March 22, 2024
Severity High Analysis Summary Ducktail Malware is a malicious program designed by hackers to infiltrate computers and networks globally. Ducktail malware is typically delivered through a […]
Rewterz Threat Alert – AveMaria RAT – Active IOCs
July 9, 2022
Rewterz Threat Alert – Qakbot (Qbot) Malware – Active IOCs
July 9, 2022
Rewterz Threat Alert – AveMaria RAT – Active IOCs
July 9, 2022
Rewterz Threat Alert – Qakbot (Qbot) Malware – Active IOCs
July 9, 2022
Severity
High
Analysis Summary
APT group Evilnum aka Jointworm has been seen targeting the financial sector with malicious emails. The group first seen in 2018 with the motivation of information theft and espionage has been active recently in an attempt to rob users of their credentials and gaining sensitive information for their gain. The Evilnum APT group has mostly targeted FinTech (financial services) sector, particularly those in the UK and Europe that deal with trading and compliance. However, in March, 2022, the group targets Intergovernmental organizations that offer assistance related to international migration.
EVILNUM is a JavaScript-based malware family. A heavily obfuscated JavaScript was used in recent campaigns for dropping the payloads and decryption. Compared to previous versions used by EvilNum APT, this JavaScript has significant improvements in the obfuscation technique.
According to researchers, the APT group registered several domain names using particular keywords relating to the industry vertical targeted in each new instance of the campaign.
- Image source:
Impact
- Exposure of Sensitive Data
- Information Theft and Espionage
Indicators of Compromise
Domain Name
- mailservice-ns[.]com
- advertbart[.]com
- inetp-service[.]com
- yomangaw[.]com
- covdd[.]org
- visitaustriaislands[.]com
- traveladvnow[.]com
- tripadvit[.]com
- moreofestonia[.]com
- moretraveladv[.]com
- estoniaforall[.]com
- bookingitnow[.]org
- travelbooknow[.]org
- bookaustriavisit[.]com
- windnetap[.]com
- roblexmeet[.]com
- netrcmapi[.]com
- meetomoves[.]com
MD5
- 63090a9d67ce9534126cfa70716d735f
- f5f9ba063e3fee25e0a298c0e108e2d4
SHA-256
- 16d85f275aa0ce37b23f0b3c31723ae9157d6858a468737b72da8358fd8dd4f9
- 598a2a4ca29cfefad69ea02d465c8ce5254b99ed59f90e1924d210b0772dc2c0
SHA-1
- 7fd599e780f097fc2fe6a12a2206c817f273e0f3
e893fee54452c0203ef05551122abb669723d463
Remediation
- Search for IOCs in your environment.
- Block all threat indications at their respective controls.