Rewterz penetration testing services help organizations determine whether a cyber attacker can gain access to their critical assets, while giving them detailed insight into the overall business impact of a cyber attack.
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
Severity
High
Analysis Summary
A suspicious document has drawn attention because of its recent creation date (06-01-2020) and its title, “How Swuleimani’s death will affect India and Pakistan.doc”, which refers directly to recent political events between Iran and the USA.
The document is in RTF format and embeds an OLE object associated with the Equation Editor. In recent years, such OLE objects have been a reliable indicator that a document aims to exploit the CVE-2018-0798 vulnerability in order to deliver malware. This document turns out to be one such example: it drops a binary named 8.t into the user’s “%TEMP%” folder.
At the end of this infection chain we are left with a DLL file with the “.wll” extension (used for “Word.addin.8” files), installed under “%APPDATA%\Microsoft\Word\STARTUP”, so that Word loads this “.wll” file at its next startup. The DLL is a packed PoisonIvy RAT sample which, after a few seconds, contacts the C2 server “95.179.131.29” over port 443 and, if that fails, over port 8080 using HTTP traffic.
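The following triage script is an added example for defenders and is not code from Rewterz or from the advisory. It takes the three observable stages described above (an RTF carrying an Equation Editor OLE object, a “.wll” add-in dropped into the Word STARTUP folder, and traffic to the C2 address on 443/8080) and turns each into a check that can run offline. The C2 IP and the SHA-256/SHA-1 hashes are copied from this advisory; the sample RTF fragment, the log line format and the file names in the STARTUP demo are constructed for illustration and are not real samples.

```python
"""Triage helpers for the RTF / Equation Editor -> .wll -> PoisonIvy chain.

Added example, not code from the advisory. Indicator values (C2 IP, hashes) come
from the advisory; the sample RTF, log lines and file names below are constructed.
"""
import hashlib
import re
import tempfile
from pathlib import Path

# --- Indicators taken from the advisory (IP re-joined from its defanged form) ---
C2_IP = "95.179.131.29"
C2_PORTS = {443, 8080}
SHA256_IOCS = {
    "02dec90a18545d4bfbac5de19c6499142e141c3c0abaecdc8ac56b8eede167aa",
    "0eb7ba6457367f8f5f917f37ebbf1e7ccf0e971557dbe5d7547e49d129ac0e98",
}
SHA1_IOCS = {"b0786a1f0b785d9800585cde1ce15cd6fe269dab"}

# Constructed RTF fragment containing only the static markers an Equation Editor
# object leaves behind (\object, \objupdate, \objclass Equation.3, \objdata with the
# OLE1 class name hex-encoded). It carries no exploit content.
SAMPLE_RTF = (
    b"{\\rtf1\\ansi{\\object\\objemb\\objupdate{\\*\\objclass Equation.3}"
    b"{\\*\\objdata 01050000020000000b0000004571756174696f6e2e33000000}}}"
)

# Constructed firewall-style log lines: one benign destination, two to the C2.
SAMPLE_LOG = [
    "2020-01-07T10:00:01Z src=10.0.0.5 dst=192.0.2.10 dport=443 proto=tcp",
    "2020-01-07T10:00:09Z src=10.0.0.5 dst=95.179.131.29 dport=443 proto=tcp",
    "2020-01-07T10:00:15Z src=10.0.0.5 dst=95.179.131.29 dport=8080 proto=tcp",
]


def rtf_equation_indicators(data: bytes) -> dict:
    """Static indicators suggesting an RTF embeds an Equation Editor OLE object."""
    lower = data.lower()
    # \objdata stores the OLE1 class name as hex text, so match both forms.
    hex_progid = b"Equation.3".hex().encode()
    return {
        "is_rtf": data.lstrip().startswith(b"{\\rt"),  # tolerates truncated {\rtf1 headers
        "has_object": b"\\object" in lower,
        "has_objdata": b"\\objdata" in lower,
        "has_equation": b"equation.3" in lower or hex_progid in lower,
        "has_objupdate": b"\\objupdate" in lower,  # forces activation on open
    }


def rtf_risk(data: bytes) -> str:
    """Collapse the indicators into a coarse triage verdict."""
    ind = rtf_equation_indicators(data)
    if ind["has_objdata"] and ind["has_equation"]:
        return "high"
    if ind["has_object"]:
        return "medium"
    return "low"


def hash_matches(data: bytes) -> dict:
    """Hash a file's bytes and compare against the advisory's SHA-256/SHA-1 IoCs."""
    sha256 = hashlib.sha256(data).hexdigest()
    sha1 = hashlib.sha1(data).hexdigest()
    return {"sha256": sha256, "sha1": sha1,
            "known_bad": sha256 in SHA256_IOCS or sha1 in SHA1_IOCS}


def hunt_word_startup(startup_dir: Path) -> list:
    """List .wll add-ins in a Word STARTUP folder (%APPDATA%\\Microsoft\\Word\\STARTUP)."""
    return sorted(p.name for p in startup_dir.iterdir() if p.suffix.lower() == ".wll")


def demo_startup_hunt() -> list:
    """Build a throwaway STARTUP folder with constructed file names and hunt in it."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "legit-template.dotm").write_bytes(b"")   # constructed benign file
        (d / "addin-sample.wll").write_bytes(b"")      # constructed suspicious file
        return hunt_word_startup(d)


_LOG_RE = re.compile(r"dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)")


def match_c2_traffic(lines) -> list:
    """Return log lines whose destination is the advisory's C2 on a port it uses."""
    hits = []
    for line in lines:
        m = _LOG_RE.search(line)
        if m and m.group("dst") == C2_IP and int(m.group("dport")) in C2_PORTS:
            hits.append({"line": line, "port": int(m.group("dport"))})
    return hits


if __name__ == "__main__":
    print("RTF verdict:", rtf_risk(SAMPLE_RTF), rtf_equation_indicators(SAMPLE_RTF))
    print("Hash check:", hash_matches(SAMPLE_RTF))
    print("STARTUP hunt:", demo_startup_hunt())
    print("C2 hits:", match_c2_traffic(SAMPLE_LOG))
```

The RTF check is deliberately string-based: samples in this family often mangle the RTF header and control words to evade strict parsers, so matching on the hex-encoded class name inside `\objdata` is more robust than relying on a clean `\objclass`. The STARTUP hunt is a cheap persistence check to run across endpoints, since any `.wll` in that folder is loaded by Word without user interaction.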
Impact
Exposure of sensitive information
Indicators of Compromise
IP
95[.]179[.]131[.]29
MD5
SHA-256
02dec90a18545d4bfbac5de19c6499142e141c3c0abaecdc8ac56b8eede167aa
0eb7ba6457367f8f5f917f37ebbf1e7ccf0e971557dbe5d7547e49d129ac0e98
SHA-1
b0786a1f0b785d9800585cde1ce15cd6fe269dab