Platform
Managed Security Services
Managed Penetration Testing
Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Resources
March 25, 2023Severity Medium Analysis Summary GandCrab – a ransomware-as-a-service variant – was discovered in early 2018. At least five versions of GandCrab have been created since its […]March 25, 2023Severity Medium Analysis Summary NjRat is a Remote Access Trojan, which is found leveraging Pastebin to deliver a second-stage payload after initial infection. There are multiple […]March 24, 2023Severity Medium Analysis Summary CVE-2023-20113 Cisco SD-WAN vManage Software is vulnerable to cross-site request forgery, caused by improper validation of user-supplied input. By persuading an authenticated […]Threat Insights
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
Connect with Us
Platform
Managed Security Services
Managed Penetration Testing
Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Resources
March 25, 2023Severity Medium Analysis Summary GandCrab – a ransomware-as-a-service variant – was discovered in early 2018. At least five versions of GandCrab have been created since its […]March 25, 2023Severity Medium Analysis Summary NjRat is a Remote Access Trojan, which is found leveraging Pastebin to deliver a second-stage payload after initial infection. There are multiple […]March 24, 2023Severity Medium Analysis Summary CVE-2023-20113 Cisco SD-WAN vManage Software is vulnerable to cross-site request forgery, caused by improper validation of user-supplied input. By persuading an authenticated […]Threat Insights
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
Connect with Us
Rewterz Threat Advisory – Microsoft Windows Server 2016 / Windows 10 Multiple Vulnerabilities
March 18, 2019Rewterz threat Advisory – Microsoft SharePoint Server 2016 Multiple Vulnerabilities
March 18, 2019
Severity
Medium
Analysis Summary
A malicious Microsoft Word document has been reported that contains a link to harvest the victim’s personal email accounts login credentials.
A Rich Text Formatted (RTF) file was reported that contains six Microsoft Excel worksheets with embedded Visual Basic (VB) scripts. The scripts invoke PowerShell to download a payload on to the system.
Another file containing a 32-bit Windows .NET executable was reported. The file is designed to install a malicious 32- bit Windows executable. The executable is the payload identified as a variant of the FormBook malware. During analysis, the malicious executable injected itself into a list of Windows processes and collected victim’s data including: user keystrokes, clipboard data, screenshots, web browser passwords, and other applications.
Impact
Credential Theft
System Access
Information Disclosure
Malware Infection
Indicators of Compromise
| IP(s) / Hostname(s) | 178.159.36[.]107 107.187.95[.]198 192.64.115[.]93 203.170.80[.]250 206.188.192[.]179 81.27.85[.]17 94.136.40[.]51 |
| URLs | igyygyigus[.]com weddingofmyday[.]info 41230935[.]net becoolpickuptruckhub[.]live bonzaj[.]com brysoldstop[.]win corito78[.]party dailylondonfashion[.]com e-pennys[.]com jyoumon-farm[.]com lanpaizhilian[.]com mesayang[.]com pcshooot[.]win queensofthescene[.]com spainbythesea[.]uk t70ia[.]info topcars[.]guru zhuangshi[.]ink |
| Filename | ProformAdviseMarch19.doc Oswald Crescent-converted.docx Payment_TT_Copy-pdf.exe bin.exe |
| Email Address | Rena_564[@]hotmail[.]com |
| Malware Hash (MD5/SHA1/SH256) | 4aa1bb25d9858452194548825836db66 3fea120d39b1f0b63dc6a73d0ee2d197169fc765dd5b1eafc5658c6799d4b00f 854a864b0b0465c352a24ba09ec3b4c0f24684e9c4ad4f8900f605e4705cf74e 9fdc3857779c18f9802b39d7f3caf90b 4fcaff67dd797d6bc76d9a1202838542bf88789a7ef6e4ac5ec0ca5f1a5301e1 e6aa24cabafb1f66e2e874a1722acd13 d6646857d68f0fe855887571c65f3ae3d89e74a59ea3f77bf576943103a84eb0 e1c2d815112ade0e7ad765485f72b337 |
Remediation
- Block the threat indicators at their respective controls.
- Maintain antivirus signatures and engines and keep them up-to-date.
- Keep operating system patches up-to-date.
- Disable File and Printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
- Restrict users’ ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators group unless required.
- Enforce a strong password policy and implement regular password changes.
- Exercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be known.
- Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its “true file type” (i.e., the extension matches the file header).
- Scan all software downloaded from the Internet prior to executing.