Rewterz Threat Alert – Metamorfo Campaign Targeting Banking Customers

June 10, 2020

Severity

Medium

Analysis Summary

A campaign has been observed targeting Brazilian banking customers. The threat actors used script interpreters (such as wscript.exe and powershell.exe) to execute scripts that pulled previously stored malware from multiple directory locations and injected it into DLLs. By executing from digitally signed code, such as the targeted DLLs, the requests the malware makes appear less suspicious. Some anti-virus software may even ignore the code's activity because it is digitally signed and therefore treated as a trusted application. DLLs from Avira, AVG, Avast, Daemon Tools, Steam, and NVIDIA were the vendors most frequently abused in this campaign. The infection begins with an MSI installer that contains both legitimate and malicious files. After installation, the legitimate binary is run, which in turn loads the malicious DLL.
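As an added illustration (not part of the Rewterz advisory), the following Python flags the side-loading pattern described above in constructed image-load records modelled loosely on Sysmon Event ID 7 fields; the field names, paths, file names and the two-signal threshold are assumptions, not campaign data.

```python
import ntpath

# Constructed sample image-load records (not real telemetry). Field names are assumed.
SAMPLE_EVENTS = [
    {"parent_image": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Users\bob\AppData\Roaming\Updater\vendorui.exe", "image_signed": True,
     "loaded_dll": r"C:\Users\bob\AppData\Roaming\Updater\vendorhelper.dll", "dll_signed": False},
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Vendor\vendorui.exe", "image_signed": True,
     "loaded_dll": r"C:\Program Files\Vendor\vendorhelper.dll", "dll_signed": True},
    {"parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\notepad.exe", "image_signed": True,
     "loaded_dll": r"C:\Windows\System32\kernel32.dll", "dll_signed": True},
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Users\bob\Downloads\Tool\tool.exe", "image_signed": True,
     "loaded_dll": r"C:\Users\bob\Downloads\Tool\tool.dll", "dll_signed": False},
]

# Script interpreters named in the advisory (cscript.exe added as the obvious sibling).
SCRIPT_INTERPRETERS = {"wscript.exe", "cscript.exe", "powershell.exe"}
# Directories where a signed vendor binary is normally expected to live.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def in_trusted_dir(path):
    return path.lower().startswith(TRUSTED_PREFIXES)


def side_load_reasons(ev):
    """Return the individual weak signals that, combined, describe the side-loading pattern."""
    reasons = []
    same_dir = ntpath.dirname(ev["image"]).lower() == ntpath.dirname(ev["loaded_dll"]).lower()
    if ev["image_signed"] and not ev["dll_signed"] and same_dir:
        reasons.append("signed host loads unsigned DLL from its own directory")
    if ev["image_signed"] and not in_trusted_dir(ev["image"]):
        reasons.append("signed vendor binary running outside a standard install path")
    if ntpath.basename(ev["parent_image"]).lower() in SCRIPT_INTERPRETERS:
        reasons.append("launched by a script interpreter")
    return reasons


def find_side_loads(events, min_reasons=2):
    """Flag only events where at least two signals coincide, to limit noise from benign loads."""
    hits = []
    for ev in events:
        reasons = side_load_reasons(ev)
        if len(reasons) >= min_reasons:
            hits.append((ev["image"], reasons))
    return hits


if __name__ == "__main__":
    for image, reasons in find_side_loads(SAMPLE_EVENTS):
        print(image, "->", "; ".join(reasons))
```

A single signal (for example, PowerShell launching notepad.exe from System32) is deliberately not enough to raise a hit; the pattern of interest is a signed binary in a user-writable directory loading an unsigned DLL beside it.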

Impact

  • Credential theft
  • Financial loss

Indicators of Compromise

MD5

Remediation

  • Block all threat indicators at your respective controls.
  • Always be suspicious of emails sent by unknown senders.
  • Never click on links or attachments sent by unknown senders.
  • Search for the IOCs in your environment.
COPYRIGHT © REWTERZ. ALL RIGHTS RESERVED.