
Rewterz Threat Alert – Russian Language Malspam Pushing Shade Ransomware

February 26, 2019

Severity

Medium

Analysis Summary

The infection process is almost identical to the previous malspam campaign. The only difference is that the previous campaign had a ZIP archive attached to the malspam email, whereas this new campaign uses a link in a PDF attachment to retrieve the ZIP archive. Within the downloaded ZIP archive is a JavaScript file that infects vulnerable hosts with the Shade ransomware. The ransomware encrypts files on the host and demands payment over Tor in exchange for decryption.

Impact

File encryption.

Indicators of Compromise

IP(s) / Hostname(s)

74.220.207.61

62.212.69.227

URLs

  • http[:]//simplerlife[.]pl/wp-content/themes/hueman/assets/admin/css/pic[.]zip
  • http[:]//sidneyyin[.]com/templates/joomlage0084-aravnik/css/msg.jpg
  • http[:]//cryptsen7fo43rr6[.]onion/
  • http[:]//cryptsen7fo43rr6[.]onion.to/
  • http[:]//cryptsen7fo43rr6[.]onion.cab/

Email Address

pilotpilot088[@]gmail.com

Malware Hash (MD5/SHA1/SHA256)

  • 6950efbd9d6d10fdd8f644a71b30e53a8d1dbd64976279d8a192a0c9459d06e1
  • e76b93f6ab032e16f5f1d600cb061db49a10538b10a063561df95be94156ac0b
  • 17539e1a0c33fe2f98fa1b8fa282f9f3786ba15419e30ae6c4171ccff65338c9
  • 33dde2eed8ccb2b74c9d0feaf19c341354e54cb5d2c9e475507ff3fe22240381

Remediation

  • Block the threat indicators at their respective controls.
  • Always be suspicious of unsolicited email.
  • Never click on or download attachments sent from unrecognized senders.
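As an added example that is not part of the Rewterz advisory, the Python below refangs the indicators listed above, matches them against constructed proxy and mail-gateway log lines, and checks a file's SHA-256 against the hash list; the log format, the sample lines and the `corp.example` recipient are assumptions.

```python
import hashlib
import re

# Indicators copied from the advisory above, kept in their defanged form.
DEFANGED_URLS = [
    "http[:]//simplerlife[.]pl/wp-content/themes/hueman/assets/admin/css/pic[.]zip",
    "http[:]//sidneyyin[.]com/templates/joomlage0084-aravnik/css/msg.jpg",
    "http[:]//cryptsen7fo43rr6[.]onion/",
    "http[:]//cryptsen7fo43rr6[.]onion.to/",
    "http[:]//cryptsen7fo43rr6[.]onion.cab/",
]
DEFANGED_IPS = ["74.220.207.61", "62.212.69.227"]
DEFANGED_EMAILS = ["pilotpilot088[@]gmail.com"]
SHA256_HASHES = {
    "6950efbd9d6d10fdd8f644a71b30e53a8d1dbd64976279d8a192a0c9459d06e1",
    "e76b93f6ab032e16f5f1d600cb061db49a10538b10a063561df95be94156ac0b",
    "17539e1a0c33fe2f98fa1b8fa282f9f3786ba15419e30ae6c4171ccff65338c9",
    "33dde2eed8ccb2b74c9d0feaf19c341354e54cb5d2c9e475507ff3fe22240381",
}

def refang(value):
    """Undo the [.] [:] [@] defanging so an indicator can be matched against live data."""
    return value.replace("[.]", ".").replace("[:]", ":").replace("[@]", "@")

def host_of(url):
    """Host part of a URL, lower-cased, so a match does not depend on the exact path."""
    return re.sub(r"^https?://", "", url).split("/")[0].lower()

# Hosts, IPs and sender addresses to watch for, refanged once at import time.
WATCH_TERMS = sorted({host_of(refang(u)) for u in DEFANGED_URLS}
                     | set(DEFANGED_IPS) | {refang(e).lower() for e in DEFANGED_EMAILS})

def scan_line(line):
    """Return the advisory indicators present in one log line (case-insensitive, bounded match)."""
    lower = line.lower()
    return [t for t in WATCH_TERMS
            if re.search(r"(?<![\w.-])" + re.escape(t) + r"(?![\w-])", lower)]

def is_known_sample(data):
    """True when the SHA-256 of the given bytes is one of the advisory's malware hashes."""
    return hashlib.sha256(data).hexdigest() in SHA256_HASHES

# Constructed sample lines (not real traffic): one mail-gateway entry and two proxy entries.
SAMPLE_LOGS = [
    "2019-02-26T09:13:55Z mailgw from=pilotpilot088@gmail.com to=ap@corp.example attach=invoice.pdf",
    "2019-02-26T09:14:02Z proxy src=10.0.0.21 dst=74.220.207.61 url=http://simplerlife.pl/wp-content/themes/hueman/assets/admin/css/pic.zip",
    "2019-02-26T09:14:30Z proxy src=10.0.0.21 dst=198.51.100.7 url=http://example.com/index.html",
]

if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print(scan_line(line) or "clean", "<-", line[:60])
```

In practice the same matching would be run over DNS, proxy and mail-gateway exports, with the mail hit and the subsequent ZIP download from the same host correlated as one incident.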
