Platform
Managed Security Services
Managed Penetration Testing
Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Resources
September 22, 2023
Severity High Analysis Summary Ducktail Malware is a malicious program designed by hackers to infiltrate computers and networks globally. Ducktail malware is typically delivered through a […]September 22, 2023Severity Medium Analysis Summary First discovered in 2016, Revenge RAT is a remote access trojan (RAT) designed to give an attacker complete control over an infected […]September 22, 2023Severity High Analysis Summary The Konni APT (Advanced Persistent Threat) group is a cyber espionage group that has been active since at least 2014. It is […]Threat Insights
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
Connect with Us
Platform
Managed Security Services
Managed Penetration Testing
Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Resources
September 22, 2023Severity High Analysis Summary Ducktail Malware is a malicious program designed by hackers to infiltrate computers and networks globally. Ducktail malware is typically delivered through a […]September 22, 2023Severity Medium Analysis Summary First discovered in 2016, Revenge RAT is a remote access trojan (RAT) designed to give an attacker complete control over an infected […]September 22, 2023Severity High Analysis Summary The Konni APT (Advanced Persistent Threat) group is a cyber espionage group that has been active since at least 2014. It is […]Threat Insights
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
Connect with Us
Rewterz Threat Alert – GandCrab Ransomware – IoCs
October 26, 2020Rewterz Threat Alert – Agent Tesla Phishing Campaign
October 26, 2020
Severity
High
Analysis Summary
Three malware families are found exploiting XMRig miner for monetary gain. The first malware family discussed is dubbed “ransominer” due to its combined use of ransomware and crypto-mining. The infection chain involves a common Trojan installed on a victim’s machine with the purpose of installing administration programs, adding a new user, and opening RDP access. A ransomware payload is then executed, followed by the XMRig loader; at the same time the user is seeing the ransom note while Monero mining is being performed in the background. The second family discussed is the Prometei backdoor. After a few years in operation, it expanded its capabilities by also distributing XMRig. After brute-forcing MS SQL credentials and gaining access, PowerShell scripts are run and privileges are elevated. Purple Fox and Prometei are both installed on the host. Lastly, the XMRig miner is downloaded from the C2 server and executed. The third family is the Cliptomaner miner. This malware is similar to the other families but has the added functionality of replacing crypto-wallet addresses in the clipboard. Additionally, instead of being written in a compiled language, it is fully written in AutoIT.
Impact
- Privilege Escalation
- Denial of Service
- Credential Theft
- Unauthorized Resource Consumption
Indicators of Compromise
Domain Name
- srhost[.]xyz
- taskhostw[.]com
- 2fsdfsdgvsdvzxcwwef-defender[.]xyz
- svchost[.]xyz
- sihost[.]xyz
MD5
- 6ca170ece252721ed6cc3cfa3302d6f0
- 78f5094fa66a9aa4dc10470d5c3e3155
- 16b9c67bc36957062c17c0eff03b48f3
- 1273d0062a9c0a87e2b53e841b261976
- 1357b42546dc1d202aa9712f7b29aa0d
- d202d4a3f832a08cb8122d0154712dd1
SHA-256
- f3a23e5e9a7caefcc81cfe4ed8df93ff84d5d32c6c63cdbb09f41d84f56a4126
- b3755d85548cefc4f641dfb6af4ccc4b3586a9af0ade33cc4e646af15b4390e7
SHA1
- cf475d6e172b54633479b3587e90dd82824ff051
- 7054d2c2231311991670c43ab2dba6d70cb6eb55
Remediation
- Block the threat indicators at their respective controls.
- Do not download files attached in untrusted emails.
- Keep all systems and software updated to latest patched versions.
- Enable multi-factor authentication.