Rewterz Threat Alert – SmokeLoader Malware – Active IOCs
December 23, 2021Rewterz Threat Advisory – CVE-2021-4144 – TP-Link TL-WR802N WiFi router
December 24, 2021Rewterz Threat Alert – SmokeLoader Malware – Active IOCs
December 23, 2021Rewterz Threat Advisory – CVE-2021-4144 – TP-Link TL-WR802N WiFi router
December 24, 2021Severity
High
Analysis Summary
APT group Evilnum aka Jointworm has been seen targeting the financial sector with malicious emails. The group first seen in 2018 with the motivation of information theft and espionage has been active recently in an attempt to rob users of their credentials and gaining sensitive information for their gain. The group has primarily targeted fintech organizations based in Israel. These attacks have a possible relationship between Cardinal RAT and another malware family named EVILNUM. EVILNUM is a JavaScript-based malware family that is used in attacks against similar organizations.
Impact
- Credential Theft
- Financial Loss
- Exposure of Sensitive Data
Indicators of Compromise
Filename
- HANSENThomasPassport[.]pdf[.]lnk
MD5
- 6b08457ccb9323dea938f6b097011f46
- b5af9624434cc642e1bcc0e09e0baf26
- eddb6385adcc3b7a58e85b03cac7b94b
SHA-256
- c35e76cbd4b2f6c8869566b2a7ea181dbd98dce251a611e03bb5a2fe1ee8708a
- 0e760e5a7fa21627d83c9a9f5f68d0c5f6ecfade4d6c89d84b8680f67b33262c
- 5e3ec2eae509b51930010aab4ce74804a70ceba5bce1a427548aff1b3f423d5d
SHA-1
- a929ee14a7611cadc6783aea2aef3e329fa4d9db
- 8a22435ec0f9185b6c1ea384ad8c690039a42622
- 5aeb24b023787877cbfb70d7e006271926339f57
URL
- https[:]//cdn[.]jsanalys[.]com/community/02/comm[.]png
- https[:]//cdn[.]cjsassets[.]com/wp-content/uploads/2021/08/202109[.]png
Remediation
- Block all threat indicators at your respective controls.
- Always be suspicious about emails sent by unknown senders.
- Never click on links/attachments sent by unknown senders.
- Search for IOCs in your environment.