
Rewterz Threat Alert – MoDi RAT Spreading Via Email

September 25, 2020

Severity

Medium

Analysis Summary

Researchers discovered a reflective loader attack delivered by email, possibly as part of a malspam campaign. The message arrives in the potential victim's inbox with a malicious VBS attachment. When the victim opens it, the VBS code connects to a remote website and, after following a series of HTTP 302 redirects, retrieves a ZIP archive hosted on OneDrive. The archive contains a second VBS file, which the first script extracts and saves to disk. The script then writes three binary blobs to the registry and creates a scheduled task that runs the downloaded code at a later time. When the scheduled task fires, the VBS launches PowerShell, writes its commands to the system clipboard, and pastes the clipboard contents into the PowerShell window. Feeding the script in through the clipboard, rather than passing it on the command line, is likely an attempt to evade security products that inspect PowerShell command-line arguments: the PowerShell process itself starts with nothing suspicious on its command line. The pasted code retrieves a .NET decoder executable from one of the registry blobs and injects it into a system process; the decoder then retrieves the other two blobs and injects them as well. One of those two blobs is the MoDi RAT payload.
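
The chain above leaves several host-level traces that are visible even when the PowerShell command line looks clean: a script host running a VBS from a user-writable path, that script host writing binary values to the registry, a scheduled task created to run a VBS, and PowerShell spawned by wscript.exe or cscript.exe with no switches at all. The following is an added hunting example, not code from the Rewterz advisory. The events it runs over are constructed, their field names only loosely follow Sysmon (EventID 1 for process creation, EventID 13 for registry value set), and the four rules, the user-writable path list and the three-blob threshold are assumptions derived from the description above rather than anything published by the researchers.

```python
"""Hunting the MoDi RAT delivery chain in endpoint telemetry.

Added example, not code from the Rewterz advisory. The events below are
constructed, not captured telemetry; field names loosely follow Sysmon
(EventID 1 = process create, EventID 13 = registry value set), and the
four rules are assumptions derived from the chain the advisory describes.
"""
import re
from collections import Counter

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# User-writable locations where a mail-delivered VBS typically lands (assumption).
USER_PATHS = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")
# The advisory describes three registry blobs; the threshold is an assumption.
MIN_BLOBS = 3

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WSCRIPT = r"C:\Windows\System32\wscript.exe"

# Constructed sample events (not real data). Pids 200-500 are the malicious
# chain; pids 600 and 700 are benign noise that the rules must not flag.
SAMPLE_EVENTS = [
    {"id": 1, "pid": 100, "ppid": 1, "image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE", "cmd": '"OUTLOOK.EXE"'},
    # Victim opens the attachment: wscript runs the VBS from Temp.
    {"id": 1, "pid": 200, "ppid": 100, "image": WSCRIPT, "cmd": r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\AppData\Local\Temp\invoice.vbs"'},
    # The script stages three binary blobs in the user hive.
    {"id": 13, "pid": 200, "image": WSCRIPT, "target": r"HKU\S-1-5-21-1\Software\App\b1", "details": "Binary Data"},
    {"id": 13, "pid": 200, "image": WSCRIPT, "target": r"HKU\S-1-5-21-1\Software\App\b2", "details": "Binary Data"},
    {"id": 13, "pid": 200, "image": WSCRIPT, "target": r"HKU\S-1-5-21-1\Software\App\b3", "details": "Binary Data"},
    # ...and registers a scheduled task that will run the downloaded VBS later.
    {"id": 1, "pid": 300, "ppid": 200, "image": r"C:\Windows\System32\schtasks.exe", "cmd": r'schtasks.exe /create /tn Upd /tr "wscript.exe C:\Users\alice\AppData\Roaming\upd.vbs" /sc once /st 23:00'},
    # Later the task scheduler service (ppid 5 here) runs the staged VBS,
    # which spawns PowerShell with nothing on its command line.
    {"id": 1, "pid": 400, "ppid": 5, "image": WSCRIPT, "cmd": r'"C:\Windows\System32\wscript.exe" C:\Users\alice\AppData\Roaming\upd.vbs'},
    {"id": 1, "pid": 500, "ppid": 400, "image": PS, "cmd": '"' + PS + '"'},
    # Benign: an admin script launched from Explorer, and an ordinary registry write.
    {"id": 1, "pid": 600, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"id": 1, "pid": 700, "ppid": 600, "image": PS, "cmd": r'powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1'},
    {"id": 13, "pid": 600, "image": r"C:\Windows\explorer.exe", "target": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\Shell\Bags\1", "details": "DWORD (0x00000001)"},
]


def basename(image):
    """Lower-cased file name of a Windows image path."""
    return image.rsplit("\\", 1)[-1].lower()


def hunt(events):
    """Return (rule, pid) findings for the MoDi-style delivery chain."""
    procs = {e["pid"]: e for e in events if e["id"] == 1}
    findings = []
    blobs_by_pid = Counter()
    for e in events:
        name = basename(e["image"])
        if e["id"] == 1:
            parent = procs.get(e["ppid"])
            parent_name = basename(parent["image"]) if parent else ""
            cmd = e["cmd"].lower()
            # Rule 1: a script host running a .vbs from a user-writable path.
            if name in SCRIPT_HOSTS and ".vbs" in cmd and any(p in cmd for p in USER_PATHS):
                findings.append(("vbs_from_user_writable_path", e["pid"]))
            # Rule 2: schtasks /create driven by a script host, or pointing at a .vbs.
            if name == "schtasks.exe" and "/create" in cmd and (parent_name in SCRIPT_HOSTS or ".vbs" in cmd):
                findings.append(("scheduled_task_registered_by_script", e["pid"]))
            # Rule 3: PowerShell spawned by a script host with no switches at all.
            # No -Command/-File/-EncodedCommand means the script is being fed in
            # some other way, such as the clipboard paste the advisory describes,
            # so a command-line-only detection would see nothing suspicious.
            if name == "powershell.exe" and parent_name in SCRIPT_HOSTS and not re.search(r"\s-\w", cmd):
                findings.append(("bare_powershell_from_script_host", e["pid"]))
        elif e["id"] == 13 and name in SCRIPT_HOSTS and e.get("details", "").startswith("Binary Data"):
            blobs_by_pid[e["pid"]] += 1
    # Rule 4: a script host that stored several binary blobs in the registry.
    for pid, count in blobs_by_pid.items():
        if count >= MIN_BLOBS:
            findings.append(("script_host_staged_registry_blobs", pid))
    return findings


if __name__ == "__main__":
    for rule, pid in hunt(SAMPLE_EVENTS):
        print(f"{rule:40s} pid={pid}")
```

Run as a script, it flags the four stages of the constructed chain (pids 200, 300, 400 and 500) and stays silent on the Explorer-launched backup script and its registry write. Rule 3 is the one that matters for the evasion the advisory describes: it keys on the parent process and on the absence of any switch, not on the contents of the command line, because the clipboard paste is designed to keep that command line empty.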

Impact

  • Exposure of sensitive data
  • Information theft

Indicators of Compromise

SHA-1

  • 695b21032e1ba37affa4f13d525798f9869ea794
  • 0449ae73074153195368cfefd910946d540e59ff
  • 00c8144d988385ad0d44a8871044185fa9bb78e4
  • 17b85597c55e99d09c8ad5cf9631f0f1d5d82d0e
  • a7967f4f66d4f9d3ac7187cab601abdc47e1c6c0
  • 79bcda484419f0adc9648b581b10498c8415d89a

URL

  • http[:]//vanesaescribano[.]com/services/coaching-personal
  • http[:]//phix[.]es/impots-center

Remediation

  • Block all threat indicators at your respective controls.
  • Always be suspicious of emails sent by unknown senders.
  • Never click on links or open attachments sent by unknown senders.
  • Treat script attachments such as .vbs files as hostile and block or quarantine them at the mail gateway where business processes allow.
  • Hunt for the chain described above rather than for the PowerShell command line alone: scheduled tasks that launch a .vbs from a user-writable path, wscript.exe or cscript.exe writing binary values to the registry, and powershell.exe spawned by a script host with an empty command line. Because the commands are pasted from the clipboard, command-line-based PowerShell detections will see nothing suspicious in this attack.
COPYRIGHT © REWTERZ. ALL RIGHTS RESERVED.