Archive for category Threats

Rewterz Threat Alert – Chase Business Themed Phishing Campaign – IoCs

Severity

Medium

Analysis Summary

A phishing campaign impersonating Chase Business is actively running and delivering malicious files to a range of users. Threat indicators are provided.

The email looks like this:

–Begin Message–

We have temporarily suspended your Chase, N.A. account for the funds transfer service.
Here are your account details:
hxxps://securemail.chase[.]com/formpostdir/securereader?id=33779538249&brand=65313164.
Please contact Member Services to re-activate your suspended account.
Sincerely, Member Services

–End Message–
 

Indicators of Compromise

IP(s) / Hostname(s)


URLs


Filename

  • Chase_Acc_BMO_823244.pdf
  • IJHE08527555667463100.doc

Email Address

  • business[@]e-creatorz[.]com

Malware Hash (MD5/SHA1/SHA256)

  • 453ae71569c49be9931836de1975dbe6391f599db93ebf1d25dde287b6a7b4e0
  • 99d2309a864b760721d719840f56e37bfc58c3b573291c68a28a7edc236e3f16


Rewterz Threat Alert – Scanning & Exploiting IPs Observed

Severity

Medium

Analysis Summary

This is a list of IP addresses associated with scanning and exploit activity. Threat indicators are provided.

Impact

  • SSH Scan
  • SSH Brute Force Attempt
  • Oracle WebLogic Exploitation Attempt
  • JBoss Exploitation Attempt

Indicators of Compromise

IP(s) / Hostname(s)


Remediation

  • Consider blocking and alerting on these IP addresses, as they have been logged attempting to exploit vulnerabilities or otherwise gain access to, or information about, SLTT network resources.
  • Investigate any logged activity from the noted IP addresses for signs of successful exploitation.
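As an added example (not Rewterz's own tooling), the following Python helper turns indicators written in the defanged notation these alerts use (hxxp, [.], [@], plus the http[.]// variant some advisories use) into a deduplicated blocklist, then counts sshd and proxy log lines that touch a blocklisted host. The indicator list and the log lines are constructed samples.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample in the advisory's defanged notation; the repeated IP mirrors the alert's list.
SAMPLE_IOCS = [
    "36[.]156[.]24[.]94",
    "36[.]156[.]24[.]94",
    "hxxps://lt99[.]ddns[.]net/al/index.php",
    "http[.]//nzssdm[.]com/assets/mt[.]dat",
    "business[@]e-creatorz[.]com",
    "453ae71569c49be9931836de1975dbe6391f599db93ebf1d25dde287b6a7b4e0",
]
# Constructed sshd and proxy log lines to match against (not from the page).
SAMPLE_LOGS = [
    "Mar  4 10:12:01 bastion sshd[4120]: Failed password for root from 36.156.24.94 port 51234 ssh2",
    "Mar  4 10:12:03 bastion sshd[4120]: Failed password for root from 36.156.24.94 port 51240 ssh2",
    "Mar  4 10:13:44 proxy squid: 10.0.0.17 TCP_MISS/200 GET https://lt99.ddns.net/al/index.php",
]
IPV4 = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
HEXHASH = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$", re.I)

def refang(ioc: str) -> str:
    """Undo the advisory's defanging so a value can be compared with live logs."""
    s = ioc.strip()
    s = re.sub(r"^hxxp", "http", s, flags=re.I)               # hxxps:// -> https://
    s = re.sub(r"^(https?)\[\.\]//", r"\1://", s, flags=re.I)  # http[.]//host -> http://host
    return s.replace("[.]", ".").replace("[@]", "@")

def classify(value: str) -> str:
    if IPV4.match(value):
        return "ip"
    if HEXHASH.match(value):
        return "hash"
    return "url" if "/" in value else ("email" if "@" in value else "domain")

def build_blocklist(raw_iocs) -> dict:
    """Refang, classify and deduplicate; returns {kind: sorted unique values}."""
    kinds = {}
    for raw in raw_iocs:
        value = refang(raw).lower()
        kinds.setdefault(classify(value), set()).add(value)
    return {k: sorted(v) for k, v in kinds.items()}

def match_logs(log_lines, blocklist) -> dict:
    """Count log lines per blocklisted host (IPs, domains, URL hosts, e-mail domains)."""
    hosts = set(blocklist.get("ip", [])) | set(blocklist.get("domain", []))
    hosts |= {urlparse(u).hostname for u in blocklist.get("url", [])}
    hosts |= {m.split("@", 1)[1] for m in blocklist.get("email", [])}
    hits = Counter()
    for line in log_lines:
        for token in re.findall(r"[\w.-]+", line):
            if token.lower() in hosts:
                hits[token.lower()] += 1
    return dict(hits)
```

A hit only says a logged host is on the list; the surrounding log context still has to be reviewed for signs that the attempt succeeded.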


Rewterz Threat Alert – Multi-stage Fileless Banking Trojan – IoCs

Severity

Medium

Analysis Summary

A multi-stage fileless banking trojan has been seen targeting the financial sector. It can also act as a downloader, dropping payloads such as banking trojans, info-stealers, and remote access trojans. Threat indicators are provided.

Impact

Temporary or permanent loss of sensitive or proprietary customer information.

Indicators of Compromise

URLs


Malware Hash (MD5/SHA1/SHA256)

  • adfcac0a7af10c1a85ae2b8663905ba3f3fd7cf4d276c967bd26f8a3ba82a7f2
  • 85ec67bc6c10feb5d4e03a62ea0fb98fadb47afbae4aa66f29297786ca53abb8
  • ae75cbae5597e6f4e16ce430c9e6ef0e599e05c7b1e1c2b095a0218aaab4309a

Remediation

  • Block threat indicators at respective controls
  • Always be aware of the suspicious emails sent by unknown senders
  • Never click on the link/attachments sent by unknown senders

Rewterz Threat Alert – Anubis Banking Trojan – Indicators of Compromise

Analysis Summary

The Anubis banking trojan was developed in 2016 and has been used as a trojan, keylogger, and ransomware. Recent Anubis samples read the mobile device's accelerometer to avoid detection.

Fake system update alerts and push notifications trick the user into disabling security controls, which gives the malware full control of the device and lets it install additional malware.

The malware’s logic detects installed financial applications and impersonates them.

Impact

Anubis banking trojan

Indicators of Compromise

URLs


Malware Hash (MD5/SHA1/SHA256)


Remediation

  • Block threat indicators at respective controls 
  • Always be aware of the suspicious emails sent by unknown senders 
  • Never click on the link/attachments sent by unknown senders
  • Keep software and operating systems up to date, as many malware variants prey on older, insecure versions.
  • Exercise caution even when installing from official stores. Only follow links to applications from trusted sites, and if you’re in any doubt, don’t install.

Rewterz Threat Alert – Phishing Related to Etihad Group Of Companies

Analysis Summary

Fraudsters are luring victims by posing as large UAE-based companies that offer them a job and then ask for up-front fees or bank account details. Legitimate company websites are cloned and hosted at a different URL, tricking the public into believing the job offer is real. The scammer then asks for an up-front payment to cover travel and visa fees for a job that does not exist.

The email looks like this:

Dear user,

We are hereby to inform you that you applied for a job on job seeking website, we went through your resume, because of which the ERT (Etihad Recruitment Team) are highly impressed with your background and approach and would love to formally offer you a position as an Assistant Supervisor at Etihad Group of Companies, by considering your resume that you have uploaded on job seeking website. We would like to inform you that you were shortlisted by the Etihad Group Of Companies, established in Dubai – United Arab Emirates since 2001. We would like to point out that the Etihad Group of Companies set out with the goal of providing job opportunities in Expo 2020 Dubai with free visa, free air ticket, free accommodation, free quality food and also free medical insurance in Dubai. We are happy to inform you that you have been selected as an Assistant Supervisor and we are offering you 4500 AED salary per month; all other benefits / terms & conditions are mentioned below:

Benefits / Terms & Conditions
  • Designation: Assistant Supervisor
  • Salary: 4500 AED per month
  • Job Responsibilities: Supervisors give instructions to and oversee the work of other employees and may be charged with making sure great customer service is provided. Unlike managers, they do not typically have the responsibility of hiring or firing employees.
  • Period of Contract: Two (2) year/s (renewable)
  • Place of Employment: Dubai – United Arab Emirates
  • Employment Visa: Provided by the company
  • Air Ticket: Joining and return air ticket after completion of two year contract, provided by the company
  • Working Hours: Eight (8) hours daily, Six (6) day/s a week
  • Over Time: As per UAE labor law
  • Accommodation: Provided by the company
  • Food: Provided by the company
  • Water, Electricity and Gas: Provided by the company
  • Medical & Insurance in Dubai: Provided by the company
  • Transportation: Provided by the company
  • Annual Leave: Thirty (30) day/s with salary after 1 year

All other terms & conditions shall be in accordance with UAE labor laws. IF YOU ACCEPT OUR JOB PROPOSAL THEN PLEASE CLICK BELOW BUTTON: ACCEPT JOB PROPOSAL

Should you have any questions email us hrdepartment@etihadgroupofcompanies[.]com / ert@etihadgroupcareer[.]com www.etihadgroupofficial[.]com

Thank you! Best Regards
Oleksandr Buryma (HR Manager)
Etihad Recruitment Team (ERT)
Copyright Etihad Group Of Companies.

Additionally, users are sent text messages that further lure them into believing the job offer is real and authentic.


Indicators of Compromise

URLs

www.etihadgroupofficial[.]com

Email Address

  • hrdepartment@etihadgroupofcompanies[.]com
  • ert@etihadgroupcareer[.]com

Email Subject

Etihad Group Of Companies Congratulate The Lucky Candidate Who Upload There Resume On Job Seeking Website!

Remediation

  • Block threat indicators at respective controls
  • Always be aware of the suspicious emails sent by unknown senders
  • Never click on the link/attachments sent by unknown senders

Rewterz Threat Alert – Lazarus Group – Indicators of Compromise

Analysis Summary

The APT group Lazarus continues to target the financial sector with enhanced techniques and tools and is currently actively distributing malware. The group uses customized PowerShell scripts on Windows systems; these scripts connect to the command and control infrastructure and await commands. The scripts disguise themselves with names that resemble WordPress files or other open-source file names.

Impact

Malware infection

Indicators of Compromise

IP(s) / Hostname(s)


Malware Hash (MD5/SHA1/SHA256)


Remediation

  • Block threat indicators at respective controls 
  • Always be aware of the suspicious emails sent by unknown senders 
  • Never click on the link/attachments sent by unknown senders

Copyright © Rewterz. All rights reserved.