Platform
Managed Security Services
Managed Penetration Testing
Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Resources
March 25, 2023Severity Medium Analysis Summary GandCrab – a ransomware-as-a-service variant – was discovered in early 2018. At least five versions of GandCrab have been created since its […]March 25, 2023Severity Medium Analysis Summary NjRat is a Remote Access Trojan, which is found leveraging Pastebin to deliver a second-stage payload after initial infection. There are multiple […]March 24, 2023Severity Medium Analysis Summary CVE-2023-20113 Cisco SD-WAN vManage Software is vulnerable to cross-site request forgery, caused by improper validation of user-supplied input. By persuading an authenticated […]Threat Insights
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
Connect with Us
Platform
Managed Security Services
Managed Penetration Testing
Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Resources
March 25, 2023Severity Medium Analysis Summary GandCrab – a ransomware-as-a-service variant – was discovered in early 2018. At least five versions of GandCrab have been created since its […]March 25, 2023Severity Medium Analysis Summary NjRat is a Remote Access Trojan, which is found leveraging Pastebin to deliver a second-stage payload after initial infection. There are multiple […]March 24, 2023Severity Medium Analysis Summary CVE-2023-20113 Cisco SD-WAN vManage Software is vulnerable to cross-site request forgery, caused by improper validation of user-supplied input. By persuading an authenticated […]Threat Insights
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
Connect with Us
Moving Ahead of Single-Step Password Authentication
August 27, 2019
Rewterz Threat Advisory – CVE-2019-9569 – Delta Controls enteliBUS Controllers Code Execution vulnerability
August 30, 2019
Severity
Medium
Analysis Summary
A new group LYCEUM is found focusing on critical infrastructure organizations in the Middle East. It uses simple techniques to compromise targets and deploys post-intrusion tools. Operating since 2018 and having targeted South African targets, LYCEUM has now turned its focus to Oil and Gas companies in the Middle East since April 2019. Also referred to as ‘Hexane’, LYCEUM focuses on collecting information, rather than disrupting operations, according to security experts.
It was found that LYCEUM uses password spraying and brute-force attacks to compromise email accounts of individuals working for their target organization. The attackers send spear-phishing emails to executive level employees of the target organizations carrying malicious Excel spreadsheets that install DanBot – a remote access trojan (RAT) with basic capabilities.
LYCEUM uses the following tools in its attacks:
- DanBot — A first-stage remote access trojan (RAT) that uses DNS and HTTP-based communication mechanisms and provides basic remote access capability, including the abilities to execute arbitrary commands via cmd.exe and to upload and download files
- DanDrop — A VBA macro embedded in an Excel XLS file used to drop DanBot
- kl.ps1 — A PowerShell-based keylogger
- Decrypt-RDCMan.ps1 — Part of the PoshC2 framework
- Get-LAPSP.ps1 — A PowerView-based script from the PowerShell Empire framework
Password spraying, DNS tunneling, social engineering, and abuse of security testing frameworks are common tactics detected to have been in use by attackers targeting Middle Eastern organizations.
Impact
- Information Disclosure
- Accounts compromise
- Possible disruption of Industrial Processes
Indicators of Compromise
IP(s) / Hostname(s)
- 62.113.207[.]181
- 144.217.149[.]61
- 75.87.185[.]45
- 62.113.196[.]37
- 104.149.37[.]44
- 198.50.152[.]162
- 164.132.181[.]82
URLs
- bsolutions-cloude[.]com
- cybersecnet[.]co[.]za
- cybersecnet[.]org
- opendnscloud[.]com
- dnscloudservice[.]com
- dnscachecloud[.]com
- web-traffic[.]info
- web-statistics[.]info
- online-analytic[.]com
- excsrvcdn[.]co
Malware Hash (MD5/SHA1/SH256)
- a8f68c928f82edd8a28c0fd25e207929a7dbce23
- 9df776b9933fbf95e3d462e04729d074
Remediation
- Block the threat indicators at their respective controls.
- Do not respond to emails coming from untrusted sources.
- Do not download email attachments coming from unexpected sources.
- Always scan documents prior to downloading.
- Implement Multi-factor authentication.
- Conduct phishing awareness programs for employees.