Platform
Managed Security Services
Managed Penetration Testing
Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Resources
March 21, 2023Severity Medium Analysis Summary Rhadamanthys is a type of malware known as a stealer, which is designed to steal sensitive information from infected computers. It was […]March 21, 2023Severity High Analysis Summary The Mirai botnet is a type of malware that infects Internet of Things (IoT) devices, such as routers, security cameras, and other […]March 21, 2023Severity High Analysis Summary LockBit ransomware takes as little as five minutes to deploy the encryption routine on target systems once it lands on the victim […]Threat Insights
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
Connect with Us
Platform
Managed Security Services
Managed Penetration Testing
Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Resources
March 21, 2023Severity Medium Analysis Summary Rhadamanthys is a type of malware known as a stealer, which is designed to steal sensitive information from infected computers. It was […]March 21, 2023Severity High Analysis Summary The Mirai botnet is a type of malware that infects Internet of Things (IoT) devices, such as routers, security cameras, and other […]March 21, 2023Severity High Analysis Summary LockBit ransomware takes as little as five minutes to deploy the encryption routine on target systems once it lands on the victim […]Threat Insights
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
Connect with Us
Rewterz Threat Advisory – Moxa EDR 810 Series Multiple Vulnerabilities
October 3, 2019Rewterz Threat Alert – Reductor Infects Files on the Fly to Compromise TLS Traffic
October 4, 2019
Severity
High
Analysis Summary
Recently, a VirusTotal submitter uploaded a file that was digitally signed with the same certificate as two previously reported Lazarus tools. Like one of those tools, this newly uploaded malware appears to act as an injector, although it behaves significantly differently.
The digital signature of this file matches the signature used on two Lazarus tools discussed in open source.
Operation
The injector expects four command line parameters to be present on operation:
– The path of the injector, which under normal circumstances is automatically part of the command line
– An integer value (1 or 2) that specifies the operational mode (inject or eject)
– A process identifier (PID) value that specifies a target process
– A path to the DLL to be injected into the target PID
The malware first checks that there are a total of four parameters present before validating their content. Next, it uses the PathFileExistsA API call to validate the path to the DLL to be injected. The injector also contains debugging messages. These items are all visible in the image below.
Next, the malware checks that an integer has been supplied as a PID and that either the integer 1 or the integer 2 have been supplied for the operational argument. Curiously, dynamic debugging suggests that the PID check will still pass as long as an integer is the first digit (for example, passing “94a” will still cause the malware to attempt to inject or eject a DLL from a process with an invalid PID, although this will fail the OpenProcess attempts).
Impact
Exposure of sensitive information
Indicators of Compromise
Malware Hash (MD5/SHA1/SH256)
- 39cbad3b2aac6298537a85f0463453d54ab2660c913f4f35ba98fffeb0b15655
- 89081f2e14e9266de8c042629b764926
- 730c1b9e950932736fc4b02cbdb4e4e891485ac2
Remediation
- Block all threat indicators at your respective controls.
- Always be suspicious about emails sent by unknown senders.
- Never click on the links/ attachments sent by unknown senders.