Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
Severity: High
A new ransomware family has been identified and dubbed "Sodinokibi". Its authors have been linked to the now retired GandCrab ransomware, which accounted for about 40% of all ransomware infections in its day; this gives some indication of what Sodinokibi may become. First observed in Asia, Sodinokibi has since spread to parts of Europe. Initial infections came from the exploitation of server vulnerabilities; infections are currently spreading through phishing emails and exploit kits.

The phishing emails carry a URL that downloads Sodinokibi.zip. If the user opens the obfuscated JavaScript file inside the ZIP archive, wscript.exe (the legitimate Windows Script Host used to run JavaScript and VBScript) executes it. The JavaScript deobfuscates a PowerShell script embedded in its own code; some variants download this PowerShell script instead of embedding it. That PowerShell script in turn decodes a further script which, together with a .NET module, is executed. If the victim's privileges are not high enough, this last script attempts a User Account Control (UAC) bypass to elevate its permissions. Once sufficient privileges are obtained, the infection proper begins.

Sodinokibi actively looks for the South Korean anti-virus package "AhnLab V3 Lite". If it is present, Sodinokibi attempts to inject itself into the AhnLab process; if not, a separate instance of the running PowerShell becomes the injection target. The malware carries a list of system languages to exclude from infection, and if the system is configured with one of them it terminates. If the system language is not on the exclusion list, Sodinokibi deletes the Volume Shadow Copies to make recovery more difficult, then recursively walks every directory and encrypts the files it finds. Each directory in which files were encrypted receives its own copy of the ransom note. When encryption is complete, the desktop background is changed to inform the victim of the attack.
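The infection chain above leaves two pivots that are visible in process-creation telemetry regardless of how the JavaScript and PowerShell layers are obfuscated: a PowerShell process that descends from wscript.exe, and a shadow-copy deletion shortly before encryption. The detector below is an added example, not Rewterz's code and not taken from the advisory. It assumes Sysmon-style process-creation records with pid, ppid, image and command line fields; the vssadmin/wmic shadow-deletion patterns are an assumption (the advisory does not say which command Sodinokibi uses); the sample events, the "invoice.js" file name and the base64 placeholder are constructed for the example.

```python
"""Detection logic for the Sodinokibi delivery chain (added example, not Rewterz code).

Walks constructed Sysmon-style process-creation events and flags:
  * a PowerShell process whose ancestry includes a Windows script host
    (the JavaScript -> wscript.exe -> PowerShell stage),
  * an encoded PowerShell command line (assumption: a common way of
    hiding the decoded second-stage script),
  * shadow-copy deletion (assumption: vssadmin/wmic/WMI are the usual methods).
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterator, List, Tuple


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full image path as logged
    cmdline: str    # process command line


# Assumed shadow-copy deletion commands; the advisory only says copies are deleted.
SHADOW_DELETE_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"Win32_ShadowCopy", re.I),
]
# PowerShell's -e/-ec/-enc/-EncodedCommand switches followed by a payload.
ENCODED_PS_PATTERN = re.compile(r"(^|\s)-(e|ec|enc|encodedcommand)\s", re.I)

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}


def _basename(image: str) -> str:
    """Return the lower-cased file name of a Windows image path."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestors(ev: ProcEvent, by_pid: Dict[int, ProcEvent],
              max_depth: int = 16) -> Iterator[ProcEvent]:
    """Yield ev's ancestors nearest first; stop on a missing parent or a pid cycle."""
    seen = set()
    cur = ev
    for _ in range(max_depth):
        parent = by_pid.get(cur.ppid)
        if parent is None or parent.pid in seen:
            return
        seen.add(parent.pid)
        yield parent
        cur = parent


def detect(events: List[ProcEvent]) -> List[Tuple[int, str]]:
    """Return (pid, rule_name) findings in pid order."""
    by_pid = {e.pid: e for e in events}
    findings: List[Tuple[int, str]] = []
    for ev in sorted(events, key=lambda e: e.pid):
        if _basename(ev.image) in POWERSHELL:
            if any(_basename(a.image) in SCRIPT_HOSTS for a in ancestors(ev, by_pid)):
                findings.append((ev.pid, "powershell_descended_from_script_host"))
            if ENCODED_PS_PATTERN.search(ev.cmdline):
                findings.append((ev.pid, "encoded_powershell_command"))
        if any(p.search(ev.cmdline) for p in SHADOW_DELETE_PATTERNS):
            findings.append((ev.pid, "shadow_copy_deletion"))
    return findings


# Constructed sample telemetry mirroring the chain in the advisory.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    # User opens the obfuscated .js from Sodinokibi.zip (file name is hypothetical).
    ProcEvent(200, 100, r"C:\Windows\System32\wscript.exe",
              r'wscript.exe "C:\Users\u\Downloads\Sodinokibi\invoice.js"'),
    # JavaScript launches the embedded PowerShell stage ("AAAA..." is a placeholder, not a payload).
    ProcEvent(300, 200, PS, "powershell.exe -nop -w hidden -enc AAAAAAAAAAAAAAAA"),
    # Second PowerShell instance used as the injection target when AhnLab is absent.
    ProcEvent(400, 300, PS, "powershell.exe"),
    ProcEvent(500, 400, r"C:\Windows\System32\vssadmin.exe",
              "vssadmin.exe delete shadows /all /quiet"),
    # Benign activity that must not fire.
    ProcEvent(600, 100, PS, r"powershell.exe -File C:\Scripts\backup.ps1"),
    ProcEvent(700, 100, r"C:\Windows\System32\wscript.exe", "wscript.exe logon.vbs"),
]


if __name__ == "__main__":
    for pid, rule in detect(SAMPLE_EVENTS):
        print(f"pid {pid}: {rule}")
```

The ancestry walk matters more than a direct parent check: the advisory describes the malware moving into a second PowerShell instance, so the process that runs vssadmin may be two or three hops below wscript.exe. Both injection-target PowerShell processes (pids 300 and 400) fire the script-host rule, the benign PowerShell started directly from explorer.exe does not, and the shadow-copy rule fires on the command line alone so it still catches deletion launched from an injected host.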
Impact: File encryption
Malware Hash (MD5/SHA1/SHA256)