July 8, 2020
Severity
High
Analysis Summary
TA505 is a prolific cybercriminal group known for attacks against financial institutions and retail companies using malicious spam campaigns and a changing set of malware. In the group's latest campaign the lure e-mails lead to the Get2 downloader through malicious HTML redirectors; the indicators below list the HTML and Excel files and the DLL observed in the chain together with the sender addresses, hosting URLs and IPs. Get2 gives the threat actors a foothold in the compromised network, which they can use to steal financial data or install ransomware. This is an active campaign expected to target financial institutions around the world.
Impact
- Data exfiltration
- Exposure of sensitive data
Indicators of Compromise
Filename
- harvest_expense_report_download[.]html
- harvest_expense_report[.]xls
- libIntel1[.]dll
From Email
- Sherry[.]Levine@delikomat[.]pl
- Carol[.]Croft@valtecnic[.]com
- ashley@primesigns[.]com[.]au
- lfh@huohyow[.]com[.]cn
- matias[.]montejano@valtecnic[.]com
- anita[.]munoz@redsalud[.]gob[.]cl
- ratchanee@ralclegal[.]com
- helen_hong@qz[.]tasia[.]com[.]cn
- feli@rewe-taetzner[.]de
IP
- 91[.]217[.]242[.]14
- 213[.]229[.]130[.]91
- 23[.]83[.]212[.]26
- 218[.]104[.]163[.]90
- 186[.]67[.]179[.]186
- 203[.]156[.]164[.]146
- 211[.]21[.]70[.]202
- 62[.]75[.]145[.]239
MD5
- add0167db22df546afc750d30382ae1b
- 3d901db4c7bf978da9ed00b2320a7442
- 4e828046de52bd609278c51ada23a2e8
- e2719622f7332eca638163963e85a81d
- 022772a1cf9010bf08ee690e1af11cf4
- 87e178a5806fc951a57722eb74f7ab06
- 467c027bb811e3a12896c76f7e50231a
- 832e4cbb9b7c4be753d1625a034e8e9f
- 2b66da476d28e736126f5e0dc43085f4
- e5c7cef7203770247b54dd59edc1d6e8
- 597701ea4a28a882e0be2836a63dce38
- 492978aefc9c62a074c18f18353b3a7f
- c23455be795ae5b1747401ec7e35500c
- 92b77e8d825aca55df04ec26f85550c2
- 1445eee770b4768140156560cc06356f
- b3a3eb99a9ac3d4683b8a64d06ab28d2
SHA-256
- 9bdde916ae5c984d5c0b80122c494201037fae31c90d4ded13e619e47c84f412
- 2eb601d0025201f26375da26a87b251731fbc1c991beb6d085ba7d7537b0f464
- 6c420e8de223903c6a5dc458f7e11fa17d405ce85dd5cc2d1d45b363c866e98d
- 5fd9a547fb26b6ce1a8d6c353d9284654b0785eadf9fc8945734e1fd26d8efdf
- 379ecffcab0c31855e9803c8c4bef5517f18921072eb17dccbe268803359938e
- 2564b544d2c3ee2a39291e575dcb9ba61cb58647097f8f2bf42a42a09d0b1afd
- 266b288e3fed3e560c575a99829d5cccfb33d6831ee7d842cc6f5b8fadf2443f
- 66159933a159971016ec29086bda1a51aaa8e3221830e43b2391fc261427459a
- 9dd13e02121ff016438f0540d169df51ac44527eabc4116143d6e0b569dc1f99
- bbb1e775425b5033816f9a289676ee3f4ee6644c724e9ff0152ed0f5012fa146
- c227a9a4db37fa762ee7064b33cba6289d66d47bdd5c6a6ace5599dfb377f184
- 461c95f4e03b2f0b4ad50d2d8de568b954b5682f6c241692ffd32e7a16db5acc
SHA-1
- 724de0c255eeb09eb24dbfa63d8b76b856650c80
- 3a6df0ea98eb15cb3a589631dfe8119627fa36f0
- b80f012ab0099019852d78ec188b690fa4b82ba0
- 074152f716803fbc0b0ac6890e8b3f5cc9532210
- 820ede82a80453d7bb705c1b3a8456ee0186044b
- b499a92d393c1415463a236e94c5e87fe151cfa6
- 3c5d07f824c33f1f50e0e0e6268d834666f2e05d
- eba9a2e8bce2c91e92fcd047be1b89aec9bd2fb5
- c01e03ddf9405f8d5675c9165603c41ab6ed6e1f
- 28a3d3f8fc14d841cb04ef78ad957c76a32566ea
- fd2d86305e385dd53e6c428b88c09532f55af796
- ed2c5eccb8a8c03960a4b5109c3792016e665e4d
URL
- hxxps[:]//d1[.]dropboxscdn[.]com/d/dhd6n3h39f7d/index[.]php
- hxxps[:]//rapid-stores[.]com/nake1
Remediation
- Block the indicators above at the matching controls: the sender addresses at the mail gateway, the URLs and their hosts at the web proxy and DNS resolver, the IPs at the firewall, and the file hashes on the endpoint.
- Search existing mail, proxy, DNS, firewall and endpoint telemetry for these indicators to find hosts that were already exposed before the blocks were in place.
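As an added example (not part of the Rewterz alert), the Python below turns a subset of the defanged indicators above into a usable watchlist and runs it over a few log lines: it refangs the `[.]`, `[:]` and `hxxp` notation, classifies each indicator by its shape, derives the host from each URL so DNS and proxy logs can be matched without the full path, and uses boundary-aware matching so that 91.217.242.14 does not fire on 91.217.242.140. The key=value log lines and the indicator subset are constructed for the example and are not real telemetry.

```python
import re

# Constructed subset of the alert's defanged indicators, kept in the same
# "- indicator" bullet form the alert uses. Not the complete list.
ALERT_IOCS = """
- harvest_expense_report_download[.]html
- libIntel1[.]dll
- Sherry[.]Levine@delikomat[.]pl
- 91[.]217[.]242[.]14
- add0167db22df546afc750d30382ae1b
- 9bdde916ae5c984d5c0b80122c494201037fae31c90d4ded13e619e47c84f412
- hxxps[:]//d1[.]dropboxscdn[.]com/d/dhd6n3h39f7d/index[.]php
- https[:]//rapid-stores[.]com/nake1
"""

# Constructed log lines (mail gateway, proxy, DNS, EDR, firewall); not real telemetry.
SAMPLE_LOGS = [
    "2020-07-08T09:58:02Z mta from=Sherry.Levine@delikomat.pl to=jdoe@example.test attach=harvest_expense_report_download.html",
    "2020-07-08T10:12:31Z proxy src=10.0.0.5 url=https://d1.dropboxscdn.com/d/dhd6n3h39f7d/index.php action=allowed",
    "2020-07-08T10:12:40Z dns client=10.0.0.5 query=www.dropbox.com type=A",
    r"2020-07-08T10:13:05Z edr host=WS-042 image=C:\Users\jdoe\AppData\Local\Temp\libIntel1.dll sha256=9bdde916ae5c984d5c0b80122c494201037fae31c90d4ded13e619e47c84f412",
    "2020-07-08T10:13:20Z fw src=10.0.0.5 dst=91.217.242.140 dport=443 action=allow",
    "2020-07-08T10:13:22Z fw src=10.0.0.5 dst=91.217.242.14 dport=443 action=allow",
]

HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}
IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")


def refang(token):
    """Undo the [.] / [:] / hxxp defanging so the value matches real log data."""
    token = token.replace("[.]", ".").replace("[:]", ":")
    return re.sub(r"^hxxp(s?)://", r"http\1://", token, flags=re.I)


def classify(value):
    """Bucket an indicator by its shape: md5/sha1/sha256, ip, url, email or filename."""
    v = value.lower()
    if len(v) in HASH_TYPES and re.fullmatch(r"[0-9a-f]+", v):
        return HASH_TYPES[len(v)]
    if IPV4_RE.match(v):
        return "ip"
    if v.startswith(("http://", "https://")):
        return "url"
    if "@" in v:
        return "email"
    return "filename"


def parse_iocs(text):
    """Turn the alert's bullet list into lower-cased (kind, value) pairs."""
    iocs = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("- "):
            continue
        value = refang(line[2:].strip()).lower()
        kind = classify(value)
        iocs.append((kind, value))
        if kind == "url":
            # DNS and many proxy logs carry only the host, so watch it separately.
            host = re.match(r"https?://([^/]+)", value).group(1)
            iocs.append(("domain", host))
    return iocs


def scan(lines, iocs):
    """Return (line_index, kind, value) for every indicator found in lines."""
    # The boundaries stop 91.217.242.14 firing on 91.217.242.140 and a host
    # firing inside a longer, unrelated hostname; matching is case-insensitive.
    compiled = [
        (kind, value, re.compile(r"(?<![\w.-])" + re.escape(value) + r"(?![\w-])", re.I))
        for kind, value in iocs
    ]
    hits = []
    for i, line in enumerate(lines):
        for kind, value, pattern in compiled:
            if pattern.search(line):
                hits.append((i, kind, value))
    return hits


if __name__ == "__main__":
    watchlist = parse_iocs(ALERT_IOCS)
    for line_no, kind, value in scan(SAMPLE_LOGS, watchlist):
        print(f"line {line_no}: {kind} {value}")
```

The host derived from each URL is matched as an exact hostname; if you want to catch arbitrary subdomains of a listed host as well, relax the leading boundary for the `domain` kind, accepting the extra false positives that come with it.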