Platform
Managed Security Services
Managed Penetration Testing
Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Resources
September 22, 2023
Severity High Analysis Summary Ducktail Malware is a malicious program designed by hackers to infiltrate computers and networks globally. Ducktail malware is typically delivered through a […]September 22, 2023Severity Medium Analysis Summary First discovered in 2016, Revenge RAT is a remote access trojan (RAT) designed to give an attacker complete control over an infected […]September 22, 2023Severity High Analysis Summary The Konni APT (Advanced Persistent Threat) group is a cyber espionage group that has been active since at least 2014. It is […]Threat Insights
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
Connect with Us
Platform
Managed Security Services
Managed Penetration Testing
Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Resources
September 22, 2023Severity High Analysis Summary Ducktail Malware is a malicious program designed by hackers to infiltrate computers and networks globally. Ducktail malware is typically delivered through a […]September 22, 2023Severity Medium Analysis Summary First discovered in 2016, Revenge RAT is a remote access trojan (RAT) designed to give an attacker complete control over an infected […]September 22, 2023Severity High Analysis Summary The Konni APT (Advanced Persistent Threat) group is a cyber espionage group that has been active since at least 2014. It is […]Threat Insights
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
Connect with Us
Rewterz Threat Alert – Chinese Hacker Group Spotted Using a UEFI Bootkit in the Wild
October 6, 2020Rewterz Threat Alert – Iranian Hackers Actively Exploiting Windows Zerologon Flaw
October 6, 2020
Severity
High
Analysis Summary
Ransomware Egregor is found infecting multiple organizations around the world. The threat group behind this malware seems to operate by hacking into companies, stealing sensitive data, and then running Egregor to encrypt all the files. According to the ransom note, if the ransom is not paid by the company within 3 days, then aside from leaking part of the stolen data, they will distribute it via mass media where the company’s partners and clients will know that the company was attacked. The code seems to be a spinoff of the Sekhmet ransomware (itself named for the Egyptian goddess of healing). The analyzed sample has many anti-analysis techniques in place, such as code obfuscation and packed payloads. Also, in one of the execution stages, the Egregor payload can only be decrypted if the correct key is provided in the process’ command line, which means that the file cannot be analyzed, either manually or using a sandbox, if the exact same command line that the attackers used to run the ransomware isn’t provided. There’s also an “Egregor news” website, hosted on the deep web, which the criminal group uses to leak stolen data. There are at least 13 different companies listed in their “hall of shame”. The ransom note reads: “(In case the payment is done) … You WILL GET full DECRYPTION of your machines in the network, FULL FILE LISTING of downloaded data, confirmation of downloaded data DELETION from our servers, RECOMMENDATIONS for securing your network perimeter.”
Impact
- Files Encryption
- Exposure of sensitive information
- Confidentiality breach
Indicators of Compromise
MD5
- 4c36c3533a283e1aa199f80e20d264b9
- a654b3a37c27810db180822b72ad6d3e
SHA-256
- aee131ba1bfc4b6fa1961a7336e43d667086ebd2c7ff81029e14b2bf47d9f3a7
- 4c9e3ffda0e663217638e6192a093bbc23cd9ebfbdf6d2fc683f331beaee0321
SHA1
- f73e31d11f462f522a883c8f8f06d44f8d3e2f01
- d2d9484276a208641517a2273d96f34de1394b8e
Remediation
- Block the threat indicators at their respective controls.
- Do not download untrusted email attachments coming from unknown email addresses.
- Keep all systems and software updated to latest patched versions.