• Services
    • Assess
      • Compromise Assessment
      • APT Assessment
      • Penetration Testing
      • Secure Architecture Design & Review
      • Red Team Assessment
      • Purple Team Assessment
      • Social Engineering
      • Source Code Review
    • Transform
      • SOC Consultancy
      •     SOC Maturity Assessment
      •     SOC Model Evaluation
      •     SOC Gap Analysis
      •     SIEM Gap Analysis
      •     SIEM Optimization
      •     SOC Content Pack
    • Train
      • Security Awareness and Training
      • Tabletop Exercise
      • Simulated Cyber Attack Exercises
    • Respond
      • Incident Response
      • Incident Analysis
  • Managed Security
    • Managed Security Monitoring
      • Remote SOC
      • Onsite SOC
      • Hybrid SOC
    • Managed Security Services
      • Managed Detection and Response
      • Managed Endpoint Detection and Response
      • Managed Threat Intelligence
      • Managed Threat Hunting
      • Managed Risk-Based SOAR
      • Managed Penetration Testing
  • Solutions
  • Resources
    • Blog
    • Press Release
    • Threat Advisory
  • Company
    • About Us
    • Careers
    • Contact
Rewterz Threat Alert – New MuddyWater Activities Uncovered
June 11, 2019
Rewterz Threat Advisory – CVE-2019-0303 – SAP BusinessObjects BI Administration Console Cross Site Scripting Vulnerability
June 12, 2019

Rewterz Threat Alert – DNS Compromise Attack Phishing Spam

June 11, 2019

Severity

Medium

Analysis Summary

A new finance spam campaign with HTML attachments has been discovered that utilizes Google’s public DNS resolver to retrieve JavaScript commands embedded in a domain’s TXT record. These commands will then redirect a user’s browser to a aggressive trading advertisement site, which has been reported as a scam.

All the emails were very simple emails with a HTML attachment look like this:

Scam Email

All the emails came from IP numbers that have previously been seen to be used by Necurs botnet. The domains listed in the from box do not track back to the IP numbers they came from.

The script in the file looks like:

fake invoic html file

Indicators of Compromise

URLs

  • appteslerapp[.]com
  • fetch[.]bucsgwbno[.]samaste[.]net
  • fetch[.]faonwvzso[.]ourmazdcompany[.]net
  • fetch[.]kkqhoniv[.]baranweddings[.]com
  • fetch[.]nukss[.]hrhuae[.]com
  • fetch[.]pebabsacc[.]sarahelizabethjewelry[.]com
  • fetch[.]qedrbzpzzx[.]baranevents[.]com
  • http[:]//www[.]1835bfg36abp[.]ctifsouteni[.]icu/456[.]xn--html-sw3b
  • http[:]//www[.]14534bfg36abp[.]etapportert[.]icu/5436[.]xn--html-sw3b
  • http[:]//www[.]488bfg36abp[.]ffrirbesoin[.]icu/1446[.]xn--html-sw3b
  • http[:]//www[.]5438bfg36abp[.]ffrirbesoin[.]icu/3643[.]xn--html-sw3b
  • http[:]//www[.]55696bfg36abp[.]ielassocier[.]icu/7467[.]xn--html-sw3b
  • http[:]//www[.]66688bfg36abp[.]ffrirbesoin[.]icu/3161[.]xn--html-sw3b
  • http[:]//www[.]7913bfg36abp[.]etapportert[.]icu/33476[.]xn--html-sw3b
  • http[:]//www[.]81934bfg36abp[.]etapportert[.]icu/3185[.]xn--html-sw3b
  • https[:]//appteslerapp[.]com/
  • ns1[.]firstdnshoster[.]com
  • ns[.]firstdnshoster[.]com
  • www[.]1835bfg36abp[.]ctifsouteni[.]icu
  • www[.]14534bfg36abp[.]etapportert[.]icu
  • www[.]488bfg36abp[.]ffrirbesoin[.]icu
  • www[.]5438bfg36abp[.]ffrirbesoin[.]icu
  • www[.]55696bfg36abp[.]ielassocier[.]icu
  • www[.]66688bfg36abp[.]ffrirbesoin[.]icu
  • www[.]7913bfg36abp[.]etapportert[.]icu
  • www[.]81934bfg36abp[.]etapportert[.]icu

Remediation

  • Block threat indicators at your respective controls.
  • Always be suspicious about emails sent by unknown senders.
  • Never click on the link/ attachments sent by unknown senders.
  • Services
    • Assess
      • Compromise Assessment
      • APT Assessment
      • Penetration Testing
      • Secure Architecture Design & Review
      • Red Team Assessment
      • Purple Team Assessment
      • Social Engineering
      • Source Code Review
    • Respond
      • Incident Response
      • Incident Analysis
  • Transform
    • SOC Consultancy
    •     SOC Maturity Assessment
    •     SOC Model Evaluation
    •     SOC Gap Analysis
    •     SIEM Gap Analysis
    •     SIEM Optimization
    •     SOC Content Pack
  • Train
    • Security Awareness and Training
    • Tabletop Exercise
    • Simulated Cyber Attack Exercises
  • Managed Security
    • Managed Security Monitoring
      • Remote SOC
      • Onsite SOC
      • Hybrid SOC
    • Managed Security Services
      • Managed Detection and Response
      • Managed Endpoint Detection and Response
      • Managed Threat Intelligence
      • Managed Threat Hunting
      • Managed Risk-Based SOAR
      • Managed Penetration Testing
  • Solutions
  • Resources
    • Blog
    • Threat Advisory
  • Company
    • About Us
    • Careers
    • Contact
COPYRIGHT © REWTERZ. ALL RIGHTS RESERVED.