Platform
Managed Security Services
Managed Penetration Testing
Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Resources
March 15, 2023Severity High Analysis Summary According to researchers, a Golang-based botnet named GoBruteforcer has been discovered, which is specifically targeting web servers running FTP, MySQL, phpMyAdmin, and […]March 15, 2023Severity High Analysis Summary DarkComet RAT (Remote Administration Tool) is a type of malware that is designed to allow attackers to gain remote access to a […]March 15, 2023Severity High Analysis Summary CVE-2023-23410 CVSS:7.8 Microsoft Windows could allow a local authenticated attacker to gain elevated privileges on the system, caused by a flaw in […]Threat Insights
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
Connect with Us
Platform
Managed Security Services
Managed Penetration Testing
Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Resources
March 15, 2023Severity High Analysis Summary According to researchers, a Golang-based botnet named GoBruteforcer has been discovered, which is specifically targeting web servers running FTP, MySQL, phpMyAdmin, and […]March 15, 2023Severity High Analysis Summary DarkComet RAT (Remote Administration Tool) is a type of malware that is designed to allow attackers to gain remote access to a […]March 15, 2023Severity High Analysis Summary CVE-2023-23410 CVSS:7.8 Microsoft Windows could allow a local authenticated attacker to gain elevated privileges on the system, caused by a flaw in […]Threat Insights
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
Connect with Us
Rewterz Threat Alert – A Point-Of-Sale Malware Ecosystem that Exfiltrates Credit Card Data
May 8, 2019Rewterz Threat Alert – Dharma Ransomware Uses Legit Antivirus Tool to Distract Victims During Encryption
May 9, 2019
Severity
High
Analysis Summary
A Turla backdoor targeted at Microsoft Exchange mail servers and controllable remotely via email attachments using steganography was discovered while used in attacks against multiple targets from around the world.
The specific targeting of Microsoft Exchange servers by malware is in itself unique, but even more interesting is the use of Transport Agents as a persistence mechanism. Transport Agents are used in a Microsoft Exchange mail flow to allow custom software to be involved in the processing of email messages. By creating a custom Transport Agent, the Turla threat group was able to apply a custom rule-set to emails passing through compromised Exchange servers allowing them to read, modify, compose, send, or delete emails. Using the rule file for the Transport Agent, the attackers implemented handlers that included the ability to execute commands. If an attacker sends an email to the victim organization with either a PDF or JPG attachment, a rule is applied that decodes commands that were hidden in the documents via steganography methods. The commands enable full control over the Exchange server via functions such as executing processes, exfiltrating files, and writing executables.
Impact
- Remote code execution
- Exfiltrate sensitive documents
Indicators of Compromise
Malware Hash (MD5/SHA1/SH256)
- 3C851E239FBF67A03E0DAE8F63EEE702B330DB6C
- 76EE1802A6C920CBEB3A1053A4EC03C71B7E46F8
- FF28B53B55BC77A5B4626F9DB856E67AC598C787
- C1FF6804FDB8656AB08928D187837D28060A552F
- F9D52BB5A30B42FC2D1763BE586CEE8A57424732
- 0A9F10925AF42DF94925D07112F303D57392C908
- A4D1A34FE5EFFD90CCB6897679586DDC07FBC5CD
- 0a9f10925af42df94925d07112f303d57392c908
- 3c851e239fbf67a03e0dae8f63eee702b330db6c
- 76ee1802a6c920cbeb3a1053a4ec03c71b7e46f8
- a4d1a34fe5effd90ccb6897679586ddc07fbc5cd
- c1ff6804fdb8656ab08928d187837d28060a552f
- f9d52bb5a30b42fc2d1763be586cee8a57424732
- ff28b53b55bc77a5b4626f9db856e67ac598c787
Affected Vendors
Microsoft
Affected Products
Remediation
Block all threat indicators at your respective controls.