Rewterz Threat Alert – TA505 APT Group – Latest IOCs

Severity

High

Analysis Summary

TA505 is a prolific cybercriminal group known for its attacks against multiple financial institutions and retail companies using malicious spam campaigns and different malware. In the group’s latest campaign, they deploy the Get2 Downloader via malicious HTML redirectors which leads to the malware. This also allow threat actors to to gain access to the compromised network, providing opportunities to steal financial data or install ransomware. This is an active campaign expected to target financial institutions around the world.

Impact

• Data exfiltration
• Exposure of sensitive data

Indicators of Compromise

Filename

• harvest_expense_report_download[.]html
• harvest_expense_report[.]xls
• libIntel1[.]dll

From Email

• Sherry[.]Levine@delikomat[.]pl
• Carol[.]Croft@valtecnic[.]com
• ashley@primesigns[.]com[.]au
• lfh@huohyow[.]com[.]cn
• matias[.]montejano@valtecnic[.]com
• anita[.]munoz@redsalud[.]gob[.]cl
• ratchanee@ralclegal[.]com
• helen_hong@qz[.]tasia[.]com[.]cn
• feli@rewe-taetzner[.]de

IP

• 91[.]217[.]242[.]14
• 213[.]229[.]130[.]91
• 23[.]83[.]212[.]26
• 218[.]104[.]163[.]90
• 186[.]67[.]179[.]186
• 203[.]156[.]164[.]146
• 211[.]21[.]70[.]202
• 62[.]75[.]145[.]239

MD5

• add0167db22df546afc750d30382ae1b
• 3d901db4c7bf978da9ed00b2320a7442
• 4e828046de52bd609278c51ada23a2e8
• e2719622f7332eca638163963e85a81d
• 022772a1cf9010bf08ee690e1af11cf4
• 87e178a5806fc951a57722eb74f7ab06
• 467c027bb811e3a12896c76f7e50231a
• 832e4cbb9b7c4be753d1625a034e8e9f
• 2b66da476d28e736126f5e0dc43085f4
• e5c7cef7203770247b54dd59edc1d6e8
• 597701ea4a28a882e0be2836a63dce38
• 492978aefc9c62a074c18f18353b3a7f
• c23455be795ae5b1747401ec7e35500c
• 92b77e8d825aca55df04ec26f85550c2
• 1445eee770b4768140156560cc06356f
• b3a3eb99a9ac3d4683b8a64d06ab28d2

SHA-256

• 9bdde916ae5c984d5c0b80122c494201037fae31c90d4ded13e619e47c84f412
• 2eb601d0025201f26375da26a87b251731fbc1c991beb6d085ba7d7537b0f464
• 6c420e8de223903c6a5dc458f7e11fa17d405ce85dd5cc2d1d45b363c866e98d
• 5fd9a547fb26b6ce1a8d6c353d9284654b0785eadf9fc8945734e1fd26d8efdf
• 379ecffcab0c31855e9803c8c4bef5517f18921072eb17dccbe268803359938e
• 2564b544d2c3ee2a39291e575dcb9ba61cb58647097f8f2bf42a42a09d0b1afd
• 266b288e3fed3e560c575a99829d5cccfb33d6831ee7d842cc6f5b8fadf2443f
• 66159933a159971016ec29086bda1a51aaa8e3221830e43b2391fc261427459a
• 9dd13e02121ff016438f0540d169df51ac44527eabc4116143d6e0b569dc1f99
• bbb1e775425b5033816f9a289676ee3f4ee6644c724e9ff0152ed0f5012fa146
• c227a9a4db37fa762ee7064b33cba6289d66d47bdd5c6a6ace5599dfb377f184
• 461c95f4e03b2f0b4ad50d2d8de568b954b5682f6c241692ffd32e7a16db5acc

SHA1

• 724de0c255eeb09eb24dbfa63d8b76b856650c80
• 3a6df0ea98eb15cb3a589631dfe8119627fa36f0
• b80f012ab0099019852d78ec188b690fa4b82ba0
• 074152f716803fbc0b0ac6890e8b3f5cc9532210
• 820ede82a80453d7bb705c1b3a8456ee0186044b
• b499a92d393c1415463a236e94c5e87fe151cfa6
• 3c5d07f824c33f1f50e0e0e6268d834666f2e05d
• eba9a2e8bce2c91e92fcd047be1b89aec9bd2fb5
• c01e03ddf9405f8d5675c9165603c41ab6ed6e1f
• 28a3d3f8fc14d841cb04ef78ad957c76a32566ea
• fd2d86305e385dd53e6c428b88c09532f55af796
• ed2c5eccb8a8c03960a4b5109c3792016e665e4d

URL

• hxxps[:]//d1[.]dropboxscdn[.]com/d/dhd6n3h39f7d/index[.]php
• https[:]//rapid-stores[.]com/nake1

Remediation

• Block all threat indicators at your respective controls.
• Search for IOCs in your existing environment.