
Rewterz Threat Alert – New Watering Hole Identified for Credential Harvesting

January 30, 2020

Severity

Medium

Analysis Summary

A Kuwaiti organization’s webpage was used as an apparent watering hole. The webpage contained a hidden image, observed between June and December 2019, that referenced domains associated with malicious activity conducted by the xHunt campaign operators. It is believed that the same threat actors involved in the Hisoka attack campaign compromised the website and injected this HTML code in an attempt to harvest credentials from the website’s visitors, specifically account names and password hashes. It is not yet confirmed, but the actors may have intended to crack these hashes to obtain visitors’ passwords, or to use the gathered hashes in relay attacks to gain access to additional systems.

If the attackers succeed in harvesting account credentials, the compromised data has many uses and can allow them to breach an organization and steal sensitive information. Furthermore, because they would be using trusted credentials, attackers can go undetected for long periods of time, enabling them to infiltrate other parts of the organization and even implant backdoors, such as RATs, to regain access to a system after being removed. This can result in significant damage to an organization over a prolonged period.

Impact

Credential harvesting

Indicators of Compromise

URL

  • http[:]//ffconnectivitycheck[.]com/
  • http[:]//www[.]alforatsystem[.]com/%D9%85%D8%B7%D8%A7%D8%B1-%D8%A7%D9%84%DA%A9%D9%88%DB%8C%D8%AA-%D8%A7%D9%84%D8%AF%D9%88%D9%84%DB%8C/y[.]almayal[.]zip
  • https[:]//ns1[.]alforatsystem[.]com/
  • http[:]//googie[.]email/
  • http[:]//lowconnectivity[.]com/
  • http[:]//cloudipnameserver[.]com/
  • http[:]//www[.]cloudipnameserver[.]com/
  • http[:]//antivirus-update[.]top/
  • http[:]//google-update[.]com/cgi/1b50500dad/15687/7098/6a1b870f/227990648
  • http[:]//google-update[.]com/install/inst
  • http[:]//googleupdate[.]com/install/inst[.]php?vers=CL%201[.]0[.]0[.]0&id=GQVZDGJNSWAFJNRVAFIOSXCGKNRUYCHLPTWZ-9@21@2018%202@45@18%20PM2302725&sender=prizrak
  • http[:]//googleupdate[.]com/install/inst[.]php?vers=CL%201[.]0[.]0[.]0&id=JQUYCGKOSWZCGJMPTWZDGJOSYFKNRVZDGLOR-9@12@2018%2012@35@45%20AM633639&sender=prizrak
  • http[:]//google-update[.]com/install/inst/
  • http[:]//google-update[.]com/plugins/1b50500dad/15687/7098/6a1b870f/227990648/21353E1C29353F520B/True/True
  • http[:]//google-update[.]com/service/update[.]rd
  • http[:]//google-update[.]com/service/update[.]rdf
  • http[:]//google-update[.]com/service/update[.]xml
  • http[:]//ww11[.]google-update[.]com/service/update[.]rdf
  • http[:]//ww25[.]googleupdate[.]com/install/inst[.]php?vers=CL%201[.]0[.]0[.]0&id=JQUYCGKOSWZCGJMPTWZDGJOSYFKNRVZDGLOR-9@12@2018%2012@35@45%20AM633639&sender=prizrak
  • http[:]//ww25[.]google-update[.]com/service/update[.]rdf
  • http[:]//ww25[.]googleupdate[.]com/service/update[.]xml?os=win&arch=x86&nacl_arch=x86-64&prod=chromiumcrx&prodchannel=&prodversion=49[.]0[.]2623[.]75&lang=zh-CN&x=id=eilhmoehgahbfcoknmpkccbdpmojpijh&v=1[.]0[.]2&uc
  • http[:]//ww6[.]googleupdate[.]com/install/inst[.]php?vers=CL%201[.]0[.]0[.]0&id=JQUYCGKOSWZCGJMPTWZDGJOSYFKNRVZDGLOR-9@12@2018%2012@35@45%20AM633639&sender=prizrak
  • http[:]//ww6[.]google-update[.]com/service/update[.]rdf
  • http[:]//ww6[.]googleupdate[.]com/service/update[.]xml?os=win&arch=x86&nacl_arch=x86-64&prod=chromiumcrx&prodchannel=&prodversion=57[.]0[.]2987[.]98&lang=zhCN&x=id%3Dfplobmecckpccjkcnojgljfpiaekbnic%26v%3D3[.]0[.]1%26installsource%3Dnotfromwebstore%26uc
  • http[:]//www[.]google-update[.]com
  • http[:]//www[.]google-update[.]com/service/update[.]xml?os=win
  • http[:]//www[.]googleupdate[.]com/service/update[.]xml?os=win&arch=x86&nacl_arch=x86-64&prod=chromiumcrx&prodchannel=&prodversion=49[.]0[.]2623[.]75&lang=zh-CN&x=id=eilhmoehgahbfcoknmpkccbdpmojpijh&v=1[.]0[.]2&uc
  • http[:]//www[.]googleupdate[.]com/service/update[.]xml?os=win&arch=x86&nacl_arch=x86-64&prod=chromiumcrx&prodchannel=&prodversion=57[.]0[.]2987[.]98&lang=zhCN&x=id%3Dfplobmecckpccjkcnojgljfpiaekbnic%26v%3D3[.]0[.]1%26installsource%3Dnotfromwebstore%26uc
  • http[:]//sakabota[.]com/

Remediation

  • Block all threat indicators at your respective controls.
  • Always be suspicious about emails sent by unknown senders.
  • Never click on the links/attachments sent by unknown senders.
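Two defender-side checks that follow from the Analysis Summary (a hidden image injected into a page, pointing at attacker-controlled domains) and from the first remediation item (blocking and hunting for the listed indicators). This is an added example, not code from the advisory or from Rewterz: it refangs a subset of the URL indicators listed above into hostnames, scans a constructed HTML fragment for visually hidden images whose source resolves to an indicator host, and matches constructed proxy-log lines (a simple assumed format of timestamp, client, method, URL, status) against the same hosts, treating subdomains such as ww11.google-update.com as matches of google-update.com.

```python
"""Defender-side triage for a watering-hole advisory (added example).

  1. find_hidden_images(html) flags <img> tags that are visually hidden and
     whose src host matches an indicator host (the injection pattern the
     advisory describes).
  2. match_log_lines(lines) matches URLs in proxy-log lines against the
     indicator hosts, including their subdomains.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Subset of the advisory's defanged URL indicators, copied from the list above.
DEFANGED_IOCS = [
    "http[:]//ffconnectivitycheck[.]com/",
    "https[:]//ns1[.]alforatsystem[.]com/",
    "http[:]//googie[.]email/",
    "http[:]//google-update[.]com/service/update[.]rdf",
    "http[:]//ww25[.]googleupdate[.]com/service/update[.]xml?os=win",
    "http[:]//sakabota[.]com/",
]


def refang(value: str) -> str:
    """Undo the [.] and [:] defanging so the URL can be parsed."""
    return value.replace("[.]", ".").replace("[:]", ":")


def ioc_hosts(defanged=DEFANGED_IOCS) -> set:
    """Lower-cased hostnames extracted from the defanged indicator URLs."""
    hosts = set()
    for url in defanged:
        host = urlparse(refang(url)).hostname
        if host:
            hosts.add(host.lower())
    return hosts


def host_matches(host: str, hosts: set) -> bool:
    """True if host equals an indicator host or is a subdomain of one.

    Matching on label boundaries avoids false positives such as
    'notgoogie.email' matching 'googie.email'."""
    host = host.lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in hosts)


class _ImgCollector(HTMLParser):
    """Collects the attribute dicts of every <img> tag in a document."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            # HTMLParser lower-cases attribute names; a bare 'hidden' has value None.
            self.images.append({k: (v or "") for k, v in attrs})


def _is_hidden(attrs: dict) -> bool:
    """Heuristic: zero/one-pixel size, hidden attribute, or CSS that hides it."""
    style = attrs.get("style", "").replace(" ", "").lower()
    tiny = (attrs.get("width", "").strip() in {"0", "1"}
            or attrs.get("height", "").strip() in {"0", "1"})
    return ("display:none" in style or "visibility:hidden" in style
            or "hidden" in attrs or tiny)


def find_hidden_images(html: str, hosts=None) -> list:
    """Return (src, host) for hidden <img> tags whose src host is an indicator."""
    hosts = ioc_hosts() if hosts is None else hosts
    parser = _ImgCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.images:
        src = attrs.get("src", "")
        host = urlparse(src).hostname
        if host and _is_hidden(attrs) and host_matches(host, hosts):
            findings.append((src, host.lower()))
    return findings


URL_RE = re.compile(r"https?://[^\s\"']+")


def match_log_lines(lines, hosts=None) -> list:
    """Return (line_number, host) for each log line with an indicator-host URL."""
    hosts = ioc_hosts() if hosts is None else hosts
    hits = []
    for number, line in enumerate(lines, 1):
        for url in URL_RE.findall(line):
            host = urlparse(url).hostname
            if host and host_matches(host, hosts):
                hits.append((number, host.lower()))
                break
    return hits


# Constructed sample page: one legitimate logo and two hidden indicator images.
SAMPLE_HTML = """<html><body><h1>Airport services</h1>
<img src="/static/logo.png" width="200" height="60">
<img src="http://ww11.google-update.com/service/update.rdf" width="0" height="0">
<img src="http://sakabota.com/pixel.gif" style="display: none">
</body></html>"""

# Constructed proxy-log lines in an assumed format (not a real product's format).
SAMPLE_LOG = [
    "2019-11-04T10:21:33Z 10.0.0.12 GET http://www.example.com/ 200",
    "2019-11-04T10:21:34Z 10.0.0.12 GET http://ww11.google-update.com/service/update.rdf 404",
    "2019-11-04T10:22:01Z 10.0.0.19 GET https://ns1.alforatsystem.com/ 200",
    "2019-11-04T10:22:05Z 10.0.0.19 GET http://googie.email.example.org/ 200",
]

if __name__ == "__main__":
    for src, host in find_hidden_images(SAMPLE_HTML):
        print(f"hidden image -> indicator host {host}: {src}")
    for number, host in match_log_lines(SAMPLE_LOG):
        print(f"log line {number} -> indicator host {host}")
```

The hidden-image check is a heuristic for reviewing your own published pages after a suspected compromise; pair it with a diff of the page against its known-good source in version control, since an injected tag may not be hidden at all. Note the last sample log line: googie.email.example.org does not match because comparison is on label boundaries, not substrings.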
COPYRIGHT © REWTERZ. ALL RIGHTS RESERVED.