Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
High
Formbook is an information stealer acting as a form grabber which harvests credentials, passwords, banking details, key strokes and network requests, by intercepting web browser and other clients such as email and IM. Formbook is used in a recent campaign embedded in a malicious Microsoft Excel document which is sent to targets via emails as part of a phishing attack. Attached below is a screenshot of the Excel sheet.
Macros are disabled by default and users are prompted to ‘Enable Content’ upon opening the document.
When “Enable Content” button is clicked within Microsoft Excel, a malicious macro executes a PowerShell script which runs in the background as a child process to wmiprvse.exe. The script uses a bitwise XOR to decode and convert the obfuscated payload. It then makes an external request to an infected WordPress site, and downloads a further payload from hxxp://insumoscerveceros.com.co/wp-admin/network/Purchase.exe.
IP(s) / Hostname(s)
69[.]175[.]87[.]74
URLs
Malware Hash (MD5/SHA1/SH256)