January 28, 2021
Severity
Medium
Analysis Summary
Researchers have published their analysis of a recent Zoom-themed phishing campaign. Zoom lures have been used widely in phishing campaigns since the software's surge in use during the pandemic. The body of the phishing email claims that the recipient's Zoom account has been suspended and must be verified. What sets this campaign apart from other Zoom phishing campaigns is its abuse of the legitimate Constant Contact mailing service to get past email defenses: a Constant Contact customer account appears to have been compromised and then used by the attackers to send the phishing emails, so the messages originate from Constant Contact's own sending infrastructure and carry the reputation and authentication results of a trusted bulk mailer. If a user clicks the link in the email, they are redirected through a series of URLs, beginning with a Constant Contact click-tracking (referrer) URL, and land on a copy of the Microsoft Outlook login page. Any credentials entered there are exfiltrated to the attacker. Note that a "Zoom account verification" that ends on an Outlook login page is itself a mismatch a user can spot.
Impact
- Credential theft
- Exposure of sensitive information
Indicators of Compromise
URL
- hXXp[:]//r20[.]rs6[.]net/tn[.]jsp?f=001SZ-07esJCtmzsTnl-2ahmSsp3CpswNGStwYWGtC_zI013A-LeFdzSawGYz8wUt1zjLruZbLT67G_tPvkDNXRwcoznHPJSK7RS79ZwHLoicSBO6M6TrsPHkQ365MAq327s4IDhxhcGO2259_pUcjNZeRvwUri8p&c=3H_CP9T_hN834FXayT3bJQcfuvdg7UAdRmIAMdqKRos8XzZ8B
- hXXps[:]//sankamilan[.]com//httpd/
- hXXps[:]//fueamgm[.]com[.]br/httd/
Remediation
- Block the threat indicators above at your respective controls (secure email gateway, web proxy, DNS filtering). Block the landing-page hosts by hostname, but block the Constant Contact link only as the full tracking URL: r20[.]rs6[.]net is Constant Contact's legitimate click-tracking domain, and blocking the domain itself will break legitimate Constant Contact mail for your organization.
- Search email gateway, web proxy and DNS logs for the IOCs. Treat any request that follows the tracking URL to one of the landing pages, and in particular any POST to a landing page, as a probable credential submission; reset the password and active sessions of the affected user and review that account's sign-in history.
- Enforce multi-factor authentication on Microsoft 365 / Outlook accounts so that stolen passwords alone do not grant access.
- Be suspicious of emails that claim an account has been suspended and demand verification, even when they arrive from a legitimate mailing service such as Constant Contact.
- Never click on links or open attachments sent by unknown senders; to check an account's status, navigate to the service's website directly rather than through a link in an email.
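The following script is an added example, not part of the Rewterz alert, showing how the "search for IOCs" step can be applied to web-proxy logs while honouring the caveat above: the two landing-page hosts are matched by hostname (including subdomains), whereas the Constant Contact tracking link is matched only as the exact URL, because r20.rs6.net is shared, legitimate infrastructure. The IOC strings are the defanged ones from this alert; the log lines, the log format (timestamp, client IP, method, URL, status) and the helper names are constructed for the example.

```python
"""Scan proxy logs for the defanged IOCs from this alert.

Added example; not from the Rewterz alert. The log format and sample
lines below are constructed for illustration.
"""
import re
from urllib.parse import urlsplit

# IOCs copied verbatim (defanged) from the alert.
IOCS = [
    "hXXp[:]//r20[.]rs6[.]net/tn[.]jsp?f=001SZ-07esJCtmzsTnl-2ahmSsp3CpswNGStwYWGtC_zI013A-LeFdzSawGYz8wUt1zjLruZbLT67G_tPvkDNXRwcoznHPJSK7RS79ZwHLoicSBO6M6TrsPHkQ365MAq327s4IDhxhcGO2259_pUcjNZeRvwUri8p&c=3H_CP9T_hN834FXayT3bJQcfuvdg7UAdRmIAMdqKRos8XzZ8B",
    "hXXps[:]//sankamilan[.]com//httpd/",
    "hXXps[:]//fueamgm[.]com[.]br/httd/",
]

# Hosts that are legitimate shared infrastructure: match only the exact URL,
# never the bare hostname, or legitimate Constant Contact mail will be flagged.
SHARED_HOSTS = {"r20.rs6.net"}


def refang(ioc: str) -> str:
    """Turn a defanged indicator (hXXp[:]//x[.]y) back into a real URL."""
    url = ioc.replace("[:]", ":").replace("[.]", ".")
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)


def build_matchers(iocs):
    """Split IOCs into exact-URL matches and hostname matches."""
    exact_urls, hosts = set(), set()
    for ioc in iocs:
        url = refang(ioc)
        host = (urlsplit(url).hostname or "").lower()
        if host in SHARED_HOSTS:
            exact_urls.add(url)
        else:
            hosts.add(host)
    return exact_urls, hosts


def match_url(url, exact_urls, hosts):
    """Return 'exact-url', 'host', or None for a requested URL."""
    if url in exact_urls:
        return "exact-url"
    host = (urlsplit(url).hostname or "").lower()
    if host in hosts or any(host.endswith("." + h) for h in hosts):
        return "host"
    return None


def scan(lines, iocs):
    """Return one hit per matching log line; a POST to a landing page is
    flagged as a probable credential submission."""
    exact_urls, hosts = build_matchers(iocs)
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 5:
            continue  # skip blank or malformed lines
        ts, client, method, url, status = parts[:5]
        kind = match_url(url, exact_urls, hosts)
        if kind is None:
            continue
        hits.append({
            "time": ts, "client": client, "method": method, "url": url,
            "status": status, "match": kind,
            "credential_post": method == "POST" and kind == "host",
        })
    return hits


def users_to_reset(hits):
    """Clients that submitted a form to a landing page: reset their credentials."""
    return sorted({h["client"] for h in hits if h["credential_post"]})


# Constructed sample log: one victim follows the chain and submits the form,
# a second user clicks an unrelated (legitimate) Constant Contact link, a
# third reaches the second landing page via a subdomain.
SAMPLE_LOG = """\
2021-01-28T09:14:02Z 10.0.3.17 GET http://r20.rs6.net/tn.jsp?f=001SZ-07esJCtmzsTnl-2ahmSsp3CpswNGStwYWGtC_zI013A-LeFdzSawGYz8wUt1zjLruZbLT67G_tPvkDNXRwcoznHPJSK7RS79ZwHLoicSBO6M6TrsPHkQ365MAq327s4IDhxhcGO2259_pUcjNZeRvwUri8p&c=3H_CP9T_hN834FXayT3bJQcfuvdg7UAdRmIAMdqKRos8XzZ8B 302
2021-01-28T09:14:03Z 10.0.3.17 GET https://sankamilan.com//httpd/ 200
2021-01-28T09:15:10Z 10.0.3.22 GET http://r20.rs6.net/tn.jsp?f=001LegitNewsletter&c=abc123 302
2021-01-28T09:16:44Z 10.0.3.17 POST https://sankamilan.com//httpd/ 200
2021-01-28T09:20:00Z 10.0.3.40 GET https://www.fueamgm.com.br/httd/login.php 200
"""

if __name__ == "__main__":
    found = scan(SAMPLE_LOG.splitlines(), IOCS)
    for h in found:
        print(h["time"], h["client"], h["method"], h["match"], h["url"][:60])
    print("reset credentials for:", users_to_reset(found))
```

Run against real logs by replacing SAMPLE_LOG with your proxy export; in the sample, 10.0.3.22 is correctly left alone even though it clicked an r20.rs6.net link, and only 10.0.3.17 is queued for a credential reset.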