October 9, 2020
Severity
Medium
Analysis Summary
Two new malspam campaigns have been detected distributing the Agent Tesla malware and the IcedID banking trojan. In the first campaign, an email was detected whose sender pretends to be an Italian company and which is addressed to Italian users. The email poses as a purchase-order notification and carries a .DAT attachment that contains a malicious .EXE executable, which delivers Agent Tesla.
The second campaign distributes the IcedID banking trojan. The email is almost devoid of text and simply prompts the recipient to unzip the attached archive (“request.zip”). The archive contains a Word document, “particulars_010.20.doc”, whose AutoOpen macro downloads the second stage of the malware from a domain that appears to be randomly generated. The second stage, served as a file with a .cab extension (.pdf in other cases), conceals a malicious DLL that contains the malware's functionality.
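As an added example (not part of the Rewterz alert), a small Python triage routine that flags the two attachment patterns described above: a .DAT file whose content is really a Windows PE executable, and a zip archive wrapping a legacy Office document that can carry an AutoOpen macro. The sample message is constructed inline and only reuses the filenames from the alert.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Legacy and macro-enabled Office extensions worth flagging inside archives
OFFICE_EXTS = (".doc", ".docm", ".xls", ".xlsm")


def build_sample_message() -> bytes:
    """Constructed sample email mirroring both campaigns (not a real capture)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["Subject"] = "Purchase order"
    msg.set_content("Please find the order attached.")
    # Campaign 1 pattern: a .DAT attachment that starts with the PE "MZ" header
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60, maintype="application",
                       subtype="octet-stream", filename="order.dat")
    # Campaign 2 pattern: request.zip containing a .doc (OLE header bytes only)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("particulars_010.20.doc", b"\xd0\xcf\x11\xe0" + b"\x00" * 32)
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="request.zip")
    return bytes(msg)


def triage_attachments(raw: bytes) -> list:
    """Return (filename, reason) findings for attachments matching the alert's patterns."""
    findings = []
    msg = email.message_from_bytes(raw, policy=policy.default)
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        # Extension claims a data file, content is a Windows executable
        if name.endswith(".dat") and data[:2] == b"MZ":
            findings.append((name, "PE executable disguised as .DAT"))
        # Archive used as a wrapper around an Office macro carrier
        if name.endswith(".zip") and data[:2] == b"PK":
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    for member in zf.namelist():
                        if member.lower().endswith(OFFICE_EXTS):
                            findings.append((name, f"archive contains Office document {member}"))
            except zipfile.BadZipFile:
                findings.append((name, "corrupt or malformed zip"))
    return findings


if __name__ == "__main__":
    for filename, reason in triage_attachments(build_sample_message()):
        print(f"{filename}: {reason}")
```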
Impact
- Information theft
- Exposure of Sensitive Data
- Financial Theft
Indicators of Compromise
Domain Name
- o7s3dv4[.]com
Filename
- particulars_010[.]20[.]doc
From Email
- salma[.]moustafa@asass[.]net
URL
- http[:]//o7s3dv4[.]com/gosy/dyxyd[.]php?l=zuhag6[.]cab
Remediation
- Block the threat indicators at their respective controls.
- Do not download email attachments coming from unknown senders.