
Rewterz Threat Alert – APT Group TA505 Latest IOCs

June 21, 2020

Severity

High

Analysis Summary

TA505 is a prolific cybercriminal group known for attacks against multiple financial institutions and retail companies, using malicious spam campaigns and a variety of malware. In its latest campaign, the group targets employees of financial institutions with phishing emails that lure them into opening malicious attachments. The attachment delivers the Get2 downloader (also known as FRIENDSPEAK and GetAndGo). Once installed, Get2 connects to its command and control (C2) server and downloads the SDBot Remote Access Trojan (RAT), which is then used to harvest financial data. Data exfiltration is the main goal of this campaign, which is currently active and targeting users across multiple organizations.

Impact

  • Data exfiltration
  • Exposure of sensitive data

Indicators of Compromise

Filename

  • Invoice [0-9]{5} – Due Date _ 12 June 2020 – Client ID [0-9]{7}[.]html
  • PD_304 41237[.]xls
  • libOmio[.]dll
  • [0-9]{8}_Agreement[.]xls
  • Certificate[.]html
  • Certificate_9507[.]xls

From Email

  • admin@gllc[.]vn
  • aecs4@aeg[.]com[.]hk
  • andrea@locksafe[.]eu
  • anna@infowest[.]com
  • calidad@laredo[.]globalpc[.]net
  • chitose@din[.]or[.]jp
  • cristian[.]dabija@econ[.]ubbcluj[.]ro
  • daisei[.]itoh@moltec[.]co[.]jp
  • dybrown@kimbanet[.]com
  • dylan@emmettlam[.]com
  • e[.]garelli@atc[.]torino[.]it
  • ebrown@freestylefund[.]com
  • elfi@jandrisits[.]at
  • encuestas@lamercedpilar[.]com
  • envisep@acimgroup[.]it
  • grigoryanc@prima-group[.]kz
  • haipm@scsc[.]vn
  • home@filingworld[.]com
  • info@de-online-marketing[.]de
  • info@seikatu-k[.]co[.]jp
  • janeinarvestersjo@vabb[.]no
  • jmacias@gpobuenaventura[.]com[.]mx
  • kiara@legalshieldassociate[.]com
  • leigh[.]h@hallfn[.]com[.]au
  • libing@dlcs100[.]com
  • mcgee@legalshieldassociate[.]com
  • mirella@intuition[.]it
  • plumbs@cloudburst9[.]net
  • postmaster@supremespine[.]com
  • pruocco@comune[.]follonica[.]gr[.]it
  • rajender@kaninsure[.]com
  • sem@sadna[.]co[.]il
  • spam@rnbconsultants[.]com
  • william@holein1[.]ie

MD5

  • de515ae373ce70f38a354c38eb566ad1
  • 5a9caa83d88b6ddd7797ffb5f4627f2a
  • 83b02e12a48b092f91788d7c253dd1c2
  • b24573232df8a4bc23094f8f8fc7f6aa
  • e11fa4e6761d28716cab9390810d9bf1
  • b41294d15b96ba28a826711a6bfacea6
  • 39645282244265d9499f025737198d97
  • a8653b87fa1d4f73da86fd962e9c4b95

SHA-256

  • 17d515558faae741a3d0f9ced348e61a39eda6f62e153eb78e44e3ac3a0515b9
  • cfc8fcfbd2f8f4938a2bdd0a0763abfcec3a340f7769f84607b7441bb8f0fdf1
  • e35b9feacfba1df802f9ed242775361f4317c22782f4e9e2dddd095577a72487
  • 4e29416f27ab332ba6f9d40f50bc0ad257f9f495c34a9c190d9041620045bda7
  • 5f39db475fb85cf4a5dce2919fedf61a8e20d0e090cc96743ef128eb17039583
  • e18a16a1bf86180d29e95df285b90bf88fab87f6244e836bd8510515daa0be90
  • dee470720cce3358400e99197cb1f6443966de78559d2cc8825c098561d0c278
  • acd7214a4c37bbfd55ea244080769e4c0daf59edb47b3abcddcf5874cdb3054f

SHA1

  • 779f23b8a99888e9e6c0729bd291c4b666a5f1c2
  • 5aaba4ab168d59884143b45681cdb2682b2c39c6
  • acf4e3c3fd1772c7d4ebec32b38d018cce4e9707
  • f3cb1e5a4e6a1a28150e9d9bf1f59b7614ec689a
  • e1f24b156e83a575b5f134b082a3a22907405bf6
  • 704b7822d8729b6c431a1b84dbe77976312ffaf6
  • 073b432c6e4a1a2f300c48e65f5fbf1429151be2
  • b17b32b567f1a600338f61b27f316f893aad195d

Remediation

  • Block the indicators above (sender addresses, file hashes) at your respective controls: mail gateway, web proxy and endpoint protection.
  • Search for these IoCs in your existing environment: mail gateway logs for the sender addresses and attachment names, and endpoint or file-inventory telemetry for the hashes.
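The following script is an added example of the second remediation step, not Rewterz tooling. It refangs a subset of the advisory's defanged indicators (`[.]` back to `.`), compiles the regex-style attachment name patterns as published, and then checks three artefact types against them: file digests (MD5, SHA-1 or SHA-256, selected by digest length), sender addresses and attachment names pulled from mail-gateway log lines. The log line format and the sample log lines are constructed for this example; adapt `LINE_RE` to your gateway's actual format.

```python
"""Hunt for the TA505 advisory IoCs in file hashes and mail-gateway logs.

Added example, not Rewterz tooling. The indicator subset below is copied
from the advisory in its defanged form; the log format is an assumption.
"""
import hashlib
import re

# Subset of the advisory's sender addresses, kept defanged exactly as published.
DEFANGED_SENDERS = ["admin@gllc[.]vn", "spam@rnbconsultants[.]com", "anna@infowest[.]com"]

# One digest from each of the advisory's hash lists; lookups are case-insensitive.
HASHES = {
    "de515ae373ce70f38a354c38eb566ad1",                                  # MD5
    "779f23b8a99888e9e6c0729bd291c4b666a5f1c2",                          # SHA-1
    "17d515558faae741a3d0f9ced348e61a39eda6f62e153eb78e44e3ac3a0515b9",  # SHA-256
}

# Attachment names are published as regex-style patterns where the numeric
# parts vary, so they are compiled as-is. In regex syntax "[.]" already means
# a literal dot, so these need no refanging.
FILENAME_PATTERNS = [
    r"Invoice [0-9]{5} – Due Date _ 12 June 2020 – Client ID [0-9]{7}[.]html",
    r"PD_304 41237[.]xls",
    r"[0-9]{8}_Agreement[.]xls",
    r"Certificate_9507[.]xls",
    r"libOmio[.]dll",
]

DIGEST_NAMES = {32: "md5", 40: "sha1", 64: "sha256"}

# Assumed gateway log format: "<timestamp> from=<address> attach=<file name>".
LINE_RE = re.compile(r"from=(\S+)\s+attach=(.*)$")


def refang(indicator):
    """Turn a defanged indicator (a@b[.]com, hxxp://) back into its live form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


SENDERS = {refang(s).lower() for s in DEFANGED_SENDERS}
FILENAME_RES = [re.compile(r"^(?:" + p + r")$", re.IGNORECASE) for p in FILENAME_PATTERNS]


def classify_hash(digest):
    """Return 'md5', 'sha1' or 'sha256' if the digest is a listed IoC, else None."""
    digest = digest.strip().lower()
    return DIGEST_NAMES.get(len(digest)) if digest in HASHES else None


def hash_file_bytes(data):
    """All three digests of a file's content, so every hash list can be checked."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def file_matches(data):
    """Name of the hash list a file's content hits, or None if it is clean."""
    for name, digest in hash_file_bytes(data).items():
        if classify_hash(digest):
            return name
    return None


def filename_matches(name):
    """True if an attachment name fits one of the advisory's filename patterns."""
    return any(r.match(name) for r in FILENAME_RES)


def hunt_mail_log(lines):
    """Return (line_number, reason) pairs for log lines that hit a sender or filename IoC."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LINE_RE.search(line)
        if not m:
            continue
        sender, attach = m.group(1).lower(), m.group(2).strip()
        if sender in SENDERS:
            hits.append((n, "sender " + sender))
        if filename_matches(attach):
            hits.append((n, "attachment " + attach))
    return hits


# Constructed sample log lines: one clean line, then three that should hit.
SAMPLE_LOG = [
    "2020-06-19T08:01:12Z from=accounts@example.org attach=Q2_report.pdf",
    "2020-06-19T08:04:55Z from=Admin@gllc.vn attach=Certificate_9507.xls",
    "2020-06-19T08:05:30Z from=hr@example.org attach=20200615_Agreement.xls",
    "2020-06-19T08:09:02Z from=noreply@example.org "
    "attach=Invoice 48213 – Due Date _ 12 June 2020 – Client ID 7741026.html",
]

if __name__ == "__main__":
    for line_no, reason in hunt_mail_log(SAMPLE_LOG):
        print("line %d: %s" % (line_no, reason))
    print("benign bytes hit list:", file_matches(b"not malware"))
```

Matching on the sender address alone is a weak signal (the listed addresses are compromised or spoofed legitimate senders), so treat a sender hit as a pivot to the attachment and its hash rather than as a verdict on its own.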
COPYRIGHT © REWTERZ. ALL RIGHTS RESERVED.