Platform
Managed Security Services
Managed Penetration Testing
Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Resources
September 18, 2023
Severity Medium Analysis Summary Lumma is an information stealer that is sold as a Malware-as-a-Service (MaaS) on Russian-speaking underground forums and Telegram. Lumma is an information […]September 18, 2023Severity Medium Analysis Summary CVE-2023-4948 CVSS:4.3 WooCommerce CVR Payment Gateway Plugin for WordPress could allow a remote attacker to bypass security restrictions, caused by missing capability […]September 18, 2023Severity High Analysis Summary Microsoft has stated that a ransomware group working with an initial access broker has recently started using Microsoft Teams for their phishing […]Threat Insights
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
Connect with Us
Platform
Managed Security Services
Managed Penetration Testing
Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Resources
September 18, 2023Severity Medium Analysis Summary Lumma is an information stealer that is sold as a Malware-as-a-Service (MaaS) on Russian-speaking underground forums and Telegram. Lumma is an information […]September 18, 2023Severity Medium Analysis Summary CVE-2023-4948 CVSS:4.3 WooCommerce CVR Payment Gateway Plugin for WordPress could allow a remote attacker to bypass security restrictions, caused by missing capability […]September 18, 2023Severity High Analysis Summary Microsoft has stated that a ransomware group working with an initial access broker has recently started using Microsoft Teams for their phishing […]Threat Insights
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
Connect with Us
Rewterz Threat Advisory – CVE-2020-7334 – McAfee Application and Change Control (MACC) security bypass
October 19, 2020Rewterz Threat Alert – IAmTheKing and the SlothfulMedia Malware – IoCs
October 19, 2020
Severity
Medium
Analysis Summary
IPStorm propagates by attacking Unix-based systems (Linux, Android and Darwin) that run Internet facing SSH servers with weak credentials or unsecured ADB servers. Its capabilities include backdooring the device (running shell commands) and generating malicious traffic (scanning the Internet and infecting other devices). The main purpose of the botnet is turning infected devices into proxies as part of a for-profit scheme. The bot herders are posing as a legitimate proxy service on the Clearnet. Earlier this month, IPStorm introduced a new variant for Linux.
Analysis indicates the authors of the botnet are proficient using Golang as well as development and concealment nodes. The complex infrastructure is designed to seek and compromise targets, update to newer versions, run commands on infected machines, and communicate with C2 servers which uses a web API. Specialized nodes are included within the management structure which provide the checking of node availability, proxy connection, web API hosting, signing authorized messages, and testing the malware. At present there are approximately 9,000 devices making up the botnet. Most of these victims are running an Android OS and Linux. A tiny number of Windows devices are also infected, however, these victims are using older versions of the malware. Targeting has been mostly focused on Asia, however some other countries have been observed such as: Brazil, Ukraine, the US, Sweden, and Canada. The botnet uses a multi-tier subscription-based pricing model. To date, there have been more than 100 code revisions. Interestingly, the malware examines the victim machine in an effort to locate competing malware and, if found, disable it.
Impact
- Unauthorized Access
- Device Compromise
- Data Exfiltration
- Code Execution
Indicators of Compromise
MD5
- 6ea7f841cc5716004096fa80beb4239c
- af91346509748f038726bbf3c1a6dcef
- becad26802d775c09bc46a07f31ddf47
- 5703ac56ccfc43a02438121f350f6fa5
- f07b80e10ecf08bdb8e0515d18da27c8
- 5f5edc19c2760588a8c846b349925b33
SHA-256
- ba1e8d25cc380fdbbf4b5878a31e5ed692cfd2523f00ca41022e61f76654dd4f
- 50406ec7fa22c78e9b14da4ccc127a899db21f7a23b1916ba432900716e0db3d
- 4cd7c5ee322e55b1c1ae49f152629bfbdc2f395e9d8c57ce65dbb5d901f61ac1
- 56c08693fdf92648bf203f5ff11b10b9dcfedb7c0513b55b8e2c0f03b209ec98
- 16bcb323bfb464f7b1fcfb7530ecb06948305d8de658868d9c3c3c31f63146d4
- d6086cc29061f596c782214cb7fdb4ccd4b0c3b2f4b9dec28542c093fe22e8ca
SHA1
- f7b008c30f5555f892211aeaa054d00ba8c093b7
- 71e7bb56899c7860729119734053409b6e8502f9
- dc917a8aa6e8061623163967629db945099062a9
- c442c0a74ec5eddd713e80ea1cb07c8863a4816b
- 98c80465c1caf0b59462013875a99b23a43ce73f
- ea665844b69815d6543cf4c8e6351d0129d7c669
- 7ae71c05a3dea0165b88ed1a8caa8666b74c03e3
- f74c6e810450a31184503e211484f944dda005b3
- 90d0ecb2489b4d958d1480e9e7d527f0c659c004
- 9cc0273d83f0c950c5adfb5e374a55d7503679a5
- aee0848450b28bbe1f24ee0287e83c3329955a40
- db2d7d829e305feea947073973335a914117ec2a
- 0546c9b436a87e029480687d6df7b63a19fa87de
Remediation
- Block the threat indicators at their respective controls.
- Do not download email attachments coming from untrusted sources.
- Maintain a strong password policy and implement multi-factor authentication where possible.