Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
Medium
Zeus Sphinx (AKA Zloader, Terdot) increased activities in March 2020. Like many other malicious campaigns, the one pushing Zeus is also leveraging the Covid19 pandemic. The malspam contains files named “COVID 19 relief” and similar subject lines. Zeus still targets banks across continents in the US, Canada, and Australia. The maldoc spam taking advantage of the trending COVID-19 theme tells victims that they need to fill out an attached form to receive monetary compensation for having to stay at home to help fight increasing infection rates.
From a variety of Office programs, with the majority being .doc or .docx files, these documents at first request the end user to enable executing a macro, unknowingly triggering the first step of the infection chain. Once the end user accepts and enables these malicious macros, the script will start its deployment, often using legitimate, hijacked Windows processes that will fetch a malware downloader. Next, the downloader will communicate with a remote command-and-control (C&C) server and fetch the new Sphinx variant.The maldoc is password-protected, likely to prevent analysis of the file before the recipient opens it. It writes numerous folders and files to disk and adds some Registry keys in order to hide itself and manage its configuration files over time.
The weaponized document creates a malicious folder under %SYSTEMDRIVE% and writes a batch file into it. After executing the batch file, it writes a VBS file to the same folder. That file is executed and uses a legitimate WScript.exe process, creates a communication channel with its C&C server and downloads a malicious executable in the form of a DLL. The malicious DLL, which is Sphinx’s executable, is also written to the folder under %SYSTEMDRIVE%. The infection process is initiated with the execution of the Sphinx DLL using Regsvr32.exe, which sets off Sphinx’s infection chain.
MD5
SHA-256
Source IP
URL