Rewterz Threat Alert – Cybersecurity Vendors Impersonated in Malicious Activities

Severity

High

Analysis Summary

A new cyber attack campaign is observed impersonating cyber security vendors and pushing malicious documents portrayed as intelligence of cyber attacks. The campaign drops macros well detected on threat intelligence forums. The document prompts targets to enable content. Below is a preview of such a document that impersonates FireEye. 

Impact

Malicious code execution

Indicators of Compromise

Domain Name

• microsotflogin[.]com
• faecbooklogin[.]com
• facbeookloggin[.]com
• facebokloggin[.]com
• fireeyee[.]com
• kasparksy[.]com

MD5

• c09e58489e3bef464ee7d53c0d609f78
• 6dcdc730eaaca5983a4d5b26bc247c12
• 768ac4379ebd60fbc3207da789c40683
• 3affe13cc587ef7623ddfc15fc26099d
• 844b0e1a8d79c5c3ecbe970e890f6ea1

SHA-256

• 25801b86c6d2f41ea26db2b6508568ac95e0c568cd7f54af74676181e2564a30
• af443079e30d703a97ee1a8db695398b79a57cb5aa43f5fe4f6c0f95b165feca
• e6e2e20237ae757730b10d6deddce3f3711d09f693fe78d6b25bb6e7626079ac
• 7afe9cb3aebbc59fb0517ad7f34c5a5e9510c20e1c215e80d82c36c468ea1f0a
• 2deb003f7297cb6b40320e38aae81f62e338512bdf0acb27fb3ccdf7386b16aa

SHA1

• 41ede30973d6923c5bc786f1296d9b75fceb6f0c
• 7f9d4122cc2d88f7817843060709a5b4d4c86a7b
• 2583a7aa01fdfe427e19d8d5ed3afe2c59ba33fc
• d8d4d2e2c5c79f6ccafb7b41804f6b6ebfe8139f
• 097548237df53b18c40a00803435f0006b1a66f2

Source IP

• 104[.]244[.]78[.]10
• 46[.]165[.]230[.]12

URL

• https[:]//fireeyee[.]com/reports/fireeye_singapore_apt[.]docm
• hxxp[:]//kasparksy[.]com/reports/kaspersky_report_07_2020[.]docm

Remediation

• Block the threat indicators at their respective controls.
• Do not download attachments from untrusted emails. 
• Do not download any cyber security reports from random sources. 
• Always double-check for spelling mistakes in domain names before clicking on any links.