Rewterz Threat Alert – TrickBot Banking Trojan – Latest IOC’s
April 20, 2020Sidewinder APT Group Campaign Analysis
Severity
High
Analysis Summary
ZLoader, also known as Terdot and DELoader, is a banking trojan that loads the Zeus malware on victim machines after the initial infection. Like other banking trojans, its core capability is to harvest online account credentials for online banking sites (and some other services). When an infected user lands on a targeted online banking portal, the malware dynamically fetches web injections from its command-and-control (C2) server to modify the page the user sees, so that the information entered into the log-in fields is sent to the cybercriminals.
Attackers have been observed targeting victims with invoice-themed spear-phishing documents in order to infect them with ZLoader. The usual targets are financial institutions and banks. Indicators of compromise are given below.
Impact
- Code Execution
- Financial Theft
- Information Theft
Indicators of Compromise
Email Subject
- Account invoice-#553438 tip
- Apr[.] Incoming Invoice Number #71097
- Karma hive
- Case 137201[:] improper information in the sent document
- Case 151047[:] improper information in the accepted statement
- Lawsuit formed – missed payment #129746
- Lawsuit formed – missed payment #529257
- The copy of given invoice #539735
- This is your Customer Invoice
- Your New service Invoice – Number #92820
- Your Service Invoice Number #94618
- Monthly bill-#697717 tip
- Monthly bill-#957318 notification
- Recent invoice-#299841 reminder
- Recent invoice-#414650 notification
- Recent invoice-#781702 notice
- Recent invoice-#820597 tip
From Email
- abid[.]ricog1983@o2[.]pl
- alaf[.]mibut1986@o2[.]pl
- anis[.]imsmar1971@o2[.]pl
- atnis[.]adno1978@o2[.]pl
- bahla[.]gilgie1970@o2[.]pl
- beoloo[.]odos1988@o2[.]pl
- blasog[.]suni1977@o2[.]pl
- bucon[.]menha1988@o2[.]pl
- concu[.]noncu1973@o2[.]pl
- createv[.]asar1973@o2[.]pl
- diabrus[.]mata1983@o2[.]pl
- fasma[.]bnadland1985@o2[.]pl
- fichan[.]trantant1971@o2[.]pl
- flumta[.]joysweat1988@o2[.]pl
- gagnus[.]telilmaldurv@aol[.]com
- gbeatto[.]oriz1977@o2[.]pl
URL
- http[:]//reneixer[.]org/wp/wp-content/themes/calliope/wp_data[.]php
- http[:]//saidulhussen[.]com/wp-content/themes/calliope/wp-front[.]php
- http[:]//sarkarjewells[.]com/wp-content/themes/calliope/wp-front[.]php
- http[:]//semplyusya[.]ru/wp-content/themes/calliope/wp_data[.]php
Remediation
- Block all threat indicators at your respective controls.
- Check for IOCs in your existing environment.
- Always be suspicious about emails sent by unknown senders.
- Never click on the links/attachments sent by unknown senders.
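The two checking steps above (block the indicators, then look for them in your own environment) can be scripted against a mail-gateway export. The following is an added example, not code from the Rewterz alert: it copies the sender, subject and URL indicators above in their defanged form, refangs them for comparison, and scans log lines for matches. The log line format, the sample lines and the `SUBJECT_TEMPLATES` regex (which generalises the listed subjects to the same lure wording with a different invoice, bill or case number) are assumptions constructed for this example.

```python
"""Match mail-gateway log lines against the ZLoader phishing IOCs listed in the alert.

Added example, not part of the Rewterz alert. The log format below is constructed
for the example; adapt LOG_RE to your own gateway's export.
"""
import re

# IOCs copied from the alert in the defanged notation the page uses.
DEFANGED_SENDERS = [
    "abid[.]ricog1983@o2[.]pl", "alaf[.]mibut1986@o2[.]pl", "anis[.]imsmar1971@o2[.]pl",
    "atnis[.]adno1978@o2[.]pl", "bahla[.]gilgie1970@o2[.]pl", "beoloo[.]odos1988@o2[.]pl",
    "blasog[.]suni1977@o2[.]pl", "bucon[.]menha1988@o2[.]pl", "concu[.]noncu1973@o2[.]pl",
    "createv[.]asar1973@o2[.]pl", "diabrus[.]mata1983@o2[.]pl", "fasma[.]bnadland1985@o2[.]pl",
    "fichan[.]trantant1971@o2[.]pl", "flumta[.]joysweat1988@o2[.]pl",
    "gagnus[.]telilmaldurv@aol[.]com", "gbeatto[.]oriz1977@o2[.]pl",
]
DEFANGED_URLS = [
    "http[:]//reneixer[.]org/wp/wp-content/themes/calliope/wp_data[.]php",
    "http[:]//saidulhussen[.]com/wp-content/themes/calliope/wp-front[.]php",
    "http[:]//sarkarjewells[.]com/wp-content/themes/calliope/wp-front[.]php",
    "http[:]//semplyusya[.]ru/wp-content/themes/calliope/wp_data[.]php",
]
DEFANGED_SUBJECTS = [
    "Account invoice-#553438 tip", "Apr[.] Incoming Invoice Number #71097", "Karma hive",
    "Case 137201[:] improper information in the sent document",
    "Case 151047[:] improper information in the accepted statement",
    "Lawsuit formed – missed payment #129746", "Lawsuit formed – missed payment #529257",
    "The copy of given invoice #539735", "This is your Customer Invoice",
    "Your New service Invoice – Number #92820", "Your Service Invoice Number #94618",
    "Monthly bill-#697717 tip", "Monthly bill-#957318 notification",
    "Recent invoice-#299841 reminder", "Recent invoice-#414650 notification",
    "Recent invoice-#781702 notice", "Recent invoice-#820597 tip",
]


def refang(ioc: str) -> str:
    """Undo the alert's defanging ([.] and [:]) so values compare against real log data."""
    return ioc.replace("[.]", ".").replace("[:]", ":")


SENDERS = {refang(s).lower() for s in DEFANGED_SENDERS}
URLS = {refang(u).lower() for u in DEFANGED_URLS}
SUBJECTS = {refang(s).lower() for s in DEFANGED_SUBJECTS}

# Heuristic generalisation of the listed subjects (an assumption, not from the alert):
# the same lure templates with a different invoice / bill / case number.
SUBJECT_TEMPLATES = re.compile(
    r"^(?:(?:account|recent) invoice|monthly bill)-#\d+ (?:tip|notification|notice|reminder)$"
    r"|^lawsuit formed – missed payment #\d+$"
    r"|^case \d+: improper information in the (?:sent|accepted) (?:document|statement)$",
    re.IGNORECASE,
)

# Constructed gateway log format: '<ts> from=<addr> subject="<text>" [url=<first link>]'
LOG_RE = re.compile(
    r'^(?P<ts>\S+) from=(?P<sender>\S+) subject="(?P<subject>[^"]*)"(?: url=(?P<url>\S+))?$'
)


def classify(line: str) -> dict:
    """Return the IOC categories a log line matches; {} if clean, {'error': ...} if unparsed."""
    m = LOG_RE.match(line)
    if not m:
        return {"error": "unparsed"}
    hits = {}
    if m["sender"].lower() in SENDERS:
        hits["sender"] = m["sender"]
    subj = m["subject"]
    if subj.lower() in SUBJECTS:
        hits["subject"] = "exact"       # verbatim subject from the alert
    elif SUBJECT_TEMPLATES.match(subj):
        hits["subject"] = "template"    # same lure wording, different number
    if m["url"] and m["url"].lower() in URLS:
        hits["url"] = m["url"]
    return hits


def scan(lines):
    """Yield (line, hits) for every parsable line with at least one IOC match."""
    for line in lines:
        hits = classify(line)
        if hits and "error" not in hits:
            yield line, hits


# Constructed sample log lines for a stand-alone run (not real traffic).
SAMPLE_LOG = [
    '2020-04-20T08:01:11Z from=abid.ricog1983@o2.pl subject="Account invoice-#553438 tip" '
    'url=http://reneixer.org/wp/wp-content/themes/calliope/wp_data.php',
    '2020-04-20T08:05:42Z from=someone@example.net subject="Recent invoice-#111111 notice"',
    '2020-04-20T08:09:03Z from=colleague@example.net subject="Lunch on Friday?"',
]

if __name__ == "__main__":
    for line, hits in scan(SAMPLE_LOG):
        print(hits, "<-", line)
```

A "template" subject hit on its own is a lower-confidence signal than a sender or URL hit and is best used to prioritise mailbox review rather than to block automatically; an exact sender or URL match is something to block at the gateway and proxy and to search back through retained mail for.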