Platform
Managed Security Services
Managed Penetration Testing
Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Resources
May 30, 2023
Severity High Analysis Summary Recently, researchers discovered an advanced phishing method called “file archiver in the browser” that exploits .ZIP domains to deceive unsuspecting individuals. This […]May 28, 2023Severity High Analysis Summary An email protection and network security services provider has issued a warning regarding a zero-day vulnerability that has been exploited to compromise […]May 26, 2023Severity High Analysis Summary CVE-2023-32165 CVSS:9.8 D-Link D-View could allow a remote attacker to execute arbitrary code on the system, caused by a flaw in TftpReceiveFileHandler […]Threat Insights
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
Connect with Us
Platform
Managed Security Services
Managed Penetration Testing
Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Resources
May 30, 2023Severity High Analysis Summary Recently, researchers discovered an advanced phishing method called “file archiver in the browser” that exploits .ZIP domains to deceive unsuspecting individuals. This […]May 28, 2023Severity High Analysis Summary An email protection and network security services provider has issued a warning regarding a zero-day vulnerability that has been exploited to compromise […]May 26, 2023Severity High Analysis Summary CVE-2023-32165 CVSS:9.8 D-Link D-View could allow a remote attacker to execute arbitrary code on the system, caused by a flaw in TftpReceiveFileHandler […]Threat Insights
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
Connect with Us
Rewterz Threat Advisory – CVE 2021- 44228 RCE 0-day Exploit in log4j
December 10, 2021Rewterz Threat Advisory – Log4J Vulnerability Exploited in the wild
December 12, 2021
Severity
High
Analysis Summary
Emotet researchers are warning that emotet now installs Cobalt Strike directly onto infected systems.
“WARNING We have confirmed that #Emotet is dropping CS Beacons on E5 Bots and we have observed the following as of 10:00EST/15:00UTC. The following beacon was dropped: https://t.co/imJDQTGqxV Note the traffic to lartmana[.]com. This is an active CS Teams Server. 1/x”
Emotet is a banking trojan turned into malware infection that spreads through spam emails containing malicious Word or Excel files. Previously, emotet used to install TrickBot or Qbot trojans on infected systems. From thereon these trojans would deploy Cobalt Strike on compromised systems. However, now emotet deploys cobalt strike payloads directly onto infected systems.
Cobalt Strike is a legitimate Pen test (penetration testing) toolkit that deploys “beacons” on infected devices to perform malicious behaviors. It is commonly used in ransomware attacks.
“Emotet itself gathers a limited amount of information about an infected machine, but Cobalt Strike can be used to evaluate a broader network or domain, potentially looking for suitable victims for further infection such as ransomware.”
The main concern is that before emotet used to deploy TrickBot or Qbot on compromised devices and that still gave the victims a window to detect these payloads before Cobalt Strike was deployed. Now, however, these initial payloads are skipped by the malware and Cobalt Strike gives threat actors immediate access to the victim’s network. They can then spread laterally, steal information, and deploy their ransomware.
Impact
- Credential Theft
- Information Theft
- Financial Loss
Indicators of Compromise
Domain Name
- lartmana[.]com
- guvonuk[.]com
MD5
- 63ab5d17585a8734d643324e2a8fa90e
- f3e31cd5f0972e4dbc789807ad2d129b
SHA-256
- 5b5fa30bf12f13f881708222824517d662f410b212a0f7f7ce5c611fd809f809
- 3f13e9bc8011c8bc8f3d7cb9a616ed6da1b6f16d9fcaa65d29d81caf2d5574d3
SHA-1
- a02e0dbcfb20c3f5f2e8965f6b4dbe31928bee7b
- 2e5f9a632bf889f6e4d25c264a842478e3ba4cad
URL
- http[:]//lartmana[.]com[:]443/jquery-3[.]3[.]1[.]min[.]js
- http[:]//guvonuk[.]com[:]443/static-directory/bn[.]png
- http[:]//guvonuk[.]com[:]443/language[.]js
Remediation
- Block all threat indicators at your respective controls.
- Search for IOCs in your environment.
- Always be suspicious about emails sent by unknown senders.
- Never click on links/attachments sent by unknown senders.