Platform
Managed Security Services
Managed Penetration Testing
Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Resources
September 18, 2023
Severity Medium Analysis Summary Lumma is an information stealer that is sold as a Malware-as-a-Service (MaaS) on Russian-speaking underground forums and Telegram. Lumma is an information […]September 18, 2023Severity Medium Analysis Summary CVE-2023-4948 CVSS:4.3 WooCommerce CVR Payment Gateway Plugin for WordPress could allow a remote attacker to bypass security restrictions, caused by missing capability […]September 18, 2023Severity High Analysis Summary Microsoft has stated that a ransomware group working with an initial access broker has recently started using Microsoft Teams for their phishing […]Threat Insights
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
Connect with Us
Platform
Managed Security Services
Managed Penetration Testing
Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Resources
September 18, 2023Severity Medium Analysis Summary Lumma is an information stealer that is sold as a Malware-as-a-Service (MaaS) on Russian-speaking underground forums and Telegram. Lumma is an information […]September 18, 2023Severity Medium Analysis Summary CVE-2023-4948 CVSS:4.3 WooCommerce CVR Payment Gateway Plugin for WordPress could allow a remote attacker to bypass security restrictions, caused by missing capability […]September 18, 2023Severity High Analysis Summary Microsoft has stated that a ransomware group working with an initial access broker has recently started using Microsoft Teams for their phishing […]Threat Insights
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
Connect with Us
Rewterz Threat Advisory – ICS: Honeywell Maxpro VMS & NVR
January 22, 2020Rewterz Threat Alert – Increased Activity of Emotet
January 23, 2020
Severity
High
Analysis Summary
Identification of new versions of an old Linux malware known as Rekoobe, a minimalistic trojan with a complex CNC authentication protocol originally targeting SPARC and Intel x86, x86-64 systems back in 2015 is back. The new malware samples have lower detection rates than their predecessors. This might be because of malware ceased its operation in 2016 after it was reported. In the current context, Rekoobe have resumed their operations utilizing a newer version of the malware.
Technical Analysis
the new variants are statically compiled ELF binaries while older variants were dynamically compiled.This undeniably implies that on a code level these two generations of the same malware are different. Since the compilation flags used by the GCC compiler differ between dynamically and statically linked code, the compiler will generate different code accordingly.
In previous Rekoobe variants, the malware would initially collect some preliminary configuration saved in disk, masquerading this configuration to be a shared object, However, in the new variants, the need for this configuration file has been completely removed, having hard-coded the subject artifacts previously dependent on the configuration file.
Impact
Download user files
Indicators of Compromise
Domain Name
huawel[.]site
Hostname
7xin[.]bitscan[.]win
IP
- 119[.]3[.]22[.]174
- 96[.]45[.]187[.]113
MD5
- f34119a442651945d5efb33db8901d9b
- 4b45e601d480124c38be06a706f7d8f4
SHA-256
- 2e2dc0328f6c19b033bb19c24e59e354e519606958afb93fd8049d162a8e3edd
- c9eb46d00e11acb354b518f725412b88c69cc511ec8d5bd3cb03c1740f8a2936
- 7148ae1ab45e17889915100fdc203fe7941d8e9b946d44a3989ab8baeb6066e1
- 80e5fec19843c32c6c3fc38aabdeb428c339b0dfce28023529144405b9c72b33
- e63c2e35a41c51e33b246f5b60c5d1b8da0d8c50bf7ec592383b61818217e8d7
- 1d0591049a65db6508a9517f72954541ef6b5a7fe9153c5edcb1bac1b70b991c
Remediation
- Block all threat indicators at your respective controls.
- Always be suspicious about emails sent by unknown senders.
- Never click on the links/attachments sent by unknown senders.