Rewterz Threat Advisory – CVE-2019-1649 – Cisco Secure Boot Hardware Tampering Vulnerability, also known as Thrangrycat
May 21, 2019
Rewterz Threat Alert – Trickbot Banking Trojan Arrival via Redirection URL
May 22, 2019
Severity
Medium
Analysis Summary
- Multiple bank employees reported emails purporting to come from Dubai Islamic Bank. The sender addresses were random and used several fake domains. The subject line was “DIBPAK Account Locked”. The email contains a malicious phishing URL that leads to a fake login page requesting an email address and password.
Upon closer analysis, we found that the phishing page did not perform any validation. The URL was different from that of the legitimate Dubai Islamic Bank site. Different fonts had been used, which are not noticeable to unsuspecting victims.
- Other spoofed emails sent to bank employees were detected, purporting to come from HBL. The sender email address is compromised, and its domain belongs to a German university, Flensburg University of Applied Sciences. The email subject used is “HBL Access Locked”, and the URL in the email is also a compromised URL, flagged as malicious on VirusTotal. The URL leads to a phishing page asking for credentials and PIN numbers. The email looks like this:
The fake login page asks for the following information:
Impact
- Credential Theft
- Financial loss
Indicators of Compromise
IP(s) / Hostname(s)
- 192[.]254[.]234[.]118
URLs
- hxxps[:]//webh24[.]it/uconfig/premier/legal/dpk/indx[.]html
- hxxps://chaneyarchitects[.]com/wp-content/upgrade/hbl/hbl[.]html
Email Address
- braas[@]hs-flensburg[.]de
Email Subject
- HBL Access Locked
- DIBPAK Account Locked
Remediation
- Block the threat indicators at their respective controls.
- Do not click on links attached in emails coming from untrusted sources.
- Do not enter information on login pages which you are redirected to, through untrusted links.
- Closely monitor for emails carrying these subject lines.
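As an added example (not part of the advisory), a small mail-triage script that applies the indicators above to sample messages: it matches the listed subject lines, sender address and URL domains, and additionally flags a display name that claims a bank brand while the sender domain does not carry that brand (a heuristic assumed here, not something the advisory describes). The two sample messages are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Indicators taken from the advisory, refanged so they match real headers and links.
IOC_SUBJECTS = {"hbl access locked", "dibpak account locked"}
IOC_DOMAINS = {"webh24.it", "chaneyarchitects.com"}
IOC_SENDERS = {"braas@hs-flensburg.de"}
# Brand tokens the lures impersonate. A display name naming a brand whose token is
# absent from the sender's domain is treated as spoofing (heuristic, assumed here).
BRAND_TOKENS = {"dubai islamic bank": "dib", "dib": "dib", "hbl": "hbl"}
HOST_RE = re.compile(r"https?://([^/\s]+)", re.I)

def body_text(msg) -> str:
    """Concatenate the decoded text parts of a (possibly multipart) message."""
    parts = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            charset = part.get_content_charset() or "utf-8"
            parts.append(part.get_payload(decode=True).decode(charset, "replace"))
    return "\n".join(parts)

def analyze(raw: str) -> list[str]:
    """Return findings for one RFC 822 message; an empty list means nothing matched."""
    msg = message_from_string(raw)
    findings = []
    subject = (msg.get("Subject") or "").strip()
    if subject.lower() in IOC_SUBJECTS:
        findings.append(f"subject matches advisory IoC: {subject!r}")
    display, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    if addr in IOC_SENDERS:
        findings.append(f"sender matches advisory IoC: {addr}")
    sender_domain = addr.rsplit("@", 1)[-1]
    for brand, token in BRAND_TOKENS.items():
        if brand in display.lower() and token not in sender_domain:
            findings.append(f"display name claims {brand!r} but sender domain is {sender_domain!r}")
            break
    for host in HOST_RE.findall(body_text(msg)):
        host = host.lower().split(":")[0]
        if host in IOC_DOMAINS or any(host.endswith("." + d) for d in IOC_DOMAINS):
            findings.append(f"link to advisory IoC domain: {host}")
    return findings

# Constructed sample messages modelled on the HBL lure the advisory describes and a benign mail.
LURE = ("From: HBL Alerts <braas@hs-flensburg.de>\nSubject: HBL Access Locked\n"
        "Content-Type: text/plain\n\nYour access has been locked. Restore it at "
        "https://chaneyarchitects.com/wp-content/upgrade/hbl/hbl.html\n")
BENIGN = ("From: Payroll <payroll@example.com>\nSubject: May payslip\n"
          "Content-Type: text/plain\n\nYour payslip is attached.\n")
```

Run `analyze(LURE)` to see all four findings fire at once; `analyze(BENIGN)` returns an empty list.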