
Rewterz Threat Alert – SeedWorm Malware Campaign – Threat Indicators

February 28, 2019

Severity

Medium

Analysis Summary

In a SeedWorm malware campaign, variants of a backdoor program called LisfonService were seen in various stages of development. Some of the files were retrieved by using PowerShell to download and run a program called ‘muddy’ on the system. Indicators of Compromise are attached.

Impact

Malware Infection

Indicators of Compromise

IP(s) / Hostname(s)

  • 31.171.154[.]67
  • 46.99.148[.]96
  • 78.129.139[.]148
  • 78.129.222[.]56
  • 79.106.224[.]203

Filename

  • svchosts.exe
  • TestService.exe
  • lisfon.exe
  • lisfonservice.exe
  • Win7LisfonService.exe
  • LisfonService.exe
  • Lisfon.exe

Extension

.exe

Malware Hash (MD5/SHA1/SHA256)

  • 51ac160f7d60a9ce642080af0425a446fb25b7067e06b3a9a8ec2f777836efd3
  • 5723f425e0c55c22c6b8bb74afb6b506943012c33b9ec1c928a71307a8c5889a
  • 58972b27b7dc40494e715c2f39a1bcee4d8c18da6bcc3e22785496cca2cee1a0
  • 6f8226d890350943a9ef4cc81598e0e953d8ba9746694c0b7e3d99e418701b39
  • 9262bf6be648e1b15850a776fe4e393250d74afdf911e94ae07718f8ad4d1664
  • b6078804dfdc3219ac8ba0f74473ff7ada00228ea0141d0be8e7cf227ff09186
  • bf696397784b22f8e891dd0627dce731f288d14d4791ac5d0a906bc1cbe10de6
  • c514c3f293f0cb4c23662a5ab962b158cb97580b03a22b82e21fa3b26d64809c
  • f1f11830b60e6530b680291509ddd9b5a1e5f425550444ec964a08f5f0c1a44e
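The indicators above are published defanged (`[.]` in place of `.`), so they cannot be matched against logs as-is. The following Python script is an added example, not part of the advisory: it refangs the IP list, normalises the filenames (Windows paths are case-insensitive), and runs all three indicator types over a few constructed proxy and EDR log lines. The log lines, hostnames and internal addresses are made up for the example; only the indicators come from the advisory.

```python
import re

# Indicators copied from the advisory above. IPs are kept defanged as published.
IOC_IPS_DEFANGED = [
    "31.171.154[.]67",
    "46.99.148[.]96",
    "78.129.139[.]148",
    "78.129.222[.]56",
    "79.106.224[.]203",
]
IOC_FILENAMES = [
    "svchosts.exe", "TestService.exe", "lisfon.exe", "lisfonservice.exe",
    "Win7LisfonService.exe", "LisfonService.exe", "Lisfon.exe",
]
IOC_SHA256 = {
    "51ac160f7d60a9ce642080af0425a446fb25b7067e06b3a9a8ec2f777836efd3",
    "5723f425e0c55c22c6b8bb74afb6b506943012c33b9ec1c928a71307a8c5889a",
    "58972b27b7dc40494e715c2f39a1bcee4d8c18da6bcc3e22785496cca2cee1a0",
    "6f8226d890350943a9ef4cc81598e0e953d8ba9746694c0b7e3d99e418701b39",
    "9262bf6be648e1b15850a776fe4e393250d74afdf911e94ae07718f8ad4d1664",
    "b6078804dfdc3219ac8ba0f74473ff7ada00228ea0141d0be8e7cf227ff09186",
    "bf696397784b22f8e891dd0627dce731f288d14d4791ac5d0a906bc1cbe10de6",
    "c514c3f293f0cb4c23662a5ab962b158cb97580b03a22b82e21fa3b26d64809c",
    "f1f11830b60e6530b680291509ddd9b5a1e5f425550444ec964a08f5f0c1a44e",
}


def refang(indicator: str) -> str:
    """Turn a defanged indicator ("1.2.3[.]4") back into its real form."""
    return indicator.replace("[.]", ".")


IOC_IPS = {refang(ip) for ip in IOC_IPS_DEFANGED}
# Windows filenames are case-insensitive, so compare lower-cased.
IOC_FILENAMES_LC = {name.lower() for name in IOC_FILENAMES}

# Constructed sample log lines (proxy and EDR style); not taken from the advisory.
SAMPLE_LOGS = [
    "2019-02-28T10:01:02Z proxy src=10.0.0.15 dst=78.129.139.148 url=http://78.129.139.148/update.exe status=200",
    "2019-02-28T10:01:05Z edr host=WS-042 process=C:\\Users\\bob\\AppData\\Roaming\\svchosts.exe "
    "sha256=51ac160f7d60a9ce642080af0425a446fb25b7067e06b3a9a8ec2f777836efd3",
    "2019-02-28T10:02:00Z proxy src=10.0.0.16 dst=93.184.216.34 url=http://example.com/ status=200",
    # Legitimate svchost.exe (one 's'): must NOT match the look-alike indicator 'svchosts.exe'.
    "2019-02-28T10:03:11Z edr host=WS-017 process=C:\\Windows\\System32\\svchost.exe sha256=notahash",
]

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")
# Last path component ending in .exe, whatever the path separator.
FILENAME_RE = re.compile(r"([^\\/\s]+\.exe)\b", re.IGNORECASE)


def scan_line(line: str) -> list:
    """Return (indicator_type, value) pairs for every advisory indicator seen in one log line."""
    hits = []
    for ip in sorted(set(IP_RE.findall(line))):
        if ip in IOC_IPS:
            hits.append(("ip", ip))
    for digest in sorted({h.lower() for h in SHA256_RE.findall(line)}):
        if digest in IOC_SHA256:
            hits.append(("sha256", digest))
    for name in sorted(set(FILENAME_RE.findall(line))):
        if name.lower() in IOC_FILENAMES_LC:
            hits.append(("filename", name))
    return hits


def scan_logs(lines: list) -> list:
    """Return (line_index, hits) for every line that matched at least one indicator."""
    results = []
    for index, line in enumerate(lines):
        hits = scan_line(line)
        if hits:
            results.append((index, hits))
    return results


if __name__ == "__main__":
    for index, hits in scan_logs(SAMPLE_LOGS):
        print(f"line {index}: {hits}")
```

Run as written, the script reports the proxy line that contacted 78.129.139.148 and the EDR line carrying both the `svchosts.exe` filename and a listed SHA256, while the genuine `svchost.exe` line and the benign proxy line stay quiet. Filename indicators alone are weak (a name is trivial to change), so treat a filename-only match as a lead to confirm with the hash or the network indicator.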

Remediation

  • Block the threat indicators where possible.
  • Maintain up-to-date antivirus signatures and engines.
  • Keep operating system patches up-to-date.
  • Disable File and Printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
  • Restrict users’ ability (permissions) to install and run unwanted software applications.
  • Exercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be known.
  • Enable a personal firewall on agency workstations, configured to deny unsolicited connection requests.
  • Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its “true file type” (i.e., the extension matches the file header).
  • Monitor users’ web browsing habits; restrict access to sites with unfavorable content.
  • Scan all software downloaded from the Internet prior to executing.
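The “true file type” check in the remediation list means comparing an attachment's extension with the magic bytes at the start of its content rather than trusting the name. The following Python example is added here and is not part of the advisory: it holds a small table of well-known file signatures (the PE image ‘MZ’ header that every .exe carries, PDF, ZIP-based Office formats, and the legacy OLE compound format), reads only the first bytes of the content, and reports whether the extension agrees. The sample attachments are constructed in memory; the filenames are invented for the example.

```python
import os

# Leading bytes ("magic") and the extensions they legitimately belong to.
# Only common, well-documented signatures; unknown headers are reported as undecidable.
MAGIC_TO_EXTENSIONS = {
    b"MZ": {".exe", ".dll", ".scr", ".sys"},               # Windows PE image (DOS stub header)
    b"%PDF": {".pdf"},                                     # PDF
    b"PK\x03\x04": {".zip", ".docx", ".xlsx", ".pptx"},    # ZIP container (also OOXML Office)
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": {".doc", ".xls", ".ppt", ".msi"},  # OLE compound file
}
HEADER_LENGTH = max(len(magic) for magic in MAGIC_TO_EXTENSIONS)


def detect_by_header(data: bytes):
    """Return (magic, allowed_extensions) for the first matching signature, or (None, set())."""
    head = data[:HEADER_LENGTH]
    for magic, extensions in MAGIC_TO_EXTENSIONS.items():
        if head.startswith(magic):
            return magic, extensions
    return None, set()


def extension_matches_header(filename: str, data: bytes):
    """True if the extension fits the header, False if it contradicts it, None if the header is unknown."""
    extension = os.path.splitext(filename)[1].lower()
    magic, allowed = detect_by_header(data)
    if magic is None:
        return None
    return extension in allowed


def triage_attachments(attachments: list) -> list:
    """Classify (filename, content) pairs as 'ok', 'mismatch' or 'unknown' for a mail gateway."""
    verdicts = []
    for filename, content in attachments:
        result = extension_matches_header(filename, content)
        status = "unknown" if result is None else ("ok" if result else "mismatch")
        verdicts.append((filename, status))
    return verdicts


# Constructed sample attachments (not real samples from the campaign).
SAMPLE_ATTACHMENTS = [
    ("installer.exe", b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56),   # PE header under .exe: consistent
    ("quarterly_report.pdf", b"MZ\x90\x00\x03\x00" + b"\x00" * 58),    # PE header under .pdf: disguised executable
    ("agenda.pdf", b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n"),                 # real PDF
    ("budget.docx", b"PK\x03\x04\x14\x00\x06\x00"),                    # OOXML is a ZIP container
    ("notes.txt", b"plain text has no magic number\n"),                # no signature: cannot decide
]

if __name__ == "__main__":
    for name, status in triage_attachments(SAMPLE_ATTACHMENTS):
        print(f"{name:24s} {status}")
```

The undecidable case matters in practice: a scanner that maps “no known header” to “ok” silently passes everything it does not recognise, so the function returns `None` for that case and leaves the policy decision (quarantine, sandbox, or allow) to the caller.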
