
Rewterz Threat Alert – Gorgon APT Using Maldoc Campaign in India

August 12, 2020

Severity

High

Analysis Summary

Researchers have observed a campaign targeting small/medium sectors using COVID-19 themed malicious documents. The documents contain two OLE objects: a VBS script and code that exploits the Equation Editor vulnerability, CVE-2017-11882. Should exploitation succeed, two files, an injector DLL and the Agent Tesla payload, are downloaded from a remote URL and installed on the victim system. The Agent Tesla payload is injected into the legitimate Windows executable RegAsm.exe. Agent Tesla is a well-known keylogger and infostealer. Researchers attribute the campaign to the Gorgon APT group, which is also known as Subaat.

Figure 2: Process Infection Chain
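The following Python is an added example, not part of the advisory: it checks a file's digests against the indicators listed below and flags process-creation events that fit the chain described above (Equation Editor spawning a child process, RegAsm.exe launched from an Office, script-host or Equation Editor parent). The event field names are assumed Sysmon-like, and the sample telemetry is constructed.

```python
import hashlib
# Hashes of the maldoc as published in the advisory (lower-cased for comparison).
MALDOC_HASHES = {
    "4fc5ba9426e9191aab4e694e7e703e13",                                  # MD5
    "b5ebaf2f5af220fe1b1de5433c2e39ff16b0c0b4",                          # SHA1
    "2022d9cc42ed2838daa442561107c29297bddb88b36222345c10b39164e66819",  # SHA-256
}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}   # hosts for the embedded VBS object
EQNEDT = "eqnedt32.exe"                         # Equation Editor, the CVE-2017-11882 target
REGASM = "regasm.exe"                           # legitimate .NET tool used as injection target

def file_hashes(data: bytes) -> set:
    """MD5, SHA1 and SHA-256 of a file's bytes, the three formats the advisory lists."""
    return {h(data).hexdigest() for h in (hashlib.md5, hashlib.sha1, hashlib.sha256)}

def matches_ioc(data: bytes) -> bool:
    """True if any digest of the file equals a published indicator."""
    return bool(file_hashes(data) & MALDOC_HASHES)

def _name(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def suspicious_process_events(events):
    """Flag process-creation events that fit the infection chain. Each event is a
    dict with 'parent' and 'image' executable paths (assumed Sysmon-like field names)."""
    findings = []
    for ev in events:
        parent, image = _name(ev["parent"]), _name(ev["image"])
        # Equation Editor is an OLE server and never legitimately spawns children;
        # any child process is a strong sign of CVE-2017-11882 exploitation.
        if parent == EQNEDT:
            findings.append(f"Equation Editor spawned {image}")
        # RegAsm.exe is normally run by build tooling; launching it from Office,
        # a script host or Equation Editor matches the Agent Tesla injection step.
        if image == REGASM and parent in OFFICE_APPS | SCRIPT_HOSTS | {EQNEDT}:
            findings.append(f"RegAsm.exe launched by {parent}")
    return findings

# Constructed sample telemetry (not real logs): benign launches plus the infection chain.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "image": r"C:\Windows\System32\wscript.exe"},
    {"parent": r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE", "image": r"C:\Windows\System32\cmd.exe"},
    {"parent": r"C:\Windows\System32\wscript.exe", "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"},
    {"parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\notepad.exe"},
]
if __name__ == "__main__":
    for finding in suspicious_process_events(SAMPLE_EVENTS):
        print("ALERT:", finding)
```

Feed real process-creation telemetry in the same two-field shape to `suspicious_process_events`, and pass file bytes to `matches_ioc` for a quick hash check against the published indicators.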

Impact

  • Information theft
  • Exposure of sensitive data

Indicators of Compromise

Filename

face mask order[.]doc

MD5

4FC5BA9426E9191AAB4E694E7E703E13

SHA-256

2022D9CC42ED2838DAA442561107C29297BDDB88B36222345C10B39164E66819

SHA1

B5EBAF2F5AF220FE1B1DE5433C2E39FF16B0C0B4

Remediation

  • Block all threat indicators at your respective controls.
  • Always be suspicious about links/attachments sent by unknown senders.
  • Never click on the links/attachments sent by unknown senders.

CVE-2017-11882

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11882
