Platform
Managed Security Services
Managed Penetration Testing
Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Resources
September 22, 2023
Severity High Analysis Summary Ducktail Malware is a malicious program designed by hackers to infiltrate computers and networks globally. Ducktail malware is typically delivered through a […]September 22, 2023Severity Medium Analysis Summary First discovered in 2016, Revenge RAT is a remote access trojan (RAT) designed to give an attacker complete control over an infected […]September 22, 2023Severity High Analysis Summary The Konni APT (Advanced Persistent Threat) group is a cyber espionage group that has been active since at least 2014. It is […]Threat Insights
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
Connect with Us
Platform
Managed Security Services
Managed Penetration Testing
Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Resources
September 22, 2023Severity High Analysis Summary Ducktail Malware is a malicious program designed by hackers to infiltrate computers and networks globally. Ducktail malware is typically delivered through a […]September 22, 2023Severity Medium Analysis Summary First discovered in 2016, Revenge RAT is a remote access trojan (RAT) designed to give an attacker complete control over an infected […]September 22, 2023Severity High Analysis Summary The Konni APT (Advanced Persistent Threat) group is a cyber espionage group that has been active since at least 2014. It is […]Threat Insights
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
Connect with Us
Rewterz Threat Alert – Banking technology FinTech Firm Finastra hit by ransomware
March 21, 2020Rewterz Threat Alert – Covid-Themed Malware Campaign Distributes Ransomware
March 22, 2020
Severity
High
Analysis Summary
A campaign is found using malicious files posed as resumes, sent as a job application. The researchers dubbed the campaign “The Curious Case of the Criminal Curriculum Vitae”. The campaign is attributed to a known cybercriminal organization TA505, also known as “Evil Corp.” One of the most infamous campaigns associated with this organization was the necurs botnet, which was recently overtaken by Microsoft.
In this newly discovered campaign from TA505, threat actors targeted German companies with trojanized emails disguised as job applicants. While this activity appeared to be geographically based in Germany, these same techniques could easily be applied to any organization worldwide. Once the email attachment was activated, a company’s secure credentials and credit card data could be transmitted covertly to the threat actors. The group TA505 is known to use commercial tools to encrypt all the users files, which suggests this recent activity could also lay the groundwork for an infection vector into the company’s network to encrypt files. They are also capable of fetching an instance of Netsupport, a commercial remote administration tool, hosted on a user’s Google Drive account. This enables a host of actions, including remote file transfer, screen captures, and even voice recordings. Since these threat actors are abusing legitimate binaries such as GPG tools and NetSupport, they are unlikely to be removed by traditional antivirus software. Below information of a target is sent to the C2.
- Determine all the programs names installed on the machine
- Version of the programs,
- Date the programs were installed,
- Determine the computer’s name,
- Determine the computer’s domain.
The threat actor controlled C2 is located at URI hxxp://194.36.189[.]215/firstga990.php.
Impact
- Unauthorized Remote Access
- Information Theft
- Theft of financial information
- Files encryption
- Remote Files transfer
- Financial loss
Indicators of Compromise
Domain Name
- juristlex[.]com
MD5
- 30b4e109caaebab50007872085e8d208
- 5400daa180669b831383b6cb69bd6e78
- 9572b4c74e3de8e3024c02ca5d62b015
- 391f805e2db1adc93c42dd958c06aeaa
- 17a5810120956fb2f2b097cf64d57972
SHA-256
- 7ecfd68341fe276c17246dc51c5d70ee2c1bbc6801c85201c8a62956c23d872d
- c7d2abc2ff54556bec383afb05c5ae804d07a1fa171ea185c447d9f1e6a79746
- e102806a9a136143e6ddead6bed5214ab4b71026c9a4eb26cc4b973f471b6c12
- df548114eb5b7a56c489f5239f66e0990e1ecacd20bcfff1b2bd677267362ad8
- 0cbaf48d543d06c838ad30e28b7cf92732a93e0507d3f3af4a7ab934890fe2fe
Source IP
- 194[.]36[.]189[.]215
- 23[.]227[.]207[.]138
- 185[.]244[.]150[.]143
URL
- http[:]//185[.]244[.]150[.]143/rrr[.]zzz
- http[:]//juristlex[.]com/photo/photo88326635[.]scr
- http[:]//194[.]36[.]189[.]215/fnb[.]111
- http[:]//23[.]227[.]207[.]138[:]12233/fakeurl[.]htm
Remediation
- Block the threat indicators at their respective controls.
- Use known secure email security solutions.
- Do not download and execute files coming from untrusted sources.
- Ensure segmentation of the corporate network.
- Implement multi-factor authentication policy.