Severity
Medium
Analysis Summary
A defense-contractor-themed phishing campaign has recently been active, targeting a range of organizations. The campaign has surfaced before, mainly against defense and military infrastructure, and tries to gain as much access as it can by luring users into handing over their credentials.
The spear-phishing attacks appear to be part of a broad campaign targeting defense contractors, several universities and security firms. The malware operates as a remote access tool and was initially detected by only a minimal number of antivirus vendors.
Impact
- Credential theft
- Exposure of sensitive information
Indicators of Compromise
URLs
Remediation
- Block all threat indicators at your respective controls.
- Always be suspicious of emails from unknown senders.
- Never click links or open attachments sent by unknown senders.
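To act on the first remediation step, an analyst typically refangs the `[.]`/`[:]`-defanged URLs from the Indicators section, normalises them to host and port, and sweeps proxy logs for matches. The script below is an added example (not Rewterz's own tooling); the indicators and log lines in it are constructed placeholders, not this advisory's real IoCs.

```python
import re
from urllib.parse import urlsplit

# Constructed sample indicators in the defanged "[.]" / "[:]" notation that
# advisories like this one use (placeholders, not this advisory's real IoCs).
SAMPLE_IOCS = [
    "https[:]//careers-portal[.]example[:]4343/hr/hta/index[.]html",
    "http[:]//198[.]51[.]100[.]7[:]8888/asd123",
    "http[:]//careers-portal[.]example/",
]

# Constructed proxy log lines: "<time> <client> <method> <url> <status>".
SAMPLE_PROXY_LOG = """\
2019-10-01T09:12:03Z 10.0.0.15 GET https://careers-portal.example:4343/hr/hta/index.html 200
2019-10-01T09:12:04Z 10.0.0.15 GET https://cdn.vendor.example/app.js 200
2019-10-01T09:15:41Z 10.0.0.22 GET http://198.51.100.7:8888/asd123?A1=x 200
2019-10-01T09:20:00Z 10.0.0.31 GET http://careers-portal.example.evil.test/ 200
"""

def refang(ioc: str) -> str:
    """Turn a defanged indicator back into a parseable URL."""
    return ioc.replace("[.]", ".").replace("[:]", ":").replace("hxxp", "http")

def ioc_key(url: str) -> tuple[str, int]:
    """Normalise a URL to (host, port); the default port follows the scheme."""
    parts = urlsplit(url)
    default = 443 if parts.scheme == "https" else 80
    return (parts.hostname or "").lower(), parts.port or default

def blocklist(iocs: list[str]) -> set[tuple[str, int]]:
    """Set of (host, port) keys derived from defanged indicators."""
    return {ioc_key(refang(i)) for i in iocs}

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")

def find_hits(log_text: str, iocs: list[str]) -> list[tuple[str, str]]:
    """Return (client_ip, url) for each log line whose host:port is on the blocklist.
    Matching on host:port catches query-string variants of the same URL while
    not matching look-alike hosts that merely contain the indicator as a prefix."""
    bl = blocklist(iocs)
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and ioc_key(m.group(4)) in bl:
            hits.append((m.group(2), m.group(4)))
    return hits
```

Run `find_hits(SAMPLE_PROXY_LOG, SAMPLE_IOCS)` to list the client IPs that reached an indicator; those hosts are the starting point for credential resets and endpoint triage.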