Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
High
The Iranian Chafer APT targeted air transportation and government entities in Kuwait and Saudi Arabia in two separate campaigns; the likely objective of both was data exploration and exfiltration. In the Kuwait attack, the threat actors created their own user account, while in the Saudi Arabia attack they relied on social engineering to compromise victims.
The first signs of compromise were several reverse TCP files and PowerShell commands that executed base64-encoded, compressed code specific to the Metasploit framework. Once the victims were compromised, the attackers brought in reconnaissance tools for network scanning (“xnet.exe”, “shareo.exe”) and credential gathering (such as “mnl.exe” or “mimi32.exe”), or multi-purpose tools such as CrackMapExec (for user enumeration, share listing, credential harvesting and so on). Once they had gained a foothold inside the company, they began installing custom modules: a modified Plink (wehsvc.exe) installed as a service, as well as a backdoor (imjpuexa.exe), which was also executed as a service on some machines.
The initial compromise was achieved through social engineering. The RAT component was located in the %Download% folder, the default folder for any download process, while its parent process was explorer.exe, indicating that the user executed the malicious file. The RAT was also executed twice, under different names (“drivers.exe” and “drivers_x64.exe”). Internal network reconnaissance seems to have been performed using the “etblscanner.exe” tool. We also spotted the use of three different RAT components.
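As an added example (not part of the Rewterz advisory), the following Python rules check constructed process-creation events for the three behaviours described above: the tool and implant file names, an executable launched by explorer.exe from the Downloads folder, and an encoded PowerShell command that unpacks compressed code in memory. The event field names, the sample telemetry and the rule logic are assumptions made for illustration.

```python
import base64
import re

# File names of the tools and implants cited in the advisory; the rule set
# around them is constructed for this example, not a vendor signature.
ADVISORY_NAMES = {
    "xnet.exe", "shareo.exe", "mnl.exe", "mimi32.exe",    # recon and credential tools
    "wehsvc.exe", "imjpuexa.exe",                         # modified Plink and backdoor services
    "etblscanner.exe", "drivers.exe", "drivers_x64.exe",  # second-campaign scanner and RAT names
}
ENCODED_FLAG = re.compile(r"-e(?:ncodedcommand|nc|c)?\s+([A-Za-z0-9+/=]{20,})", re.IGNORECASE)
UNPACK_MARKERS = ("frombase64string", "deflatestream", "gzipstream")

def decode_encoded_command(cmdline):
    """Return the script behind a PowerShell -EncodedCommand (base64 of UTF-16LE), or None."""
    match = ENCODED_FLAG.search(cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def classify(event):
    """Return the reasons an event matches the advisory's tradecraft (empty list = clean)."""
    image = event["image"].replace("/", "\\").lower()
    name = image.rsplit("\\", 1)[-1]
    reasons = []
    if name in ADVISORY_NAMES:
        reasons.append(f"known tool or implant name: {name}")
    if event["parent"].lower() == "explorer.exe" and "\\downloads\\" in image:
        reasons.append("user-launched executable from the Downloads folder")
    if name == "powershell.exe":
        script = decode_encoded_command(event["cmdline"]) or ""
        if any(marker in script.lower() for marker in UNPACK_MARKERS):
            reasons.append("encoded PowerShell that unpacks a compressed payload in memory")
    return reasons

def scan(events):
    """Map each matching event's image path to its reasons; clean events are omitted."""
    return {e["image"]: classify(e) for e in events if classify(e)}

def _encode_ps(script):  # builds the constructed sample the way -EncodedCommand expects it
    return base64.b64encode(script.encode("utf-16-le")).decode()

# Constructed sample telemetry, not logs from the incident
SAMPLE_EVENTS = [
    {"parent": "explorer.exe", "image": r"C:\Users\victim\Downloads\drivers.exe", "cmdline": "drivers.exe"},
    {"parent": "services.exe", "image": r"C:\Windows\wehsvc.exe", "cmdline": "wehsvc.exe"},
    {"parent": "cmd.exe", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -e " + _encode_ps(
         "IEX (New-Object IO.StreamReader(New-Object IO.Compression.DeflateStream([IO.MemoryStream]"
         "[Convert]::FromBase64String('AAAA'), [IO.Compression.CompressionMode]::Decompress))).ReadToEnd()")},
    {"parent": "explorer.exe", "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
]

if __name__ == "__main__":
    for path, reasons in scan(SAMPLE_EVENTS).items():
        print(path, "->", "; ".join(reasons))
```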
Data exfiltration
Block all threat indicators at your respective controls.
Always be suspicious about emails sent by unknown senders.
Never click on links or attachments sent by unknown senders.