• Services
    • Asses
      • Compromise Assessment
      • APT Assessment
      • Penetration Testing
      • Secure Architecture Design & Review
      • Red Team Assessment
      • Purple Team Assessment
      • Social Engineering
      • Source Code Review
    • Transform
      • SOC Consultancy
      •     SOC Maturity Assessment
      •     SOC Model Evaluation
      •     SOC Gap Analysis
      •     SIEM Gap Analysis
      •     SIEM Optimization
      •     SOC Content Pack
    • Train
      • Security Awareness and Training
      • Tabletop Exercise
      • Simulated Cyber Attack Exercises
    • Respond
      • Incident Response
      • Incident Analysis
  • Managed Security
    • Managed Security Monitoring
      • Remote SOC
      • Onsite SOC
      • Hybrid SOC
    • Managed Security Services
      • Managed Detection and Response
      • Managed Endpoint Detection and Response
      • Managed Threat Intelligence
      • Managed Threat Hunting
      • Managed Risk-Based SOAR
      • Managed Penetration Testing
  • Solutions
  • Resources
    • Blog
    • Threat Advisory
  • Company
    • About Us
    • Careers
    • Contact
Rewterz Threat Alert – CobaltStrike Beacon Masquerades as VPN Client Installers
August 25, 2020
Rewterz Threat Alert – LinkedIn Phishing Campaign Spreads Agent Tesla
August 26, 2020

Rewterz Threat Alert – TA505 Active Again – IoCs

August 25, 2020

Severity

High

Analysis Summary

TA505 is a prolific cybercriminal group known for its attacks against multiple financial institutions and retail companies using malicious spam campaigns and different malware. In the group’s latest campaign, they deploy the Get2 Downloader via Office Template Macros which leads to the malware. This also allow threat actors to to gain access to the compromised network, providing opportunities to steal financial data or install ransomware. This is an active campaign expected to target financial institutions around the world. This threat actor has been highly active in the wild since the second quarter of 2020. After a break of a week or two, TA505 is again targeting financial institutions around the world.

Impact

  • Credential theft
  • Disclosure of sensitive information
  • Unauthorized access
  • Financial loss

Indicators of Compromise

Domain Name

  • filesharess[.]com
  • onesdrives[.]com
  • backup-place[.]com
  • store-003774-live[.]com
  • store-000846-live[.]com
  • see-back[.]com
  • one-drives[.]com
  • digitals-space[.]com
  • siron-del[.]com
  • transff-reddon[.]com
  • long-space[.]com
  • band-switch[.]com
  • tremd-space[.]com
  • river-store[.]com
  • none-class[.]com
  • dl[.]river-store[.]com
  • definite-limits[.]com
  • mop-shere[.]com
  • nellscorp[.]com
  • direct-space[.]com

MD5

  • 20941b3a0470f338b561b02b64d761e2
  • b73fe5e7b4e01bcfcb76f9aef8dd58a3
  • 366e8412ae4fb43954a23fabe0678f1e
  • a430ae06db49ff2a2a6cb3c64e20d878
  • 8edf39ec6fa723426aff97252b69b2ae
  • 0867def84433e16158bd441715a6da09
  • 4e2b35f2b1e5c54b32c6107c12f0e3a3
  • 7998912a9e1a1d26d6a6e453203acada
  • 873b96a8065bf5a6a389ca69081202a6
  • b94f6017c84b8ddd8d34c1eea68439e1
  • 38faf023f4a588f0ea9e671996556a43
  • bcad76bdb8c7308918c3f5eddd0ee89b
  • 9af3102870ab62e8124dcf7d4e164022
  • e2f9038908576da6b73e68d7f8fcd5f9

SHA-256

  • 4e11400b9a15b912215d46a46353f964e432182d4f0a70a6df1f304733f78c4d
  • e175a9dfe669b9b567851bf17ba7aed9f35ba9cdfa5df63d215cce5570daf631
  • 5c24ba0d7224e27c52058af432794f4b2fb1e05a4960e60ef0bbc8aa7f815f87
  • 44ce89e4cc89cf79cec044643e8b185046340d4825b7bbeb68883777a1584699
  • 2c6f0629707ae81ab6f5870efc27a6cea2918f18744c8c52cf1b1a84d00ed71f
  • 15dea8784771bec543760bdd21ee9d7049359b05b36a73e9f9845bb4258f3243
  • ecb4eb0a3493253c21db5382c2615473651fea857ef15b37645fa6700b4e6025
  • f9509f152d292da195f3e2b18e5d80f1be7dfaaa9e1715a566e9f6a60b31d8cb
  • ce43abb7793ce8051721391a2f5a496a733abc253a67ebbfa71470761b873fe3
  • ccb61568a3fd6f3b5666c7b5efe43b15e257a5423a1fa1388b3c51b310c12e34
  • 7c8f49a71887be9e3584490aeaeb501b7f5cd8861a0fffc1ad5f084fab9f1f53
  • 3c74a24d160bd62ae89eaf502044e95e193acbb785f6db3256ed3f48a7245dc4
  • 3be099019084b985ef1ad350956900f0fd83547e3b2a42986fa1223cbf2ad3a0
  • 36eed2086307f7c6dc261aa714888bc4e3f8e0e2c17ba35addf9df400fff33e7

SHA1

  • 69b0e5808a21d725632df7bdaceb3b02282f3e89
  • 40da701b2acb3950248d6831ebe53342bdd8b3f1
  • 4f9cccb335a7d3b3028326e5c60034280c63f759
  • 3a3629f70cc54ddf672f5329c78f9972349a6734
  • bb05f29e0386ee9acb14403182e7b1faf553a479
  • 18e4ddf73e082821ba967e310b3a2ceb04761ec0
  • cfb09292e20995d347eaf73918f659e89a6d96af
  • b2ae484f98c0e352c73b43fa1d87c73fe249317c
  • 49e4865d71e469dc299ef337bcb70c3b60a39cf7
  • 6d619388378494549273abfb3a157e6f054cdd0e
  • d9482626ff765c64f851380a613e2fd2be742fac
  • 979c039efb4f75c3bdb23027aa8fd6e4e18ab7d0
  • fa98d4e1b413548709e42bbbb847bae5bede7993
  • f60de2a50ad812bff74f998436c54b286774e6fd

URL

  • https[:]//none-class[.]com/class

Remediation

  • Block the threat indicators at their respective controls.
  • Do not downlaod unexpected files coming from untrusted email addresses.
  • Keep all systems and software patched against all known vulnerabilities. 
  • Services
    • Asses
      • Compromise Assessment
      • APT Assessment
      • Penetration Testing
      • Secure Architecture Design & Review
      • Red Team Assessment
      • Purple Team Assessment
      • Social Engineering
      • Source Code Review
    • Respond
      • Incident Response
      • Incident Analysis
  • Transform
    • SOC Consultancy
    •     SOC Maturity Assessment
    •     SOC Model Evaluation
    •     SOC Gap Analysis
    •     SIEM Gap Analysis
    •     SIEM Optimization
    •     SOC Content Pack
  • Train
    • Security Awareness and Training
    • Tabletop Exercise
    • Simulated Cyber Attack Exercises
  • Managed Security
    • Managed Security Monitoring
      • Remote SOC
      • Onsite SOC
      • Hybrid SOC
    • Managed Security Services
      • Managed Detection and Response
      • Managed Endpoint Detection and Response
      • Managed Threat Intelligence
      • Managed Threat Hunting
      • Managed Risk-Based SOAR
      • Managed Penetration Testing
  • Solutions
  • Resources
    • Blog
    • Threat Advisory
  • Company
    • About Us
    • Careers
    • Contact
COPYRIGHT © REWTERZ. ALL RIGHTS RESERVED.