Rewterz Threat Alert – Emotet/TrickBot Malware Recent Samples – IoCs
February 10, 2020
Rewterz Threat Alert – Cracked Software Used to Distribute Malware
February 11, 2020
Severity
High
Analysis Summary
Researchers observed an increase in the number of artifacts and victims in a campaign by a specific threat group against Malaysian Government officials. The group's motive is believed to be data theft and exfiltration. The group sends spear-phishing emails from previously compromised email accounts or from addresses impersonating legitimate senders. The primary delivery method is a spear-phishing email carrying a malicious attachment, although delivery through Google Drive links has also been observed. The sender poses as a journalist, an individual from a trade publication, or someone from a relevant military organization or non-governmental organization (NGO) and asks the recipient to enable macros in a Microsoft Office document; once enabled, the macro drops a malicious executable that downloads a loader.
Impact
- Data breach
- Exposure of sensitive information
Indicators of Compromise
MD5
- 4114857f9bc888122b53ad0b56d03496
- 6889c7905df000b874bfc2d782512877
- 7233ad2ba31d98ff5dd47db1b5a9fe7c
- 3c43eb86d40ae78037c29bc94b3819b7
- 89a81ea2b9ee9dd65d0a82b094099b43
- cf94796a07b6082b9e348eef934de97a
- 4c47ca6ecf04cfe312eb276022a0c381
- f744481a4c4a7c811ffc7dee3b58b1ff
- ae342bf6b1bd0401a42aae374f961fc6
- 5fe8dcdfe9e3c4e56e004b2eebf50ab3
- 3cb38f7574e8ea97db53d3857830fcc4
- 3ca84fe6cec9bf2e2abac5a8f1e0a8d2
- 8a133a382499e08811dceadcbe07357e
- a827d521181462a45a7077ae3c20c9b5
- fe1247780b31bbb9f54a65d3ba17058f
- b427c7253451268ca97de38be04bf59a
- 4c89d5d8016581060d9781433cfb0bb5
- 6e9f0c3f64cd134ad9dfa173e4474399
- d81db8c4485f79b4b85226cab4f5b8f9
- 01b5276fdfda2043980cbce19117aaa0
SHA-256
- fce38b7bb25817ccaf921d5ac96f4e6c9b865fbe020204af5cf34b604868d1fa
- 4b0a9cbd861b67ad54cab8b46941212bfd1bf1943c7b9942d545a144ffcd5da6
- f3186dafca8b032f5b942d81b66d3ab631dc41463d3c8d319f1a0a374f809cdf
URL
- http[:]//152[.]89[.]161[.]5/mpsvc[.]txt
- http[:]//139[.]162[.]44[.]81/main[.]dotm
- http[:]//207[.]148[.]79[.]152/main[.]dotm
- http[:]//167[.]99[.]72[.]82/main[.]dotm
- http[:]//159[.]65[.]197[.]248/WinWord[.]dotm
- http[:]//152[.]89[.]161[.]5/msmpeng[.]txt
- http[:]//195[.]12[.]50[.]168/D2_de2o@sp0/
- http[:]//dynamics[.]ddnsking[.]com/Word[.]dotm
Remediation
- Block all threat indicators at your respective controls (the URLs above are defanged with [:] and [.] and must be refanged before loading into a proxy or DNS blocklist).
- Restrict Microsoft Office macro execution (for example, allow only digitally signed macros), since the lure depends on the recipient enabling macros.
- Always be suspicious of emails sent by unknown senders.
- Never click on links or open attachments sent by unknown senders.
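As an added example that is not part of the Rewterz alert, the following Python script turns the indicators above into something the controls can consume: it refangs the URLs into a host blocklist, hashes files on disk against the MD5 and SHA-256 lists, and sweeps a proxy log excerpt for contacts with the listed hosts. The subset of IoCs embedded in it is copied from the lists above; the proxy log lines are constructed for illustration, and the function names are my own.

```python
import hashlib
import io
from pathlib import Path
from urllib.parse import urlparse

# Subset of the indicators listed in this alert, in the defanged form used above.
DEFANGED_URLS = [
    "http[:]//152[.]89[.]161[.]5/mpsvc[.]txt",
    "http[:]//139[.]162[.]44[.]81/main[.]dotm",
    "http[:]//159[.]65[.]197[.]248/WinWord[.]dotm",
    "http[:]//dynamics[.]ddnsking[.]com/Word[.]dotm",
]
MD5_IOCS = {
    "4114857f9bc888122b53ad0b56d03496",
    "6889c7905df000b874bfc2d782512877",
}
SHA256_IOCS = {
    "fce38b7bb25817ccaf921d5ac96f4e6c9b865fbe020204af5cf34b604868d1fa",
}

# Constructed proxy log excerpt (not real traffic): timestamp, client IP, method, URL, status.
SAMPLE_PROXY_LOG = """\
2020-02-11T09:14:02Z 10.0.0.15 GET http://139.162.44.81/main.dotm 200
2020-02-11T09:14:05Z 10.0.0.15 GET http://www.example.com/index.html 200
2020-02-11T09:15:30Z 10.0.0.22 GET http://dynamics.ddnsking.com/Word.dotm 200
"""


def refang(url: str) -> str:
    """Undo the [:] and [.] defanging so the URL can be loaded into a proxy or DNS blocklist.
    'hxxp' is handled as well because many feeds defang the scheme that way."""
    return url.replace("[:]", ":").replace("[.]", ".").replace("hxxp", "http")


def hosts_from_urls(urls) -> list:
    """Hosts (IPs and domains) to block; blocking the host covers every path served from it."""
    return sorted({urlparse(refang(u)).hostname for u in urls})


def hash_stream(fh) -> tuple:
    """MD5 and SHA-256 computed in a single pass over a binary stream."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    for chunk in iter(lambda: fh.read(1 << 20), b""):
        md5.update(chunk)
        sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


def hash_bytes(data: bytes) -> tuple:
    return hash_stream(io.BytesIO(data))


def match_hashes(md5_hex, sha256_hex, md5_iocs=MD5_IOCS, sha256_iocs=SHA256_IOCS):
    """Return which indicator type matched ('sha256' or 'md5') or None.
    SHA-256 is checked first because MD5 collisions are cheap to craft."""
    if sha256_hex.lower() in sha256_iocs:
        return "sha256"
    if md5_hex.lower() in md5_iocs:
        return "md5"
    return None


def scan_directory(root, md5_iocs=MD5_IOCS, sha256_iocs=SHA256_IOCS) -> list:
    """Hash every regular file under root and report (path, match type) for IoC hits."""
    hits = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        with open(path, "rb") as fh:
            md5_hex, sha256_hex = hash_stream(fh)
        kind = match_hashes(md5_hex, sha256_hex, md5_iocs, sha256_iocs)
        if kind:
            hits.append((str(path), kind))
    return hits


def find_proxy_hits(log_text: str, blocked_hosts) -> list:
    """Return (timestamp, client, host) for log lines whose URL host is an indicator."""
    blocked = set(blocked_hosts)
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # skip malformed lines rather than abort the hunt
        host = urlparse(fields[3]).hostname
        if host in blocked:
            hits.append((fields[0], fields[1], host))
    return hits


if __name__ == "__main__":
    hosts = hosts_from_urls(DEFANGED_URLS)
    print("block at DNS/proxy:", hosts)
    for ts, client, host in find_proxy_hits(SAMPLE_PROXY_LOG, hosts):
        print(f"{ts} {client} contacted indicator host {host}")
```

Hash matching only catches the exact samples listed; a recompiled dropper will have a new hash, so the host blocklist and the proxy sweep are the more durable of the three checks. Run `scan_directory` against mail attachment quarantine or user download folders, and feed `hosts_from_urls` into whatever blocklist format your proxy or resolver accepts.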