Platform
Managed Security Services
Managed Penetration Testing
Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Resources
September 1, 2023
Severity High Analysis Summary Nivdort is a notorious and sophisticated strain of malware that has been active in the cyber threat landscape for several years. It […]September 1, 2023
Severity Medium Analysis Summary CVE-2023-1555 CVSS:2.7 GitLab could allow a remote authenticated attacker to bypass security restrictions, caused by improper permission validation. By sending a specially […]September 1, 2023
Severity Medium Analysis Summary CVE-2023-33835 CVSS:5.3 IBM Security Verify Information Queue 10.0.4 and 10.0.5 could allow a remote attacker to obtain sensitive information that could aid […]Threat Insights
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
Connect with Us
Platform
Managed Security Services
Managed Penetration Testing
Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Resources
September 1, 2023
Severity High Analysis Summary Nivdort is a notorious and sophisticated strain of malware that has been active in the cyber threat landscape for several years. It […]September 1, 2023
Severity Medium Analysis Summary CVE-2023-1555 CVSS:2.7 GitLab could allow a remote authenticated attacker to bypass security restrictions, caused by improper permission validation. By sending a specially […]September 1, 2023
Severity Medium Analysis Summary CVE-2023-33835 CVSS:5.3 IBM Security Verify Information Queue 10.0.4 and 10.0.5 could allow a remote attacker to obtain sensitive information that could aid […]Threat Insights
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
Connect with Us
Rewterz Threat Advisory – CVE-2020-3956 – VMware Cloud Director updates address Vulnerability
May 21, 2020
Rewterz Threat Alert – COVID-19 GuLoader Spike
May 26, 2020
Severity
High
Analysis Summary
Iranian Chafer APT Targeted Air Transportation and Government in Kuwait and Saudi Arabia in two different campaigns where likely the target of both campaigns was data exploration and exfiltration. In the Kuwait attack, threat actors created their own user account and in the Saudi Arabia attack relied on social engineering to compromise victims
Kuwait attack
The first signs of compromise were several reverse TCP files and PowerShell commands that executed some base64 compressed code, specific to the Metasploit framework. Once the victims were compromised, attackers started to bring reconnaissance tools for network scanning (“xnet. exe”, “shareo.exe”) and credential gathering (as “mnl.exe” or “mimi32.exe”) or tools with multiple functionalities, such as CrackMapExec (for users’ enumeration, share listing, credentials harvesting and so on). Once they gained a foothold inside the company, they started to install custom modules: a modified Plink (wehsvc.exe) installed as a service, as well as a backdoor (imjpuexa.exe), which was also executed as a service on some machines.
Saudi Arabia attack
The initial compromise was achieved through social engineering. The RAT component was located in the %Download% folder, which is the default folder for any download process, while its parent process was actually explorer. exe; indicating that the user executed the malicious file. Also, the RAT was executed twice, with different names (“drivers.exe” and “drivers_x64.exe”). Internal network reconnaissance seems to have been performed using the “etblscanner.exe” tool. We also spotted the use of three different RAT components.
Impact
Data exfiltration
Indicators of Compromise
MD5
- efbd849619aee8bd3429dd9ccb2a1995
- dd9589b206791307d25e63d793c2ca31
- dc5695024cd23c90883db145cb236490
- d0e74da12c5e8d35f6db1ae0c60748b7
- 894fd325751465d6f48c17106a1a91d1
SHA-256
- 5ee9873c3c8684ac097bd28d3caf4264c6da6aa6acfeb8f6e72f1a99215a4be8
- 710e32af0d41a6701d57337701b091b158add04a601b68cca67a808bdd87d881
- d965352c6632e694b8f1f62f96874bd0df8d7c128c465ee9a76eb86ebddb0c02
- 11dbfb390f7008524e523da7d0cda61723584082fc91ff96d1148c4aac6198a0
- c839e886b98d2c752a134e888dad40799cd9966f8a73b51edc85ca2d72f99616
- 144a160c57c2d429d072046edfdd1b44ff22bcae4f0535732f6c2b19190f2f35
- 508ba7971b1f7651ba7d26815f75d66977820bd4eb3a615e3ab7079058d80380
- f991cadf11c5075f0ed6f381dfdac311cf59480962debf8b874f95e9bee5c4f2
- 021813c78cf31b0d7e77b40374347d8ed4e5a5ca69a7fc29bbc7bff969c09f3c
- b297a0b2e775f096d9ebda6130abbb5ec59813c7703159ea191b47d7b7293e1e
- a1f5c72721f9aa2ca29f1de7645a64b505c05dcd53dbdd7b9e904b1627c6d578
- 98a9b2329eefe618daa78b6afed82cebf40cb918ad0aae7a8d7f59af4cb13b41
SHA1
- aa0992ad9203168184a0f41e40ac901ec3f68afb
- 1b3c5d8a2844b6e0c839a670065e59a7cee05474
- 8eb9bfc25faf12ce359cef2fbddb8db4d9f5bfd7
- b90205c684255ac11e0384af1fc7718573754f68
- 06461f22ef82e993f055024891ff735c910421ad
Remediation
Block all threat indicators at your respective controls.
Always be suspicious about emails sent by unknown senders.
Never click on the links/attachments sent by unknown senders