
Rewterz Threat Alert – APT37 Thallium Broadens Target Industries Around the Globe

January 2, 2020

Severity

High

Analysis Summary

APT37 has likely been active during most of this decade. It primarily focused on targeting the public and private sectors in South Korea. In 2017, APT37 expanded its targeting beyond the Korean peninsula to include Japan, Vietnam and the Middle East, and to a wider range of industry verticals, including chemicals, electronics, manufacturing, aerospace, automotive and healthcare entities.
Microsoft has recently taken control of 50 websites used by suspected North Korean hackers to bolster attempted hacks against government employees, universities and nuclear organizations, among other targets.
Thallium sends phishing emails that direct targeted victims to malicious websites, where they are prompted to enter their username and password. A successful attempt gives Thallium access to the victim's account data, including messages, contact lists and appointments. The IoCs below show that most of these malicious domains masquerade as legitimate domains with minor typos, which unsuspecting users often fail to notice.

Microsoft reports that Thallium has been active since 2010, and is known for its use of malicious software known as BabyShark and KimJongRAT.

Impact

  • Information Disclosure
  • Credential Theft

Indicators of Compromise

Domain name

  • intercasher[.]com
  • woenxosewdgebc123[.]com
  • nuaver[.]com
  • interpuber[.]com
  • rnailb[.]com
  • 163-mail-vertify[.]com
  • mail-securiety[.]com
  • clientsucceses[.]com
  • rnaiil[.]com
  • rnailn[.]com
  • hanmail[.]net
  • rnail-163[.]com
  • lnfo-master[.]com
  • blockochain[.]info
  • webmail-gooqle[.]com
  • imap-login[.]com
  • webmail-googie[.]com
  • dauurn[.]net
  • nid2-naver[.]com
  • files-downloader[.]net
  • rneail[.]com
  • rnaeil[.]com
  • maingoogle[.]com
  • nidhelpnaver[.]com
  • yahoo[.]security-lnfo[.]com
  • ns096a[.]microsoftinternetsafety[.]net
  • inbox-yahoo[.]com
  • daily-post[.]com
  • app-wallet[.]com
  • day-post[.]com
  • unite[.]office356-us[.]org
  • unite[.]un[.]graphwin[.]com
  • outlook[.]mai1[.]info
  • never[.]com-change[.]pw
  • login[.]hotrnall[.]com
  • securitedmode[.]com
  • natwpersonal-online[.]com
  • mai1[.]info
  • smtper[.]org
  • nid-login[.]com
  • hotrnall[.]com
  • dialy-post[.]com
  • set-login[.]com
  • secrityprocessing[.]com
  • drivecheckingcom[.]com
  • ctquast[.]com
  • filinvestment[.]com
  • files-download[.]net
  • bigwnet[.]com
  • usrchecking[.]com
  • sec-live[.]com
  • securytingmail[.]com
  • reader[.]cash
  • foldershareing[.]com
  • checkprofie[.]com
  • mail-down[.]com
  • dataviewering[.]com
  • reviewer[.]mobi
  • mihomat[.]com
  • cloudwebappservice[.]com
  • pw-change[.]com
  • documentviewingcom[.]com
  • change-pw[.]com
  • nidlogon[.]com
  • seoulhobi[.]biz
  • com-serviceround[.]info
  • pieceview[.]club
  • office365-us[.]org
  • rnicrosoft[.]com
  • encodingmail[.]com
  • lh-logins[.]com
  • bitwoll[.]com
  • rnailm[.]com
  • drog-service[.]com
  • dovvn-mail[.]com
  • fixcool[.]net
  • hanrnaii[.]net
  • cexrout[.]com
  • down-error[.]com
  • matmiho[.]com
  • golangapis[.]com
  • login-use[.]com
  • rnaii[.]com
  • outlook[.]doc-view[.]work
  • yalnoo[.]com
  • imap-login[.]co
  • yrnall[.]com
  • phlogin[.]com
  • navuor[.]com
  • lh-logs[.]com
  • maingoogie[.]com
  • login-sec[.]com
  • iinaver[.]com
  • ahooc[.]com
  • grnaeil[.]com
  • helpnaver[.]com
  • dounn[.]net
  • wallet-vahoo[.]com
  • gstaticstorage[.]com
  • naerver[.]com
  • mofako[.]com

From Email

  • tang_guanghui@hotmail[.]com
  • snow8949@hotmail[.]com
  • roman[.]alex2019@mail[.]ru
  • rninchurl@daum[.]net
  • okonoki_masao@yahoo[.]co[.]jp
  • norelyeverland@hanmail[.]net
  • jiahuzong@hotmail[.]com
  • infornail[.]noreply@gmail[.]com
  • hello-0978@daum[.]net
  • bitcoin025@hanmail[.]net
  • bitcoin024@hanmail[.]net
  • bitcoin018@hanmail[.]net
  • wusongha03@gmail[.]com
  • tiger199392@daum[.]net
  • satoshiman0088@gmail[.]com
  • pigcoin2020@hotmail[.]com
  • okonoki_masao@yahoo[.]co[.]jp
  • bitcoin016@hanmail[.]net
  • bitcoin015@hanmail[.]net
  • bitcoin014@hanmail[.]net
  • bitcoin013@hanmail[.]net
  • bitcoin003@hanmail[.]net

Source IP

  • 37[.]72[.]175[.]223
  • 27[.]102[.]106[.]122
  • 52[.]177[.]14[.]24
  • 160[.]202[.]162[.]78
  • 67[.]215[.]224[.]121

Remediation

  • Block the threat indicators at their respective controls.
  • Do not click on links in emails from untrusted addresses.
  • Do not enter credentials on websites that you are redirected to by clicking on links.
  • Train employees to detect phishing (typos in domain names, etc.).
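Most of the domains listed above imitate a real mail provider by swapping visually similar characters ("rn" for "m", "l" for "i", "q" for "g") or by dropping a letter. The following Python script is an added example, not part of the Rewterz advisory or its tooling: it refangs a handful of the advisory's defanged indicators, collapses confusable characters into a canonical "skeleton", and reports which protected brand each hostname resembles. The brand list, the confusable tables and the benign control domain `example.com` are assumptions chosen for illustration; extend them for your own environment before using the logic in a mail gateway or SIEM rule.

```python
import re
from typing import Iterable, Optional

# Constructed sample: a subset of the advisory's defanged indicators plus one
# benign control domain that must not be flagged.
SAMPLE_INDICATORS = [
    "rnicrosoft[.]com",
    "webmail-gooqle[.]com",
    "login[.]hotrnall[.]com",
    "dauurn[.]net",
    "iinaver[.]com",
    "example[.]com",
]

# Assumed list of brand labels worth protecting; extend per environment.
PROTECTED_BRANDS = ("microsoft", "google", "hotmail", "naver", "daum", "yahoo", "outlook")

# Multi-character sequences that render like a single letter; applied first.
MULTI_CHAR = (("rn", "m"), ("vv", "w"), ("cl", "d"))
# Single characters that are easily confused; mapped onto one canonical form.
SINGLE_CHAR = str.maketrans({"l": "i", "1": "i", "|": "i", "0": "o", "q": "g"})


def refang(indicator: str) -> str:
    """Turn the advisory's defanged form (x[.]y) back into a usable hostname."""
    return indicator.replace("[.]", ".").strip().lower()


def skeleton(label: str) -> str:
    """Collapse visually confusable characters so lookalikes compare equal."""
    for seq, canon in MULTI_CHAR:
        label = label.replace(seq, canon)
    return label.translate(SINGLE_CHAR)


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one-character slips such as 'dauum' vs 'daum'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_brand(hostname: str, brands=PROTECTED_BRANDS) -> Optional[str]:
    """Return the brand a hostname imitates, or None if no label resembles one."""
    labels = hostname.split(".")[:-1]  # drop the TLD; brands live in the labels
    for label in labels:
        for part in re.split(r"[-_]", label):
            sk = skeleton(part)
            for brand in brands:
                bsk = skeleton(brand)
                # exact skeleton match, brand embedded in the label, or one edit away
                if sk == bsk or bsk in sk or levenshtein(sk, bsk) <= 1:
                    return brand
    return None


def triage(indicators: Iterable[str]) -> dict:
    """Refang each indicator and map it to the protected brand it imitates (or None)."""
    return {refang(i): lookalike_brand(refang(i)) for i in indicators}


if __name__ == "__main__":
    for host, brand in triage(SAMPLE_INDICATORS).items():
        print(f"{host:25s} -> {brand or 'no brand match'}")
```

The skeleton step is what turns "rnicrosoft" into "microsoft" and "hotrnall" into "hotmail"; the edit-distance step picks up the dropped or doubled letter in "dauurn". Neither heuristic catches every entry in the list above (for example "yalnoo" survives both), so treat a match as a reason to block or escalate, and the indicator list itself as the authoritative blocklist.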
COPYRIGHT © REWTERZ. ALL RIGHTS RESERVED.