November 20, 2023
Severity Medium Analysis Summary Agent Tesla is a very popular spyware Trojan built for the.NET framework. Since its initial appearance in 2014, this has been deployed […]
Rewterz Threat Alert – Fraudulent Phishing Emails – IoCs
February 21, 2019Rewterz Threat Alert – Oceansalt APT Group targets Finance, Education, Telecommunications and Agricultural sectors
February 22, 2019Rewterz Threat Alert – Fraudulent Phishing Emails – IoCs
February 21, 2019Rewterz Threat Alert – Oceansalt APT Group targets Finance, Education, Telecommunications and Agricultural sectors
February 22, 2019
Severity: High
Analysis Summary
Multiple Phishing campaigns have been observed targeting multiple organizations, to deliver AZORult Malware, Trickbot banking Trojan and Emotet Malware.
While Trickbot and Emotet are previously known, the AZORult is an information stealer that can harvest credentials from several software applications, enumerate & grab files from Desktop, capture saved data from browsers (e.g. cookies, passwords, saved credit card information), steal Skype information, and steal cryptocurrency wallet information.
Collective threat indicators are given below. Many of these threat indicators were not detected by any of the Virus Total engines as malicious.
Impact
- Credential Theft
- Data Manipulation
- Information Disclosure
- Malware Infection
Indicators of Compromise
IP(s) / Hostname(s)
79[.]104[.]212[.]85
104.211.157[.]67
47.254.177[.]121
URLs
- hxxp://pgusa[.]ru/js/
- hxxps://www.dropbox[.]com/s/yk7m01jp5xq67bz/confirm_invoice.zip?dl=1
- googlex.alibobomoneyman[.]xyz
- voicewaves[.]com/abnow/usa/myway/index2.php.
- voicewaves[.]com/abnow/
- voicewaves[.]com/verifyab/
- voicemail-listen[.]com
- voicewaves[.]com/verifyab/mthemes/approval/phpcaptcha1a/demo.php?mail= ata-modenna[.]com
- hxxp://ata-modenna[.]com/dubai/index.php
- hxxp://ata-modenna[.]com/dubai/panel/admin.php
- hxxp://ata-modenna[.]com/gerad/index.php
- hxxp://ata-modenna[.]com/morise/index.php
- hxxp://ata-modenna[.]com/gerad/panel/admin.php
- hxxp://ata-modenna[.]com/morise/panel/admin.php
- hxxps://www[.]icann[.]org/epp#clientTransferProhibited
Filename
- NEW ORDER.IMG
- NEW ORDER.exe
Email Address
- linda[@]alliedmortgage[.]com
- ap[@]voicemail-listen[.]com
- elisa.nunes[@]konecranes[.]com
Email Subject
- Lynda Sivils Transaction for eInvoice
- AT&T payment update
- RE: Revised Order No. 2019 – 1562.IMG
- Quick Submission: Microsoft/Google
- FW: Confirm account status
Malware Hash (MD5/SHA1/SH256)
- cfd7c140e37c9a6ff608205f087b8325
- 37210ce95cd3faa0a757d67f06d8e4af
- e915921cde02710eb33692c22770a908
- 13a18c622e98aad0ae73f611abca035c
- e915921cde02710eb33692c22770a908
- 00b651e5bde9e813d96272c5dd8c74057b2240b0
- ef41281c3fee12a9bc24c84fa2d59ff9b13bcb3ba4866240b3111f96830ac223
- 13a18c622e98aad0ae73f611abca035c
- 9bec01e4e097f33a2ce76c23313cba2ccae719ca
- 0f0250aacc18657b66da72f6e2b5bdf01087cc7775d69492d8db86ce5c172d00
Remediation
- These MalSpam campaigns are not only prevalent but are also increasing in frequency day by day.
- It is recommended to block the threat indicators at their respective controls.
- Employees must not open spam emails that do not look relevant.
- Never download files received in emails from unknown sources.
- Never click on links attached in unexpected emails. Never ‘enable macros’ or enable content, if a file fails to open online.