Platform
Managed Security Services
Managed Penetration Testing
Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Resources
June 2, 2023
Severity High Analysis Summary Shuckworm APT – aka Actinium, Armageddon, Primitive Bear, Gamaredon, and Trident Ursa – is a Russia-backed advanced persistent threat (APT) that has […]June 2, 2023Severity High Analysis Summary StormKitty information stealer is designed to compromise sensitive data from infected systems, such as login credentials, passwords, cryptocurrency wallets, and other valuable […]June 2, 2023Severity High Analysis Summary Tofsee malware has been around since 2016. Once installed on a compromised computer, it can be used to send spam emails and […]Threat Insights
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
Connect with Us
Platform
Managed Security Services
Managed Penetration Testing
Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Resources
June 2, 2023Severity High Analysis Summary Shuckworm APT – aka Actinium, Armageddon, Primitive Bear, Gamaredon, and Trident Ursa – is a Russia-backed advanced persistent threat (APT) that has […]June 2, 2023Severity High Analysis Summary StormKitty information stealer is designed to compromise sensitive data from infected systems, such as login credentials, passwords, cryptocurrency wallets, and other valuable […]June 2, 2023Severity High Analysis Summary Tofsee malware has been around since 2016. Once installed on a compromised computer, it can be used to send spam emails and […]Threat Insights
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
Connect with Us
Rewterz Threat Alert – Scammers Abusing a New Firefox Browser Lock Bug
November 12, 2019Rewterz Threat Alert – Double Loaded Zip File Delivers Nanocore
November 13, 2019
Severity
High
Analysis Summary
A new malvertising campaign being used on low quality web games and blogs is redirecting Asian victims to the RIG exploit kit, which is then quietly installing the Sodinokibi Ransomware. This new malvertising campaign is targeting Internet Explorer users from Vietnam, Korea, Malaysia and possibly other Asian countries. When browsing the web, the malvertising campaign will redirect users to a RIG exploit kit gateway that will attempt to exploit Flash vulnerabilities in the browser. If successful, a user will see Internet Explorer begin to crash and various alerts from the Windows Script Host as shown below.
This is because the exploit kit will execute a JScript command that downloads an obfuscated VBScript script. This VBScript will then download and install the Sodinokibi Ransomware, also known as REvil, on the victim’s computer. Once executed, the ransomware will begin to encrypt the victim’s files. As the exploit kit will install the ransomware without the user’s knowledge, other than the suspicious Internet Explorer crash, most users will not know they are infected until the ransomware has finished. They will then notice that they are unable to access their documents and that their desktop wallpaper has been changed to instructions telling the victim to open the ransom note.
Users are advised to restore from backups if at all possible rather than paying the ransom.
Impact
Files Encryption
Indicators of Compromise
Domain Name
- palmecophilippines[.]com
- sppdstats[.]com
- kryptos72[.]com
- ruggestar[.]ch
- vedsegaard[.]dk
MD5
- e9075f6bb4802b4cb56eec65f2899d67
- 610c9c5f0686dfc0fcd6d68778ce5025
SHA256
- fba829759d359dea91db09ac8b4674237d8dbc57ec8b76a3ebf227da9ae96535
- e7f9c0229c0874c069c2f3dcf237e1ee334ac4f9bc955be8146d07941ff35790
SHA1
- 4c7da5878b1a233b46f5e80f748b57dba5c8d8f0
- 3d241b2c1b201205761ce10b381727b0c7fbc24a
Source IP
- 74[.]220.215[.]214
- 141[.]98.199[.]99
- 35[.]204.114[.]36
- 92[.]43.216[.]137
- 34[.]76.93[.]122
- 195[.]249.40[.]199
Remediation
- Block the threat indicators at their respective controls.
- Do not click on random ads during web browsing.
- Have the latest Windows updates installed, programs updated, and web applications upgraded.
- Use latest secure browsers only.