• Services
    • Asses
      • Compromise Assessment
      • APT Assessment
      • Penetration Testing
      • Secure Architecture Design & Review
      • Red Team Assessment
      • Purple Team Assessment
      • Social Engineering
      • Source Code Review
    • Transform
      • SOC Consultancy
      •     SOC Maturity Assessment
      •     SOC Model Evaluation
      •     SOC Gap Analysis
      •     SIEM Gap Analysis
      •     SIEM Optimization
      •     SOC Content Pack
    • Train
      • Security Awareness and Training
      • Tabletop Exercise
      • Simulated Cyber Attack Exercises
    • Respond
      • Incident Response
      • Incident Analysis
  • Managed Security
    • Managed Security Monitoring
      • Remote SOC
      • Onsite SOC
      • Hybrid SOC
    • Managed Security Services
      • Managed Detection and Response
      • Managed Endpoint Detection and Response
      • Managed Threat Intelligence
      • Managed Threat Hunting
      • Managed Risk-Based SOAR
      • Managed Penetration Testing
  • Solutions
  • Resources
    • Blog
    • Threat Advisory
  • Company
    • About Us
    • Careers
    • Contact
Rewterz Threat Alert – Message Hoaxing emerges in Pakistan via ScareWare Messages
December 31, 2018
Rewterz Threat Advisory – Adobe Flash Player Zero-Day vulnerability CVE-2018-15982 exploited in APT Attacks
January 4, 2019

Rewterz Threat Alert – Compromised Email account used for targeting financial organizations

January 1, 2019

SEVERITY: Medium

 

 

CATEGORY: Cyber Crime

 

 

ANALYSIS SUMMARY

 

 

A compromised email account belonging to an employee of the financial sector was used to target another financial organization in Russia. The email contained a malicious Word document, which executed Javascript to drop a Meterpreter payload. The tactical methodology of this email campaign resembles with another campaign called MoneyTaker that emerged in October 2018. Both campaigns target Russian financial organizations and use similar techniques, thereby hinting at a common origin. The email account and the email template used in this campaign belongs to Alfa Capital of Russia.

 

The word document contained in the email was an Office Open XML document, containing an OLE object and JavaScript containing binary data. The JavaScript is hidden behind a PDF icon in the document. As the target clicks the PDF, they receive a prompt to run the file.

 

The Meterpreter payload is downloaded using a HTTP POST request to 185[.]117[.]75[.]73. The SSL certificate for https://185[.]117[.]75[.]73 was issued for the domain cbrrf[.]tech which happens to be the domain for the C&C server used in the October campaign.

 

Peculiar as it is, the SSL certificate presented by 185[.]117[.]75[.]73 was changed in later December to a certificate for files[.]migcredit[.]host, generated via Let’s Encrypt. The domain migcredit[.]host was earlier used in the October campaign and a fresh SSL certificate suggests that it is likely to resurface in upcoming campaigns. The indicators of compromise were retrieved in the concluding week of 2018.

 

 

Indicators of Compromise

 

IP(s) / Hostname(s)

185[.]117[.]75[.]73

 

URLs

  • https://185[.]117[.]75[.]73:443/LGdbmOghX_gtGSwbcQqdUAmyKLQqZKm2G6YD___QRkiZ4C9LEg6xq73ClIrpAe3OgmJxI XUe6YOVnM0VfwI7a5lLVChCdNvFZR/
  • cbrrf[.]tech
  • migcredit[.]host
  • https://185[.]117[.]75[.]73:443/9BTDDrzQPUxjU2JSP0DQUgWrp3ssj79u9A4-85X7JJ9xCVTvfHdMD6WpfeZOJ_pOoG/

 

Malware Hash

  • 7cae71083d2a48217c1e6daa2ecf23656d25f8e1
  • 8a1be90d944b8f6b7f15eb2e67efb876a45b8ead0a496fd44a3f2daf4e65cab4
  • 8958c87cf0d37660b18b050328b1d169
  • 34ed9f1979a3fcf1ff166ea89073a4684c576bec
  • f7d0cca48627a11bfcc3a6845cac09ec8f687a94ba75cf0fa4db042f33607993
  • b26e04c40e740117c70f1fe5821650ce
  • fd7d781dc27be4224c3d40abc721e28d39bfb6b7
  • 071c29fcef473feae536136756c66426f635ee957b50724ee0bffa106f18fdd3
  • a7cb468f17aae8b2f5bc6e0ca15e4285
  • 95b03cc29cfacf86772dfedd867dfb330ef6086e
  • 1e4b3f2118368f4e9aa6c87288b144e07fb1fcc63903f33d98018c6862fe3608
  • febca0710ba10a58672674cf7bd5cacc
  • 55df0445859df73251602144279af233c1cbcef3
  • 8b1d88dec146a22d2efb6460d91ce012b00679c05a4cdcee5d1256cc81900b2e
  • af300509f4190b2a6598333690076e01

 

 

Remediation

 

It is suggested to block the Indicators of Compromise at their respective controls. As more and more sophisticated email spam campaigns are emerging, employee training must be ensured so that they don’t fall victim to such phishing attacks.

  • Services
    • Asses
      • Compromise Assessment
      • APT Assessment
      • Penetration Testing
      • Secure Architecture Design & Review
      • Red Team Assessment
      • Purple Team Assessment
      • Social Engineering
      • Source Code Review
    • Respond
      • Incident Response
      • Incident Analysis
  • Transform
    • SOC Consultancy
    •     SOC Maturity Assessment
    •     SOC Model Evaluation
    •     SOC Gap Analysis
    •     SIEM Gap Analysis
    •     SIEM Optimization
    •     SOC Content Pack
  • Train
    • Security Awareness and Training
    • Tabletop Exercise
    • Simulated Cyber Attack Exercises
  • Managed Security
    • Managed Security Monitoring
      • Remote SOC
      • Onsite SOC
      • Hybrid SOC
    • Managed Security Services
      • Managed Detection and Response
      • Managed Endpoint Detection and Response
      • Managed Threat Intelligence
      • Managed Threat Hunting
      • Managed Risk-Based SOAR
      • Managed Penetration Testing
  • Solutions
  • Resources
    • Blog
    • Threat Advisory
  • Company
    • About Us
    • Careers
    • Contact
COPYRIGHT © REWTERZ. ALL RIGHTS RESERVED.