Rewterz Threat Alert – DNS Compromise Attack Phishing Spam

Tuesday, June 11, 2019

Severity

Medium

Analysis Summary

A new finance spam campaign with HTML attachments has been discovered that utilizes Google’s public DNS resolver to retrieve JavaScript commands embedded in a domain’s TXT record. These commands will then redirect a user’s browser to a aggressive trading advertisement site, which has been reported as a scam.

All the emails were very simple emails with a HTML attachment look like this:

Scam Email

All the emails came from IP numbers that have previously been seen to be used by Necurs botnet. The domains listed in the from box do not track back to the IP numbers they came from.

The script in the file looks like:

fake invoic html file

Indicators of Compromise

URLs

  • appteslerapp[.]com
  • fetch[.]bucsgwbno[.]samaste[.]net
  • fetch[.]faonwvzso[.]ourmazdcompany[.]net
  • fetch[.]kkqhoniv[.]baranweddings[.]com
  • fetch[.]nukss[.]hrhuae[.]com
  • fetch[.]pebabsacc[.]sarahelizabethjewelry[.]com
  • fetch[.]qedrbzpzzx[.]baranevents[.]com
  • http[:]//www[.]1835bfg36abp[.]ctifsouteni[.]icu/456[.]xn--html-sw3b
  • http[:]//www[.]14534bfg36abp[.]etapportert[.]icu/5436[.]xn--html-sw3b
  • http[:]//www[.]488bfg36abp[.]ffrirbesoin[.]icu/1446[.]xn--html-sw3b
  • http[:]//www[.]5438bfg36abp[.]ffrirbesoin[.]icu/3643[.]xn--html-sw3b
  • http[:]//www[.]55696bfg36abp[.]ielassocier[.]icu/7467[.]xn--html-sw3b
  • http[:]//www[.]66688bfg36abp[.]ffrirbesoin[.]icu/3161[.]xn--html-sw3b
  • http[:]//www[.]7913bfg36abp[.]etapportert[.]icu/33476[.]xn--html-sw3b
  • http[:]//www[.]81934bfg36abp[.]etapportert[.]icu/3185[.]xn--html-sw3b
  • https[:]//appteslerapp[.]com/
  • ns1[.]firstdnshoster[.]com
  • ns[.]firstdnshoster[.]com
  • www[.]1835bfg36abp[.]ctifsouteni[.]icu
  • www[.]14534bfg36abp[.]etapportert[.]icu
  • www[.]488bfg36abp[.]ffrirbesoin[.]icu
  • www[.]5438bfg36abp[.]ffrirbesoin[.]icu
  • www[.]55696bfg36abp[.]ielassocier[.]icu
  • www[.]66688bfg36abp[.]ffrirbesoin[.]icu
  • www[.]7913bfg36abp[.]etapportert[.]icu
  • www[.]81934bfg36abp[.]etapportert[.]icu

Remediation

  • Block threat indicators at your respective controls.
  • Always be suspicious about emails sent by unknown senders.
  • Never click on the link/ attachments sent by unknown senders.

Data Sheets

Corporate Brochure


Our Story


Services


Solutions


Managed Security


Upcoming Rewterz Trainings/Events

Rewterz News

  • 14, June 2019 Rewterz Threat Alert – Advanced Attack Tools Target Non-patched Systems to Distribute Cryptocurrency Miners
  • 14, June 2019 Rewterz Threat Advisory – HP Service Manager Multiple Security Bypass Vulnerabilities
  • 14, June 2019 Rewterz Threat Advisory – CVE-2019-1029 – Microsoft Lync Server 2010 / 2013 Denial of Service Vulnerability
  • 14, June 2019 Rewterz Threat Alert – “Love You” Malspam Phishing Campaign Reemerged

Copyright © Rewterz. All rights reserved.