
Rewterz Threat Alert – Multiple Malspam Campaigns Dropping Different Malware – IoCs

March 19, 2019

Severity

Medium

Analysis Summary

The following malspam campaigns have been reported:

  • A FormBook malware phishing campaign using the subject “Revised document”.
  • An O365-themed phishing email using the subject “A file has been shared with you”.
  • A spear-phishing email containing a suspicious phishing URL, using the subject “Fed Reporter”.
  • An Emotet malspam campaign with PDF attachments containing embedded malicious URLs, using a subject of the form “<Firstname> Online Payment Summary March 2019”.
  • An AMEX-themed phishing email with the subject “Your Account Has Been Flagged !” that carries a malicious PDF.
  • An Apple-themed phishing email with the subject line “[ New Update ] [ Receipt Invoice ] [ #ID8461164 ] Thanks for your order in App store at March 14, 2019”.
  • A vacation tours website (niagaratours[.]ca) has been compromised; all payment and personal information entered on the site is sent to the attacker-controlled domain handelaar[.]org.
  • A Trickbot malspam campaign using the subject “Deposit 91369724 paid 02/26/2019”.

Impact

  • Phishing
  • Malware infection
  • Emotet
  • Trickbot

Indicators of Compromise

IP(s) / Hostname(s)

  • 109.74.194[.]49

URLs

  • niagaratours[.]ca
  • handelaar[.]org
  • hxxp://niagaratours[.]ca/niagara/
  • hxxp://handelaar[.]org/validation[.]php?image_id=

Email Subjects

  • A file has been shared with you
  • Revised document
  • Fed Reporter
  • Online Payment Summary March 2019
  • Your Account Has Been Flagged !
  • [ New Update ] [ Receipt Invoice ] [ #ID8461164 ] Thanks for your order in App store at March 14, 2019
  • Deposit 91369724 paid 02/26/2019

Remediation

  • Block the threat indicators at their respective controls.
  • Scan for the email subjects and, if found, block the related email addresses, URLs, etc.
  • Do not download email attachments coming from unknown sources.
  • Always scan files downloaded from the internet prior to execution.
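One way to carry out the subject and URL scan from the remediation list, as an added Python example that is not part of the Rewterz advisory: it refangs the indicators published above, normalises incoming subjects so prefixes such as “RE:” or the per-recipient name in the Emotet subject do not defeat the match, and reports which indicator a message hit. The message passed in at the bottom is a constructed sample.

```python
import re
from urllib.parse import urlsplit

# Indicators copied from the advisory above, in their published (defanged) form.
SUBJECT_IOCS = [
    "A file has been shared with you",
    "Revised document",
    "Fed Reporter",
    "Online Payment Summary March 2019",
    "Your Account Has Been Flagged !",
    "[ New Update ] [ Receipt Invoice ] [ #ID8461164 ] Thanks for your order in App store at March 14, 2019",
    "Deposit 91369724 paid 02/26/2019",
]
NETWORK_IOCS = [
    "109.74.194[.]49",
    "niagaratours[.]ca",
    "handelaar[.]org",
    "hxxp://niagaratours[.]ca/niagara/",
    "hxxp://handelaar[.]org/validation[.]php?image_id=",
]
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def refang(ioc):
    """Convert the defanged advisory form back to what appears on the wire."""
    return re.sub(r"^hxxp", "http", ioc.replace("[.]", "."), flags=re.IGNORECASE)

def norm(text):
    """Case-fold and collapse whitespace so 'RE:  revised document' still matches."""
    return re.sub(r"\s+", " ", text).strip().casefold()

def matching_subjects(subject):
    """Advisory subjects contained in a message subject (substring match, so the templated Emotet subject hits)."""
    s = norm(subject)
    return [ioc for ioc in SUBJECT_IOCS if norm(ioc) in s]

def matching_urls(text):
    """(url, indicator) pairs for URLs whose host or prefix is a published network indicator."""
    hosts = {refang(i) for i in NETWORK_IOCS if "://" not in i}
    prefixes = [refang(i) for i in NETWORK_IOCS if "://" in i]
    hits = []
    for url in URL_RE.findall(text):
        host = (urlsplit(url).hostname or "").casefold()
        prefix = next((p for p in prefixes if url.casefold().startswith(p)), None)
        if prefix or host in hosts:
            hits.append((url, prefix or host))
    return hits

if __name__ == "__main__":  # constructed sample message, not taken from the advisory
    print(matching_subjects("RE: Revised Document"), matching_urls("see http://handelaar.org/validation.php?image_id=42"))
```

Hits on either list are grounds to hold the message and block the sender and URL at the mail gateway and proxy, per the remediation steps above.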
COPYRIGHT © REWTERZ. ALL RIGHTS RESERVED.