Rewterz Threat Alert – Dragonfly Targets ICS Systems Using Man on the Side Attacks
July 25, 2019Rewterz Threat Alert – Phobos Ransomware Threat Indicators
July 26, 2019Severity
Medium
Analysis Summary
Threat actor TA505 is impersonating Airlines disguising as domestic e-ticket (e-ticket) certificates from the morning of July 25, ahead of the summer vacation season.
The attacker is the ‘** Airline e-Ticket Certificate.’ , And using the sophisticated Korean language in the body of the e-mail content, the e-mail recipient is encouraged to open the attached file.
Attached file is’ e-ticket (random number) .iso ‘file name is attached to the compressed file, the icon and extension when decompressed as a PDF document disguised as a screen saver file’ e-ticket certificate _66016630.pdf. scr ‘or’ L207123.lnk ‘will be downloaded.
The ‘e-ticket voucher _66016630.pdf.scr’ file is malicious code based on .Net. The C2 server acts as an additional payload download.
Impact
- System Access
- Exposure of sensitive information
Indicators of Compromise
Malware Hash (MD5/SHA1/SH256)
- 0571bb4ecf3dbf5d5185eabd7d03d455
- 1d87a127b31c8a67f6902bdc6366374b
- 22e41b97813c028fd7c4ae6d32572534
- 279215fc358060825372c2de68dd5c4f
- 3f45a8fbec15305de1d4a296006c5b01
- 44215ae4681773954b404ddfae416248
- 4d0511050aa5e48d3cac0e697e168fb3
- 57484338303a48dffadf466f74db4bab
- 5f6c61cccf8cb547a3979e1d49a7ef81
- 62b1ad72a7cb1699cebe7b71518f65be
- 7928e36c8a45f98d5adf2016740b77eb
- 91bce06fe0ee40afb9ba7ea12ae00a77
- ad78c04d0e7990d32d09becb82426d37
- c3e961ad583d9c4bd3892456eb6516d5
- c43496f70be5263a4bab6c853e610951
- c9ce180f2fa6097798224c7cc3abdfaf
- cf07da2872c29a4682380a66080fcd61
- d6438345c12dd000ff2d55a7a3b8ccb6
- deb3a3d09a656ac14eb83574d2fcd2b3
- f834018fee0597d8be54b7174bc5048d
Remediation
- Block all threat indicators at your respective controls.
- Always be suspicious about emails sent by unknown senders.
- Never click on the link/attachments sent by unknown senders.