Platform
Managed Security Services
Managed Penetration Testing
Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Resources
September 18, 2023
Severity Medium Analysis Summary Lumma is an information stealer that is sold as a Malware-as-a-Service (MaaS) on Russian-speaking underground forums and Telegram. Lumma is an information […]September 18, 2023Severity Medium Analysis Summary CVE-2023-4948 CVSS:4.3 WooCommerce CVR Payment Gateway Plugin for WordPress could allow a remote attacker to bypass security restrictions, caused by missing capability […]September 18, 2023Severity High Analysis Summary Microsoft has stated that a ransomware group working with an initial access broker has recently started using Microsoft Teams for their phishing […]Threat Insights
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
Connect with Us
Platform
Managed Security Services
Managed Penetration Testing
Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Resources
September 18, 2023Severity Medium Analysis Summary Lumma is an information stealer that is sold as a Malware-as-a-Service (MaaS) on Russian-speaking underground forums and Telegram. Lumma is an information […]September 18, 2023Severity Medium Analysis Summary CVE-2023-4948 CVSS:4.3 WooCommerce CVR Payment Gateway Plugin for WordPress could allow a remote attacker to bypass security restrictions, caused by missing capability […]September 18, 2023Severity High Analysis Summary Microsoft has stated that a ransomware group working with an initial access broker has recently started using Microsoft Teams for their phishing […]Threat Insights
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
Connect with Us
Rewterz Threat Alert – Dridex Banking Trojan – IoCs
October 1, 2020Rewterz Threat Alert – PayPal Squatting Campaign – IoCs
October 2, 2020
Severity
High
Analysis Summary
An unspecified “sophisticated cyber actor” is found using malware to launch cyberattacks against targets in India, Kazakhstan, Kyrgyzstan, Malaysia, Russia and Ukraine. The malware dubbed “SlothfulMedia,” is an information-stealer capable of logging keystrokes of victims and modifying files, according to an analysis.
The sample is a dropper, which deploys two files when executed. The first is a remote access tool (RAT) named ‘mediaplayer.exe’’, which is designed for command and control (C2) of victim computer systems. Analysis has determined the RAT has the ability to terminate processes, run arbitrary commands, take screen shots, modify the registry, and modify files on victim machines. It appears to communicate with its C2 controller via Hypertext Transfer Protocol (HTTP) over Transmission Control Protocol (TCP). The second file has a random five-character name and deletes the dropper once the RAT has persistence. Persistence is achieved through the creation of a service named “Task Frame”, which ensures the RAT is loaded after a reboot.
Impact
- Information Theft
- Unauthorized Remote Access
- Data Manipulation
- Credential Theft
Indicators of Compromise
Domain Name
- sdvro[.]net
MD5
- 448838b2a60484ee78c2198f2c0c9c85
- 9f23bd89694b66d8a67bb18434da4ee8
- 92a40c64cea4a87de1c24437612f2e0f
SHA-256
- 64d78eec46c9ddd4b9a366de62ba0f2813267dc4393bc79e4c9a51a9bb7e6273
- 927d945476191a3523884f4c0784fb71c16b7738bd7f2abd1e3a198af403f0ae
- 4186b5beb576aa611b84cbe95781c9dccca6762f260ac7a48f6727840fc057fa
SHA1
- f2c43a01cabaa694228f5354ea8c6bcf3b7a49b3
- db8c6ea90b1be5aa560bfbe5a34577eb284243af
- f52f0685a72d6a8f3e119ce92b7cf1c2c6a83bb9
Remediation
- Block the threat indicators at their respective controls.
- Maintain up-to-date antivirus signatures and engines.
- Keep all systems and software patched against all known vulnerabilities.
- Disable File and Printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
- Exercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be known.
- Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its “true file type” (i.e., the extension matches the file header).