Rewterz Threat Alert – Magecart Group Continues Targeting E-Commerce Sites
September 2, 2019Rewterz Threat Alert – Mastercard Priceless Specials Members Data Shared Online
September 3, 2019Severity
High
Analysis Summary
A spear phishing attack was conducted on some of the members of certain cryptocurrency exchanges in Korea. This attack, too , is an extension of the Lazarus campaign, disguised as a vocational document request, which was unveiled on the 20th, and is an extension of the attack vector.
Email screen used in a real attack
In the past, Lazarus threats are characterized by a lure of users with subjects and content that have nothing to do with the recipient, and can be seen as one of irregular social engineering techniques.
Impact
Financial loss
Indicators of Compromise
URLs
- http[:]//www[.]youdermoscopy[.]org/media/fly312[.]avi
- http[:]//alnagm-press[.]com/wp-content/plugins/cloudflare/list[.]php
- https[:]//swedishmassageamsterdam[.]nl/wp-content/themes/top[.]php
- https[:]//elsouq[.]org/aramex/left[.]php
- https[:]//www[.]youdermoscopy[.]org/media/fly[.]avi
- https[:]//alnagm-press[.]com/wp-content/plugins/cloudflare/list[.]php
- https[:]//www[.]youdermoscopy[.]org/media/fly312[.]avi
Filename
100 years dream greeting after 100 years.hwp
Malware Hash (MD5/SHA1/SH256)
- 0af6d9aa7e1d1df68d538fa4bd59fd13
- 89423ec34da7c2f78b80847def65d767
- 9010355538d681a6224ee113ffc89f76
- e43fb78165dad0e2e18de1ae304399b7
Remediation
- Block all threat indicators at your respective controls.
- Always be suspicious about emails sent by unknown senders.
- Never click on the link/attachments sent by unknown senders.