Rewterz Threat Alert – AZORult Malware – Active IOCs
March 26, 2021
Rewterz Threat Advisory – CVE-2021-1879 – Zero-day Exploit in Apple Devices Gets an Urgent Patch
March 29, 2021
Severity
High
Analysis Summary
ZLoader, a banking trojan that resurfaces in distribution campaigns from time to time, is currently being delivered through malspam. Some of these campaigns host the malware on the Zoho Docs platform so that the download link points at a legitimate service. Zoho Docs is an online document management system in which users store files in a centralized location and access them from any device; it allows uploading, storing, creating, editing, sharing, and viewing any file type, including documents, spreadsheets, presentations, pictures, music, and videos.
Impact
- Unauthorized Code Execution
- Credential Theft
- Financial Theft
- Data Exfiltration
Indicators of Compromise
Remediation
- Block the threat indicators at their respective controls.
- Do not download or open files attached to untrusted emails.
- Do not click on links in untrusted emails or on untrusted public websites, even if they appear legitimate.