Platform
Managed Security Services
Managed Penetration Testing
Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Resources
June 2, 2023
Severity High Analysis Summary Shuckworm APT – aka Actinium, Armageddon, Primitive Bear, Gamaredon, and Trident Ursa – is a Russia-backed advanced persistent threat (APT) that has […]June 2, 2023Severity High Analysis Summary StormKitty information stealer is designed to compromise sensitive data from infected systems, such as login credentials, passwords, cryptocurrency wallets, and other valuable […]June 2, 2023Severity High Analysis Summary Tofsee malware has been around since 2016. Once installed on a compromised computer, it can be used to send spam emails and […]Threat Insights
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
Connect with Us
Platform
Managed Security Services
Managed Penetration Testing
Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Resources
June 2, 2023Severity High Analysis Summary Shuckworm APT – aka Actinium, Armageddon, Primitive Bear, Gamaredon, and Trident Ursa – is a Russia-backed advanced persistent threat (APT) that has […]June 2, 2023Severity High Analysis Summary StormKitty information stealer is designed to compromise sensitive data from infected systems, such as login credentials, passwords, cryptocurrency wallets, and other valuable […]June 2, 2023Severity High Analysis Summary Tofsee malware has been around since 2016. Once installed on a compromised computer, it can be used to send spam emails and […]Threat Insights
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
Connect with Us
Rewterz Threat Alert – Qakbot (Qbot) Malware – Active IOCs
July 9, 2022Rewterz Threat Alert – Confucius APT group Targeting Pakistan – Active IOCs
July 10, 2022
Severity
High
Analysis Summary
In the year 2018, the threat actor WIRTE APT Subgroup was discovered for the first time. Spear-phishing emails are used to encourage victims to open a malicious Microsoft Excel/Word document. All of the Excel droppers found were using a technique that leverages formulae in hidden spreadsheets or cells to execute macro 4.0 commands named as Excel 4.0 macros. It is used to drop malware called Ferocious droppers. The payload was downloaded using conventional VBA macros by the Word droppers. The actor customized the counterfeit contents to the targeted victims, including logos and themes that were relevant to the targeted company or current events in their location. However, in some circumstances a bogus ‘Kaspersky Update Agent’ executable worked as a dropper for the VBS implant. The threat actor appears to have targeted a range of sectors, including diplomatic and financial institutions, government, law firms, military groups, and technological enterprises. Armenia, Cyprus, Egypt, Jordan, Lebanon, Palestine, Syria, and Turkey are among the countries affected. WIRTE is a suspected part of the Gaza Cybergang that is an Arabic politically motivated cyber criminal group. WIRTE APT Subgroup changed their toolkit and how they operate in order to be inconspicuous for longer. They use simple but successful tactics to compromise its victims and outperformed its suspected peers in terms of OpSec by using interpreted language malwares like VBS and PowerShell scripts.
Impact
- Information Theft and Espionage
Indicators of Compromise
MD5
- c5e75fcb0aa0bf152affecb33f9094df
- 8ba9ed3005407fc8a85b4db88c7e1c0a
- fecaee84b2fb27e9e68e6b9598609706
SHA-256
- 58ff981332189a0a2e0b1152f36a5eb58402501fcf218339deab69a187edf823
- 467b59feba8ebaa7ef81b19ca69c133c07953affebeaf32f2d284b12533391be
- 086e49e431272b1ea8e3c1d7a9e297a8c50891db833bf180f2a5e9035f1bee8b
SHA-1
- 484565cab3abf806df68f2d84f79f974ab79279a
- 2b3f98995576d9a68ccc80542f5390e290a4359e
- e177d85ee3092aa54c95e1804ee3d256b5865fcb
Remediation
- Block the threat indicators at their respective controls.
- Search for IOCs in your environment.