Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
This advisory covers SWIFT-themed phishing emails that contain a malicious URL leading to a malicious zip file.
A member has reported SWIFT-themed phishing emails containing a URL. Clicking the URL redirects to a malicious zip file named after a date and a SWIFT message type (e.g. 10_07_18_MT103_Copy).
SWIFT-themed emails purport to concern remittances from banks. Their subjects may read like “A percentage of your paid tax is being refunded. Please login to check” or “Your refund request expires today. Login here to claim it”. The email usually contains a URL leading to a fake SWIFT login page.
Phishing emails are malicious emails used by attackers to harvest credentials from a user.
Once the user enters credentials on the fake SWIFT login page, the attackers can use them to make unauthorized transfers from the victim's account.
These phishing emails may also be meant to drop payloads. Phishing emails feature in several kinds of cyber attacks: they can be used to steal sensitive information such as passwords, or to drop malicious files and payloads that carry the attack further through remote code execution.
The payloads observed in the samples have the following details:
Payload URL: hxxp://irontech.ind[.]br/10_07_18_MT103_Copy.zip
  VT detection ratio: 3/68
  URLVoid safety reputation: 0/35
  Domain first registered: Unknown
  Server location: (BR) Brazil
  ASN: AS27715
  ASN owner: LocaWeb Ltd

File: 10_07_18_MT103_Copy.zip
  VT detection ratio: 17/62
  MD5: 03ab4e91c30a55bd13a1a008401e72f7
  SHA1: 3764911740702a30924990b0265c3eac53f1db82
  SHA256: efce38cf340ef2de620e025147c75de667f9f0d495b23c61c4d75bfe9e60ac45
  File type: ZIP
  File size: 154.0 KB (157724 bytes)
Analyst Note: MT103 is the SWIFT message type used for single customer credit transfers (payments).

File: 10_07_18_MT103_Copy.exe
  VT detection ratio: 29/68
  MD5: 4a629ccf87f24ac4720d890b1292da82
  SHA1: 291ff2f443e03ccf0b44ae227110f69a62f68d22
  SHA256: 127663c557f11c8571b6c73cd58f673ab705bff8ab273bd087480f215eb09ea7
  File type: Win32 EXE
  File size: 568.0 KB (581632 bytes)

Network indicator: newlogs1.hopto[.]org:2730
  VT detection ratio: 2/67
  URLVoid safety reputation: 1/35
  Domain first registered: Unknown
  Server location: (CH) Switzerland
  ASN: AS48971
  ASN owner: DATAWIRE AG

Network indicator: newlogs.ddnsgeek[.]com:2730
  VT detection ratio: 1/67
  URLVoid safety reputation: 1/35
  Domain first registered: Unknown
  Server location: (AL) Albania
  ASN: AS197706
  ASN owner: KemiNet Ltd.
Organizations may consider blocking the threat indicators listed above. It is also recommended to conduct training sessions that teach employees not to click links in, or open files attached to, such phishing emails.
If you think you are a victim of a cyber-security attack, immediately send an email to info@rewterz.com for a rapid response.
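One way to act on the recommendation above is to refang the advisory's indicators and sweep existing proxy/firewall logs for past contact with them. The script below is an added example, not Rewterz tooling: it takes the payload URL, the two host:port indicators and the two SHA-256 hashes from this advisory, and the log lines it scans are constructed for illustration (the `dst=host:port` field format is an assumption about the log source).

```python
import re
# Indicators exactly as published in the advisory above, still in defanged form.
ADVISORY_IOCS = {
    "urls": ["hxxp://irontech.ind[.]br/10_07_18_MT103_Copy.zip"],
    "hostports": ["newlogs1.hopto[.]org:2730", "newlogs.ddnsgeek[.]com:2730"],
    "sha256": ["efce38cf340ef2de620e025147c75de667f9f0d495b23c61c4d75bfe9e60ac45",   # .zip
               "127663c557f11c8571b6c73cd58f673ab705bff8ab273bd087480f215eb09ea7"],  # .exe
}

def refang(value):
    """Undo the advisory's defanging (hxxp, [.]) so the value can be matched."""
    return value.replace("hxxp", "http").replace("[.]", ".").lower()

def build_matchers(iocs):
    """Split indicators into hostnames, exact (host, port) pairs and SHA-256 hashes."""
    hosts, hostports = set(), set()
    for url in iocs["urls"]:
        hosts.add(refang(url).split("//", 1)[1].split("/", 1)[0])
    for entry in iocs["hostports"]:
        host, port = refang(entry).rsplit(":", 1)
        hostports.add((host, int(port)))
        hosts.add(host)
    return hosts, hostports, {h.lower() for h in iocs["sha256"]}

# Constructed proxy/firewall log lines for illustration; not real telemetry.
SAMPLE_LOGS = [
    "2018-07-10T09:12:44Z proxy user=alice dst=irontech.ind.br:80 url=http://irontech.ind.br/10_07_18_MT103_Copy.zip action=allow",
    "2018-07-10T09:13:02Z fw user=alice dst=newlogs1.hopto.org:2730 proto=tcp action=allow",
    "2018-07-10T09:15:10Z proxy user=bob dst=example.com:443 url=https://example.com/ action=allow",
    "2018-07-10T09:16:30Z fw user=carol dst=NEWLOGS.ddnsgeek.com:443 proto=tcp action=allow",
]
DST_RE = re.compile(r"\bdst=([^\s:]+):(\d+)")

def scan_logs(lines, hosts, hostports):
    """Return (kind, host, port, line) for each log line that touches an indicator."""
    hits = []
    for line in lines:
        m = DST_RE.search(line)
        if not m:
            continue
        host, port = m.group(1).lower(), int(m.group(2))
        if (host, port) in hostports:
            hits.append(("hostport", host, port, line))  # exact host:port from the advisory
        elif host in hosts:
            hits.append(("host", host, port, line))      # payload host, or listed host on another port
    return hits

def is_known_sample(sha256_hex, hashes):
    """True when a file's SHA-256 matches one of the advisory's payload hashes."""
    return sha256_hex.strip().lower() in hashes
```

A hostname hit on a different port is still worth triage, since dynamic DNS hosts such as these are easily repointed.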