
Rewterz Threat Alert – ZLoader Actively Targeting Financial Organizations – IoCs

April 20, 2020

Severity

High

Analysis Summary

ZLoader, also known as Terdot and DELoader, is a banking trojan that loads the Zeus malware onto victim machines after the initial infection. Like other banking trojans, its core capability is to harvest online account credentials for online banking sites (and some other services). When infected users land on a targeted online banking portal, the malware dynamically fetches web injections from its command-and-control (C2) server to modify the page the user sees, so that the information the user enters into the log-in fields is sent to the cybercriminals.

Attackers have been observed targeting victims with invoice-themed spear-phishing documents in order to infect them with ZLoader. The usual targets are financial institutions and banks. Indicators of compromise are given in the alert.

Impact

  • Code Execution
  • Financial Theft
  • Information theft

Indicators of Compromise

Email Subject

  • Account invoice-#553438 tip
  • Apr[.] Incoming Invoice Number #71097
  • Karma hive
  • Case 137201[:] improper information in the sent document
  • Case 151047[:] improper information in the accepted statement
  • Lawsuit formed – missed payment #129746
  • Lawsuit formed – missed payment #529257
  • The copy of given invoice #539735
  • This is your Customer Invoice
  • Your New service Invoice – Number #92820
  • Your Service Invoice Number #94618
  • Monthly bill-#697717 tip
  • Monthly bill-#957318 notification
  • Recent invoice-#299841 reminder
  • Recent invoice-#414650 notification
  • Recent invoice-#781702 notice
  • Recent invoice-#820597 tip

From Email

  • abid[.]ricog1983@o2[.]pl
  • alaf[.]mibut1986@o2[.]pl
  • anis[.]imsmar1971@o2[.]pl
  • atnis[.]adno1978@o2[.]pl
  • bahla[.]gilgie1970@o2[.]pl
  • beoloo[.]odos1988@o2[.]pl
  • blasog[.]suni1977@o2[.]pl
  • bucon[.]menha1988@o2[.]pl
  • concu[.]noncu1973@o2[.]pl
  • createv[.]asar1973@o2[.]pl
  • diabrus[.]mata1983@o2[.]pl
  • fasma[.]bnadland1985@o2[.]pl
  • fichan[.]trantant1971@o2[.]pl
  • flumta[.]joysweat1988@o2[.]pl
  • gagnus[.]telilmaldurv@aol[.]com
  • gbeatto[.]oriz1977@o2[.]pl

URL

  • http[:]//reneixer[.]org/wp/wp-content/themes/calliope/wp_data[.]php
  • http[:]//saidulhussen[.]com/wp-content/themes/calliope/wp-front[.]php
  • http[:]//sarkarjewells[.]com/wp-content/themes/calliope/wp-front[.]php
  • http[:]//semplyusya[.]ru/wp-content/themes/calliope/wp_data[.]php

Remediation

  • Block all threat indicators at your respective controls.
  • Check for IoCs in your existing environment.
  • Always be suspicious about emails sent by unknown senders.
  • Never click on the links/attachments sent by unknown senders.
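The "check for IoCs in your existing environment" step above is, in practice, a matching job: refang the defanged indicators and sweep mail-gateway and proxy logs for them. The following Python is an added illustration, not Rewterz's tooling. It takes a subset of the sender addresses, URLs and subjects listed in this alert, refangs them, and scans constructed sample log lines (the log format and every address other than the IoCs themselves are assumptions). Because the advisory lists many subject variants that differ only by invoice number, subjects are compared with digit runs collapsed, which catches the numbered variants without listing each one.

```python
import re

# Indicators copied from the advisory above, in their defanged form.
DEFANGED_SENDERS = [
    "abid[.]ricog1983@o2[.]pl",
    "gagnus[.]telilmaldurv@aol[.]com",
]
DEFANGED_URLS = [
    "http[:]//reneixer[.]org/wp/wp-content/themes/calliope/wp_data[.]php",
    "http[:]//semplyusya[.]ru/wp-content/themes/calliope/wp_data[.]php",
]
SUBJECTS = [
    "Account invoice-#553438 tip",
    "Lawsuit formed – missed payment #129746",
    "Recent invoice-#781702 notice",
]


def refang(ioc: str) -> str:
    """Undo common defanging ([.] [:] hxxp) so an IoC can be compared with real log data."""
    return ioc.replace("[.]", ".").replace("[:]", ":").replace("hxxp", "http")


def normalize_subject(subject: str) -> str:
    """Lower-case and collapse digit runs, so numbered invoice variants compare equal."""
    return re.sub(r"\d+", "N", subject.strip().lower())


# Constructed sample log lines (assumed gateway/proxy format; not from the advisory).
SAMPLE_LOG = """\
2020-04-20T09:12:01Z from=abid.ricog1983@o2.pl to=ap@example.test subject="Account invoice-#553438 tip" attach=invoice.doc
2020-04-20T09:15:44Z from=vendor@supplier.example to=ap@example.test subject="PO 4471 confirmation" attach=none
2020-04-20T09:20:10Z from=gagnus.telilmaldurv@aol.com to=cfo@example.test subject="Recent invoice-#299841 notice" attach=invoice.doc
2020-04-20T09:22:30Z proxy client=10.0.0.17 url=http://semplyusya.ru/wp-content/themes/calliope/wp_data.php status=200
2020-04-20T09:25:03Z from=hr@example.test to=all@example.test subject="Holiday schedule" attach=none
"""


def scan_log(log_text: str):
    """Return (line_number, indicator_type, matched_value) for every IoC hit in the log text."""
    senders = {refang(s).lower() for s in DEFANGED_SENDERS}
    urls = {refang(u).lower() for u in DEFANGED_URLS}
    subjects = {normalize_subject(s) for s in SUBJECTS}
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        m = re.search(r"from=(\S+)", line)
        if m and m.group(1).lower() in senders:
            hits.append((lineno, "sender", m.group(1)))
        m = re.search(r'subject="([^"]*)"', line)
        if m and normalize_subject(m.group(1)) in subjects:
            hits.append((lineno, "subject", m.group(1)))
        m = re.search(r"url=(\S+)", line)
        if m and m.group(1).lower() in urls:
            hits.append((lineno, "url", m.group(1)))
    return hits


if __name__ == "__main__":
    for lineno, kind, value in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {kind} matched {value}")
```

A sender or URL hit is strong evidence and should trigger the block-and-investigate steps above; a subject-only hit is weaker and is best used to pull the message for attachment analysis rather than as a verdict on its own.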
COPYRIGHT © REWTERZ. ALL RIGHTS RESERVED.