August 16, 2021
Severity
High
Analysis Summary
Cybercriminals attempt to change tactics as fast as security and protection technologies do. During a year-long investigation of a targeted, invoice-themed XLS.HTML phishing campaign, attackers changed obfuscation and encryption mechanisms every 37 days on average, demonstrating high motivation and skill to constantly evade detection and keep the credential theft operation running.
Impact
- Credential Theft
Indicators of Compromise
URL
Remediation
- Block all threat indicators at their respective controls.
- Search for IOCs in your environment.
- Do not download software and files from unofficial and untrusted sources.
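Added example (not part of the Rewterz alert) of how a defender can refang indicators written in this alert's notation (hxxp/hxxps scheme, `[:]` for the colon, `[[.]]` or `[.]` for dots) and search proxy logs for them. The IOC values and log lines below are constructed placeholders, and the space-separated log layout is an assumption.

```python
import re
from typing import Dict, Iterable, List

def refang(ioc: str) -> str:
    """Turn a defanged URL (hxxps[:]//host[[.]]tld/path) back into a real URL."""
    s = ioc.strip()
    s = re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)
    s = s.replace("[:]", ":")
    s = s.replace("[[.]]", ".").replace("[.]", ".")
    return s

def host_of(url: str) -> str:
    """Extract the lower-cased host portion of a URL ('' if not a URL)."""
    m = re.match(r"^[a-z]+://([^/]+)", url, flags=re.IGNORECASE)
    return m.group(1).lower() if m else ""

# Constructed defanged IOCs in the alert's notation (placeholders, not the alert's values).
DEFANGED_IOCS = [
    "hxxps[:]//example-ioc-one[[.]]invalid/wp-content/uploads/report",
    "hxxp[:]//example-ioc-two[[.]]invalid/123456/abc",
]

# Constructed proxy log lines (assumed layout): timestamp client method url status.
PROXY_LOG = """\
2021-08-16T09:12:01Z 10.0.0.15 GET https://example-ioc-one.invalid/wp-content/uploads/report 200
2021-08-16T09:13:44Z 10.0.0.22 GET https://www.example.com/index.html 200
2021-08-16T09:15:09Z 10.0.0.15 GET http://example-ioc-two.invalid/other/path?x=1 302
"""

def find_hits(log_lines: Iterable[str], defanged: Iterable[str]) -> List[Dict[str, str]]:
    """Return log entries whose URL matches an IOC exactly or shares its host.

    A host-level match is reported separately, since the campaign rotated paths on
    the same hosting domains; exact-URL matches are the higher-confidence signal.
    """
    urls = {refang(d) for d in defanged}
    hosts = {host_of(u) for u in urls}
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 4:
            continue  # skip malformed lines rather than crash
        url = parts[3]
        url_no_query = url.split("?", 1)[0]
        if url_no_query in urls:
            hits.append({"time": parts[0], "client": parts[1], "url": url, "match": "url"})
        elif host_of(url) in hosts:
            hits.append({"time": parts[0], "client": parts[1], "url": url, "match": "host"})
    return hits
```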