November 20, 2023
Severity Medium Analysis Summary Agent Tesla is a very popular spyware Trojan built for the.NET framework. Since its initial appearance in 2014, this has been deployed […]
Rewterz Threat Alert – New MuddyWater Activities Uncovered
June 11, 2019Rewterz Threat Advisory – CVE-2019-0303 – SAP BusinessObjects BI Administration Console Cross Site Scripting Vulnerability
June 12, 2019Rewterz Threat Alert – New MuddyWater Activities Uncovered
June 11, 2019Rewterz Threat Advisory – CVE-2019-0303 – SAP BusinessObjects BI Administration Console Cross Site Scripting Vulnerability
June 12, 2019
Severity
Medium
Analysis Summary
A new finance spam campaign with HTML attachments has been discovered that utilizes Google’s public DNS resolver to retrieve JavaScript commands embedded in a domain’s TXT record. These commands will then redirect a user’s browser to a aggressive trading advertisement site, which has been reported as a scam.
All the emails were very simple emails with a HTML attachment look like this:
All the emails came from IP numbers that have previously been seen to be used by Necurs botnet. The domains listed in the from box do not track back to the IP numbers they came from.
The script in the file looks like:
Indicators of Compromise
URLs
- appteslerapp[.]com
- fetch[.]bucsgwbno[.]samaste[.]net
- fetch[.]faonwvzso[.]ourmazdcompany[.]net
- fetch[.]kkqhoniv[.]baranweddings[.]com
- fetch[.]nukss[.]hrhuae[.]com
- fetch[.]pebabsacc[.]sarahelizabethjewelry[.]com
- fetch[.]qedrbzpzzx[.]baranevents[.]com
- http[:]//www[.]1835bfg36abp[.]ctifsouteni[.]icu/456[.]xn--html-sw3b
- http[:]//www[.]14534bfg36abp[.]etapportert[.]icu/5436[.]xn--html-sw3b
- http[:]//www[.]488bfg36abp[.]ffrirbesoin[.]icu/1446[.]xn--html-sw3b
- http[:]//www[.]5438bfg36abp[.]ffrirbesoin[.]icu/3643[.]xn--html-sw3b
- http[:]//www[.]55696bfg36abp[.]ielassocier[.]icu/7467[.]xn--html-sw3b
- http[:]//www[.]66688bfg36abp[.]ffrirbesoin[.]icu/3161[.]xn--html-sw3b
- http[:]//www[.]7913bfg36abp[.]etapportert[.]icu/33476[.]xn--html-sw3b
- http[:]//www[.]81934bfg36abp[.]etapportert[.]icu/3185[.]xn--html-sw3b
- https[:]//appteslerapp[.]com/
- ns1[.]firstdnshoster[.]com
- ns[.]firstdnshoster[.]com
- www[.]1835bfg36abp[.]ctifsouteni[.]icu
- www[.]14534bfg36abp[.]etapportert[.]icu
- www[.]488bfg36abp[.]ffrirbesoin[.]icu
- www[.]5438bfg36abp[.]ffrirbesoin[.]icu
- www[.]55696bfg36abp[.]ielassocier[.]icu
- www[.]66688bfg36abp[.]ffrirbesoin[.]icu
- www[.]7913bfg36abp[.]etapportert[.]icu
- www[.]81934bfg36abp[.]etapportert[.]icu
Remediation
- Block threat indicators at your respective controls.
- Always be suspicious about emails sent by unknown senders.
- Never click on the link/ attachments sent by unknown senders.