Rewterz Threat Alert – LokiBot – Active IOCs
March 17, 2021Rewterz Threat Advisory – CVE-2021-26987 – Multiple NetApp products code execution
March 18, 2021Rewterz Threat Alert – LokiBot – Active IOCs
March 17, 2021Rewterz Threat Advisory – CVE-2021-26987 – Multiple NetApp products code execution
March 18, 2021Severity
Medium
Analysis Summary
AZORult is a Trojan stealer that collects various data on infected computers and sends it to the C&C server, including browser history, login credentials, cookies, files from folders as specified by the C&C server (for example, all TXT files from the Desktop folder), cryptowallet files, etc. The malware can also be used as a loader to download other malware.
Impact
- Information theft
- Credential theft
- Exposure of sensitive data
Indicators of Compromise
URL
- http[:]//45[.]85[.]90[.]188/az1/wuvc/index[.]php
- http[:]//lexusgx[.]tk/prosper/index[.]php
- http[:]//validation[.]wootraining[.]certificacion[.]cl/BvCu/index[.]php
- http[:]//18[.]157[.]168[.]193/index[.]php
- http[:]//crmmanivela[.]com/dd[.]exe
- http[:]//elovisboy[.]com/PL341/index[.]php
- http[:]//binatonezx[.]ga/prosper/index[.]php
- http[:]//74[.]208[.]88[.]51/index[.]php
- http[:]//70[.]35[.]205[.]100/index[.]php
- http[:]//mkontakt[.]az/obi[.]exe
Remediation
- Block all threat indicators at your respective controls.
- Search for IOCs in your environment.