124e6
- ce27ac8d4f5290882f8118458e1e24aba2e873b9
- b0b15e439c031caba8f787537225bdaff67ccf7a
- 5af8bf12ca712f306b59858c7b2babf7ecbc1640
- 88cbb2cba1fe9b96bba512c2d169d24d48faae64
- 17f5dd35a7a30fb2236383f313448267a7fb3187
- 5f7b82afef3713d93398b564a7407f1fc97e23d5
URL
- http[:]//wbtogm[.]com
- http[:]//www[.]opwalls[.]com/tunnel2015/add[.]php
- https[:]//pronews[.]icu/aqecva/
- https[:]//pronews[.]icu/raxpafsd/images
- https[:]//pronews[.]icu/aqecva/add[.]php
- https[:]//pronews[.]icu/cgi-bin
- https[:]//pronews[.]icu/phpmyadmin
- http[:]//blombic[.]com/uioncby281229hcbc2728hsha11kjddhwqqqqc/add[.]php
- https[:]//blancomed[.]com/newnjususus3/post[.]php
- https[:]//blancomed[.]com/newnjususus3/post[.]php
- http[:]//blombic[.]com/OSPSPSPS2222292929nnnxnxnxnxnx/add[.]php
- http[:]//blancomed[.]com/newnjususus1/post[.]php
- http[:]//blancomed[.]com/newnjususus2/post[.]php
Remediation
- Block the threat indicators at their respective controls.
- Do not download files attached in untrusted emails.
- Keep all systems, software and browsers updated to latest patched versions.