

Rewterz Threat Alert – Purple fox Trojan – IOCs
December 4, 2019
Rewterz Threat Alert – Malspam Pushing Ursnif Infection with Dridex Trojan
December 4, 2019
Severity
High
Analysis Summary
Croatia’s national cyber-security agency warns of a new spear-phishing campaign spreading BalkanRAT. The body of each malspam email contains a link to the malicious page hxxps[:]//www[.]porezna-uprava[.]org/edge.php, which is hosted at 145.249.104[.]207 on a dedicated server in the Netherlands. The lure domain imitates "Porezna uprava", the Croatian Tax Administration. The emails use the subject ‘Application Notice’ and their text begins with ‘NOTICE OF APPLICATION OF ARTICLE 54b. (Exemption from Accountability) GENERAL TAX LAW’. The link delivers the BalkanDoor / BalkanRAT malware, which communicates with the following command-and-control servers: zagrebseba[.]net, amsterdamtodubrovnik[.]com (not detected on VirusTotal at the time of writing) and lizardgreat[.]co.
Impact
- Unauthorized Remote Access
- Complete System Takeover
- Financial loss
Indicators of Compromise
Domain Name
- zagrebseba[.]net
- amsterdamtodubrovnik[.]com
- lizardgreat[.]co
Email Subject
Application Notice
From Email
Tax Administration Information [@] Tax Administration [.] Org
Source IP
145.249.104[.]207
URL
https[:]//www[.]porezna-uprava[.]org/edge.php
Remediation
- Block the threat indicators at their respective controls: the C&C domains and the lure URL at the DNS resolver and web proxy, the source IP at the perimeter firewall, and the sender and subject at the email gateway.
- Search email-gateway, proxy, DNS and firewall logs for the listed indicators to identify users who received the email or followed the link.
- Do not download untrusted email attachments.
- Do not follow URLs contained in untrusted emails.
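As an added example (not part of the Rewterz alert or the Croatian agency's advisory), the script below refangs the indicators listed above and matches them against log lines from the controls the remediation names: a mail gateway, a web proxy, a DNS resolver and a firewall. The log lines are constructed for the demonstration, and the function names are our own. Two details matter when turning an IOC list into a detection: a domain indicator must also catch subdomains (cdn.zagrebseba.net) without catching unrelated hosts that merely contain the string (notzagrebseba.net, zagrebseba.net.example.invalid), and an IP indicator must not match a longer address that starts with the same digits. The alert's From address is printed in translated form, so it is not usable as a literal indicator and is left out here; the lure URL's host is additionally treated as a domain indicator, which is our assumption rather than something the alert states.

```python
"""Match the BalkanRAT alert's indicators against sample log lines.

Added example; the indicators are the ones printed in the alert above,
the log lines below are constructed, and the helper names are ours.
"""
import re
from urllib.parse import urlsplit

# Indicators exactly as the alert prints them (defanged).
IOC_DOMAINS = ["zagrebseba[.]net", "amsterdamtodubrovnik[.]com", "lizardgreat[.]co"]
IOC_IPS = ["145.249.104[.]207"]
IOC_URLS = ["https[:]//www[.]porezna-uprava[.]org/edge.php"]
IOC_SUBJECTS = ["Application Notice"]


def refang(indicator: str) -> str:
    """Undo the usual defanging conventions so the value matches real logs."""
    return (indicator.replace("[.]", ".")
                     .replace("[:]", ":")
                     .replace("[@]", "@")
                     .replace("hxxp", "http"))


def _host_pattern(host: str) -> re.Pattern:
    # The host itself or any subdomain of it. The lookbehind rejects a longer
    # label ending in the host (notzagrebseba.net); the lookahead rejects the
    # host being a prefix of another name (zagrebseba.net.example.invalid)
    # while still allowing a trailing dot, a port, a path or whitespace.
    return re.compile(r"(?<![A-Za-z0-9.-])(?:[A-Za-z0-9-]+\.)*" + re.escape(host)
                      + r"(?!\.?[A-Za-z0-9-])", re.IGNORECASE)


def _ip_pattern(ip: str) -> re.Pattern:
    # Exact address only: 145.249.104.207 must not match 145.249.104.2070 or
    # 1145.249.104.207, and 145.249.104.2 must not match the indicator.
    return re.compile(r"(?<![0-9.])" + re.escape(ip) + r"(?!\.?[0-9])")


def build_patterns():
    """Return (kind, refanged value, compiled regex) for every indicator."""
    patterns = []
    for d in IOC_DOMAINS:
        patterns.append(("domain", refang(d), _host_pattern(refang(d))))
    for ip in IOC_IPS:
        patterns.append(("ip", refang(ip), _ip_pattern(refang(ip))))
    for u in IOC_URLS:
        url = refang(u)
        parts = urlsplit(url)
        target = parts.netloc + parts.path
        # Scheme is optional because proxy logs often omit it.
        patterns.append(("url", url, re.compile(
            r"(?:https?://)?" + re.escape(target) + r"(?![A-Za-z0-9/._-])",
            re.IGNORECASE)))
        # Assumption (ours): the landing host is worth flagging on its own,
        # even when some other path is requested from it.
        patterns.append(("url-host", parts.netloc, _host_pattern(parts.netloc)))
    for s in IOC_SUBJECTS:
        patterns.append(("subject", s, re.compile(
            r'subject="?' + re.escape(s) + r'"?', re.IGNORECASE)))
    return patterns


def scan_lines(lines):
    """Return (1-based line number, indicator kind, indicator) for each hit."""
    hits = []
    patterns = build_patterns()
    for n, line in enumerate(lines, start=1):
        for kind, value, pat in patterns:
            if pat.search(line):
                hits.append((n, kind, value))
    return hits


# Constructed log lines: one infection chain followed by three near-miss
# benign lines that a naive substring search would wrongly flag.
SAMPLE_LOGS = [
    '2019-12-04T09:12:31Z mailgw from=<info@example.invalid> to=<user@corp.example> subject="Application Notice" status=delivered',
    '2019-12-04T09:14:05Z proxy src=10.0.0.23 GET https://www.porezna-uprava.org/edge.php status=200',
    '2019-12-04T09:14:40Z dns client=10.0.0.23 query=cdn.zagrebseba.net type=A',
    '2019-12-04T09:15:02Z fw src=10.0.0.23 dst=145.249.104.207 dport=443 action=allow',
    '2019-12-04T09:16:00Z dns client=10.0.0.24 query=notzagrebseba.net type=A',
    '2019-12-04T09:16:10Z fw src=10.0.0.24 dst=145.249.104.2 dport=443 action=allow',
    '2019-12-04T09:16:20Z dns client=10.0.0.24 query=zagrebseba.net.example.invalid type=A',
]

if __name__ == "__main__":
    for n, kind, value in scan_lines(SAMPLE_LOGS):
        print(f"line {n}: {kind} {value}")
```

Running the script reports hits on lines 1 to 4 only (subject, lure URL and its host, a subdomain of a C&C domain, and the hosting IP); the three look-alike lines are not flagged. To use it on real data, replace SAMPLE_LOGS with lines read from the gateway, proxy, DNS and firewall exports, and treat any hit on lines 2 to 4 as a host that needs triage rather than just an email that needs deletion.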