Platform
Managed Security Services
Managed Penetration Testing
Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Resources
March 25, 2023Severity Medium Analysis Summary GandCrab – a ransomware-as-a-service variant – was discovered in early 2018. At least five versions of GandCrab have been created since its […]March 25, 2023Severity Medium Analysis Summary NjRat is a Remote Access Trojan, which is found leveraging Pastebin to deliver a second-stage payload after initial infection. There are multiple […]March 24, 2023Severity Medium Analysis Summary CVE-2023-20113 Cisco SD-WAN vManage Software is vulnerable to cross-site request forgery, caused by improper validation of user-supplied input. By persuading an authenticated […]Threat Insights
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
Connect with Us
Platform
Managed Security Services
Managed Penetration Testing
Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Resources
March 25, 2023Severity Medium Analysis Summary GandCrab – a ransomware-as-a-service variant – was discovered in early 2018. At least five versions of GandCrab have been created since its […]March 25, 2023Severity Medium Analysis Summary NjRat is a Remote Access Trojan, which is found leveraging Pastebin to deliver a second-stage payload after initial infection. There are multiple […]March 24, 2023Severity Medium Analysis Summary CVE-2023-20113 Cisco SD-WAN vManage Software is vulnerable to cross-site request forgery, caused by improper validation of user-supplied input. By persuading an authenticated […]Threat Insights
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
Connect with Us
Rewterz Threat Advisory – Multiple Vulnerabilities in Google Chrome Could Allow for Arbitrary Code Execution
August 7, 2019Rewterz Threat Advisory – CVE 2019-1125 – SWAPGS Spectre Side-Channel Vulnerability
August 8, 2019
Severity
Medium
Analysis Summary
Trickbot banking trojan activity and recently discovered variant of the malware (TrojanSpy.Win32.TRICKBOT.TIGOCDC) from distributed spam emails that contain a Microsoft Word document with enabled macro. Once the document is clicked, it drops a heavily obfuscated JS file (JavaScript) that downloads Trickbot as its payload. This malware also checks for the number of running processes in the affected machine; if it detects that it’s in an environment with limited processes, the malware will not proceed with its routine as it assumes that it is running in a virtual environment.
Aside from its information theft capabilities, it also deletes files located in removable and network drives that have particular extensions, after which the files are replaced with a copy of the malware., this Trickbot campaign has affected the United States the most. It has also distributed spam to China, Canada, and India.
The distributed Word document presents the user with the following notification that states the content can be viewed by enabling macro content. It’s worth noting that the document hides the JS script in the document itself and not in the macro. It does this by disguising the script through the same font color as the document background.
The script is obfuscated and contains different functions. In order to decrypt a function, it will use another function that will convert it to a single character.
Upon successfully deobfuscating the file, we were able to analyze it and observed some interesting behaviors. Upon execution, it will display a fake Microsoft error to trick the user with an error message that pops up after enabling the macro. But actually, the JS file is already running in the background.
Impact
- Information theft
- Exposure of sensitive information
Indicators of Compromise
URLs
hxxps[:]//185[.]159[.]82[.]15/hollyhole/c644[.]php
Malware Hash (MD5/SHA1/SH256)
- 0242ebb681eb1b3dbaa751320dea56e31c5e52c8324a7de125a8144cc5270698
- 16429e95922c9521f7a40fa8f4c866444a060122448b243444dd2358a96a344c
- 666515eec773e200663fbd5fcad7109e9b97be11a83b41b8a4d73b7f5c8815ff
- 41cd7fec5eaad44d2dba028164b9b9e2d1c6ea9d035679651b3b344542c40d45
- 970b135b4c47c12f97bc3d3bbdf325f391b499d03fe19ac9313bcace3a1450d2
- 8537d74885aed5cab758607e253a60433ef6410fd9b9b1c571ddabe6304bb68a
- 970b135b4c47c12f97bc3d3bbdf325f391b499d03fe19ac9313bcace3a1450d2
Remediation
- Block all threat indicators at your respective controls.
- Always be suspicious about emails sent by unknown senders.
- Never click on the links/attachments sent by unknown senders.