Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
High
A phishing campaign has been detected in which a malicious Microsoft Excel document, delivered as an email attachment, spreads a new variant of Dridex. Dridex is Trojan malware, also known as Bugat and Cridex, that steals a victim's online banking and system information from an infected machine.
The email is disguised as a payment request with a fake Excel invoice attached. If the victim double-clicks the attachment, Microsoft Excel opens it and displays a yellow bar with a Security Warning, indicating that the file contains risky active content such as a VBA macro. Once the victim clicks the “Enable Content” button, however, that content is loaded and executed automatically. The document deliberately shows a vague invoice to drive the victim to click the button in order to get a clearer look at it.
The file contains a malicious macro (VBA code) that can be executed in two ways. The first is by clicking the green “All-Open and pay” button, which runs the malicious VBA code. The second is through a Layout event: the macro has a private Formsa_Layout() function that handles this event and executes the malicious code, and Layout events occur many times while the victim is working on the file. The Dridex developer puts all of the malicious work in the function DllRegisterServer(), which can be thought of as the equivalent of a Main() function in a normal process.
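The two trigger paths above (an explicit button click versus a passive form Layout event) are what a macro triage script should separate. The following Python is an added example, not code from the advisory or from Rewterz: it scans decompressed VBA source for procedures whose call chain reaches shell or COM API use and labels each handler as click-driven or passive. The VBA sample, the event-suffix list and the flagged-API list are constructed assumptions, not the real Dridex macro.

```python
import re
# Constructed sample VBA source (not the real Dridex macro): a button Click handler
# and a form Layout event handler both call the same payload routine.
SAMPLE_VBA = """
Private Sub CommandButton1_Click()
    Call RunPayload
End Sub
Private Sub Formsa_Layout()
    Call RunPayload
End Sub
Private Sub RunPayload()
    Set sh = CreateObject("WScript.Shell")
    sh.Run "cmd /c echo constructed-sample"
End Sub
"""
# Handler suffixes / auto-exec names that fire without a click, and API use worth flagging
PASSIVE_SUFFIXES = ("_layout", "_open", "_activate", "_change", "_calculate", "_resize")
AUTO_EXEC_NAMES = {"auto_open", "autoopen", "workbook_open", "document_open"}
SUSPICIOUS_RE = re.compile(r"CreateObject|WScript\.Shell|\bShell\s*\(|\.Run\b|URLDownloadToFile", re.I)
PROC_RE = re.compile(
    r"(?:Private\s+|Public\s+)?\b(?:Sub|Function)\s+(\w+)\s*\([^)]*\)(.*?)End\s+(?:Sub|Function)",
    re.S | re.I)

def parse_procedures(src):
    """Return {name: body} for every Sub/Function in the VBA source."""
    return {m.group(1): m.group(2) for m in PROC_RE.finditer(src)}

def kind(name):
    """'passive' for event/auto-exec handlers, 'click' for button handlers, else None."""
    n = name.lower()
    if n in AUTO_EXEC_NAMES or n.endswith(PASSIVE_SUFFIXES):
        return "passive"
    return "click" if n.endswith("_click") else None

def reaches_suspicious(name, procs, seen):
    """Follow procedure calls from `name`; True if any reachable body uses a flagged API."""
    if name in seen or name not in procs:
        return False
    seen.add(name)
    if SUSPICIOUS_RE.search(procs[name]):
        return True
    return any(re.search(r"\b%s\b" % re.escape(callee), procs[name], re.I)
               and reaches_suspicious(callee, procs, seen)
               for callee in procs if callee != name)

def find_triggers(src):
    """Map each handler that reaches a flagged API to 'passive' or 'click'."""
    procs = parse_procedures(src)
    return {n: kind(n) for n in procs if kind(n) and reaches_suspicious(n, procs, set())}
```

A passive result such as the Layout handler is the higher-priority finding, since it executes without the victim pressing the button once content is enabled.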
Many anti-analysis techniques are observed in the core Dridex to prevent its code from being analyzed.