Rewterz Threat Alert – REvil Ransomware Returns with Gootkit Malware
December 1, 2020
Rewterz Threat Alert – APT Groups Kimsuky Konni targets SouthEast Asia
December 2, 2020
Severity
High
Analysis Summary
A huge wave of ZLoader samples has been observed in the past 24 hours. ZLoader, also known as Terdot or DELoader, is a banking trojan that loads the Zeus malware on victim machines after initial infection. Like other banking trojans, its core capability is to harvest online account credentials for online banking sites (and some other services). When an infected user lands on a targeted online banking portal, the malware dynamically fetches web injections from its command-and-control (C2) server to modify the page the user sees, so that the information the user enters into the log-in fields is sent to the cybercriminals. Attackers have been observed targeting victims with invoice-themed spear-phishing documents in order to infect them with ZLoader, and this wave of ZLoader samples also follows the invoice theme. The filenames are usually “invoice” or “case”, followed by a special character such as “.”, “-” or “_” and four random digits.
The usual targets are financial institutions and banks. ZLoader has multiple distribution methods: it was found being distributed via malvertising campaigns earlier this September, another campaign was found distributing ZLoader and other malware via obfuscated VBScript in June, and in April ZLoader was also found actively targeting financial organizations.
Impact
- Unauthorized Code Execution
- Credential Theft
- Financial Theft
- Data Exfiltration
Indicators of Compromise
Domain Name
- statedauto[.]com
- syracuse[.]best
- skill[.]fashion
Filename
- case_****[.]xls
- invoice-****[.]xls
MD5
SHA-256
SHA1
Remediation
- Block the threat indicators at their respective controls.
- Do not download files attached to untrusted emails, especially those using an invoice theme.
- Do not click on links given in untrusted emails or on untrusted public websites.
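As an added example (not part of the Rewterz alert), the following Python triage script applies the two indicator types the alert describes in detail, the “invoice”/“case” lure filename pattern and the listed domains, to a few constructed mail-gateway log lines; the key=value log format and its field names (from, attachment, urls) are assumed.

```python
import re

# Domains listed in the alert, kept defanged ("[.]") exactly as the alert gives them.
ALERT_DOMAINS_DEFANGED = ["statedauto[.]com", "syracuse[.]best", "skill[.]fashion"]

def refang(indicator: str) -> str:
    """Turn a defanged indicator ("example[.]com") into a matchable hostname."""
    return indicator.replace("[.]", ".").lower()

ALERT_DOMAINS = {refang(d) for d in ALERT_DOMAINS_DEFANGED}

# Lure filename described in the alert: "invoice" or "case", one of ".", "-" or "_",
# exactly four digits, then .xls (the IoC list shows case_****.xls / invoice-****.xls).
LURE_NAME = re.compile(r"^(?:invoice|case)[._-]\d{4}\.xls$", re.IGNORECASE)

def is_lure_filename(name: str) -> bool:
    return LURE_NAME.match(name.strip()) is not None

# Hypothetical mail-gateway export: space-separated key=value fields (assumed format).
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line: str) -> dict:
    return {k: v.strip('"') for k, v in KV.findall(line)}

def classify(line: str) -> list:
    """Return every reason a log line matches the alert's indicators (empty if none)."""
    f = parse_line(line)
    reasons = []
    att = f.get("attachment", "")
    if is_lure_filename(att):
        reasons.append("lure filename: " + att)
    sender = f.get("from", "").rpartition("@")[2].lower()
    if sender in ALERT_DOMAINS:
        reasons.append("sender domain on alert list: " + sender)
    for url in filter(None, f.get("urls", "").split(",")):
        host = url.split("://", 1)[-1].split("/", 1)[0].lower()
        if host in ALERT_DOMAINS:
            reasons.append("URL host on alert list: " + host)
    return reasons

# Constructed sample lines (not real traffic); the last two are deliberate near-misses.
SAMPLE_LOG = [
    "ts=2020-12-02T09:14:03Z from=billing@example.org to=ap@corp.example attachment=invoice-4821.xls",
    "ts=2020-12-02T09:16:42Z from=noreply@statedauto.com to=ap@corp.example urls=http://skill.fashion/dl/x.php",
    "ts=2020-12-02T09:17:55Z from=ops@corp.example to=ap@corp.example attachment=case.12345.xls",
    "ts=2020-12-02T09:18:30Z from=hr@corp.example to=ap@corp.example attachment=invoice_report.xlsx",
]
```

Running `classify()` over `SAMPLE_LOG` flags only the first two lines; the five-digit and `.xlsx` variants fall outside the pattern the alert describes, which is the usual reason a pattern-based rule should be paired with the hash indicators at the gateway.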