Severity
High
Analysis Summary
TA505 is a prolific cybercriminal group known for its attacks against multiple financial institutions and retail companies using malicious spam campaigns and a variety of malware. In its latest campaign, the group is targeting financial institution employees with phishing emails that lure them into downloading malicious attachments. The attachments carry the Get2 downloader (aka FRIENDSPEAK; GetAndGo). Once installed, the malware connects to its command and control (C2) server, downloads the SDBot Remote Access Trojan (RAT), and harvests financial data. Data exfiltration is the primary goal of this campaign, which is currently active and targeting users across different organizations.
Impact
- Data exfiltration
- Exposure of sensitive data
Indicators of Compromise
Filename
- Invoice [0-9]{5} – Due Date _ 12 June 2020 – Client ID [0-9]{7}[.]html
- PD_304 41237[.]xls
- libOmio[.]dll
- [0-9]{8}_Agreement[.]xls
- Certificate[.]html
- Certificate_9507[.]xls
From Email
MD5
SHA-256
SHA1
Remediation
- Block all threat indicators at your respective controls.
- Search for these IoCs in your existing environment.