Platform
Managed Security Services
Managed Penetration Testing
Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Resources
March 15, 2023Severity High Analysis Summary According to researchers, a Golang-based botnet named GoBruteforcer has been discovered, which is specifically targeting web servers running FTP, MySQL, phpMyAdmin, and […]March 15, 2023Severity High Analysis Summary DarkComet RAT (Remote Administration Tool) is a type of malware that is designed to allow attackers to gain remote access to a […]March 15, 2023Severity High Analysis Summary CVE-2023-23410 CVSS:7.8 Microsoft Windows could allow a local authenticated attacker to gain elevated privileges on the system, caused by a flaw in […]Threat Insights
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
Connect with Us
Platform
Managed Security Services
Managed Penetration Testing
Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Resources
March 15, 2023Severity High Analysis Summary According to researchers, a Golang-based botnet named GoBruteforcer has been discovered, which is specifically targeting web servers running FTP, MySQL, phpMyAdmin, and […]March 15, 2023Severity High Analysis Summary DarkComet RAT (Remote Administration Tool) is a type of malware that is designed to allow attackers to gain remote access to a […]March 15, 2023Severity High Analysis Summary CVE-2023-23410 CVSS:7.8 Microsoft Windows could allow a local authenticated attacker to gain elevated privileges on the system, caused by a flaw in […]Threat Insights
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
Connect with Us
Rewterz Threat Advisory – CVE2019-1880 – Cisco Unified Computing System BIOS Signature Bypass Vulnerability
August 2, 2019Rewterz Threat Alert – Amavaldo – A Latin American Banking Trojan Causing Financial Loss
August 5, 2019
Severity
High
Analysis Summary
A spear phishing campaign by the SectorE02 group going on against the Government of Pakistan and organizations there related to defense and intelligence. Spear phishing emails are sent to their victims via Excel XLS files, which asks their victims to enable macros which will end up executing the downloader. Malicious document lures they have employed in recent times include a document purporting to be for registration for the Pakistan Air Force.
SectorE02 is a threat actor which targets countries in South Asia, especially Pakistan, since at least 2012. Their arsenal includes a modular framework researchers have dubbed the “YTY Framework”, which has a Windows and mobile version. Usage of this framework allows the SectorE02 group to constantly modify and even remake individual plugins of the framework, and pick and choose which plugins – if any – are sent to their victims. This modularity also allows the SectorE02 group to maintain low detections by antivirus engines because each module only does something simple and will not even work without certain previously dropped files. In this post, we will describe their lure document, first stage downloader, file plugin, screenshot plugin, keylogger plugin, and exfiltration uploader plugin.
Excel Spear Phishing
The excel file used by them had names such as Credit_Score.xls, Advance_Salary.xls, CSD_Schemes_2019.xls, and Agrani_Bank.xls. In some instances, it masqueraded as an Excel calculator from the National Bank of Pakistan.
At the back, the excel macro would retrieve encoded data stored in itself, and the encoding here is just a simple decimal encoding with a comma (or exclamation mark) as a separator. The same encoding is used for the dropped executable, although more often one entire file is encoded as a zip archive containing two files – a batch script and executable which is then unzipped and executed.
Impact
- Credential theft
- Exposure of sensitive information
Indicators of Compromise
IP(s) / Hostname(s)
- 179[.]43[.]170[.]155
- 5[.]135[.]199[.]26
URLs
- data-backup[.]online
- servicejobs[.]life
Malware Hash (MD5/SHA1/SH256)
- 1f64ab4db42ad68b4b99120ef6e9d1409cf606d31d932c0d306bb11c8ddcb2b4
- 5a70d423fb336448fc7a71fbc3c7a4f0397bc7fa1ec32f7cc42824a432051c33
- 95ea070bbfca04fff58a7092d61527aad0474914ffd2501d96991faad1388c7a
- fdcf3873df6f83336539c4997ce69fce459737c6d655f1972422f861437858a9
- 6d0a3c4b2414c59be1190710c09330f4dd07e7badc4194e592799783f1cfd055
- 7703c3385894dd3468c468745c747bf5c75f37a9b1fcaf2a1d0f291ecb7abce6
- aa1c8adc4b7d352e487842b1d3017f627230ff1057350aaca1ffeb4d6abae16a
- a06a5b1d63ca67da90ba6cd9cbc00d6872707a1b49d44de26d6eb5ce7dd7d545
- cc2c2694d0284153605a98c0e7493fb90aff0d78e7f03e37c80fb505fbf3f93f
- 6d0a3c4b2414c59be1190710c09330f4dd07e7badc4194e592799783f1cfd055
- 42775c20aa5b73b2eaecb5b107ce59d105f978660e6e43f53f804733ce3f7cbe
- f0c85a1c9cf80ad424acebbe7af54176d0cb778a639da2f2f59828af5bb79842
- 92b12010772166647f510ad91731e931d58bc077bfc9f9d39adc678cc00fb65d
- 1b46735d6b6aebefd5809274de1aaa56b5fac314b33c2fa51b001e07b4f7e4d7
- 57a9a17baaf61de5cffa8b2e2ec340a179e7e1cd70e046cbd832655c44bc7c1d
- cd03ed9e4f3257836e11016294c8701baa12414b59f221e556cbed16a946b205
- ce1df70e96b4780329d393ff7a37513aec222030e80606ee3ef99b306951d74d
- 9169dab8579d49253f72439f7572e0aabeb685c5ca63bf91fff81502764e79bb
- 5acfd1b49ae86ef66b94a3e0209a2d2a3592c31b57ccbaa4bb9540fcf3403574
- 08b11f246e2ebcfc049f198c055fc855e0af1f8499ba18791e3232efa913b01a
- 62dfec7fe0025e8863c2252abb4ec1abdb4b916b76972910c6a47728bfb648a7
- 13f27543d03fd4bee3267bdc37300e578994f55edabc031de936ff476482ceb4
- b874a158f019dc082a0069eb3f7e169fbec2b4f05b123eed62d81776a7ddb384
- 8fff7f07ebf0a1e0a4eabdcf57744739f39de643d831c36416b663bd243590e1
- d71a1d993e9515ec69a32f913c2a18f14cdb52ef06e4011c8622b5945440c1aa
- f10f41bd38832596d4c449f81b9eb4129361aa4e4ebd4a8e8d2d8bf388934ca5
- f331f67baa2650c426daae9dee6066029beb8b17253f26ad9ebbd3a64b2b6a37
- d4e587b16fbc486a62cc33febd5438be3a9690afc1650af702ed42d00ebfd39e
Remediation
- Block all threat indicators at your respective controls.
- Always be suspicious about emails sent by unknown senders.
- Never click on the link/ attachments sent by unknown senders.