Rewterz Threat Alert – TA505/EvilCorp Recent Activity – IoCs
March 22, 2020
Severity
Medium
Analysis Summary
Amid the COVID-19 hype, attackers keep introducing new attack campaigns to target victims worldwide. Likewise, the coronavirusandlime domain leverages old distribution infrastructure and legacy malware C2 servers, dressed up with new coronavirus themes. Investigators observed HTTP transactions to the URLs listed below, which are tied to malware C2 infrastructure; pivoting on these URLs links them to UPX-packed (Ultimate Packer for Executables) samples and ransomware. Indicators of compromise are given below.
Impact
- Information Theft
- Files encryption
- Financial loss
Indicators of Compromise
Domain Name
- www[.]pastimefoods[.]com
- pastimefoods[.]com
- mofiaweb[.]com
- resultsystem[.]net
- frc-pr[.]com
- adrive62[.]com
- brokensystem[.]net
- doubletrust[.]net
- myshop[.]lk
- stwholesaleinc[.]com
- abelindia[.]com
- imagescameraclub[.]com
- brokentrust[.]net
- doublehonor[.]net
Source IP
- 50[.]63[.]202[.]51
- 50[.]63[.]202[.]38
URL
- http[:]//doubletrust[.]net/index[.]php
- http[:]//brokentrust[.]net/index[.]php
- http[:]//vk12345[.]ru/index[.]html?r=1662jlulffvs
- http[:]//doublehonor[.]net/index[.]php
- http[:]//myshop[.]lk/6872vf[.]php
- http[:]//frc-pr[.]com/da91li[.]php
- http[:]//brokensystem[.]net/index[.]php
Remediation
- Block the threat indicators at their respective controls (DNS, web proxy, firewall, endpoint), matching parent domains so that subdomains of the listed domains are caught as well.
- Use secure email gateways to filter out phishing emails, including coronavirus-themed lures.
- Maintain secure offline backups for all data, since the associated payloads include ransomware.
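As an added example (not part of the Rewterz alert), the script below refangs the domains, IPs and URLs listed above and runs them over a few constructed web-proxy log lines. It matches exact C2 URLs, then destination IPs, then domains including their subdomains, and deliberately does not match look-alike hosts such as notbrokentrust.net. The log line format (timestamp, client IP, method, URL) and the sample entries are assumptions made for the example; only the indicators come from the page.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Indicators copied from the alert above, in the defanged form the page uses.
DEFANGED_DOMAINS = [
    "www[.]pastimefoods[.]com", "pastimefoods[.]com", "mofiaweb[.]com",
    "resultsystem[.]net", "frc-pr[.]com", "adrive62[.]com",
    "brokensystem[.]net", "doubletrust[.]net", "myshop[.]lk",
    "stwholesaleinc[.]com", "abelindia[.]com", "imagescameraclub[.]com",
    "brokentrust[.]net", "doublehonor[.]net",
]
DEFANGED_IPS = ["50[.]63[.]202[.]51", "50[.]63[.]202[.]38"]
DEFANGED_URLS = [
    "http[:]//doubletrust[.]net/index[.]php",
    "http[:]//brokentrust[.]net/index[.]php",
    "http[:]//vk12345[.]ru/index[.]html?r=1662jlulffvs",
    "http[:]//doublehonor[.]net/index[.]php",
    "http[:]//myshop[.]lk/6872vf[.]php",
    "http[:]//frc-pr[.]com/da91li[.]php",
    "http[:]//brokensystem[.]net/index[.]php",
]

# Constructed sample proxy log: "<timestamp> <client ip> <method> <url>" (assumed format).
SAMPLE_LOG = """\
2020-03-24T10:01:02Z 10.0.0.15 GET http://www.example.com/index.html
2020-03-24T10:01:05Z 10.0.0.15 GET http://doubletrust.net/index.php
2020-03-24T10:02:11Z 10.0.0.22 POST http://cdn.brokentrust.net/index.php
2020-03-24T10:03:40Z 10.0.0.22 GET http://50.63.202.51/update.bin
2020-03-24T10:04:00Z 10.0.0.30 GET http://notbrokentrust.net/index.php
2020-03-24T10:05:00Z 10.0.0.30 GET http://vk12345.ru/index.html?r=1662jlulffvs
"""

LOG_LINE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+)")


def refang(indicator: str) -> str:
    """Undo the [.] / [:] / hxxp defanging used in threat alerts."""
    return indicator.replace("[.]", ".").replace("[:]", ":").replace("hxxp", "http")


def build_watchlist(domains=DEFANGED_DOMAINS, ips=DEFANGED_IPS, urls=DEFANGED_URLS):
    """Refang the IoCs into sets for exact (URL, IP) and suffix (domain) matching."""
    url_set = {refang(u) for u in urls}
    domain_set = {refang(d).lower() for d in domains}
    # A C2 URL's host is an indicator in its own right (vk12345[.]ru only appears as a URL).
    domain_set |= {urlparse(u).hostname for u in url_set}
    ip_set = {ipaddress.ip_address(refang(i)) for i in ips}
    return {"urls": url_set, "domains": domain_set, "ips": ip_set}


def domain_matches(host, domain_set):
    """Exact or parent-domain match: cdn.brokentrust.net hits brokentrust.net,
    notbrokentrust.net does not (the leading dot prevents substring false positives)."""
    host = host.lower().rstrip(".")
    for d in domain_set:
        if host == d or host.endswith("." + d):
            return d
    return None


def classify_request(url, watch):
    """Return (kind, indicator) for a requested URL, most specific match first, or None."""
    if url in watch["urls"]:
        return "url", url
    host = urlparse(url).hostname
    if not host:
        return None
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        return ("ip", str(ip)) if ip in watch["ips"] else None
    d = domain_matches(host, watch["domains"])
    return ("domain", d) if d else None


def scan_proxy_log(text, watch=None):
    """Scan log text and return one hit dict per line that touches an indicator."""
    watch = watch or build_watchlist()
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        hit = classify_request(m["url"], watch)
        if hit:
            hits.append({"line": n, "client": m["client"], "kind": hit[0], "indicator": hit[1]})
    return hits


if __name__ == "__main__":
    for h in scan_proxy_log(SAMPLE_LOG):
        print(f"line {h['line']}: {h['client']} -> {h['kind']} indicator {h['indicator']}")
```

The same watchlist can be fed to DNS resolver logs by passing only the queried name through domain_matches, and the suffix rule is what makes the "block parent domains" advice above enforceable rather than a list of exact strings.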