Severity
Medium
Analysis Summary
This advisory covers a phishing campaign targeting executives at a variety of organizations. The phishing emails are, in most cases, sent via an RDP service hosted by FireVPS. The email body directs the recipient to click a link, supposedly to prevent their Office 365 password from being changed. The link leads to a compromised site hosting an Office 365 phishing kit; the URLs used for the kit follow a similar pattern. The kit logs any entered credentials for later retrieval by the attackers. The researchers identified several misconfigured phishing kits that allowed them to view the content of the log files, which included potential attribution information about the kit's developer. Investigating that developer, they found the kit being advertised and sold on Facebook, with the earliest version released in July 2019. During the course of their research, they also identified credentials of C-level users being sold on both English- and Russian-speaking forums.
Impact
- Credential theft
- Exposure of sensitive data
Indicators of Compromise
URL
Remediation
- Block all threat indicators at your respective controls.
- Always be suspicious of emails sent by unknown senders.
- Never click on links or attachments sent by unknown senders.
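The advisory notes that the kit URLs share a common path pattern, and the remediation above asks for the indicators to be blocked at your controls. The following is an added example (not part of the Rewterz advisory) that refangs the advisory's hxxp[:]// notation and flags requests whose path ends in the kit's OfficeV4 directory in a simple web-proxy log; the log format, the example.* hosts and the sample lines are constructed assumptions for this illustration.

```python
import re
from typing import Iterable, List, NamedTuple
from urllib.parse import urlsplit

# Common element of the advisory's kit URLs: a trailing "/OfficeV4/" directory
# under a short parent such as "well-known". Hosts vary per compromised site,
# so matching is done on the path only. The "(/|$)" guard avoids matching
# unrelated paths that merely start with the same letters (e.g. /OfficeV4docs/).
KIT_PATH = re.compile(r"/OfficeV4(/|$)", re.IGNORECASE)

class Hit(NamedTuple):
    line_no: int
    host: str
    path: str

def refang(url: str) -> str:
    """Turn the advisory's defanged notation (hxxp[:]//, [.]) back into a URL."""
    return url.replace("hxxp", "http").replace("[:]", ":").replace("[.]", ".")

def is_kit_url(url: str) -> bool:
    """True when the (possibly defanged) URL has the kit's OfficeV4 path segment."""
    parts = urlsplit(refang(url))
    return bool(parts.hostname) and KIT_PATH.search(parts.path) is not None

def scan_proxy_log(lines: Iterable[str]) -> List[Hit]:
    """Flag kit-style URLs in a constructed 'timestamp user url status' log."""
    hits: List[Hit] = []
    for line_no, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) < 3:
            continue  # malformed or empty line; skip rather than crash
        url = fields[2]
        if is_kit_url(url):
            parts = urlsplit(refang(url))
            hits.append(Hit(line_no, parts.hostname or "", parts.path))
    return hits

# Constructed sample proxy log (not from the advisory); hosts are placeholders.
SAMPLE_LOG = """\
2021-02-01T09:12:03Z alice http://example.com/index.html 200
2021-02-01T09:12:41Z bob http://example.org/well-known/OfficeV4/ 200
2021-02-01T09:13:05Z carol https://example.net/wellknown/OfficeV4/index.php 200
2021-02-01T09:14:22Z dave http://example.com/OfficeV4docs/ 404
"""

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG.splitlines()):
        print(f"line {hit.line_no}: {hit.host}{hit.path}")
```

Only the two requests reaching an OfficeV4 directory are reported; the path-only match is intentionally broader than the advisory's host list, so treat hits as leads to confirm against the full indicator set.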