• Services
    • Assess
      • Compromise Assessment
      • APT Assessment
      • Penetration Testing
      • Secure Architecture Design & Review
      • Red Team Assessment
      • Purple Team Assessment
      • Social Engineering
      • Source Code Review
    • Transform
      • SOC Consultancy
      •     SOC Maturity Assessment
      •     SOC Model Evaluation
      •     SOC Gap Analysis
      •     SIEM Gap Analysis
      •     SIEM Optimization
      •     SOC Content Pack
    • Train
      • Security Awareness and Training
      • Tabletop Exercise
      • Simulated Cyber Attack Exercises
    • Respond
      • Incident Response
      • Incident Analysis
  • Managed Security
    • Managed Security Monitoring
      • Remote SOC
      • Onsite SOC
      • Hybrid SOC
    • Managed Security Services
      • Managed Detection and Response
      • Managed Endpoint Detection and Response
      • Managed Threat Intelligence
      • Managed Threat Hunting
      • Managed Risk-Based SOAR
      • Managed Penetration Testing
  • Solutions
  • Resources
    • Blog
    • Press Release
    • Threat Advisory
  • Company
    • About Us
    • Careers
    • Contact
Rewterz Threat Advisory – CVE-2019-11510 – Continued Exploitation of Pulse Secure VPN Vulnerability
January 13, 2020
Rewterz Threat Alert – Active Cryptomining Worm
January 13, 2020

Rewterz Threat Alert – TA428 Group Taking Advantage of Recent Conflict between Iran and USA

January 13, 2020

Severity

High

Analysis Summary

A suspicious document has attention due to its recent creation date (06-01-2020) and its title “How Swuleimani’s death will affect India and Pakistan.doc” which is directly related to recent political events between Iran and the USA.

Captura-de-pantalla-de-2020-01-09-16-44-17.png

The document is in RTF format, and has an OLE object related with the Equation Editor. During the last years, this OLE objects have been a good indicator that a document may aim to exploit the CVE-2018-0798 vulnerability in order to infect with some kind of malware. This particular document turns out to be one of these examples, and does it by dropping a binary called 8.t. in the “% TEMP%” folder of the user.

After this infection chain, what we get is a DLL executable file with extension “.wll” used for “Word.addin.8” files, that is installed in the path “%APPDATA%\Microsoft\Word\STARTUP” which causes that MSWord at the next application startup to load this “.wll” executable file. This DLL consists in a packed version of a PoisonIvy RAT sample, that after a few seconds makes traffic to the C2 server “95.179.131.29”, through port 443, and in case of error, through port 8080 using HTTP traffic.

Impact

Exposure of sensitive information

Indicators of Compromise

IP

95[.]179[.]131[.]29

MD5

  • f1b21f5f9941afd9eec0ab7456ec78b8

SHA-256

02dec90a18545d4bfbac5de19c6499142e141c3c0abaecdc8ac56b8eede167aa
0eb7ba6457367f8f5f917f37ebbf1e7ccf0e971557dbe5d7547e49d129ac0e98

SHA1

b0786a1f0b785d9800585cde1ce15cd6fe269dab

Remediation

  • Block all threat indicators at your respective controls.
  • Always be suspicious about emails sent by unknown senders.
  • Never click on the links/attachments sent by unknown senders.
  • Services
    • Assess
      • Compromise Assessment
      • APT Assessment
      • Penetration Testing
      • Secure Architecture Design & Review
      • Red Team Assessment
      • Purple Team Assessment
      • Social Engineering
      • Source Code Review
    • Respond
      • Incident Response
      • Incident Analysis
  • Transform
    • SOC Consultancy
    •     SOC Maturity Assessment
    •     SOC Model Evaluation
    •     SOC Gap Analysis
    •     SIEM Gap Analysis
    •     SIEM Optimization
    •     SOC Content Pack
  • Train
    • Security Awareness and Training
    • Tabletop Exercise
    • Simulated Cyber Attack Exercises
  • Managed Security
    • Managed Security Monitoring
      • Remote SOC
      • Onsite SOC
      • Hybrid SOC
    • Managed Security Services
      • Managed Detection and Response
      • Managed Endpoint Detection and Response
      • Managed Threat Intelligence
      • Managed Threat Hunting
      • Managed Risk-Based SOAR
      • Managed Penetration Testing
  • Solutions
  • Resources
    • Blog
    • Threat Advisory
  • Company
    • About Us
    • Careers
    • Contact
COPYRIGHT © REWTERZ. ALL RIGHTS RESERVED.