Rewterz Threat Alert – Evilnum Targets Financial Sector With Pyvil RAT
September 4, 2020Rewterz Threat Alert – Pioneer Kitten APT Sells Corporate Network Access, Exploits Vulnerabilities
September 4, 2020Severity
High
Analysis Summary
TA505 is a prolific cybercriminal group known for its attacks against multiple financial institutions and retail companies using malicious spam campaigns and different malware. In the group’s latest campaign, they deploy the Get2 Downloader via Office Template Macros which leads to the malware. This also allow threat actors to to gain access to the compromised network, providing opportunities to steal financial data or install ransomware. This is an active campaign expected to target financial institutions around the world. This threat actor has been highly active in the wild since the second quarter of 2020. After a break of a week or two, TA505 is again targeting financial institutions around the world.
Impact
- Credential Theft
- Unauthorized Access
- Information Theft
- Financial Loss
Indicators of Compromise
Domain Name
- onehub-cdn[.]com
- fosdommtoi[.]com
MD5
- 573e529a3083a7996e09e1b8c5f0999c
- 2bf139894edc43955d839f3260029320
- 077a224e0f73cdb8257066ddd09bb0b1
- 80702fb948d44e2b1a769acb225cb8cf
SHA-256
- 6bc610ff56266525c3e96ab6f87756235f23295ec421bef974d9e163451d938d
- 050c938f352a0dae10d956ac2a97383e8e52ea005a52b9138f4db73c569225cd
- 89a9f09823152d3c5cbe29c667618e128fc8c0677ecec217fb7c2ccae75a7bf2
- 15f64b2fe98bc623c287fbdb9fc254de0f31a0ca7c4fd0cef42879de4c2f53f4
SHA1
- 9c766d80a232a9aec440f87e5ef1cbae98eb0a1f
- 99e2bb0ad169c106be4ece68d16e8067a7d7cb7a
- fd85d44d03817ac4bf6537537befe8542ab615df
- e0c74ee6df5c25899703be4ea6c315b08aba5311
Source IP
- 5[.]188[.]0[.]82
URL
- https[:]//onehub-cdn[.]com/download[.]php
Remediation
- Block the threat indicators at their respective controls.
- Do not download attachments from untrusted emails.