Platform
Managed Security Services
Managed Penetration Testing
Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Resources
September 18, 2023
Severity Medium Analysis Summary Lumma is an information stealer that is sold as a Malware-as-a-Service (MaaS) on Russian-speaking underground forums and Telegram. Lumma is an information […]September 18, 2023
Severity Medium Analysis Summary CVE-2023-4948 CVSS:4.3 WooCommerce CVR Payment Gateway Plugin for WordPress could allow a remote attacker to bypass security restrictions, caused by missing capability […]September 18, 2023
Severity High Analysis Summary Microsoft has stated that a ransomware group working with an initial access broker has recently started using Microsoft Teams for their phishing […]Threat Insights
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
Connect with Us
Platform
Managed Security Services
Managed Penetration Testing
Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Resources
September 18, 2023
Severity Medium Analysis Summary Lumma is an information stealer that is sold as a Malware-as-a-Service (MaaS) on Russian-speaking underground forums and Telegram. Lumma is an information […]September 18, 2023
Severity Medium Analysis Summary CVE-2023-4948 CVSS:4.3 WooCommerce CVR Payment Gateway Plugin for WordPress could allow a remote attacker to bypass security restrictions, caused by missing capability […]September 18, 2023
Severity High Analysis Summary Microsoft has stated that a ransomware group working with an initial access broker has recently started using Microsoft Teams for their phishing […]Threat Insights
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
Connect with Us
Rewterz Threat Alert – SideWinder APT Active in South Asia
December 10, 2020
Rewterz Threat Alert – Lokibot – Active IoCs
December 10, 2020
Severity
High
Analysis Summary
Recently, APT28 has been found distributing the Zebrocy malware. The lure was delivered as part of a Virtual Hard Drive (VHD) file that requires victims to use Windows 10 to access the files. The malware samples were heavily obfuscated. Zebrocy is a malware used by the threat group APT28, also known as Sofacy, Sednit, Fancy Bear, and STRONTIUM. The malware was first used in 2015 and overlapped with known Sofacy infrastructure at the time. Zebrocy operates as a downloader and collects information about the infected host that is uploaded to the command and control (C&C) server before downloading and executing the next stage.
The first version of the downloader was written in Delphi and was based on a previous malware used by Sofacy. Zebrocy samples written in AutoIT, C++, C#, Delphi, Go, and VB.NET have been discovered by the research community. The group is believed to be the successor of BlackEnergy, also known as Sandworm. Sandworm was recently attributed to Russia’s GRU by the United States government in an indictment for the NotPetya and Olympic Destroyer campaigns. Generally speaking, Sofacy and BlackEnergy have diverging goals and have been known to go after different targets. In this case, the common infrastructure and targets between the Sofacy subgroup using Zebrocy and GreyEnergy suggests a relationship between the groups. Targets have been located in Afghanistan, Azerbaijan, Bosnia and Herzegovina, China, Egypt, Georgia, Iran, Japan, Kazakhstan, Korea, Kyrgyzstan, Mongolia, Russia, Saudi Arabia, Serbia, Switzerland, Tajikistan, Turkey, Turkmenistan, Ukraine, Uruguay, and Zimbabwe. The delivery of Zebrocy is usually via a spear-phishing email. The email has contained Microsoft Office documents or archive files. Same files have been renamed to target different victims.
Impact
- Information Theft
- Data Exfiltration
- Information Disclosure
Indicators of Compromise
Domain Name
- support-cloud[.]life
MD5
- 855005fee45e71c36a466527c7fad62f
- 72552ef22b484f8868dab10b0f605779
- 6e1afd4df848888056494247fcf88f53
- 49a34cfbeed733c24392c9217ef46bb6
- 395e166af5197967503f45c3ac134ff7
SHA-256
- d5d9210ef49c6780016536b0863cc50f6de03f73e70c2af46cc3cff0e2bf9353
- 6449d0cb1396d6feba7fb9e25fb20e9a0a5ef3e8623332844458d73057cf04a1
- 61c2e524dcc25a59d7f2fe7eff269865a3ed14d6b40e4fea33b3cd3f58c14f19
- f36a0ee7f4ec23765bb28fbfa734e402042278864e246a54b8c4db6f58275662
- d444fde5885ec1241041d04b3001be17162523d2058ab1a7f88aac50a6059bc0
SHA1
- bfe3e62770c8a4479d19ee4208410199b7484924
- 40ef7b08f271cee4482f01b820d1c54e0fdf9d89
- a0a00e3efd4900f1a0e73b68399049b9293e48da
- fbe27e84dd553477894242844652a30eb7d713bc
- 5761e431cf35b39bb4a9cf0a7dfd913fa822fe48
Source IP
- 89[.]37[.]226[.]148
- 80[.]90[.]39[.]24
URL
- https[:]//support-cloud[.]life/managment/cb-secure/technology[.]php
- http[:]//89[.]37[.]226[.]148/technet-support/library/online-service-description[.]php
Remediation
- Block the threat indicators at their respective controls.
- Do not download files attached in untrusted emails.