Severity
High
Analysis Summary
APT37 has likely been active during most of this decade. It primarily focused on targeting the public and private sectors in South Korea. In 2017, APT37 expanded its targeting beyond the Korean peninsula to include Japan, Vietnam and the Middle East, and to a wider range of industry verticals, including chemicals, electronics, manufacturing, aerospace, automotive and healthcare entities.
Microsoft has recently seized 50 websites used by suspected North Korean hackers to support attempted intrusions against government employees, universities and nuclear organizations, among other targets.
Thallium sends phishing emails that direct targeted victims to malicious websites, where they are prompted to enter their username and password. A successful attempt gives Thallium access to the victim's account data, including messages, contact lists and appointments. The IoCs indicate that most of these malicious domains masquerade as legitimate domains with minor typos, which unsuspecting users often fail to notice.
Microsoft reports that Thallium has been active since 2010, and is known for its use of malicious software known as BabyShark and KimJongRAT.
Impact
- Information Disclosure
- Credential Theft
Indicators of Compromise
Domain name
- intercasher[.]com
- woenxosewdgebc123[.]com
- nuaver[.]com
- interpuber[.]com
- rnailb[.]com
- 163-mail-vertify[.]com
- mail-securiety[.]com
- clientsucceses[.]com
- rnaiil[.]com
- rnailn[.]com
- hanmail[.]net
- rnail-163[.]com
- lnfo-master[.]com
- blockochain[.]info
- webmail-gooqle[.]com
- imap-login[.]com
- webmail-googie[.]com
- dauurn[.]net
- nid2-naver[.]com
- files-downloader[.]net
- rneail[.]com
- rnaeil[.]com
- maingoogle[.]com
- nidhelpnaver[.]com
- yahoo[.]security-lnfo[.]com
- ns096a[.]microsoftinternetsafety[.]net
- inbox-yahoo[.]com
- daily-post[.]com
- app-wallet[.]com
- day-post[.]com
- unite[.]office356-us[.]org
- unite[.]un[.]graphwin[.]com
- outlook[.]mai1[.]info
- never[.]com-change[.]pw
- login[.]hotrnall[.]com
- securitedmode[.]com
- natwpersonal-online[.]com
- mai1[.]info
- smtper[.]org
- nid-login[.]com
- hotrnall[.]com
- dialy-post[.]com
- set-login[.]com
- secrityprocessing[.]com
- drivecheckingcom[.]com
- ctquast[.]com
- filinvestment[.]com
- files-download[.]net
- bigwnet[.]com
- usrchecking[.]com
- sec-live[.]com
- securytingmail[.]com
- reader[.]cash
- foldershareing[.]com
- checkprofie[.]com
- mail-down[.]com
- dataviewering[.]com
- reviewer[.]mobi
- mihomat[.]com
- cloudwebappservice[.]com
- pw-change[.]com
- documentviewingcom[.]com
- change-pw[.]com
- nidlogon[.]com
- seoulhobi[.]biz
- com-serviceround[.]info
- pieceview[.]club
- office365-us[.]org
- rnicrosoft[.]com
- encodingmail[.]com
- lh-logins[.]com
- bitwoll[.]com
- rnailm[.]com
- drog-service[.]com
- dovvn-mail[.]com
- fixcool[.]net
- hanrnaii[.]net
- cexrout[.]com
- down-error[.]com
- matmiho[.]com
- golangapis[.]com
- login-use[.]com
- rnaii[.]com
- outlook[.]doc-view[.]work
- yalnoo[.]com
- imap-login[.]co
- yrnall[.]com
- phlogin[.]com
- navuor[.]com
- lh-logs[.]com
- maingoogie[.]com
- login-sec[.]com
- iinaver[.]com
- ahooc[.]com
- grnaeil[.]com
- helpnaver[.]com
- dounn[.]net
- wallet-vahoo[.]com
- gstaticstorage[.]com
- naerver[.]com
- mofako[.]com
From Email
- tang_guanghui@hotmail[.]com
- snow8949@hotmail[.]com
- roman[.]alex2019@mail[.]ru
- rninchurl@daum[.]net
- okonoki_masao@yahoo[.]co[.]jp
- norelyeverland@hanmail[.]net
- jiahuzong@hotmail[.]com
- infornail[.]noreply@gmail[.]com
- hello-0978@daum[.]net
- bitcoin025@hanmail[.]net
- bitcoin024@hanmail[.]net
- bitcoin018@hanmail[.]net
- wusongha03@gmail[.]com
- tiger199392@daum[.]net
- satoshiman0088@gmail[.]com
- pigcoin2020@hotmail[.]com
- bitcoin016@hanmail[.]net
- bitcoin015@hanmail[.]net
- bitcoin014@hanmail[.]net
- bitcoin013@hanmail[.]net
- bitcoin003@hanmail[.]net
Source IP
- 37[.]72[.]175[.]223
- 27[.]102[.]106[.]122
- 52[.]177[.]14[.]24
- 160[.]202[.]162[.]78
- 67[.]215[.]224[.]121
Remediation
- Block the threat indicators at their respective controls.
- Do not click on links in emails from untrusted senders.
- Do not enter credentials on websites reached by clicking links in email.
- Train employees to recognize phishing (typos in domain names, etc.).
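The analysis above notes that most of the listed domains imitate legitimate ones through minor typos (rn for m, q for g, l for i), and the remediation asks defenders to block the indicators and to watch for such look-alikes. The script below is an added illustration of both points, not code from Rewterz or Microsoft: it refangs a subset of the alert's domain indicators, then scans constructed DNS log lines for exact IoC hits and for hostnames that imitate a short list of mail-provider brands. The log format, the `LEGIT_DOMAINS` list and the `FOLDS` substitution table are assumptions; `maingoogie[.]com` from the alert is deliberately left out of the IoC subset so that the heuristic, rather than the blocklist, catches it.

```python
"""Added illustration for this alert (not Rewterz's or Microsoft's code): refang a
subset of the alert's domain IoCs and scan constructed DNS-log lines for exact IoC
hits and for hostnames that imitate a few mail-provider brands using the
confusable substitutions visible in the indicators (rn->m, vv->w, q->g, l/1->i, 0->o)."""
import re
from typing import Dict, List, Optional

# Subset of the alert's "Domain name" indicators, kept defanged as published.
# (maingoogie[.]com is deliberately left out to show the heuristic catching it.)
ALERT_DOMAINS_DEFANGED = [
    "rnailb[.]com", "webmail-gooqle[.]com", "hotrnall[.]com",
    "nid2-naver[.]com", "rnicrosoft[.]com",
]

# Brands the indicators imitate. Assumption: an organisation would list the
# providers it actually uses, plus brand-owned domains it wants allowlisted.
LEGIT_DOMAINS = ["google.com", "gmail.com", "hotmail.com", "outlook.com",
                 "naver.com", "yahoo.com", "microsoft.com", "daum.net"]

# Look-alike sequences seen in the IoCs, applied in this order to both sides.
FOLDS = [("rn", "m"), ("vv", "w"), ("q", "g"), ("1", "l"), ("0", "o"), ("l", "i")]

# Constructed DNS log lines (assumed format: timestamp client "query" type qname).
SAMPLE_DNS_LOG = """\
2020-01-03T09:01:12Z 10.0.4.21 query A mail.google.com
2020-01-03T09:01:40Z 10.0.4.21 query A rnailb.com
2020-01-03T09:02:05Z 10.0.4.33 query A www.naver.com
2020-01-03T09:02:51Z 10.0.4.33 query A login.webmail-gooqle.com
2020-01-03T09:03:17Z 10.0.4.40 query A maingoogie.com
2020-01-03T09:03:58Z 10.0.4.40 query A example.org
"""


def refang(indicator: str) -> str:
    """'rnailb[.]com' -> 'rnailb.com'; also restores hxxp:// if a URL slips in."""
    return indicator.strip().lower().replace("[.]", ".").replace("hxxp", "http")


def fold(label: str) -> str:
    """Collapse confusable sequences so that fold('gooqle') == fold('google')."""
    for src, dst in FOLDS:
        label = label.replace(src, dst)
    return label


def registrable(host: str) -> str:
    """Last two labels of a hostname (assumption: no public-suffix list at hand)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def lookalike_of(host: str) -> Optional[str]:
    """Return the legitimate domain `host` appears to imitate, or None.

    A hostname under a listed legitimate domain is never flagged. Otherwise the
    second-level label is split on hyphens, each piece is folded, and compared
    with each folded brand label: equal, or (for brand labels of five or more
    characters) containing the brand as a substring, e.g. 'maingoogie'."""
    reg = registrable(host)
    if reg in LEGIT_DOMAINS:
        return None
    tokens = [fold(t) for t in re.split(r"[-_]", reg.split(".")[0]) if t]
    for brand in LEGIT_DOMAINS:
        bf = fold(brand.split(".")[0])
        for tf in tokens:
            if tf == bf or (len(bf) >= 5 and bf in tf):
                return brand
    return None


def scan_dns_log(log_text: str, ioc_domains=ALERT_DOMAINS_DEFANGED) -> List[Dict]:
    """One record per log line whose query name matches an IoC or looks like a typosquat."""
    iocs = {refang(d) for d in ioc_domains}
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[2] != "query":
            continue  # not in the assumed log format
        ts, client, qname = parts[0], parts[1], parts[4].lower().rstrip(".")
        reasons = []
        # Match the full name and its registrable domain, so subdomains of an IoC hit too.
        if qname in iocs or registrable(qname) in iocs:
            reasons.append("alert-ioc")
        brand = lookalike_of(qname)
        if brand:
            reasons.append(f"lookalike:{brand}")
        if reasons:
            hits.append({"time": ts, "client": client, "qname": qname, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"{hit['time']} {hit['client']} {hit['qname']:28} {', '.join(hit['reasons'])}")
```

The substring rule will also flag brand-owned domains that are not the brand's main domain (for instance a provider's content-hosting domain), so in practice such domains belong in `LEGIT_DOMAINS` as an allowlist, and lookalike hits should be reviewed rather than blocked automatically; exact `alert-ioc` hits are the ones to block outright.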