Severity
High
Analysis Summary
TrickBot operators are running personalized, targeted spear-phishing campaigns to lure victims into downloading TrickBot. Each lure pairs the recipient's name (or organization name) with a provocative accusation that is designed to get attention. The operators use open-source intelligence (OSINT) data (full name, employer, phone number, job title) to target professionals at medium to large enterprises. Below is the email content.
Dear *Name_of_Victim*,
Private and Confidential
One of your workmates at Victim’s Workplace, has lodged a complaint with the Palos Hills division of the Equal Employment Opportunity Commission that you manifested behavior considered as sexual harrassment.
Seeing one's own name and employer in an email doubles the likelihood that victims click the malicious links in these malspam campaigns.
Impact
- Information Disclosure
- Credential Theft
- Website Takeover
- Financial Loss
Indicators of Compromise
Domain Name
ftpthedocgrp[.]com
Email Subject
Attn: Name_of_Victim – A grievance raised against you.
Filename
Name_of_Victim – Harassment complaint letter (phone 111-222-3333).doc
MD5
- 71c459ea520c0e55fa144cd5a16a566b
- 52d3428965a5f9001754a30fa6ea163d
- 3afbe45c12cbd6e856a1cb23a1ca29ec
- 363ddb3b8f096161f9162e14b9b97348
- 10f3c410a07ff5b8ad5fcb6e2c12f675
- 03e359ba82bcf4dbc2e40fcb78bade7a
- f524e3256e6ea4fb7c11e5ce6672c0de
SHA256
- 5b08241e83eb4b0188b3052a107bd796b3c32b84b882e23715f4d12ce318368c
- ddae2b31b8bd170957dd5efc46bd5e9414181277fde2c95c8e792ee762433ebd
- fb3909076f570782604a67a57f7b50b3a3fde18274a0d59557dded3da6f40dc5
- 6af150fdbc685171ad222648a6011fa77084b4f26c1c85106f896b98efa24043
- 6b2ddd65039d42efb0110b8f198d01f0d5abf67cf43b17021486d87396136c32
- 4533f6a69614dcbb8c1ea9aa48dec41dd935df14d468603bac44c8978f0f91b7
- 5f24c41aa68951f744c9204344d2cae0f276e57ddd91442e02d1911d7c16d138
Source IP
- 108.167.140[.]193
- 195.133.145[.]141
URL
hxxp[:]//ftpthedocgrp[.]com/backup[.]msi%20/q
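The indicators above are published defanged (hxxp, [.], [:]) and the subject and filename are templates with the victim's name and a phone number filled in. The following is an added example, not code from the Rewterz alert: it refangs the listed indicators, turns the two lure templates into regexes (assuming only the name and the phone number vary between emails), and matches them against constructed sample telemetry. The mail-record and proxy-line formats and the sample data are assumptions made for illustration; the decision to match the download URL up to its trailing "%20/q" is a design choice of this example, not something the alert states.

```python
"""Refang the defanged indicators from this alert and match them against
constructed sample telemetry (a mail-gateway record and proxy log lines).

Added example, not code from the Rewterz alert. The record/log formats, the
sample data and the subject/filename regexes (which assume that only the
victim's name and the phone number vary between lures) are assumptions.
"""
import re
from urllib.parse import urlsplit

# Indicators as published in the alert, still defanged.
DOMAINS = ["ftpthedocgrp[.]com"]
IPS = ["108.167.140[.]193", "195.133.145[.]141"]
URLS = ["hxxp[:]//ftpthedocgrp[.]com/backup[.]msi%20/q"]
MD5S = {
    "71c459ea520c0e55fa144cd5a16a566b", "52d3428965a5f9001754a30fa6ea163d",
    "3afbe45c12cbd6e856a1cb23a1ca29ec", "363ddb3b8f096161f9162e14b9b97348",
    "10f3c410a07ff5b8ad5fcb6e2c12f675", "03e359ba82bcf4dbc2e40fcb78bade7a",
    "f524e3256e6ea4fb7c11e5ce6672c0de",
}
SHA256S = {
    "5b08241e83eb4b0188b3052a107bd796b3c32b84b882e23715f4d12ce318368c",
    "ddae2b31b8bd170957dd5efc46bd5e9414181277fde2c95c8e792ee762433ebd",
    "fb3909076f570782604a67a57f7b50b3a3fde18274a0d59557dded3da6f40dc5",
    "6af150fdbc685171ad222648a6011fa77084b4f26c1c85106f896b98efa24043",
    "6b2ddd65039d42efb0110b8f198d01f0d5abf67cf43b17021486d87396136c32",
    "4533f6a69614dcbb8c1ea9aa48dec41dd935df14d468603bac44c8978f0f91b7",
    "5f24c41aa68951f744c9204344d2cae0f276e57ddd91442e02d1911d7c16d138",
}

# Lure templates from the alert turned into regexes. Assumption: the victim's
# name and the phone number are the only parts that change between emails.
# Both an en dash and a plain hyphen are accepted as the separator.
SUBJECT_RE = re.compile(r"^Attn: .+ [\u2013-] A grievance raised against you\.?$", re.I)
FILENAME_RE = re.compile(
    r"^.+ [\u2013-] Harassment complaint letter \(phone \d{3}-\d{3}-\d{4}\)\.doc$", re.I)


def refang(ioc: str) -> str:
    """Turn a defanged indicator (hxxp, [.], [:]) back into its live form."""
    live = ioc.replace("[.]", ".").replace("[:]", ":")
    return re.sub(r"^hxxp", "http", live, flags=re.I)


LIVE_DOMAINS = {refang(d).lower() for d in DOMAINS}
LIVE_IPS = {refang(i) for i in IPS}
# The published URL ends in "%20/q"; matching on the URL up to that suffix
# also catches a plain fetch of backup.msi (design choice, not from the alert).
LIVE_URL_PREFIXES = [refang(u).split("%20")[0].lower() for u in URLS]


def check_mail(record: dict) -> list:
    """Return which indicators a mail-gateway record (constructed format) hits."""
    hits = []
    if SUBJECT_RE.match(record.get("subject", "")):
        hits.append("subject")
    if FILENAME_RE.match(record.get("attachment", "")):
        hits.append("filename")
    if record.get("md5", "").lower() in MD5S:
        hits.append("md5")
    if record.get("sha256", "").lower() in SHA256S:
        hits.append("sha256")
    return hits


def check_proxy_line(line: str) -> list:
    """Match one constructed proxy line 'timestamp src_ip dst_ip method url'."""
    fields = line.split()
    if len(fields) < 5:
        return []
    dst_ip, url = fields[2], fields[4]
    hits = []
    if dst_ip in LIVE_IPS:
        hits.append("ip")
    host = (urlsplit(url).hostname or "").lower()
    if host in LIVE_DOMAINS:
        hits.append("domain")
    if any(url.lower().startswith(p) for p in LIVE_URL_PREFIXES):
        hits.append("url")
    return hits


# Constructed sample telemetry (not real captures).
SAMPLE_MAIL = {
    "subject": "Attn: Jane Doe – A grievance raised against you.",
    "attachment": "Jane Doe – Harassment complaint letter (phone 555-010-9999).doc",
    "md5": "71C459EA520C0E55FA144CD5A16A566B",
}
SAMPLE_PROXY = [
    "2019-11-09T10:12:01Z 10.0.0.5 108.167.140.193 GET http://ftpthedocgrp.com/backup.msi%20/q",
    "2019-11-09T10:12:03Z 10.0.0.5 93.184.216.34 GET http://example.com/index.html",
]

if __name__ == "__main__":
    print("mail:", check_mail(SAMPLE_MAIL))
    for entry in SAMPLE_PROXY:
        print("proxy:", check_proxy_line(entry))
```

Hash comparisons are case-insensitive because gateways and sandboxes emit hashes in either case; the regexes accept both the en dash shown in the alert and a plain hyphen, since mail clients and log pipelines frequently normalize the former into the latter.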
Remediation
- Block the threat indicators at their respective controls: the subject and attachment name at the email gateway, the domain and URL at DNS and the web proxy, the IPs at the firewall, and the file hashes in endpoint protection.
- Minimize the personally identifiable information (name, employer, job title, phone number) about your staff that is available online, since that is what these lures are built from.
- Do not respond to, or open attachments from, emails coming from untrusted email addresses.