
Rewterz Threat Alert – TA505/EvilCorp Recent Activity – IoCs

March 22, 2020

Severity

High

Analysis Summary

A campaign has been found using malicious files posed as résumés and sent as job applications. The researchers dubbed it “The Curious Case of the Criminal Curriculum Vitae”. The campaign is attributed to the known cybercriminal organization TA505, also known as “Evil Corp”. One of the most infamous operations associated with this group was the Necurs botnet, which was recently taken over by Microsoft.
In this newly discovered campaign, TA505 targeted German companies with emails carrying trojanized attachments disguised as job applications. While this activity appeared to be geographically focused on Germany, the same techniques could easily be applied to any organization worldwide. Once the email attachment was opened, a company’s credentials and credit card data could be transmitted covertly to the threat actors. TA505 is known to use commercial tools to encrypt all of a user’s files, which suggests this activity could also lay the groundwork for an intrusion into the company’s network to encrypt files. The group is also capable of fetching an instance of NetSupport, a commercial remote administration tool, hosted on a user’s Google Drive account. This enables a host of actions, including remote file transfer, screen captures and even voice recordings. Because these threat actors abuse legitimate binaries such as GPG tools and NetSupport, they are unlikely to be removed by traditional antivirus software. The following information about a target is sent to the C2:

  • Names of all programs installed on the machine
  • Versions of those programs
  • Dates the programs were installed
  • The computer’s name
  • The computer’s domain

The threat actor-controlled C2 is located at hxxp://194.36.189[.]215/firstga990.php.

Impact

  • Unauthorized Remote Access
  • Information Theft
  • Theft of financial information
  • File encryption
  • Remote file transfer
  • Financial loss

Indicators of Compromise

Domain Name

  • juristlex[.]com

MD5

  • 30b4e109caaebab50007872085e8d208
  • 5400daa180669b831383b6cb69bd6e78
  • 9572b4c74e3de8e3024c02ca5d62b015
  • 391f805e2db1adc93c42dd958c06aeaa
  • 17a5810120956fb2f2b097cf64d57972

SHA-256

  • 7ecfd68341fe276c17246dc51c5d70ee2c1bbc6801c85201c8a62956c23d872d
  • c7d2abc2ff54556bec383afb05c5ae804d07a1fa171ea185c447d9f1e6a79746
  • e102806a9a136143e6ddead6bed5214ab4b71026c9a4eb26cc4b973f471b6c12
  • df548114eb5b7a56c489f5239f66e0990e1ecacd20bcfff1b2bd677267362ad8
  • 0cbaf48d543d06c838ad30e28b7cf92732a93e0507d3f3af4a7ab934890fe2fe

Source IP

  • 194[.]36[.]189[.]215
  • 23[.]227[.]207[.]138
  • 185[.]244[.]150[.]143

URL

  • http[:]//185[.]244[.]150[.]143/rrr[.]zzz
  • http[:]//juristlex[.]com/photo/photo88326635[.]scr
  • http[:]//194[.]36[.]189[.]215/fnb[.]111
  • http[:]//23[.]227[.]207[.]138[:]12233/fakeurl[.]htm

Remediation

  • Block the threat indicators at their respective controls.
  • Use reputable email security solutions.
  • Do not download and execute files coming from untrusted sources.
  • Ensure segmentation of the corporate network.
  • Implement a multi-factor authentication policy.
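Before the indicators above are pushed to blocking controls, a SOC will usually sweep existing telemetry for them. The following Python is an added example, not part of the Rewterz advisory: it refangs the listed indicators (undoing the `[.]`, `[:]` and `hxxp` notation), matches requested URLs by exact URL, exact hostname and exact IP, and matches MD5/SHA-256 values found in endpoint logs. The proxy and EDR log line formats, host names and timestamps are constructed assumptions for the demonstration.

```python
import re
from typing import Dict, List
from urllib.parse import urlsplit

# Indicators copied verbatim from the advisory, in its defanged notation.
DEFANGED_DOMAINS = ["juristlex[.]com"]
DEFANGED_IPS = ["194[.]36[.]189[.]215", "23[.]227[.]207[.]138", "185[.]244[.]150[.]143"]
DEFANGED_URLS = [
    "http[:]//185[.]244[.]150[.]143/rrr[.]zzz",
    "http[:]//juristlex[.]com/photo/photo88326635[.]scr",
    "http[:]//194[.]36[.]189[.]215/fnb[.]111",
    "http[:]//23[.]227[.]207[.]138[:]12233/fakeurl[.]htm",
    "hxxp://194.36.189[.]215/firstga990.php",  # C2 URI from the analysis summary
]
FILE_HASHES = {  # MD5 and SHA-256 values from the advisory, lower-case
    "30b4e109caaebab50007872085e8d208",
    "5400daa180669b831383b6cb69bd6e78",
    "9572b4c74e3de8e3024c02ca5d62b015",
    "391f805e2db1adc93c42dd958c06aeaa",
    "17a5810120956fb2f2b097cf64d57972",
    "7ecfd68341fe276c17246dc51c5d70ee2c1bbc6801c85201c8a62956c23d872d",
    "c7d2abc2ff54556bec383afb05c5ae804d07a1fa171ea185c447d9f1e6a79746",
    "e102806a9a136143e6ddead6bed5214ab4b71026c9a4eb26cc4b973f471b6c12",
    "df548114eb5b7a56c489f5239f66e0990e1ecacd20bcfff1b2bd677267362ad8",
    "0cbaf48d543d06c838ad30e28b7cf92732a93e0507d3f3af4a7ab934890fe2fe",
}


def refang(indicator: str) -> str:
    """Undo advisory defanging: [.] -> ., [:] -> :, hxxp -> http."""
    s = indicator.replace("[.]", ".").replace("[:]", ":")
    return re.sub(r"^hxxp(s?)://", r"http\1://", s, flags=re.IGNORECASE)


# Refanged lookup sets; URLs and domains are lower-cased so matching is case-insensitive.
DOMAINS = {refang(d).lower() for d in DEFANGED_DOMAINS}
IPS = {refang(i) for i in DEFANGED_IPS}
URLS = {refang(u).lower() for u in DEFANGED_URLS}


def classify_url(url: str) -> List[str]:
    """Return the indicator types a requested URL matches (empty list means no match)."""
    reasons = []
    if url.lower() in URLS:
        reasons.append("url")
    # Exact host comparison: a lookalike such as 194.36.189.215.example.com does not match.
    host = (urlsplit(url).hostname or "").lower()  # scheme, port and path stripped
    if host in DOMAINS:
        reasons.append("domain")
    if host in IPS:
        reasons.append("ip")
    return reasons


# Constructed proxy log format (assumption): "<timestamp> <client-ip> <method> <url> <status>"
PROXY_LINE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")


def scan_proxy_log(lines: List[str]) -> List[Dict[str, object]]:
    """Return one hit per proxy log line whose URL matches an indicator."""
    hits = []
    for line in lines:
        m = PROXY_LINE.match(line)
        if not m:
            continue  # unparsable line; a production pipeline would count these
        reasons = classify_url(m["url"])
        if reasons:
            hits.append({"ts": m["ts"], "src": m["src"], "url": m["url"], "reasons": reasons})
    return hits


HASH_RE = re.compile(r"\b[0-9a-f]{64}\b|\b[0-9a-f]{32}\b", re.IGNORECASE)


def scan_hashes(lines: List[str]) -> List[Dict[str, str]]:
    """Return a hit for every MD5/SHA-256 in the lines that is on the advisory list."""
    hits = []
    for line in lines:
        for h in HASH_RE.findall(line):
            if h.lower() in FILE_HASHES:
                hits.append({"line": line, "hash": h.lower()})
    return hits


# Constructed sample log lines for the demonstration (not real telemetry).
SAMPLE_PROXY_LOG = [
    "2020-03-22T10:15:01Z 10.0.0.12 GET http://juristlex.com/photo/photo88326635.scr 200",
    "2020-03-22T10:15:02Z 10.0.0.12 GET http://194.36.189.215/fnb.111 200",
    "2020-03-22T10:15:09Z 10.0.0.12 POST http://194.36.189.215/firstga990.php 200",
    "2020-03-22T10:16:00Z 10.0.0.12 GET http://23.227.207.138:12233/fakeurl.htm 404",
    "2020-03-22T10:16:30Z 10.0.0.44 GET https://www.example.com/index.html 200",
    "2020-03-22T10:17:00Z 10.0.0.44 GET http://194.36.189.215.example.com/ 200",
]
SAMPLE_EDR_LOG = [
    "2020-03-22T10:15:03Z host=WS-17 event=file_create sha256=7ecfd68341fe276c17246dc51c5d70ee2c1bbc6801c85201c8a62956c23d872d",
    "2020-03-22T10:15:04Z host=WS-17 event=process_start md5=5400DAA180669B831383B6CB69BD6E78",
    "2020-03-22T10:15:05Z host=WS-18 event=file_create sha256=" + "00" * 32,
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print("proxy", hit)
    for hit in scan_hashes(SAMPLE_EDR_LOG):
        print("edr", hit)
```

Matching is deliberately exact rather than substring-based: the last constructed proxy line, whose hostname merely ends in the listed IP, is not flagged, while the C2 URI from the analysis summary is caught both as a URL and through its IP. Hash matching is case-insensitive because EDR products differ in how they render hex.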
COPYRIGHT © REWTERZ. ALL RIGHTS RESERVED.