Platform
Managed Security Services
Managed Penetration Testing
Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Resources
September 22, 2023
Severity High Analysis Summary Ducktail Malware is a malicious program designed by hackers to infiltrate computers and networks globally. Ducktail malware is typically delivered through a […]September 22, 2023Severity Medium Analysis Summary First discovered in 2016, Revenge RAT is a remote access trojan (RAT) designed to give an attacker complete control over an infected […]September 22, 2023Severity High Analysis Summary The Konni APT (Advanced Persistent Threat) group is a cyber espionage group that has been active since at least 2014. It is […]Threat Insights
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
Connect with Us
Platform
Managed Security Services
Managed Penetration Testing
Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Resources
September 22, 2023Severity High Analysis Summary Ducktail Malware is a malicious program designed by hackers to infiltrate computers and networks globally. Ducktail malware is typically delivered through a […]September 22, 2023Severity Medium Analysis Summary First discovered in 2016, Revenge RAT is a remote access trojan (RAT) designed to give an attacker complete control over an infected […]September 22, 2023Severity High Analysis Summary The Konni APT (Advanced Persistent Threat) group is a cyber espionage group that has been active since at least 2014. It is […]Threat Insights
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
Connect with Us
Rewterz Threat Advisory – Cisco SD-WAN Solution Vulnerability
March 19, 2020Rewterz Threat Alert – COVID themed targeting from North Korean Kimsuky
March 20, 2020
Severity
Medium
Analysis Summary
| Attackers are launching thematic email campaigns using COVID fear to lure people into clicking malicious documents. APT27 has launched a similar campaign. The first stage is a fake PDF file. It looks like a real PDF, it has a hidden extension and a nice PDF icon, but it really isn’t a PDF, it’s actually a .lnk file, or in other words a “Microsoft Linking File”. Opening up the .lnk file there are two main sections: one is a kind of header where it is possible to observe commands, and the other section is a big encoded payload. Stage 1 carved Stage 2 from its body by extracting bytes and decoding them using base64 encoding. The new stage is a Microsoft compressed CAB file. Stage 1 executes the Javascript included in the CAB file. 9sOXN6Ltf0afe7.js performs an ActiveXObject call to WScript.Shell in order to execute Windows command lists. Once ”deobfuscated” and beautified the command line looks like (9sOXN6Ltf0afe7.js payload beautified). The attacker creates a folder that looks like a “file” by calling it cscript.exe trying to cheat the analyst. Then the attacker populates that folder with the needed files to follow the infection chain. |
Impact
- Command Execution
- Unauthorized Remote Access
Indicators of Compromise
Hostname
- motivation[.]neighboring[.]site
MD5
- 83d04f21515c7e6316f9cd0bb393a118
- 21a51a834372ab11fba72fb865d6830e
- fd648c3b7495abbe86b850587e2e5431
SHA-256
- a49133ed68bebb66412d3eb5d2b84ee71c393627906f574a29247d8699f1f38e
- 95489af84596a21b6fcca078ed10746a32e974a84d0daed28cc56e77c38cc5a8
- 002c9e0578a8b76f626e59b755a8aac18b5d048f1cc76e2c12f68bc3dd18b124
URL
- http[:]//motivation[.]neighboring[.]site/01/index[.]php
Remediation
- Block the threat indicators at their respective controls.
- Do not download untrusted files attached in emails coming from unknown sources.