Rewterz Threat Alert – Heodo Malware – Active IOCs
November 30, 2022Rewterz Threat Advisory – ICS: Mitsubishi Electric MELSEC and MELIPC Series Vulnerabilities
November 30, 2022Severity
High
Analysis Summary
ZLoader is also known as Terdot, DELoader, that loads the Zeus malware on victim machines after initial infection. It is a banking trojan. Like other banking trojans, It’s core capability is to harvest online account credentials for online banking sites (and some other services). When infected users land on a targeted online banking portal, malware dynamically fetches web injections from its command-and-control (C2) server to modify the page that the user sees, so that the information that the user enters into the log-in fields is sent to the cybercriminals. Attackers are found targeting victims with Invoice themed spear phishing malicious documents, in order to infect them with ZLoader. This wave of ZLoader samples also consists of files following the invoice-theme. The filenames are usually “invoice” or “case” with a special character like “.”, “-” or “_” followed by four random digits. The usual target is financial institutions and banks. ZLoader has multiple distribution methods, it was also found to be distributed via malvertising campaigns in September 2021. Another campaign was found distributing ZLoader and other malware via Obfuscated VBScript in June
Impact
- Credential Theft
- Financial Theft
- Data Exfiltration
Indicators of Compromise
MD5
62b87f0de1b006eebd9bb87b4ea514e7
SHA-256
d5ef0be8d27ece5a28435984a68b647b1bcf511a31aa62ad7564f4b7832cb8d7
SHA-1
89fd37fca2187ad7d25e9f44c1a297a17aaa55ef
Remediation
- Block all threat indicators at your respective controls.
- Search for IOCs in your environment.