Platform
Managed Security Services
Managed Penetration Testing
Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Resources
September 22, 2023
Severity High Analysis Summary Ducktail Malware is a malicious program designed by hackers to infiltrate computers and networks globally. Ducktail malware is typically delivered through a […]September 22, 2023Severity Medium Analysis Summary First discovered in 2016, Revenge RAT is a remote access trojan (RAT) designed to give an attacker complete control over an infected […]September 22, 2023Severity High Analysis Summary The Konni APT (Advanced Persistent Threat) group is a cyber espionage group that has been active since at least 2014. It is […]Threat Insights
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
Connect with Us
Platform
Managed Security Services
Managed Penetration Testing
Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Resources
September 22, 2023Severity High Analysis Summary Ducktail Malware is a malicious program designed by hackers to infiltrate computers and networks globally. Ducktail malware is typically delivered through a […]September 22, 2023Severity Medium Analysis Summary First discovered in 2016, Revenge RAT is a remote access trojan (RAT) designed to give an attacker complete control over an infected […]September 22, 2023Severity High Analysis Summary The Konni APT (Advanced Persistent Threat) group is a cyber espionage group that has been active since at least 2014. It is […]Threat Insights
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
Connect with Us
COVID-19 Exploitation in Cyberspace
March 30, 2020
Rewterz Threat Alert – Hackers Start Capitalizing on Zoom’s Success to Spread Malware Amid Covid-19
March 30, 2020
Severity
Medium
Analysis Summary
Zeus Sphinx (AKA Zloader, Terdot) increased activities in March 2020. Like many other malicious campaigns, the one pushing Zeus is also leveraging the Covid19 pandemic. The malspam contains files named “COVID 19 relief” and similar subject lines. Zeus still targets banks across continents in the US, Canada, and Australia. The maldoc spam taking advantage of the trending COVID-19 theme tells victims that they need to fill out an attached form to receive monetary compensation for having to stay at home to help fight increasing infection rates.
From a variety of Office programs, with the majority being .doc or .docx files, these documents at first request the end user to enable executing a macro, unknowingly triggering the first step of the infection chain. Once the end user accepts and enables these malicious macros, the script will start its deployment, often using legitimate, hijacked Windows processes that will fetch a malware downloader. Next, the downloader will communicate with a remote command-and-control (C&C) server and fetch the new Sphinx variant.The maldoc is password-protected, likely to prevent analysis of the file before the recipient opens it. It writes numerous folders and files to disk and adds some Registry keys in order to hide itself and manage its configuration files over time.
The weaponized document creates a malicious folder under %SYSTEMDRIVE% and writes a batch file into it. After executing the batch file, it writes a VBS file to the same folder. That file is executed and uses a legitimate WScript.exe process, creates a communication channel with its C&C server and downloads a malicious executable in the form of a DLL. The malicious DLL, which is Sphinx’s executable, is also written to the folder under %SYSTEMDRIVE%. The infection process is initiated with the execution of the Sphinx DLL using Regsvr32.exe, which sets off Sphinx’s infection chain.
Impact
- Credential Theft
- Theft of Banking Information
Indicators of Compromise
MD5
- e8fcf85c39c4b99b903148cba3e2d913
- 2fc871107d46fa5aa8095b78d5abab78
- 70E58943AC83F5D6467E5E173EC66B28
- 7CA44F6F8030DF33ADA36EB35649BE71
- 8A96E96113FB9DC47C286263289BD667
- C6D279AC30D0A60D22C4981037580939
SHA-256
- dff2e1a0b80c26d413e9d4f96031019ce4567607e0231a80d0ee0eb1fcf429fe
- f40d11f983151b6f0405db63a3424e5063a7294f42bdbde07f7aed5fd96f4563
- 511dab2388e7a98cc70a8e6abbfe3c47f170c9fc616941a2c05c08b1fc449ef1
- 3c115864cb93746b3745a119855b17442ef9415ccc2bf1531fc5a269e4714c66
- 66fc5d683cf76c3c4b53199fc0796b7a13afba22fca8d97ef4dfd07249e5a9f1
- c89c43d51eba1eb522cca6ec720f778a59638a09ea07ce10a60dd1929023a8d5
Source IP
- 185[.]14[.]29[.]227
- 49[.]51[.]161[.]225
- 47[.]254[.]174[.]129
URL
- hxxp[:]//brinchil[.]xyz
- hxxps[:]//seobrooke[.]com
- hxxps[:]//securitysystemswap[.]com
- https[:]//axelerode[.]club/
Remediation
- Block the threat indicators at their respective controls.
- Do not download attachments from untrusted emails.