Platform
Managed Security Services
Managed Penetration Testing
Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Resources
March 17, 2023Severity High Analysis Summary Chaos is a customizable ransomware builder that emerged on June 9 2021 (in underground forums) by falsely marketing itself as the .NET […]March 17, 2023Severity High Analysis Summary CVE-2023-26361 CVSS:4.9 Adobe ColdFusion could allow a remote authenticated attacker to traverse directories on the system. An attacker could send a specially […]March 17, 2023Severity Medium Analysis Summary Ursnif banking trojan also known as Gozi and Dreambot has been around for more than 10 years. It gained popularity in 2015 […]Threat Insights
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
Connect with Us
Platform
Managed Security Services
Managed Penetration Testing
Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Resources
March 17, 2023Severity High Analysis Summary Chaos is a customizable ransomware builder that emerged on June 9 2021 (in underground forums) by falsely marketing itself as the .NET […]March 17, 2023Severity High Analysis Summary CVE-2023-26361 CVSS:4.9 Adobe ColdFusion could allow a remote authenticated attacker to traverse directories on the system. An attacker could send a specially […]March 17, 2023Severity Medium Analysis Summary Ursnif banking trojan also known as Gozi and Dreambot has been around for more than 10 years. It gained popularity in 2015 […]Threat Insights
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
Connect with Us
Rewterz Threat Advisory – Red Hat Update for Kernel
March 18, 2019Rewterz Threat Advisory – WordPress Comment Cross-Site Request Forgery Vulnerability
March 19, 2019
Severity
Medium
Analysis Summary
A malware campaign has been detected that seems to be associated with the threat actor tracked as “EmpireMonkey”.
This group uses PowerShell Empire Framework as the initial tool to gain foothold in the targeted entities. Additionally, in multiple earlier malware samples attributed to this actor, they distinctly used variants of the word “monkey” in the Macro functions embedded within their documents.
When the document is opened, the VBA/Macros copies a legitimate wscript.exe executable into the %APPDATA% directory as “cutil.exe” and uses it to execute the following Malicious JavaScript file…
The Malicious JavaScript has several obfuscation layers:
- Base64 Encoding
- RC4 Encryption (Passphrase = kjzppaa)
- After obfuscation, the resulting Malicious JavaScript appears to use code from SharpShooter’s AMSIKiller Module to bypass AMSI.
Impact
EmpireMonkey
| IP(s) / Hostname(s) | www[.]finanstilsynet-dk[.]org 185[.]117[.]75[.]81 31.220.1[.]151 |
| Ports | 443 |
| URLs | hxxps://www[.]finanstilsynet-dk[.]org/litigations/report-122.doc Hxxps[:]//185.117[.]75[.]81/news/today[.]jsp |
| Filename | report-122.doc logs.txt |
| Email Address | u.poulsen[@]finanstilsynet-dk[.]org |
| Malware Hash (MD5/SHA1/SH256) | e5483b77fbcf61bf29e73521464c520f 30b570a1d5a0151cbeec969f56f9f5c14fa22b31 415473af14e994163f88b5f9dd48770c444a619691209cff52469925b09b2a8e 13a1c33bf895cd58e5742088a1aa6276 ddfe514da9e68cd0a5f5687f91471448962e489a1f342f6ff499839475cc52a6 |
Remediation
Block the threat indicators at their respective controls.
Do not download email attachments coming from unknonw or untrusted sources.
Always scan downloaded files before execution.