Rewterz Threat Alert – Phishing Emails Are Using SharePoint to Attack Banks
September 6, 2019Rewterz Threat Alert – Winnti Malware 4.0 Exploits Vulnerabilities in Linux and Windows
September 6, 2019Severity
Medium
Analysis Summary
A spam campaign that uses compromised devices to attack vulnerable web servers. After brute-forcing devices with weak access credentials, the attackers use them as proxies to forward a base64-encoded PHP script to web servers. The script sends an email with an embedded link to a scam site to specific email addresses.
Impact
Credential theft
Indicators of Compromise
URLs
- http[:]//tiny[.]cc/oyxbbz
- http[:]//tiny[.]cc/ekubbz
- http[:]//pkusk[.]com/idkadmin/ckeditor/plugins/link/images/hidpi/libraries/merkzettel/shipping_help/wfidecademail[.]php/zftv/ayeq/?wait=ktw1m012zhw0
- https[:]//cryptonation[.]thesecuretrack[.]pro/en/crypto-nation
- http[:]//guidetti[.]se/wp-snapshots/tmp/handleoptin/countries/encuesta/sharethis/register/commentsmiss/busqueda[.]php/vtsk/sdzh/?higher=1es0xze1hzcxx20
- https[:]//clck[.]ru/HfCrK
- http[:]//bvsa[.]in/publicdeliver/rmareturns[.]php/kbrt/anpx/?spent=1df0b12ububx0f
- https[:]//clck[.]ru/HfCYQ
- https[:]//clck[.]ru/HfBwo
- http[:]//sweetheart-exhibition[.]com/upfiles/gzip_loader[.]php/tka/yxrbh/?8k8s8pu0z2
Malware Hash (MD5/SHA1/SH256)
- 5b6875ebd80c4e922b340aaf22831b58a16dc696
Remediation
- Block all threat indicators at your respective controls.
- Always be suspicious about emails sent by unknown senders.
- Never click on the link/attachments sent by unknown senders.