Severity
Medium
Analysis Summary
A TA505 threat group campaign masquerades as email from the “National Tax Inspectorate for interrogation”.
The infection starts with an email with the subject “National Tax Code”.
The spreadsheet from this email contains malicious macros that, once enabled, download and execute the first-stage malware “wiskkk.exe”. This executable in turn downloads and executes winserv.exe, the final-stage malware, also known as RMS (Remote Manipulator System). RMS is a known remote administration tool by TektonIT and allows complete access to the target system.
Impact
Unauthorized system access
Indicators of Compromise
IP(s) / Hostname(s)
217[.]12[.]201[.]159
Malware Hash (MD5/SHA1/SHA256)
Email Subject
National Tax Code
Filename
Remediation
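A hunting check for the indicators listed above, added here as an example and not part of the original advisory: it matches the email subject, the two executable names and the IP against log events and groups the hits per host. The event schema (`type`, `host`, `subject`, `image`, `dst`), the host names and the file paths are constructed assumptions, not a real product format.

```python
import ipaddress
import ntpath
from collections import defaultdict

# Indicators from the advisory; the IP is kept defanged as published.
IOC_IPS_DEFANGED = ["217[.]12[.]201[.]159"]
IOC_SUBJECT = "national tax code"
IOC_FILES = {"wiskkk.exe": "stage1", "winserv.exe": "final_stage_rms"}

def refang(indicator):
    """Turn a defanged IP such as 1[.]2[.]3[.]4 into a validated address."""
    return ipaddress.ip_address(indicator.replace("[.]", "."))

IOC_IPS = {refang(i) for i in IOC_IPS_DEFANGED}

def match(event):
    """Return the indicator label an event hits, or None."""
    kind = event.get("type")
    if kind == "mail" and IOC_SUBJECT in event.get("subject", "").casefold():
        return "lure_email"
    if kind == "process":
        # ntpath parses Windows paths whatever OS the analyst runs this on
        return IOC_FILES.get(ntpath.basename(event.get("image", "")).lower())
    if kind == "netflow":
        try:
            return "ioc_ip" if ipaddress.ip_address(event.get("dst", "")) in IOC_IPS else None
        except ValueError:
            return None  # malformed address in the log line
    return None

def hunt(events):
    """Group hits per host so several stages on one machine stand out."""
    hits = defaultdict(set)
    for ev in events:
        label = match(ev)
        if label:
            hits[ev["host"]].add(label)
    return {host: sorted(labels) for host, labels in hits.items()}

# Constructed sample events (assumed schema, hypothetical hosts and paths)
SAMPLE = [
    {"type": "mail", "host": "ws-014", "subject": "FW: National Tax Code"},
    {"type": "process", "host": "ws-014", "image": r"C:\Users\a\AppData\Local\Temp\wiskkk.exe"},
    {"type": "process", "host": "ws-014", "image": r"C:\ProgramData\winserv.exe"},
    {"type": "netflow", "host": "ws-014", "dst": "217.12.201.159"},
    {"type": "netflow", "host": "ws-022", "dst": "217.12.201.15"},
    {"type": "mail", "host": "ws-031", "subject": "Quarterly tax code update"},
]
```

A subject or file name match on its own is a weak signal; a host that shows several labels together, as `ws-014` does in `hunt(SAMPLE)`, is the one to triage first.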