Rewterz Threat ALert – Trickbot Using Google Docs to Bypass Email Gateways

Rewterz Threat Alert – Domen Social Engineering Toolkit Generates 100,000 Page Views

September 5, 2019

Rewterz Threat Alert – Network Routers Hit with Glupteba Campaign

Severity

Medium

Analysis Summary

A malvertising attack distributing the malware Glupteba. This is an older malware that was previously connected to a campaign named Operation Windigo and distributed through exploit kits to Windows users. In 2018, a security company reported that the Glupteba botnet may have been independent from Operation Windigo and had moved to a pay-per-install adware service to distribute it in the wild. The activities of the actors behind Glupteba have been varied: they were suspected of providing proxy services in the underground, and were identified as using the EternalBlue exploit to move into local networks and run Monero (XMR) cryptocurrency miners.

Impact

Exposure of sensitive information

Indicators of Compromise

URLs

okonewacon[.]com
keepmusic[.]xyz
lienews[.]world
bigtext[.]club
clubhouse[.]site
playfire[.]online
nxtfdata[.]xyz
blackempirebuild[.]com
phonemus[.]net
venoxcontrol[.]com
takebad1[.]com

Malware Hash (MD5/SHA1/SH256)

8591804d5f8feb97f07522145302e7e8c48915aaa05f126f5eb79ee99bda547a
b2618747cf051309d882671402bfe78d4c0297e6b321c80d4ac33ee0e5d428e3
b4be0ec52b20643ef4d3740cf471d4f570d7cc4be2a2ef33ed5c4ccfa7c025c9
c1b76b5a3cec09416dacb32d446eb2d71618476e9cb6ade83bce731608728c32
20e983e90144c385996eeb2edb584d654d898c34725e149682170f870ee12870
1e71965e20aa50df21375a1db003e92823abacac1c1850c2d0922d43420e2d30
b562ad8c740ba4549be9c7dc693c1f77bd2ba3bac33128769d5a7e079bfdedec
5486f07cccc300dd939b4936daeb37b83d4c818d1735470bf791b6fd112db25d
69c40f971402945d188a66e1fd9117965fd7c11af71514e3f8152a9c873b600d
ab54f3f4851aa06ce6eccafc922f0fba6e5387bd0220fb2fbd45632a6fe6ace7
0dedb703da8d7aeae5d6f6da3e37b3d3fc42d0872b8470a81066a4491f2455f2
46f8d4dcdbec752ba57a682d62265221e0a2db67a37b5ccd851dcb44b907a32d
07d1ea5c0b4a1b437d2146fd9c918d72a16c2950d24d4c7f1f95f8409d2619b3

Remediation

Block all threat indicators at your respective controls.
Always be suspicious about emails sent by unknown senders.
Never click on the link/attachments sent by unknown senders.

Reading this advisory was a good start.

Make it a habit.

Rewterz publishes threat advisories ahead of mainstream cybersecurity media, informed by an AI-Native Autonomous SOC that sees regional threat actor activity in real time. Subscribe to receive each new advisory as it publishes, plus a monthly Middle East threat landscape brief drawn from our own SOC telemetry. For teams evaluating their detection coverage, a 30-minute consultation with a senior analyst is also available, at your pace, when you're ready.

Request a demo