Rewterz Threat Alert – TA505/EvilCorp Recent Activity – IoCs

Severity

High

Analysis Summary

A campaign is found using malicious files posed as resumes, sent as a job application. The researchers dubbed the campaign “The Curious Case of the Criminal Curriculum Vitae”. The campaign is attributed to a known cybercriminal organization TA505, also known as “Evil Corp.” One of the most infamous campaigns associated with this organization was the necurs botnet, which was recently overtaken by Microsoft.
In this newly discovered campaign from TA505, threat actors targeted German companies with trojanized emails disguised as job applicants. While this activity appeared to be geographically based in Germany, these same techniques could easily be applied to any organization worldwide. Once the email attachment was activated, a company’s secure credentials and credit card data could be transmitted covertly to the threat actors. The group TA505 is known to use commercial tools to encrypt all the users files, which suggests this recent activity could also lay the groundwork for an infection vector into the company’s network to encrypt files. They are also capable of fetching an instance of Netsupport, a commercial remote administration tool, hosted on a user’s Google Drive account. This enables a host of actions, including remote file transfer, screen captures, and even voice recordings. Since these threat actors are abusing legitimate binaries such as GPG tools and NetSupport, they are unlikely to be removed by traditional antivirus software. Below information of a target is sent to the C2.

• Determine all the programs names installed on the machine
• Version of the programs,
• Date the programs were installed,
• Determine the computer’s name,
• Determine the computer’s domain.

The threat actor controlled C2 is located at URI hxxp://194.36.189[.]215/firstga990.php. 

Impact

• Unauthorized Remote Access
• Information Theft
• Theft of financial information
• Files encryption
• Remote Files transfer
• Financial loss

Indicators of Compromise

Domain Name

• juristlex[.]com

MD5

• 30b4e109caaebab50007872085e8d208
• 5400daa180669b831383b6cb69bd6e78
• 9572b4c74e3de8e3024c02ca5d62b015
• 391f805e2db1adc93c42dd958c06aeaa
• 17a5810120956fb2f2b097cf64d57972

SHA-256

• 7ecfd68341fe276c17246dc51c5d70ee2c1bbc6801c85201c8a62956c23d872d
• c7d2abc2ff54556bec383afb05c5ae804d07a1fa171ea185c447d9f1e6a79746
• e102806a9a136143e6ddead6bed5214ab4b71026c9a4eb26cc4b973f471b6c12
• df548114eb5b7a56c489f5239f66e0990e1ecacd20bcfff1b2bd677267362ad8
• 0cbaf48d543d06c838ad30e28b7cf92732a93e0507d3f3af4a7ab934890fe2fe

Source IP

• 194[.]36[.]189[.]215
• 23[.]227[.]207[.]138
• 185[.]244[.]150[.]143

URL

• http[:]//185[.]244[.]150[.]143/rrr[.]zzz
• http[:]//juristlex[.]com/photo/photo88326635[.]scr
• http[:]//194[.]36[.]189[.]215/fnb[.]111
• http[:]//23[.]227[.]207[.]138[:]12233/fakeurl[.]htm

Remediation

• Block the threat indicators at their respective controls.
• Use known secure email security solutions.
• Do not download and execute files coming from untrusted sources.
• Ensure segmentation of the corporate network.
• Implement multi-factor authentication policy.