
Rewterz Threat Alert – Multiple Malware Campaigns – IoCs

March 18, 2019

Severity

Medium

Analysis Summary

A malicious Microsoft Word document has been reported that contains a link to a phishing page designed to harvest the login credentials of the victim’s personal email accounts.

A Rich Text Format (RTF) file was reported that contains six embedded Microsoft Excel worksheets carrying Visual Basic (VB) scripts. The scripts invoke PowerShell to download a payload onto the system.

Another file, a 32-bit Windows .NET executable, was reported. It acts as a dropper that installs a malicious 32-bit Windows executable identified as a variant of the FormBook malware. During analysis, the executable injected itself into a set of Windows processes and collected victim data including keystrokes, clipboard contents, screenshots, and stored passwords from web browsers and other applications.

Impact

Credential Theft

System Access

Information Disclosure

Malware Infection

Indicators of Compromise

IP(s) / Hostname(s)
178.159.36[.]107
107.187.95[.]198
192.64.115[.]93
203.170.80[.]250
206.188.192[.]179
81.27.85[.]17
94.136.40[.]51

Domain(s)
igyygyigus[.]com
weddingofmyday[.]info
41230935[.]net
becoolpickuptruckhub[.]live
bonzaj[.]com
brysoldstop[.]win
corito78[.]party
dailylondonfashion[.]com
e-pennys[.]com
jyoumon-farm[.]com
lanpaizhilian[.]com
mesayang[.]com
pcshooot[.]win
queensofthescene[.]com
spainbythesea[.]uk
t70ia[.]info
topcars[.]guru
zhuangshi[.]ink

Filename(s)
ProformAdviseMarch19.doc
Oswald Crescent-converted.docx
Payment_TT_Copy-pdf.exe
bin.exe

Email Address
Rena_564[@]hotmail[.]com

Malware Hash (MD5 / SHA256)
MD5: 4aa1bb25d9858452194548825836db66
SHA256: 3fea120d39b1f0b63dc6a73d0ee2d197169fc765dd5b1eafc5658c6799d4b00f
SHA256: 854a864b0b0465c352a24ba09ec3b4c0f24684e9c4ad4f8900f605e4705cf74e
MD5: 9fdc3857779c18f9802b39d7f3caf90b
SHA256: 4fcaff67dd797d6bc76d9a1202838542bf88789a7ef6e4ac5ec0ca5f1a5301e1
MD5: e6aa24cabafb1f66e2e874a1722acd13
SHA256: d6646857d68f0fe855887571c65f3ae3d89e74a59ea3f77bf576943103a84eb0
MD5: e1c2d815112ade0e7ad765485f72b337
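To make the indicators above actionable in a SOC, they have to be refanged (the `[.]` and `[@]` brackets removed), typed, and swept across proxy, DNS and endpoint telemetry. The Python script below is an added example and not part of the Rewterz alert: the indicator subset is copied from the list above in its defanged form, the log lines are constructed for the demonstration, and the matching goes slightly beyond a plain substring search by bounding each indicator so that a listed domain also matches its subdomains but not an unrelated domain that merely contains it.

```python
"""Refang the indicators published above and sweep log lines for them.

Added example (not part of the Rewterz alert). The IoC subset is copied from the
alert in its defanged form; the log lines are constructed for the demonstration.
"""
import re

# Subset of the alert's IoCs, defanged exactly as published.
DEFANGED_IOCS = [
    "178.159.36[.]107",
    "107.187.95[.]198",
    "igyygyigus[.]com",
    "weddingofmyday[.]info",
    "topcars[.]guru",
    "Rena_564[@]hotmail[.]com",
    "4aa1bb25d9858452194548825836db66",
    "3fea120d39b1f0b63dc6a73d0ee2d197169fc765dd5b1eafc5658c6799d4b00f",
]

# Constructed proxy / DNS / EDR log lines (not real telemetry).
SAMPLE_LOGS = [
    'proxy src=10.0.5.21 dst=178.159.36.107 host=igyygyigus.com url="/bin.exe" status=200',
    'dns client=10.0.5.21 query=cdn.weddingofmyday.info type=A',
    'proxy src=10.0.5.22 dst=93.184.216.34 host=notopcars.guru url="/" status=200',
    'edr host=WS-021 file=Payment_TT_Copy-pdf.exe sha256=3fea120d39b1f0b63dc6a73d0ee2d197169fc765dd5b1eafc5658c6799d4b00f',
]

IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
MD5_RE = re.compile(r"^[0-9a-f]{32}$")
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


def refang(indicator: str) -> str:
    """Undo the [.] / [@] / hxxp defanging used in advisories and normalise case."""
    return (indicator.strip()
            .replace("[.]", ".")
            .replace("[@]", "@")
            .replace("hxxp", "http")
            .lower())


def classify(indicator: str) -> str:
    """Label a refanged indicator as ip, md5, sha256, email or domain."""
    if IPV4_RE.match(indicator):
        return "ip"
    if MD5_RE.match(indicator):
        return "md5"
    if SHA256_RE.match(indicator):
        return "sha256"
    if "@" in indicator:
        return "email"
    return "domain"


def build_ioc_table(defanged):
    """Map each refanged indicator to its type."""
    return {refang(raw): classify(refang(raw)) for raw in defanged}


def find_hits(log_lines, ioc_table):
    """Return (line_no, indicator, type) for every IoC found in each line.

    The indicator must be bounded by non-name characters, so 'topcars.guru'
    does not fire on 'notopcars.guru'; a preceding dot is allowed so that
    subdomains of a listed domain (cdn.weddingofmyday.info) still match.
    """
    hits = []
    for lineno, line in enumerate(log_lines, 1):
        lowered = line.lower()
        for ioc, kind in ioc_table.items():
            pattern = r"(?<![\w-])" + re.escape(ioc) + r"(?![\w-])"
            if re.search(pattern, lowered):
                hits.append((lineno, ioc, kind))
    return hits


if __name__ == "__main__":
    table = build_ioc_table(DEFANGED_IOCS)
    for hit in find_hits(SAMPLE_LOGS, table):
        print("line %d: %s (%s)" % hit)
```

Run against the constructed lines, the sweep reports the C2 IP and domain on the first proxy line, the subdomain lookup on the DNS line and the SHA256 on the EDR line, while the look-alike domain on the third line is not reported. Hash indicators should additionally be pushed to the endpoint control rather than only matched in logs, since a renamed payload keeps its hash but not its file name.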

Remediation

  • Block the threat indicators at their respective controls (IPs and domains at the firewall, proxy and DNS layer; the sender address at the mail gateway; file hashes at the endpoint protection and EDR layer).
  • Maintain antivirus signatures and engines and keep them up-to-date.
  • Keep operating system patches up-to-date.
  • Disable File and Printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
  • Restrict users’ ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators group unless required.
  • Enforce a strong password policy and implement regular password changes.
  • Exercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be known.
  • Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its “true file type” (i.e., the extension matches the file header).
  • Scan all software downloaded from the Internet prior to executing.
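The “true file type” check in the list above can be automated by comparing an attachment’s leading bytes with the format its extension claims. The Python script below is an added example and not part of the Rewterz alert: the magic-byte table and the list of lure extensions are assumptions covering the formats the alert names (OLE2 .doc/.xls, OOXML .docx/.xlsx, RTF, PDF and PE executables), and the sample attachments are constructed byte strings that reuse the alert’s file names, not the real samples.

```python
"""Check that an e-mail attachment's extension agrees with its file header.

Added example (not part of the Rewterz alert). The magic-byte table covers the
formats named in the alert; sample attachments are constructed byte strings
reusing the alert's file names, not the real samples.
"""
import os

# Leading bytes that identify the container formats discussed in the alert.
MAGIC = [
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2"),  # legacy .doc/.xls compound file
    (b"PK\x03\x04", "zip"),                         # OOXML .docx/.xlsx are ZIP archives
    (b"{\\rtf", "rtf"),                             # Rich Text Format
    (b"MZ", "pe"),                                  # Windows executable (PE, incl. .NET)
    (b"%PDF", "pdf"),
]

# Header types that legitimately go with each extension (assumed allow-list).
EXPECTED = {
    ".doc": {"ole2", "rtf"},   # Word also opens RTF renamed to .doc
    ".docx": {"zip"},
    ".xls": {"ole2"},
    ".xlsx": {"zip"},
    ".rtf": {"rtf"},
    ".pdf": {"pdf"},
    ".exe": {"pe"},
}

# Extensions commonly planted before the real one to make an .exe look like a document.
LURE_EXTENSIONS = ("pdf", "doc", "docx", "xls", "xlsx")


def true_type(data: bytes) -> str:
    """Identify the format from the header alone, ignoring the file name."""
    for signature, name in MAGIC:
        if data.startswith(signature):
            return name
    return "unknown"


def check_attachment(filename: str, data: bytes) -> dict:
    """Compare the declared extension with the header type and flag masquerading."""
    name = filename.lower()
    base, ext = os.path.splitext(name)
    kind = true_type(data)
    findings = []

    expected = EXPECTED.get(ext)
    if expected is None:
        findings.append("extension %r not on the allow-list" % ext)
    elif kind not in expected:
        findings.append("header says %s but extension is %s" % (kind, ext))

    # Double extensions such as Invoice.pdf.exe or Payment_TT_Copy-pdf.exe
    for lure in LURE_EXTENSIONS:
        if base.endswith(("." + lure, "-" + lure, "_" + lure)):
            findings.append("lure extension %r before real extension %s" % (lure, ext))
            break

    if kind == "pe":
        findings.append("executable content")

    return {"file": filename, "ext": ext, "true_type": kind,
            "findings": findings, "block": bool(findings)}


# Constructed sample attachments (header bytes only; not the alert's real files).
SAMPLE_ATTACHMENTS = {
    "ProformAdviseMarch19.doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24,
    "Oswald Crescent-converted.docx": b"{\\rtf1\\ansi\\deff0{\\object\\objemb}}",
    "Payment_TT_Copy-pdf.exe": b"MZ\x90\x00\x03\x00\x00\x00",
    "bin.exe": b"MZ\x90\x00\x03\x00\x00\x00",
    "quarterly-report.pdf": b"%PDF-1.5\n%\xe2\xe3\xcf\xd3\n",
}


def scan_samples():
    """Run the check over every constructed sample and return the verdicts."""
    return [check_attachment(n, d) for n, d in SAMPLE_ATTACHMENTS.items()]


if __name__ == "__main__":
    for v in scan_samples():
        print("%-32s %-8s %s" % (v["file"], v["true_type"],
                                  "; ".join(v["findings"]) or "ok"))
```

Only the first 8 bytes are needed for the lookup, so a mail gateway can apply this to the attachment stream before it is written to disk. Note that the check cannot distinguish a benign .docx from a weaponised one (both are ZIP containers); its job is to catch renamed and double-extension files such as an RTF delivered as .docx or an executable named Payment_TT_Copy-pdf.exe, which then go to deeper inspection or are dropped.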
COPYRIGHT © REWTERZ. ALL RIGHTS RESERVED.