Platform
Managed Security Services
Managed Penetration Testing
Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Resources
September 14, 2023
Severity High Analysis Summary Kimsuky is a North Korean advanced persistent threat (APT) group, also known as “Black Banshee”. The group has been active since at […]September 14, 2023Severity High Analysis Summary CVE-2023-4213 CVSS:8.8 Simplr Registration Form Plus+ plugin for WordPress could allow a remote authenticated attacker to bypass security restrictions, caused by an […]September 14, 2023Severity High Analysis Summary CVE-2023-41032 CVSS:7.8 Siemens Parasolid could allow a remote attacker to execute arbitrary code on the system, caused by an out of bounds […]Threat Insights
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
Connect with Us
Platform
Managed Security Services
Managed Penetration Testing
Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Resources
September 14, 2023Severity High Analysis Summary Kimsuky is a North Korean advanced persistent threat (APT) group, also known as “Black Banshee”. The group has been active since at […]September 14, 2023Severity High Analysis Summary CVE-2023-4213 CVSS:8.8 Simplr Registration Form Plus+ plugin for WordPress could allow a remote authenticated attacker to bypass security restrictions, caused by an […]September 14, 2023Severity High Analysis Summary CVE-2023-41032 CVSS:7.8 Siemens Parasolid could allow a remote attacker to execute arbitrary code on the system, caused by an out of bounds […]Threat Insights
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
Connect with Us
Rewterz Threat Advisory – ICS: Siemens KTK, SIDOOR, SIMATIC, and SINAMICS
April 15, 2020Rewterz Threat Advisory – ICS: Siemens IE/PB-Link, RUGGEDCOM, SCALANCE, SIMATIC, SINEMA Denial of Service Vulnerabilities
April 15, 2020
Severity
High
Analysis Summary
The TA505 cybercrime group has ramped up its attacks lately, with a set of campaigns bent on spreading the persistent SDBbot remote-access trojan (RAT) laterally throughout an entire corporate environment. SDBbot RAT is a custom job that has been observed in TA505 attacks since at least September 2019; it offers remote-access capabilities and has a few spyware aspects, including the ability to exfiltrate data from the victimized devices and networks.The custom RAT also offers persistent access and lateral network movement.
Recently, targeted emails were sent to enterprise employees in Europe. The malicious emails purported to be messages coming from the HR department via Onehub, which is a legitimate, cloud-based file-sharing application for businesses. The messages had attached, macro-enabled documents called simply “Resume.doc.” And if opened, they ultimately delivered the SDBbot malware, via a dropper containing embedded dynamic-link libraries (DLLs) and the use of an installer component. The emails were designed to extract Active Directory (AD) discovery data and user credentials, and to infect the environment with the SDBbot RAT. Once the malicious code was executed, it dropped a malicious binary (DLL) similar to CobaltStrike, which subsequently created and executed additional files. The three additional files make up SDBbot; there’s an installer, a loader and the payload itself. A Meterpreter reverser shell was used in order to remotely control compromised systems within the internal network. It was installed as a service using the execution of an encoded PowerShell script. The malicious PowerShell command decodes into a reverse shell connecting back to two malicious IP addresses. Analysts expect that this group will continue to target a wide range of industries using social engineering to deliver open-source and custom malware, while constantly adjusting TTPs and C2 infrastructure to evade detection.
Impact
- Credential Theft
- Unauthorized Remote Access
- Data exfiltration
- Network-wide infection
Indicators of Compromise
Domain Name
- drm-server-booking[.]com
- microsoft-live-us[.]com
- dl1[.]sync-share[.]com
- office365-update-en[.]com
- d1[.]syncdownloading[.]com
- googledrive-download[.]com
- update365-office-ens[.]com
- office-en-service[.]com
- news-server-drm-google[.]com
- drm-server-booking[.]com
MD5
- edbe98468cd888bf029bc8e297a310b3
- 994104c30d57141a99e0e414ef2d8837
- ab9103c8fd35ec7b5a99e463a2f8fc59
- 61b94dfc9bea1a876b140a72c450e4bb
- cd1096991867bb5ad72b983441bfe04b
- e14d7460f62a122d85a2ce1b69080497
- 0fdb43fc559a35afcc422b786f45a997
- bc59fa5dbb11f5d286fc41e8f25c6cc0
- 888fa9c56b06cf6255142e2c592b2437
- 945fff5b2d903ccc0787f41a9ba6df98
SHA-256
- 7be0da2a873fe10fadb76b241460badbd5d6533237e99ca7a59f4b6676edcc33
- a04d0cb7362e3650239230b40fac1d2d42357cec1ded2e78456e49dd6713b470
- 1cbad7cdb6a27a48c98a75b28ca2c63116440dd7891f7300e2109d36b8aae7a1
- 169f8f4798d048e1c50dac25417ad639b951571a371346401cc981d677b2d5ac
- e12e250047a8074c9f68199b81b05414ec5461a9e94af225ba3896948dad882e
- c850d3b6c9a8a8af6072e79fa1430bb1d2290d2b59ccfe6b2edb5a6de1464326
- 50bf52cbfcdfa125120b7b7b79218a0a09cbd8b5fac4db1be35dc63f7e557ec8
- 0e40ba8c2c0a2fcbb5290d131bb42651f90f33f5e230556736a5acb4ffd4251d
- 238d40bbc430c6098a8ad4682ac3722e36b1d2e91fc9030124e5152b6b186e94
- bc7ea56a2dd0f7a2db378da4565c6fe97968e1387f2e16d3adb82fd75e53d33a
SHA1
- bf0f7abda2228059bb00ec9658ee447fbe84d277
- d40510da42a478d72e649993208710668a7f6c27
- 0cc7cca16afd632857e3883c06b2f55c057b563e
- d36e983886a084887f887c6d562d3bc0664587c4
- fea7d944e317c7b2ef1aba57600a8c5310368085
- 35423e04e58ab1f2267e19c47e1c69ea5b7041cc
- fd9620c0c295caaee3096423532bb1dbfb7064c5
- cb0b39534d99057b02b090c3650fb1de43d19a02
- caff1d315a5d87014e5fa62346f58407755d971e
- 45c43ec18d15ba7850e6ad2e2e54671636f4d926
Source IP
91[.]214[.]124[.]25
91[.]214[.]124[.]20
185[.]176[.]221[.]45
URL
- https[:]//clck[.]ru/JnFFT
- https[:]//clck[.]ru/JnFFT&data=02|01||bed42450519b40df
Remediation
- Block the threat indicators at their respective controls.
- Do not download unexpected files coming from untrusted email addresses.
- Ensure employ awareness about latest phishing emails and subjects.