Rewterz Threat Advisory – Diebold and NCR ATMs contain ‘Deposit Forgery’ Vulnerabilities

August 21, 2020

Rewterz Threat Alert – Qakbot (Qbot) Maldoc Campaign – IoCs

August 21, 2020

Rewterz Threat Alert – Microsoft Excel used to Spread New Dridex Trojan Variant

August 21, 2020

Severity

High

Analysis Summary

A phishing campaign is detected in which a malicious Microsoft Excel document delivered as an email attachment was spreading a new variant of Dridex. Dridex is a Trojan malware, also known as Bugat and Cridex, that is capable of stealing a victim’s online banking and system information from an infected machine.

The email was disguised as a payment request email with a fake Excel invoice file attached. If a victim double-clicks the attached file, Microsoft Office Excel opens it. Microsoft Excel displays a yellow bar with a Security Warning message, which means the opened file contains risky active content like a VBA Macro. Once the victim hits the “Enable Content” button, however, the risky content is loaded and even executed automatically. The Excel document deliberately shows a vague invoice in the file to drive the victim to click the button to get a clearer look at the invoice.

Figure 1.2. Opening the attachment in the Office Excel process

This file contains a malicious Macro (VBA code) that can be executed in two ways. The first is by clicking the green “All-Open and pay” button to execute the malicious VBA code. The other way is when a Layout event occurs, it has a private Formsa_Layout() function to handle such an event that executes the malicious VBA code. Such a Layout event occurs many times while the victim is working on the file.The Dridex developer puts all of its malicious work in the function DllRegisterServer(), which can be thought of as the Main() function to other normal processes.

Many anti-analysis techniques are observed in the core Dridex to prevent its code from being analyzed.

Impact

Theft of sensitive information
Financial loss

Indicators of Compromise

Domain Name

ayobergerak[.]id
lovecryst[.]com
satyasumamarketers[.]in
policelifeline[.]in
americanhomedoctors[.]com
nativated[.]com
dreamerrs[.]com
mengshuzhai[.]com
umeskin[.]com
bobbydhillonfilmdirector[.]com
limitlessadviser[.]com
vimacorrugados[.]com[.]mx
lescousettesdewouavie[.]com
plasconpackaging[.]co[.]uk
caissefamilylaw[.]com
zajacwogrodzie[.]pl
gds-korea[.]com
juiceslam[.]com
helasverigesamlas[.]se

MD5

df7c6e463ce7c9180238705d216b1a69
36d6caa7639fa761ec5408b1cdc8cad7

SHA-256

3F5AC9186AF10E92859996A4A778CD9C56828A68BE6C8CAA42BC449C745A8BAA
519312A969094294202A2EBE197BB4C563BA506FFFBD45000F0F9CC2923695CE

SHA1

e040d36370fc9d5b0f7855d8747c29fa505bce84
18c80387be8a342467a6d126a4ba4f6b2ef64307

URL

hxxps[:]//helasverigesamlas[.]se/ukef26[.]txt
hxxps[:]//helasverigesamlas[.]se/y0bvsc[.]pdf
hxxps[:]//bobbydhillonfilmdirector[.]com/ib9tfm[.]txt
hxxps[:]//lescousettesdewouavie[.]com/p8yljj[.]txt
hxxps[:]//zajacwogrodzie[.]pl/ge9arn[.]txt
hxxps[:]//lescousettesdewouavie[.]com/x4mkyo[.]pdf
hxxps[:]//zajacwogrodzie[.]pl/v7f6l4[.]pdf
hxxps[:]//helasverigesamlas[.]se/fojik1[.]rar
hxxps[:]//bobbydhillonfilmdirector[.]com/e6xbxo[.]pdf
hxxps[:]//gds-korea[.]com/j7sumb[.]txt
hxxps[:]//lescousettesdewouavie[.]com/legxmb[.]rar
hxxps[:]//bobbydhillonfilmdirector[.]com/nqd7dd[.]rar
hxxps[:]//zajacwogrodzie[.]pl/knpyhq[.]rar
hxxps[:]//policelifeline[.]in/3zqpkh[.]txt
hxxps[:]//limitlessadviser[.]com/1zg5cb[.]txt
hxxps[:]//plasconpackaging[.]co[.]uk/5v3k2o[.]txt
hxxps[:]//helasverigesamlas[.]se/g8mtcq[.]rar
hxxps[:]//nativated[.]com/xtfi4j[.]txt
hxxps[:]//lovecryst[.]com/rkhmzt[.]txt
hxxps[:]//malaysia[.]hadatha[.]net/wpn57i[.]txt
hxxps[:]//ayobergerak[.]id/uvtvur[.]txt
hxxps[:]//vimacorrugados[.]com[.]mx/ine9y1[.]txt
hxxps[:]//juiceslam[.]com/js6tlz[.]txt
hxxps[:]//mengshuzhai[.]com/bupcqu[.]rar
hxxps[:]//musei[.]basilicata[.]beniculturali[.]it/j3wbla[.]txt
hxxps[:]//lescousettesdewouavie[.]com/khp6tv[.]rar
hxxps[:]//m[.]am-clinica[.]ru/egqrzg[.]txt
hxxps[:]//bobbydhillonfilmdirector[.]com/yujwl6[.]rar
hxxps[:]//helasverigesamlas[.]se/5sdkiq[.]pdf
hxxps[:]//satyasumamarketers[.]in/u7sjvs[.]txt
hxxps[:]//zajacwogrodzie[.]pl/r0n2ad[.]rar
hxxps[:]//plasconpackaging[.]co[.]uk/9srpo9[.]pdf
hxxps[:]//limitlessadviser[.]com/ccokdx[.]pdf
hxxps[:]//dreamerrs[.]com/erjawd[.]txt
hxxps[:]//lescousettesdewouavie[.]com/ocqzrj[.]pdf
hxxps[:]//lovecryst[.]com/3kjg9x[.]pdf
hxxps[:]//helasverigesamlas[.]se/goueak[.]pdf
hxxps[:]//bobbydhillonfilmdirector[.]com/2oyr8b[.]pdf
hxxps[:]//policelifeline[.]in/uhdyoc[.]pdf
hxxps[:]//malaysia[.]hadatha[.]net/beysbq[.]pdf
hxxps[:]//vimacorrugados[.]com[.]mx/h3zlwl[.]pdf
hxxps[:]//gds-korea[.]com/6gczpy[.]rar
hxxps[:]//zajacwogrodzie[.]pl/qkjtlj[.]pdf
hxxps[:]//limitlessadviser[.]com/gvcr6i[.]rar
hxxps[:]//musei[.]basilicata[.]beniculturali[.]it/kupdkk[.]pdf
hxxps[:]//ayobergerak[.]id/xh9gpx[.]pdf
hxxps[:]//lescousettesdewouavie[.]com/oeyq8b[.]pdf
hxxps[:]//plasconpackaging[.]co[.]uk/e6x6d4[.]rar
hxxps[:]//m[.]am-clinica[.]ru/1n5pyb[.]pdf
hxxps[:]//bobbydhillonfilmdirector[.]com/rbcvdl[.]pdf
hxxps[:]//lovecryst[.]com/85lh50[.]rar
hxxps[:]//helasverigesamlas[.]se/1pjfdo[.]rar
hxxps[:]//dreamerrs[.]com/q27mzd[.]pdf
hxxps[:]//zajacwogrodzie[.]pl/fdsvdi[.]pdf
hxxps[:]//helasverigesamlas[.]se/ih22hv[.]pdf
hxxps[:]//limitlessadviser[.]com/d54nnr[.]rar
hxxps[:]//lescousettesdewouavie[.]com/2k0ncn[.]rar
hxxps[:]//nativated[.]com/dsczgy[.]rar
hxxps[:]//gds-korea[.]com/7aumml[.]rar
hxxps[:]//mengshuzhai[.]com/7aqvw0[.]pdf
hxxps[:]//bobbydhillonfilmdirector[.]com/pfxahf[.]rar
hxxps[:]//helasverigesamlas[.]se/n7splg[.]rar
hxxps[:]//lovecryst[.]com/2y9dum[.]rar
hxxps[:]//musei[.]basilicata[.]beniculturali[.]it/s7bt9w[.]rar
hxxps[:]//plasconpackaging[.]co[.]uk/92icz9[.]rar
hxxps[:]//zajacwogrodzie[.]pl/qpipqx[.]rar
hxxps[:]//ayobergerak[.]id/arebeo[.]rar
hxxps[:]//lescousettesdewouavie[.]com/pthz9d[.]pdf
hxxps[:]//helasverigesamlas[.]se/4qdibt[.]txt
hxxps[:]//limitlessadviser[.]com/2w2ks3[.]pdf
hxxps[:]//satyasumamarketers[.]in/wpe2b1[.]rar
hxxps[:]//mengshuzhai[.]com/bxjotq[.]pdf
hxxps[:]//m[.]am-clinica[.]ru/n73qhk[.]rar
hxxps[:]//dreamerrs[.]com/5hftea[.]rar
hxxps[:]//bobbydhillonfilmdirector[.]com/h3uqyd[.]pdf
hxxps[:]//lescousettesdewouavie[.]com/egee1u[.]rar
hxxps[:]//plasconpackaging[.]co[.]uk/wqnehw[.]pdf
hxxps[:]//umeskin[.]com/llqzxb[.]txt
hxxps[:]//lovecryst[.]com/fefpbd[.]pdf
hxxps[:]//helasverigesamlas[.]se/o9y2f3[.]jpg
hxxps[:]//gds-korea[.]com/w2voij[.]pdf
hxxps[:]//zajacwogrodzie[.]pl/6fcdud[.]pdf
hxxps[:]//nativated[.]com/lazp9f[.]rar
hxxps[:]//limitlessadviser[.]com/tfqegv[.]pdf
hxxps[:]//bobbydhillonfilmdirector[.]com/uuj9jc[.]rar
hxxps[:]//musei[.]basilicata[.]beniculturali[.]it/igmysc[.]rar
hxxps[:]//malaysia[.]hadatha[.]net/zrxrqy[.]rar
hxxps[:]//dreamerrs[.]com/c2igom[.]rar
hxxps[:]//juiceslam[.]com/kllmw3[.]rar
hxxps[:]//helasverigesamlas[.]se/bca1ww[.]rar
hxxps[:]//ayobergerak[.]id/8ikgkh[.]rar
hxxps[:]//lescousettesdewouavie[.]com/rmlxyi[.]txt
hxxps[:]//satyasumamarketers[.]in/px8ddp[.]rar
hxxps[:]//plasconpackaging[.]co[.]uk/2fz42f[.]pdf
hxxps[:]//m[.]am-clinica[.]ru/jgyual[.]rar
hxxps[:]//zajacwogrodzie[.]pl/jrmuk7[.]rar
hxxps[:]//bobbydhillonfilmdirector[.]com/dtrwi4[.]txt
hxxps[:]//helasverigesamlas[.]se/plr6yv[.]jpg
hxxps[:]//mengshuzhai[.]com/plzi5h[.]pdf
hxxps[:]//gds-korea[.]com/nmluap[.]pdf
hxxps[:]//nativated[.]com/lr25xt[.]pdf
hxxps[:]//limitlessadviser[.]com/3scwyr[.]rar
hxxps[:]//lescousettesdewouavie[.]com/ckqfw9[.]jpg
hxxps[:]//lovecryst[.]com/4lzzhj[.]pdf
hxxps[:]//helasverigesamlas[.]se/ucjv9u[.]txt
hxxps[:]//malaysia[.]hadatha[.]net/ajlfui[.]pdf
hxxps[:]//bobbydhillonfilmdirector[.]com/vgr6ow[.]jpg
hxxps[:]//musei[.]basilicata[.]beniculturali[.]it/y2mbjv[.]pdf
hxxps[:]//zajacwogrodzie[.]pl/upa3jg[.]txt
hxxps[:]//ayobergerak[.]id/2td7dc[.]pdf
hxxps[:]//helasverigesamlas[.]se/khrvax[.]txt
hxxps[:]//mengshuzhai[.]com/or7xje[.]rar
hxxps[:]//dreamerrs[.]com/lj00wc[.]pdf
hxxps[:]//lescousettesdewouavie[.]com/lm88em[.]rar
hxxps[:]//plasconpackaging[.]co[.]uk/pypzaj[.]rar
hxxps[:]//m[.]am-clinica[.]ru/ksshm8[.]pdf
hxxps[:]//bobbydhillonfilmdirector[.]com/dzcqk9[.]rar
hxxps[:]//satyasumamarketers[.]in/3ayj2v[.]pdf
hxxps[:]//helasverigesamlas[.]se/cmwtcv[.]txt
hxxps[:]//zajacwogrodzie[.]pl/qbvt7o[.]jpg
hxxps[:]//limitlessadviser[.]com/gcbomc[.]pdf
hxxps[:]//nativated[.]com/b4rpqe[.]pdf
hxxps[:]//lovecryst[.]com/obyxwn[.]rar
hxxps[:]//gds-korea[.]com/6vvyvy[.]rar
hxxps[:]//mengshuzhai[.]com/caozwy[.]txt
hxxps[:]//malaysia[.]hadatha[.]net/v7hqvb[.]pdf
hxxps[:]//lescousettesdewouavie[.]com/w25bjz[.]jpg
hxxps[:]//zajacwogrodzie[.]pl/zdchkl[.]rar
hxxps[:]//bobbydhillonfilmdirector[.]com/itfonf[.]jpg
hxxps[:]//ayobergerak[.]id/uq8fpu[.]pdf
hxxps[:]//dreamerrs[.]com/sao43r[.]pdf
hxxps[:]//musei[.]basilicata[.]beniculturali[.]it/kpesan[.]pdf
hxxps[:]//juiceslam[.]com/xqhnoc[.]pdf
hxxps[:]//lescousettesdewouavie[.]com/clhvma[.]txt
hxxps[:]//zajacwogrodzie[.]pl/n8orwp[.]jpg
hxxps[:]//lovecryst[.]com/dl3yr3[.]pdf
hxxps[:]//gds-korea[.]com/czqfpm[.]pdf
hxxps[:]//m[.]am-clinica[.]ru/l0qcdb[.]pdf
hxxps[:]//bobbydhillonfilmdirector[.]com/tqlwgh[.]txt
hxxps[:]//mengshuzhai[.]com/eqlbuj[.]jpg
hxxps[:]//nativated[.]com/8chckx[.]rar
hxxps[:]//limitlessadviser[.]com/9ekq6i[.]txt
hxxps[:]//lescousettesdewouavie[.]com/petr84[.]txt
hxxps[:]//ayobergerak[.]id/rnoihf[.]rar
hxxps[:]//lovecryst[.]com/a96qmc[.]rar
hxxps[:]//zajacwogrodzie[.]pl/ab9uer[.]txt
hxxps[:]//plasconpackaging[.]co[.]uk/t774od[.]rar
hxxps[:]//bobbydhillonfilmdirector[.]com/namexs[.]txt
hxxps[:]//dreamerrs[.]com/y1efzu[.]rar
hxxps[:]//mengshuzhai[.]com/uhrahv[.]rar
hxxps[:]//limitlessadviser[.]com/thbutn[.]jpg
hxxps[:]//musei[.]basilicata[.]beniculturali[.]it/veoyu1[.]rar
hxxps[:]//m[.]am-clinica[.]ru/n9vpzt[.]rar
hxxps[:]//lescousettesdewouavie[.]com/cyijck[.]txt
hxxps[:]//gds-korea[.]com/v5teug[.]rar
hxxps[:]//zajacwogrodzie[.]pl/il6hlg[.]txt
hxxps[:]//umeskin[.]com/axbky9[.]rar
hxxps[:]//bobbydhillonfilmdirector[.]com/jejv9v[.]txt
hxxps[:]//americanhomedoctors[.]com/nvu6yj[.]txt
hxxps[:]//ayobergerak[.]id/wq9dek[.]pdf
hxxps[:]//mengshuzhai[.]com/lbdcxn[.]jpg
hxxps[:]//limitlessadviser[.]com/obawsh[.]rar
hxxps[:]//zajacwogrodzie[.]pl/bu7wnz[.]txt
hxxps[:]//dreamerrs[.]com/wlrh5p[.]pdf
hxxps[:]//juiceslam[.]com/3swseh[.]pdf
hxxps[:]//plasconpackaging[.]co[.]uk/quie2e[.]txt
hxxps[:]//m[.]am-clinica[.]ru/6t6q7a[.]pdf
hxxps[:]//malaysia[.]hadatha[.]net/yyx51c[.]pdf
hxxps[:]//musei[.]basilicata[.]beniculturali[.]it/b7i904[.]pdf
hxxps[:]//nativated[.]com/5yr9lu[.]rar
hxxps[:]//mengshuzhai[.]com/yqhge9[.]txt
hxxps[:]//americanhomedoctors[.]com/clpldk[.]pdf
hxxps[:]//limitlessadviser[.]com/yi10g3[.]jpg
hxxps[:]//malaysia[.]hadatha[.]net/fjbims[.]rar
hxxps[:]//ayobergerak[.]id/rzpfra[.]rar
hxxps[:]//dreamerrs[.]com/gai3zz[.]rar
hxxps[:]//juiceslam[.]com/qrm1n9[.]rar
hxxps[:]//m[.]am-clinica[.]ru/5kdjmx[.]rar
hxxps[:]//plasconpackaging[.]co[.]uk/z0b0xa[.]jpg
hxxps[:]//umeskin[.]com/4i1sgz[.]pdf
hxxps[:]//malaysia[.]hadatha[.]net/uhcvkd[.]txt
hxxps[:]//americanhomedoctors[.]com/u3jc7q[.]rar
hxxps[:]//limitlessadviser[.]com/567z4r[.]txt
hxxps[:]//nativated[.]com/7ineq7[.]txt
hxxps[:]//mengshuzhai[.]com/mnljwc[.]txt
hxxps[:]//musei[.]basilicata[.]beniculturali[.]it/fvvqqs[.]rar
hxxps[:]//ayobergerak[.]id/svhsrj[.]txt
hxxps[:]//satyasumamarketers[.]in/0m1hcn[.]pdf
hxxps[:]//lovecryst[.]com/gjtdqm[.]jpg
hxxps[:]//juiceslam[.]com/va0pr7[.]txt
hxxps[:]//mengshuzhai[.]com/21s5dk[.]txt
hxxps[:]//americanhomedoctors[.]com/zhredi[.]rar
hxxps[:]//limitlessadviser[.]com/felysh[.]txt
hxxps[:]//m[.]am-clinica[.]ru/6swgox[.]txt
hxxps[:]//nativated[.]com/m681f6[.]jpg
hxxps[:]//ayobergerak[.]id/2lftdo[.]jpg
hxxps[:]//plasconpackaging[.]co[.]uk/tqew67[.]rar
hxxps[:]//gds-korea[.]com/nzsa2r[.]rar
hxxps[:]//malaysia[.]hadatha[.]net/xxfmbb[.]jpg
hxxps[:]//musei[.]basilicata[.]beniculturali[.]it/yz193v[.]txt
hxxps[:]//lovecryst[.]com/hiyv3r[.]rar
hxxps[:]//caissefamilylaw[.]com/wepe4o[.]txt
hxxps[:]//nativated[.]com/blkhax[.]rar
hxxps[:]//limitlessadviser[.]com/awunl8[.]txt
hxxps[:]//gds-korea[.]com/phxu3e[.]jpg
hxxps[:]//juiceslam[.]com/sobkyn[.]jpg
hxxps[:]//plasconpackaging[.]co[.]uk/4kli3j[.]jpg
hxxps[:]//lovecryst[.]com/6ztj1b[.]jpg
hxxps[:]//ayobergerak[.]id/7qxwgf[.]rar
hxxps[:]//malaysia[.]hadatha[.]net/5ecazk[.]rar
hxxps[:]//m[.]am-clinica[.]ru/wqsxbh[.]jpg
hxxps[:]//caissefamilylaw[.]com/iufrd8[.]pdf
hxxps[:]//nativated[.]com/gvni7l[.]jpg
hxxps[:]//lovecryst[.]com/lmomof[.]txt
hxxps[:]//juiceslam[.]com/ydvqrh[.]rar
hxxps[:]//musei[.]basilicata[.]beniculturali[.]it/cdu5wf[.]jpg
hxxps[:]//gds-korea[.]com/rvuyar[.]txt
hxxps[:]//americanhomedoctors[.]com/s5qy9y[.]pdf
hxxps[:]//m[.]am-clinica[.]ru/pounyb[.]rar
hxxps[:]//plasconpackaging[.]co[.]uk/hhz1qm[.]txt
hxxps[:]//ayobergerak[.]id/f0h5ie[.]jpg
hxxps[:]//malaysia[.]hadatha[.]net/npegid[.]jpg
hxxps[:]//lovecryst[.]com/euuufi[.]txt
hxxps[:]//dreamerrs[.]com/mv9tgh[.]jpg
hxxps[:]//nativated[.]com/6k6aua[.]txt
hxxps[:]//juiceslam[.]com/6pyyik[.]jpg
hxxps[:]//americanhomedoctors[.]com/li1ove[.]rar
hxxps[:]//m[.]am-clinica[.]ru/sp9raz[.]jpg
hxxps[:]//caissefamilylaw[.]com/opwspg[.]rar
hxxps[:]//gds-korea[.]com/vh0xwe[.]txt
hxxps[:]//lovecryst[.]com/aqj2h2[.]txt
hxxps[:]//musei[.]basilicata[.]beniculturali[.]it/jdpst4[.]rar
hxxps[:]//malaysia[.]hadatha[.]net/smur2v[.]txt
hxxps[:]//ayobergerak[.]id/zc7ifi[.]txt
hxxps[:]//dreamerrs[.]com/sdyb3e[.]rar
hxxps[:]//plasconpackaging[.]co[.]uk/3y5ef0[.]txt
hxxps[:]//americanhomedoctors[.]com/kh7b3t[.]pdf
hxxps[:]//nativated[.]com/33b2s3[.]txt
hxxps[:]//gds-korea[.]com/9zjyth[.]txt
hxxps[:]//juiceslam[.]com/djspsy[.]txt
hxxps[:]//m[.]am-clinica[.]ru/h82tkk[.]txt
hxxps[:]//ayobergerak[.]id/2esx1t[.]txt
hxxps[:]//satyasumamarketers[.]in/cb9met[.]jpg
hxxps[:]//malaysia[.]hadatha[.]net/q170rq[.]txt
hxxps[:]//musei[.]basilicata[.]beniculturali[.]it/sl5qbv[.]jpg
hxxps[:]//vimacorrugados[.]com[.]mx/gvv8mm[.]jpg
hxxps[:]//plasconpackaging[.]co[.]uk/9lgfbu[.]txt
hxxps[:]//dreamerrs[.]com/qvtlvd[.]jpg
hxxps[:]//americanhomedoctors[.]com/pgnaq4[.]rar
hxxps[:]//caissefamilylaw[.]com/haxztp[.]rar
hxxps[:]//nativated[.]com/41tihp[.]txt
hxxps[:]//m[.]am-clinica[.]ru/ecnosl[.]txt
hxxps[:]//ayobergerak[.]id/nvzzdp[.]txt
hxxps[:]//malaysia[.]hadatha[.]net/x6duub[.]txt
hxxps[:]//umeskin[.]com/hc56ql[.]rar
hxxps[:]//satyasumamarketers[.]in/xovuli[.]rar
hxxps[:]//dreamerrs[.]com/0xil1h[.]txt
hxxps[:]//musei[.]basilicata[.]beniculturali[.]it/2ogr8k[.]txt
hxxps[:]//americanhomedoctors[.]com/eso7ky[.]txt
hxxps[:]//vimacorrugados[.]com[.]mx/htbd13[.]rar
hxxps[:]//m[.]am-clinica[.]ru/xhqgzb[.]txt
hxxps[:]//juiceslam[.]com/mioi9l[.]txt
hxxps[:]//satyasumamarketers[.]in/grnmal[.]jpg
hxxps[:]//dreamerrs[.]com/rmtmuq[.]txt
hxxps[:]//vimacorrugados[.]com[.]mx/ncmdpv[.]jpg
hxxps[:]//satyasumamarketers[.]in/v5jxaz[.]txt
hxxps[:]//musei[.]basilicata[.]beniculturali[.]it/9exj0e[.]txt
hxxps[:]//dreamerrs[.]com/f0pzfy[.]txt
hxxps[:]//satyasumamarketers[.]in/iesytp[.]txt
hxxps[:]//vimacorrugados[.]com[.]mx/3qqbjr[.]txt
hxxps[:]//musei[.]basilicata[.]beniculturali[.]it/sbnhzv[.]txt
hxxps[:]//satyasumamarketers[.]in/yxzbeq[.]txt
hxxps[:]//policelifeline[.]in/9hapi2[.]rar
hxxps[:]//policelifeline[.]in/heno5b[.]jpg
hxxps[:]//caissefamilylaw[.]com/rusjrs[.]pdf
hxxps[:]//umeskin[.]com/x13p7x[.]jpg
hxxps[:]//caissefamilylaw[.]com/6alzup[.]rar
hxxps[:]//caissefamilylaw[.]com/w41fok[.]txt
hxxps[:]//caissefamilylaw[.]com/iu8gld[.]jpg
hxxps[:]//caissefamilylaw[.]com/oj9fkj[.]rar
hxxps[:]//caissefamilylaw[.]com/vrpatn[.]jpg
hxxps[:]//americanhomedoctors[.]com/mz2gnd[.]jpg
hxxps[:]//caissefamilylaw[.]com/8ohgs5[.]txt
hxxps[:]//umeskin[.]com/htiowj[.]txt
hxxps[:]//americanhomedoctors[.]com/fxqqib[.]txt
hxxps[:]//americanhomedoctors[.]com/8ejdob[.]txt
hxxps[:]//caissefamilylaw[.]com/pdrnkg[.]txt
hxxps[:]//americanhomedoctors[.]com/botpcr[.]txt
hxxps[:]//caissefamilylaw[.]com/qy2d5q[.]txt

Remediation

Block the threat indicators at their respective controls.
Do not open unexpected emails from untrusted sources.
Do not enable macros for untrusted files.

Platform

Managed Security Services

Managed Penetration Testing

Assess

Transform

Train

Respond

Resources

Rewterz Threat Alert – An Emerging Ducktail Infostealer – Active IOCs

Rewterz Threat Alert – Revenge RAT aka Revetrat – Active IOCs

Rewterz Threat Alert – North Korea Linked Konni APT Group – Active IOCs

Threat Insights

About Us

Our Leadership

CSR

Connect with Us

Platform

Managed Security Services

Managed Penetration Testing

Assess

Transform

Train

Respond

Resources

Rewterz Threat Alert – An Emerging Ducktail Infostealer – Active IOCs

Rewterz Threat Alert – Revenge RAT aka Revetrat – Active IOCs

Rewterz Threat Alert – North Korea Linked Konni APT Group – Active IOCs

Threat Insights

About Us

Our Leadership

CSR

Connect with Us