Rewterz penetration testing services help organizations determine whether an attacker can gain access to their critical assets, while giving them detailed insight into the overall business impact of a cyber attack.
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
Severity: HIGH
Analysis Summary:
Rietspoof is a recently identified malware family that uses a multi-stage delivery chain to drop several payloads on the systems it infects; its intended targets are not yet known. The final payload is a bot that "can download/upload files, start processes, or initiate a self-destruct function", and it also behaves like a run-of-the-mill downloader.
The first stage is delivered through instant messaging clients such as Skype or Messenger, as a highly obfuscated Visual Basic Script (executed by the Windows Script Host, wscript.exe) that carries a hard-coded, encrypted second stage: a CAB archive. The CAB file is expanded into an executable that is digitally signed with a valid certificate, in most observed samples issued by Comodo CA (the CA now operating as Sectigo, which is why its OCSP responder appears in the indicators below). That executable installs a downloader as the fourth stage.
A recent addition gives the malware persistence: it drops WindowsUpdate.lnk into the Windows Startup folder so that the expanded Portable Executable (PE) binary is run again after every reboot.
Rietspoof's third stage is the one that drops the bot payload, which lets the operators start processes on the compromised machine, download and upload files, and issue a self-destruct command.
Impact
Arbitrary process execution on the compromised host.
Upload and download of files, i.e. exfiltration of data and delivery of further payloads.
Remote self-destruct of the implant on the operator's command.
Persistence across reboots via a shortcut in the Startup folder.
Indicators of Compromise
IP(s) / Hostname(s)
ocsp[.]sectigo[.]com
192[.]241[.]217[.]57
Ports
80
49194
49195
49201
49203
Filename
EmergencyExitMap.doc
Windows SATA Device Manager
wscript.exe
emplate.vbs
isatsrv.exe
Extension
.exe
.tmp
.sample
.vbs
Malware Hash (SHA256)
90813ad836effce0e21843c7db025d56bf1d204af25746578800f09a049ac008
f5c4782591675cd51ac3cdfd1bc719d576b7b98d529cf281b706d94fd1916c96
Remediation
Block the threat indicators at their respective controls (perimeter firewall, proxy, endpoint protection).
Do not block ocsp[.]sectigo[.]com outright: it is Sectigo's public OCSP responder, contacted by Windows whenever it checks revocation for a Comodo/Sectigo-issued certificate. Treat it as a correlation hint (a signed binary being validated) rather than a malicious destination.
Closely monitor all communication with 192[.]241[.]217[.]57. Ports 49194-49203 fall in the Windows dynamic client-port range, so they are most likely the infected host's source ports rather than fixed server ports; a rule keyed only on them will not be durable.
Check the per-user and all-users Startup folders for WindowsUpdate.lnk, and hunt for the listed filenames and SHA256 hashes on endpoints.
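As an added example (not part of the Rewterz advisory or any vendor tooling), the following Python script turns the indicators above into a local check: it refangs the defanged network indicators, hashes files under a directory against the two SHA256 values, flags the advisory's filenames, looks for the WindowsUpdate.lnk persistence artifact inside a Startup folder, and matches firewall log lines against the C2 IP. wscript.exe is deliberately left out of the filename set because it is the legitimate Windows Script Host, and ocsp[.]sectigo[.]com is left out of the network set because it is Sectigo's public OCSP responder. The demo() function builds a constructed, harmless sample tree and constructed log lines; the function names, the key=value log format and the sample paths are assumptions made for illustration.

```python
"""Match the Rietspoof indicators from the advisory against a file tree and firewall logs.
Added example with constructed inputs; the log format is assumed."""
import hashlib
import os
import re
import tempfile
from pathlib import Path

# Indicators copied from the advisory. Network indicators are kept defanged, as on the page.
IOC_HASHES_SHA256 = {
    "90813ad836effce0e21843c7db025d56bf1d204af25746578800f09a049ac008",
    "f5c4782591675cd51ac3cdfd1bc719d576b7b98d529cf281b706d94fd1916c96",
}
# wscript.exe is omitted on purpose: it is the legitimate Windows Script Host.
IOC_FILENAMES = {"emergencyexitmap.doc", "emplate.vbs", "isatsrv.exe"}
# ocsp[.]sectigo[.]com is omitted on purpose: it is Sectigo's public OCSP responder.
IOC_NETWORK = {"192[.]241[.]217[.]57"}
PERSISTENCE_LNK = "WindowsUpdate.lnk"


def refang(indicator):
    """Turn a defanged indicator such as '192[.]241[.]217[.]57' back into a matchable string."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def sha256_of(path):
    """Stream a file through SHA-256 so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def windows_startup_folders():
    """Per-user and all-users Startup folders on a live Windows host (empty list elsewhere)."""
    sub = Path("Microsoft") / "Windows" / "Start Menu" / "Programs" / "Startup"
    return [Path(os.environ[v]) / sub for v in ("APPDATA", "ProgramData") if os.environ.get(v)]


def scan_tree(root):
    """Return one hit per file that matches a filename, a hash, or the Startup persistence artifact."""
    hits = []
    for p in sorted(Path(root).rglob("*")):
        if not p.is_file():
            continue
        reasons = []
        if p.name.lower() in IOC_FILENAMES:
            reasons.append("filename")
        if p.name.lower() == PERSISTENCE_LNK.lower() and p.parent.name.lower() == "startup":
            reasons.append("persistence-lnk")
        digest = sha256_of(p)
        if digest in IOC_HASHES_SHA256:
            reasons.append("sha256")
        if reasons:
            hits.append({"name": p.name, "path": str(p), "sha256": digest, "reasons": reasons})
    return hits


def scan_connections(log_lines):
    """Return log lines containing a refanged network indicator as a whole address token."""
    targets = [re.escape(refang(i)) for i in sorted(IOC_NETWORK)]
    # Lookarounds stop 10.192.241.217 or 192.241.217.571 from matching 192.241.217.57.
    pattern = re.compile(r"(?<![\d.])(" + "|".join(targets) + r")(?![\d.])")
    return [line for line in log_lines if pattern.search(line)]


def demo():
    """Build a constructed, harmless sample tree plus constructed log lines, then scan both."""
    root = Path(tempfile.mkdtemp(prefix="rietspoof_ioc_demo_"))
    startup = root / "AppData" / "Roaming" / "Microsoft" / "Windows" / "Start Menu" / "Programs" / "Startup"
    startup.mkdir(parents=True)
    (startup / PERSISTENCE_LNK).write_bytes(b"constructed placeholder, not a real shortcut")
    (root / "isatsrv.exe").write_bytes(b"constructed placeholder, not the real sample")
    (root / "notes.txt").write_bytes(b"benign file that should not be flagged")
    # Constructed firewall lines in an assumed key=value format (203.0.113.0/24 is a documentation range).
    logs = [
        "2019-02-20T10:01:02Z host=WS01 dst=192.241.217.57 dport=80 proto=tcp action=allow",
        "2019-02-20T10:01:05Z host=WS01 dst=203.0.113.5 dport=443 proto=tcp action=allow",
        "2019-02-20T10:02:00Z host=WS02 dst=10.192.241.217 dport=80 proto=tcp action=allow",
        "2019-02-20T10:03:11Z host=WS02 dst=192.241.217.57 dport=80 proto=tcp action=deny",
    ]
    return scan_tree(root), scan_connections(logs)


if __name__ == "__main__":
    file_hits, conn_hits = demo()
    for hit in file_hits:
        print(hit["path"], hit["reasons"])
    for line in conn_hits:
        print(line)
```

On a real Windows host, pass each path from windows_startup_folders() and the user profile directories to scan_tree(); a hash match is conclusive, a filename-only match (especially emplate.vbs, whose name on the page looks truncated) is a lead that still needs triage.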