
Rewterz Threat Alert – SNOW Serves as Maze Loader in Active Campaigns

July 24, 2020

Severity

High

Analysis Summary

Maze is being spread in the post-initial-access phase. The loader this time is a Maze affiliate called SNOW. Initial access is gained through brute-force attacks, SMB exploitation and RDP attacks.

This loader has been leveraged in its unpacked form, downloaded directly from hxxp://37[.]1.210[.]52/vologda.dll. The SNOW loader uses the following tools:

  • Mimikatz
  • Metasploit
  • Cobalt Strike
  • PowerShell
  • AdFind
  • Koadic
  • PowerShell Empire

Impact

  • Theft of sensitive information
  • Credential theft
  • Unauthorized code execution
  • File encryption

Indicators of Compromise

MD5

  • ea7bb99e03606702c1cbe543bb32b27e
  • 6099bbf0f6f85495929ddfc9b66d6992

SHA-256

  • fb71eaae22e6d93286d10228fc08229b1edf805e5817f698accfe2ec18968458
  • d6d98da42bc495153168a6e7fceeebb599f9ed3e3a95ca67c301a66b50f34bd2

SHA-1

  • 85e38cc3b78cbb92ade81721d8cec0cb6c34f3b5
  • 07849ba4d2d9cb2d13d40ceaf37965159a53c852

Source IP

  • 37[.]1[.]210[.]52

URL

  • http[:]//37[.]1[.]210[.]52/vologda[.]dll

Remediation

  • Block the threat indicators at their respective controls.
  • Keep all systems and software updated to the latest patched versions against all known security vulnerabilities.
  • Maintain a strong password policy.
  • Enable multi-factor authentication where possible.
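The first remediation item asks for the indicators to be blocked and checked at their respective controls. The script below is an added example, not part of the original advisory: it refangs the published hash, IP and URL indicators so they can be compared against real telemetry, then sweeps a small set of constructed proxy/firewall log lines and a constructed list of file hashes for matches. Only the indicator values come from the advisory; the log format, hostnames and hash list are assumptions made up for the example.

```python
"""Match the SNOW/Maze indicators from the advisory against local telemetry.

Added example, not part of the original advisory. The indicator values
below are the ones published above; the log lines and hash list further
down are constructed sample input.
"""
import re

# Indicators exactly as published (defanged). Source: the advisory above.
DEFANGED_IOCS = {
    "md5": [
        "ea7bb99e03606702c1cbe543bb32b27e",
        "6099bbf0f6f85495929ddfc9b66d6992",
    ],
    "sha256": [
        "fb71eaae22e6d93286d10228fc08229b1edf805e5817f698accfe2ec18968458",
        "d6d98da42bc495153168a6e7fceeebb599f9ed3e3a95ca67c301a66b50f34bd2",
    ],
    "sha1": [
        "85e38cc3b78cbb92ade81721d8cec0cb6c34f3b5",
        "07849ba4d2d9cb2d13d40ceaf37965159a53c852",
    ],
    "ip": ["37[.]1[.]210[.]52"],
    "url": ["http[:]//37[.]1[.]210[.]52/vologda[.]dll"],
}


def refang(indicator: str) -> str:
    """Undo the usual defanging so the value can be matched against real
    telemetry: hxxp -> http, [.] -> ., [:] -> :."""
    value = indicator.replace("[.]", ".").replace("[:]", ":")
    return re.sub(r"^hxxp", "http", value, flags=re.IGNORECASE)


def refanged_iocs() -> dict:
    """Return the indicator table with every value refanged."""
    return {kind: [refang(v) for v in values] for kind, values in DEFANGED_IOCS.items()}


def scan_hashes(observed_hashes):
    """Return (hash_type, value) for every observed hash that matches a
    published MD5/SHA-1/SHA-256 indicator. Comparison is case-insensitive,
    since tools disagree on hex casing."""
    iocs = refanged_iocs()
    known = {}
    for kind in ("md5", "sha1", "sha256"):
        for h in iocs[kind]:
            known[h.lower()] = kind
    hits = []
    for h in observed_hashes:
        normalized = h.strip().lower()
        kind = known.get(normalized)
        if kind:
            hits.append((kind, normalized))
    return hits


def scan_log_lines(lines):
    """Return (line_number, indicator_type, indicator) for each log line that
    contains the refanged URL or IP. The URL check runs first, so a line with
    the full download URL is reported once, as a URL hit, not twice."""
    iocs = refanged_iocs()
    hits = []
    for lineno, line in enumerate(lines, start=1):
        matched = False
        for url in iocs["url"]:
            if url in line:
                hits.append((lineno, "url", url))
                matched = True
        if matched:
            continue
        for ip in iocs["ip"]:
            # Guard both ends so 37.1.210.52 does not match inside 137.1.210.52.
            if re.search(r"(?<![\d.])" + re.escape(ip) + r"(?![\d.])", line):
                hits.append((lineno, "ip", ip))
    return hits


# Constructed sample input (not from the advisory): a proxy/firewall log.
SAMPLE_PROXY_LOG = [
    "2020-07-24T09:12:01Z host=ws-042 GET http://37.1.210.52/vologda.dll 200 bytes=413696",
    "2020-07-24T09:12:09Z host=ws-042 GET http://example.com/index.html 200 bytes=1120",
    "2020-07-24T09:13:30Z host=srv-07 SMB connect src=10.0.4.18 dst=37.1.210.52 port=445",
    "2020-07-24T09:14:00Z host=srv-07 DNS A 137.1.210.52 lookup",
]

# Constructed sample input (not from the advisory): hashes from an endpoint sweep.
SAMPLE_HASHES = [
    "EA7BB99E03606702C1CBE543BB32B27E",          # published MD5, uppercase
    "d41d8cd98f00b204e9800998ecf8427e",          # MD5 of an empty file, no hit
    "07849ba4d2d9cb2d13d40ceaf37965159a53c852",  # published SHA-1
]

if __name__ == "__main__":
    for hit in scan_log_lines(SAMPLE_PROXY_LOG):
        print("log line %d: %s indicator %s" % hit)
    for kind, value in scan_hashes(SAMPLE_HASHES):
        print("hash match (%s): %s" % (kind, value))
```

Run against the constructed input, the sweep reports the download of vologda.dll on line 1 and the SMB connection to the source IP on line 3, but not the DNS line whose address merely contains the indicator as a substring; the hash sweep reports the uppercase MD5 and the SHA-1.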