Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
Severity
Medium
Analysis Summary
A malware campaign has been detected that seems to be associated with the threat actor tracked as “EmpireMonkey”.
This group uses the PowerShell Empire framework as its initial tool to gain a foothold in the targeted entities. Additionally, in multiple earlier malware samples attributed to this actor, they notably used variants of the word “monkey” in the names of the macro functions embedded within their documents.
When the document is opened, the VBA macro copies the legitimate wscript.exe executable into the %APPDATA% directory as “cutil.exe” and uses it to execute the following malicious JavaScript file…
The Malicious JavaScript has several obfuscation layers:
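The execution chain described above (a legitimate wscript.exe copied into %APPDATA% under a new name and launched from an Office document to run a script file) leaves a distinctive trace in process-creation telemetry. The following is an added detection example written for this advisory; it is not Rewterz tooling. The log records are constructed Sysmon-style Event ID 1 records using Sysmon's field names, the user name and the script name update.js are placeholders, and the scoring threshold is an assumption.

```python
"""Flag a renamed script host running from %APPDATA% in process-creation logs.

Added example for this advisory, not Rewterz tooling. SAMPLE_EVENTS are
constructed Sysmon-style process-creation (Event ID 1) records that mirror the
chain in the analysis: an Office macro copies the legitimate wscript.exe into
%APPDATA% as cutil.exe and uses it to run a JavaScript file. The user name
"alice" and the script name "update.js" are placeholders.
"""
import ntpath
import re

# Script hosts whose on-disk name should normally equal their OriginalFileName.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Office processes that should rarely spawn a script host.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# User-writable profile locations such as %APPDATA% (Roaming) and %LOCALAPPDATA%.
USER_WRITABLE = re.compile(r"\\AppData\\(Roaming|Local)\\", re.IGNORECASE)
# Script file extensions handled by the Windows Script Host.
SCRIPT_EXT = re.compile(r"\.(js|jse|vbs|vbe|wsf)\b", re.IGNORECASE)

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {   # Benign: logon script run by explorer.exe from System32
        "Image": r"C:\Windows\System32\wscript.exe",
        "OriginalFileName": "wscript.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r'"C:\Windows\System32\wscript.exe" "\\fileserver\netlogon\logon.vbs"',
    },
    {   # Suspicious: renamed wscript.exe in %APPDATA%, spawned by Word, running a .js
        "Image": r"C:\Users\alice\AppData\Roaming\cutil.exe",
        "OriginalFileName": "wscript.exe",
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "CommandLine": r'"C:\Users\alice\AppData\Roaming\cutil.exe" "C:\Users\alice\AppData\Roaming\update.js"',
    },
    {   # Unrelated: browser launched by explorer.exe
        "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        "OriginalFileName": "chrome.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe"',
    },
]


def analyze_event(ev):
    """Return the list of reasons an Event ID 1 record matches the chain."""
    image = ev.get("Image", "")
    original = ev.get("OriginalFileName", "").lower()
    if original not in SCRIPT_HOSTS:
        return []  # only script-host executions are of interest here
    parent = ntpath.basename(ev.get("ParentImage", "")).lower()
    cmdline = ev.get("CommandLine", "")
    reasons = []
    if ntpath.basename(image).lower() != original:
        reasons.append(f"script host renamed to {ntpath.basename(image)} (OriginalFileName={original})")
    if USER_WRITABLE.search(image):
        reasons.append("script host executing from a user-writable profile directory")
    if parent in OFFICE_PARENTS:
        reasons.append(f"script host spawned by Office process {parent}")
    if SCRIPT_EXT.search(cmdline):
        reasons.append("script file passed on the command line")
    return reasons


def scan(events, threshold=2):
    """Return (index, reasons) for events with at least `threshold` reasons.

    A single reason (for example a .vbs logon script on the command line) is
    routine; the rename combined with a user-writable path or an Office parent
    is what makes this chain stand out. The threshold of 2 is an assumption.
    """
    findings = []
    for idx, ev in enumerate(events):
        reasons = analyze_event(ev)
        if len(reasons) >= threshold:
            findings.append((idx, reasons))
    return findings


if __name__ == "__main__":
    for idx, reasons in scan(SAMPLE_EVENTS):
        print(f"event {idx}:")
        for why in reasons:
            print("  -", why)
```

The rename check relies on the PE version resource (Sysmon's OriginalFileName), which survives a plain file copy; a benign run of wscript.exe from System32 scores only one reason and is not reported, while the copied host in %APPDATA% scores four.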
Impact
EmpireMonkey
| Indicator | Value |
|---|---|
| IP(s) / Hostname(s) | www[.]finanstilsynet-dk[.]org |
| | 185[.]117[.]75[.]81 |
| | 31.220.1[.]151 |
| Ports | 443 |
| URLs | hxxps://www[.]finanstilsynet-dk[.]org/litigations/report-122.doc |
| | Hxxps[:]//185.117[.]75[.]81/news/today[.]jsp |
| Filename | report-122.doc |
| | logs.txt |
| Email Address | u.poulsen[@]finanstilsynet-dk[.]org |
| Malware Hash (MD5/SHA1/SHA256) | e5483b77fbcf61bf29e73521464c520f |
| | 30b570a1d5a0151cbeec969f56f9f5c14fa22b31 |
| | 415473af14e994163f88b5f9dd48770c444a619691209cff52469925b09b2a8e |
| | 13a1c33bf895cd58e5742088a1aa6276 |
| | ddfe514da9e68cd0a5f5687f91471448962e489a1f342f6ff499839475cc52a6 |
Remediation
Block the threat indicators at their respective controls.
Do not download email attachments coming from unknown or untrusted sources.
Always scan downloaded files before execution.
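Blocking the indicators "at their respective controls" means routing each one to the control that can enforce it: IPs to the firewall, hostnames to DNS filtering, URLs to the web proxy, the sender address to the mail gateway and hashes to the endpoint agent. The following is an added example for this advisory (not Rewterz tooling) that refangs the indicator table above and groups the values by control; the indicator values are the ones published in the table, kept defanged as input, and the control names are illustrative labels.

```python
"""Turn the advisory's defanged indicators into per-control blocklists.

Added example for this advisory, not Rewterz tooling. ADVISORY_IOCS holds the
indicator rows exactly as published in the advisory table (defanged); the
control names in CONTROL_FOR are illustrative labels.
"""
import re

# Indicator rows as published in the advisory (defanged).
ADVISORY_IOCS = {
    "IP(s) / Hostname(s)": ["www[.]finanstilsynet-dk[.]org", "185[.]117[.]75[.]81", "31.220.1[.]151"],
    "URLs": ["hxxps://www[.]finanstilsynet-dk[.]org/litigations/report-122.doc",
             "Hxxps[:]//185.117[.]75[.]81/news/today[.]jsp"],
    "Filename": ["report-122.doc", "logs.txt"],
    "Email Address": ["u.poulsen[@]finanstilsynet-dk[.]org"],
    "Malware Hash (MD5/SHA1/SHA256)": [
        "e5483b77fbcf61bf29e73521464c520f",
        "30b570a1d5a0151cbeec969f56f9f5c14fa22b31",
        "415473af14e994163f88b5f9dd48770c444a619691209cff52469925b09b2a8e",
        "13a1c33bf895cd58e5742088a1aa6276",
        "ddfe514da9e68cd0a5f5687f91471448962e489a1f342f6ff499839475cc52a6",
    ],
}

IPV4 = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$")
HEXDIGEST = re.compile(r"^[0-9a-f]+$")
HASH_KIND = {32: "md5", 40: "sha1", 64: "sha256"}

# Which control enforces each indicator kind (illustrative labels).
CONTROL_FOR = {
    "ipv4": "firewall",
    "hostname": "dns_sinkhole",
    "url": "web_proxy",
    "email": "mail_gateway",
    "md5": "edr_hash_blocklist",
    "sha1": "edr_hash_blocklist",
    "sha256": "edr_hash_blocklist",
    "filename": "edr_filename_watch",
}


def refang(value):
    """Undo the common defanging conventions: hxxp, [.], [:] and [@]."""
    s = value.strip()
    s = re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)
    return s.replace("[:]", ":").replace("[.]", ".").replace("[@]", "@")


def classify(value, row_label=""):
    """Classify a refanged indicator; the table row label identifies filenames."""
    if "filename" in row_label.lower():
        return "filename"
    if value.lower().startswith(("http://", "https://")):
        return "url"
    if "@" in value:
        return "email"
    m = IPV4.match(value)
    if m and all(int(octet) <= 255 for octet in m.groups()):
        return "ipv4"
    if HEXDIGEST.match(value.lower()) and len(value) in HASH_KIND:
        return HASH_KIND[len(value)]
    return "hostname"


def build_blocklists(rows):
    """Return {control: sorted unique indicator values} from labelled IoC rows."""
    lists = {}
    for label, values in rows.items():
        for raw in values:
            clean = refang(raw)
            kind = classify(clean, label)
            if kind in HASH_KIND.values():
                clean = clean.lower()  # hash lookups are case-insensitive
            lists.setdefault(CONTROL_FOR[kind], set()).add(clean)
    return {control: sorted(v) for control, v in lists.items()}


if __name__ == "__main__":
    for control, values in build_blocklists(ADVISORY_IOCS).items():
        print(control)
        for v in values:
            print("  ", v)
```

The filenames are routed to a watch list rather than a block list on purpose: names such as logs.txt or report-122.doc are easily changed by the actor and easily shared with benign files, so they are better used to scope a hunt than as a standalone blocking rule; the hashes, IPs, hostname, URLs and sender address are the indicators worth enforcing.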