
Rewterz Threat Alert – RevengeRAT Being Distributed via Malspam Campaigns

November 13, 2019

Severity

High

Analysis Summary

A multi-stage VBS downloader is being delivered to targets via malspam campaigns and is used to distribute RevengeRAT and WSHRAT. The infection starts with an MHT file contained in a ZIP archive sent over email; the MHT file communicates back to the following open-directory server: http://newdocreviewonline.3utilities[.]com/

This server hosts two files: Review.php, which downloads Microsoft.hta, and Microsoft.hta itself, a JavaScript file consisting largely of URL-encoded characters.

Decoding the characters reveals an HTML file with embedded VBScript that creates a new script, A6p.vbs (stored under AppData\Local), which is then used to download and execute stage 2, a script named Microsoft.vbs. Stage 2 is downloaded from https://scisolinc[.]com/wp-includes/Text/microsoft.vbs and is heavily obfuscated.
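As an added example (not from the advisory or from Rewterz), the following Python mirrors the analyst step described above: expand the URL-encoded HTA content the way unescape() would at runtime, then pull the dropped script path and the stage-2 download URL out of the revealed VBScript and match the URL host against the advisory's indicators. The HTA text is a constructed stand-in, not the real Microsoft.hta.

```python
import re
from urllib.parse import unquote

# Hosts taken from the advisory's URL indicators, with the [.] defanging removed.
ADVISORY_HOSTS = {"newdocreviewonline.3utilities.com", "scisolinc.com", "britianica.uk.com"}

# Constructed stand-in for Microsoft.hta (not the real sample): a JScript wrapper
# whose payload is almost entirely %XX sequences that unescape() expands at runtime.
SAMPLE_HTA = (
    '<script>document.write(unescape("'
    "%3Cscript%20language%3D%22VBScript%22%3E%0A"
    "Set%20fso%20%3D%20CreateObject%28%22Scripting.FileSystemObject%22%29%0A"
    "p%20%3D%20%22%25LOCALAPPDATA%25%5CA6p.vbs%22%0A"
    "u%20%3D%20%22https%3A%2F%2Fscisolinc.com%2Fwp-includes%2FText%2Fmicrosoft.vbs%22%0A"
    "%3C%2Fscript%3E"
    '"))</script>'
)


def decode_stage(hta_text: str) -> str:
    """Expand every %XX sequence, mirroring what unescape() does when the HTA runs."""
    return unquote(hta_text)


def extract_indicators(decoded: str) -> dict:
    """Pull the dropped script path and any download URLs out of the decoded VBScript."""
    # Scripts written under %LOCALAPPDATA% (the AppData\Local location named in the advisory).
    dropped = re.findall(r"%LOCALAPPDATA%\\[\w.-]+\.vbs", decoded, re.IGNORECASE)
    urls = re.findall(r'https?://[^\s"\'<>]+', decoded)
    # Reduce each URL to its bare host (scheme, path and port stripped) for IoC matching.
    hosts = {u.split("//", 1)[1].split("/")[0].split(":")[0].lower() for u in urls}
    return {
        "dropped_scripts": dropped,
        "urls": urls,
        "known_hosts": sorted(hosts & ADVISORY_HOSTS),
    }


if __name__ == "__main__":
    print(extract_indicators(decode_stage(SAMPLE_HTA)))
```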

RevengeRAT is known for targeting government entities, financial services organizations, information technology service providers, and consultancies.

Impact

  • Unauthorized Remote Access
  • Credential Theft
  • Data Manipulation
  • Financial loss

Indicators of Compromise

Domain Name

newdocreviewonline.3utilities[.]com


Source IP

  • 193.56.28[.]134
  • 185.84.181[.]102

URL

  • hxxp[:]//newdocreviewonline[.]3utilities[.]com/
  • hxxp[:]//newdocreviewonline.3utilities[.]com/2/
  • hxxp[:]//newdocreviewonline.3utilities[.]com/1/
  • hxxp[:]//newdocreviewonline.3utilities[.]com/microsoft[.]hta
  • hxxps[:]//scisolinc[.]com/wp-includes/Text/microsoft[.]vbs
  • hxxp[:]//britianica.uk[.]com:4132
  • hxxp[:]//185.84.181[.]102[:]5478

Remediation

  • Block the threat indicators at their respective controls.
  • Do not respond to emails coming from untrusted sources.
  • Do not download attachments or visit links in untrusted emails.