Rewterz Threat Alert – Defense Contractor Themed Spearphishing

Severity

Medium

Analysis Summary

Defense Contractor themed phishing campaign has been active lately and targeting different organizations. This campaign has been previously active as well, mainly targeting defense / military infrastructure and try to sneak into as much possible as they can by luring users for their credentials.  

The spear phishing attacks appear to be a part of a broad campaign targeting defense contractors, several universities and security firms. The malware operates as a remote access tool and initially was detected by only a minimal number of antivirus vendors.

Impact

• Credential theft
• Exposure of sensitive information

Indicators of Compromise

URLs

• https[:]//mtcareers[.]myftp[.]org[:]4343/ManTech/hta/index[.]html
• http[:]//213[.]252[.]246[.]80[:]8888/asd123
• http[:]//213[.]252[.]246[.]80[:]8888/asd123[.]
• http[:]//ngcareers[.]myvnc[.]com/
• http[:]//mantechcareers[.]serveftp[.]com/
• http[:]//8933-16423[.]bacloud[.]info/
• https[:]//213[.]252[.]246[.]80[:]448/business/retail-business/
• http[:]//213[.]252[.]246[.]80/
• http[:]//mtcareers[.]myftp[.]org/
• https[:]//213[.]252[.]246[.]80/business/retail-business/
• http[:]//8933-16423[.]bacloud[.]info/mantech/index[.]php
• http[:]//213[.]252[.]246[.]80[:]8888/asd123?A1GROUQBOO=a2e5bce1092e47188db4826e7a6adac3;5E1O9L3YWI=;

Remediation

• Block all threat indicators at your respective controls.
• Always be suspicious about emails sent by unknown senders.
• Never click on the link/attachments sent by unknown senders.