Platform
Managed Security Services
Managed Penetration Testing
Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Resources
March 22, 2023Severity Medium Analysis Summary Mekotio is a banking trojan that targets users in Latin America and Europe. It is primarily distributed via phishing emails and infected […]March 22, 2023Analysis Summary Overview – 23rd Mar – A Big Day – As we approach the 23rd of March, Pakistan Day, organizations and individuals should be aware […]March 22, 2023Severity High Analysis Summary CVE-2023-28684 CVSS:7.1 Jenkins remote-jobs-view-plugin Plugin could allow a remote authenticated attacker to obtain sensitive information, caused by improper handling of XML external […]Threat Insights
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
Connect with Us
Platform
Managed Security Services
Managed Penetration Testing
Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Resources
March 22, 2023Severity Medium Analysis Summary Mekotio is a banking trojan that targets users in Latin America and Europe. It is primarily distributed via phishing emails and infected […]March 22, 2023Analysis Summary Overview – 23rd Mar – A Big Day – As we approach the 23rd of March, Pakistan Day, organizations and individuals should be aware […]March 22, 2023Severity High Analysis Summary CVE-2023-28684 CVSS:7.1 Jenkins remote-jobs-view-plugin Plugin could allow a remote authenticated attacker to obtain sensitive information, caused by improper handling of XML external […]Threat Insights
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
Connect with Us
Rewterz Threat Advisory – Linux Kernel Privilege Escalation
December 2, 2020Rewterz Threat Alert – Multi-Vector Miner and Tsunami Botnet with SSH Lateral Movement
December 2, 2020
Severity
High
Analysis Summary
New malicious NPM packages have been discovered that install the njRAT remote access trojan that allows hackers to gain control over a computer. NPM is a JavaScript package manager that allows developers and users to download packages and integrate them into their projects. As NPM is an open ecosystem, anyone can upload a new package without being reviewed or scanned for malware. This makes it easier for threat actors to upload malicious packages. The recently discovered malicious NPM packages were masquerading as a legitimate tool to make databases out of JSON files. They look like harmless packages that could be used to add new functionality to a project. When installed, njRAT gives the threat actor full remote access to a victim’s computer, where they can perform the following malicious behavior:
- Modify the Windows Registry
- Create and delete files
- Upload files
- Execute commands
- Get information about the computer
- Take control over the computer
- Log keystrokes
- Steal passwords
- Kill processes
- Take screenshots
Impact
- Unauthorized Remote Access
- System Takeover
- Unauthorized Command Execution
- Credential Theft
- Data Manipulation
- Information Disclosure
Indicators of Compromise
IP
- 46[.]185[.]116[.]2
MD5
- 7e952af5e150618e282f8586bc6a7d21
- b131dc177af1c2bb38ffc9da6c5b3989
SHA-256
- d6c04cc24598c63e1d561768663808ff43a73d3876aee17d90e2ea01ee9540ff
- 86c11e56a1a3fed321e9ddc191601a318148b4d3e40c96f1764bfa05c5dbf212
- 89fef995339abb188a5a84ba8078c0f9e9927d14fb99c1bb93493442365055cf
SHA1
- c4906e174ae7673a50a9dc52960505647ff6f723
- fab5d5403369f6f9c41495d7492eb8ab596d11d7
Remediation
- Block the threat indicators at their respective controls.
- As malicious NPM projects utilize names similar to legitimate projects, pay close attention to the packages before integrating them into your projects.