Rewterz Threat Alert – Thanos Ransomware: Destructive Variant
September 7, 2020Rewterz Threat Advisory – Nord VPN code execution Vulnerability
September 8, 2020Severity
Medium
Analysis Summary
Attackers are utilizing targeted company’s homepage as part of a phishing attack aimed at acquiring credentials. This campaign attempts to imitate the technical support team of the employee’s company and claims that the company’s email security service has quarantined three messages, blocking them from entering the inbox. It then prompts that those messages need to be reviewed in order to confirm validity, as two of these emails are considered valid and are being held for deletion. This could potentially lead the employee to believe that the messages could be important to the company and entice the employee to review the held emails urgently before deletion. Potential loss of important documents or emails could make the employee more inclined to interact with this email.
Hovering over the “Review Messages Now” shows the malicious URL.
Upon interacting with the link, the user will be directed to a phishing page unique to the employees’ company. It’s a login screen on the company website. However, further analysis has determined that the page shown is actually the company’s website home page with a fake login panel covering it. The overlay attempts to prompt the user to sign in to access the company account. The entered credentials are then sent to the threat actor, giving them access to the target’s company account.
Impact
- Credential Theft
- Account Compromise
Indicators of Compromise
Domain Name
- traximgarage[.]com
From Email
- google[.]com@ashousingcompany[.]com
URL
- hxxp[:]//google[.]com@ashousingcompany[.]com/www/?email=
- hxxp[:]//traximgarage[.]com/www/webmail-std/appsuite/1ogin/mai1/
Remediation
- Block the threat indicators at their respective controls.
- If such an email is received, confirm from your technical support team before entering credentials on any page.