
Rewterz Threat Alert – Agent Tesla and IcedID banking Trojan Malspam Campaigns

October 9, 2020

Severity

Medium

Analysis Summary

Two new malspam campaigns have been detected distributing the Agent Tesla malware and the IcedID banking trojan. In the first campaign, an e-mail message was detected whose sender pretends to be an Italian company and which is addressed to Italian users. The theme of the email is a fake purchase order; the attachment is a .DAT file that contains a malicious .EXE executable associated with the Agent Tesla malware.

The second campaign distributes the IcedID banking trojan. The email is almost devoid of text and asks the recipient to unzip the attached archive ("request.zip"). The archive contains a Word document, "particulars_010.20.doc", whose AutoOpen macro downloads the second stage of the malware from a domain that appears to be randomly generated. The second stage, which arrives as a file with a .cab extension (or .pdf in other cases), hides a malicious DLL that carries the functionality of the malware.

Impact

  • Information theft
  • Exposure of Sensitive Data
  • Financial Theft

Indicators of Compromise

Domain Name

  • o7s3dv4[.]com

Filename

  • particulars_010[.]20[.]doc

From Email

  • salma[.]moustafa@asass[.]net

URL

  • http[:]//o7s3dv4[.]com/gosy/dyxyd[.]php?l=zuhag6[.]cab

Remediation

  • Block the threat indicators at their respective controls.
  • Do not download email attachments coming from unknown senders.
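As an added example (not part of the advisory), the following Python script refangs the indicators listed above and checks them, together with the two attachment chains described in the analysis, against constructed mail-gateway and web-proxy log lines; the log format and the sample values are assumptions.

```python
# Indicators quoted in the advisory above, in the defanged form it publishes them.
DEFANGED_IOCS = {
    "domain": ["o7s3dv4[.]com"],
    "filename": ["particulars_010[.]20[.]doc"],
    "sender": ["salma[.]moustafa@asass[.]net"],
    "url": ["http[:]//o7s3dv4[.]com/gosy/dyxyd[.]php?l=zuhag6[.]cab"],
}

def refang(value: str) -> str:
    """Undo the '[.]' / '[:]' defanging so an indicator matches what logs actually record."""
    return value.replace("[.]", ".").replace("[:]", ":").lower()
IOCS = {kind: {refang(v) for v in vals} for kind, vals in DEFANGED_IOCS.items()}

# Constructed sample log lines (not from the advisory): a mail gateway and a web proxy.
SAMPLE_MAIL = """\
2020-10-09T08:12:03Z from=salma.moustafa@asass.net to=u1@example.org attach=request.zip inner=particulars_010.20.doc
2020-10-09T08:14:55Z from=ordini@vendor.example to=u2@example.org attach=ordine_4471.dat inner=ordine_4471.exe
2020-10-09T08:20:10Z from=hr@example.org to=u3@example.org attach=benefits.pdf inner=-
"""
SAMPLE_PROXY = """\
2020-10-09T08:13:40Z src=10.0.0.15 url=http://o7s3dv4.com/gosy/dyxyd.php?l=zuhag6.cab status=200
2020-10-09T08:15:02Z src=10.0.0.22 url=https://www.example.org/index.html status=200
"""

def _fields(line: str) -> dict:
    """key=value tokens after the timestamp; split on the first '=' so URLs keep their query string."""
    return dict(tok.split("=", 1) for tok in line.split()[1:])

def scan(text: str) -> list:
    """(timestamp, reasons) for log lines that hit an advisory IoC or one of the attachment chains above."""
    hits = []
    for line in text.splitlines():
        f = _fields(line)
        checks = []
        if "attach" in f:                       # mail-gateway record
            outer, inner = f["attach"].lower(), f["inner"].lower()
            checks = [
                (f["from"].lower() in IOCS["sender"], "sender in advisory"),
                (inner in IOCS["filename"], "attachment name in advisory"),
                (outer.endswith(".zip") and inner.endswith(".doc"), "zip carrying a .doc (IcedID lure chain)"),
                (outer.endswith(".dat") and inner.endswith(".exe"), ".dat carrying an .exe (Agent Tesla lure chain)"),
            ]
        elif "url" in f:                        # web-proxy record
            url = f["url"].lower()
            host = url.partition("//")[2].partition("/")[0]
            checks = [(url in IOCS["url"], "URL in advisory"), (host in IOCS["domain"], "domain in advisory")]
        reasons = [why for ok, why in checks if ok]
        if reasons:
            hits.append((line.split()[0], reasons))
    return hits
```

The chain checks are heuristics that will also flag benign zip-wrapped documents, so treat them as hunting leads rather than blocking rules.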