Platform
Managed Security Services
Managed Penetration Testing
Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Resources
March 25, 2023Severity Medium Analysis Summary GandCrab – a ransomware-as-a-service variant – was discovered in early 2018. At least five versions of GandCrab have been created since its […]March 25, 2023Severity Medium Analysis Summary NjRat is a Remote Access Trojan, which is found leveraging Pastebin to deliver a second-stage payload after initial infection. There are multiple […]March 24, 2023Severity Medium Analysis Summary CVE-2023-20113 Cisco SD-WAN vManage Software is vulnerable to cross-site request forgery, caused by improper validation of user-supplied input. By persuading an authenticated […]Threat Insights
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
Connect with Us
Platform
Managed Security Services
Managed Penetration Testing
Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Resources
March 25, 2023Severity Medium Analysis Summary GandCrab – a ransomware-as-a-service variant – was discovered in early 2018. At least five versions of GandCrab have been created since its […]March 25, 2023Severity Medium Analysis Summary NjRat is a Remote Access Trojan, which is found leveraging Pastebin to deliver a second-stage payload after initial infection. There are multiple […]March 24, 2023Severity Medium Analysis Summary CVE-2023-20113 Cisco SD-WAN vManage Software is vulnerable to cross-site request forgery, caused by improper validation of user-supplied input. By persuading an authenticated […]Threat Insights
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
Connect with Us
Rewterz Threat Advisory – CVE-2021-23876 – McAfee Total Protection privilege escalation
February 12, 2021Rewterz Threat Advisory – Apache Thrift denial of service
February 15, 2021
Severity
High
Analysis Summary
The Iranian APT MuddyWater is targeting multiple Arabic-speaking countries. The APT exploits 2 lures: a report on relations between Arab countries and Israel, or a file on scholarships. These two lure ZIP files are being used by the threat actor to trick users into downloading malware. URLs distributed through these phishing emails direct recipients to the intended file storage location on Onehub. The attack commences by directing users to a downloader URL pointing to these ZIP files via a phishing email. This, when opened, launches the installation process for ScreenConnect, and subsequently uses it to communicate with the adversary. The URLs themselves are distributed through decoy documents embedded in the emails.
The campaign was detected targeting government agencies in the United Arab Emirates (UAE) and likely the broader Middle East. The campaign is linked to the Iran-nexus cyberespionage group Static Kitten, due to Israeli geopolitical-themed lures, Ministry of Foreign Affairs (MOFA) references, and the use of file-storage service Onehub that was attributed to their previous campaign known as Operation Quicksand. The objective of this activity is to install a remote management tool called ScreenConnect (acquired by ConnectWise 2015) with unique launch parameters that have custom properties. Malicious executables and URLs used in this campaign are masquerading as the Ministry of Foreign Affairs (MOFA) of Kuwait (mofa.gov[.]kw).
Impact
- Unauthorized Remote Access
- Data Exfiltration
Indicators of Compromise
Domain Name
- instance-uwct38-relay[.]screenconnect[.]com
- instance-sy9at2-relay[.]screenconnect[.]com
MD5
- 2cd569dafe4f537150f0416b021c30ab
- e8e84ac1ae83a45c260df146e97cb1cb
- a8fce1e8e89053e143b5431cfa5209cb
- b9cff91be734e2a071d3b0fc07dc8386
- 960594cbdf938bcb03bd0637843d9154
SHA-256
- 31a35e3b87a7f81449d6f3e195dc0660b5dae4ac5b7cd9a65a449526e8fb7535
- 3e4e179a7a6718eedf36608bd7130b62a5a464ac301a211c3c8e37c7e4b0b32b
- 5bfb635c43eb73f25f4e75961a715b96fa764bbe096086fc1e037a7869c7878b
- 77505dcec5d67cc0f6eb841f50da7e7c41a69419d50dc6ce17fffc48387452e1
- b2f429efdb1801892ec8a2bcdd00a44d6ee31df04721482a1927fc6df554cdcf
SHA1
- 3cf40758a15faf5037a7fcb6c8d6c322ec54dfc1
- c58370b4114d4d493e141a66cd1484573ccf02b5
- 707c251833db0fb7c17c79413ddaebcb54cdb0fc
- 116646a11967c1eed0e6072150b8d581bcf8d6a5
- f228e772a31b4fc160cb59cf5627224613f10941
URL
- https[:]//ws[.]onehub[.]com/files/7w1372el
- https[:]//ws[.]onehub[.]com/files/94otjyvd
- https[:]//ws[.]onehub[.]com/files/mz8ok6gf
- https[:]//ws[.]onehub[.]com/files/wrz117le
- https[:]//ws[.]onehub[.]com/files/2b2nwhmh
Remediation
- Block the threat indicators at their respective controls.
- Do not download files attached in untrusted emails.
- Do not click on URLs given in untrusted emails.