
Rewterz Threat Alert – XLS HTML Phishing Campaign – Active IOCs

Severity

High

Analysis Summary

Cybercriminals change tactics as fast as security and protection technologies do. During a year-long investigation of a targeted, invoice-themed XLS.HTML phishing campaign (HTML attachments posing as Excel invoices), the attackers changed their obfuscation and encryption mechanisms every 37 days on average, demonstrating the motivation and skill needed to constantly evade detection and keep the credential-theft operation running.

Impact

  • Credential Theft

Indicators of Compromise

URL

  • hxxps[:]//es-dd[[.]]net/file/excel/document
  • hxxps[:]//moneyissues[[.]]ng/wp-content/uploads/2017/10/DHL-LOGO
  • hxxps[:]//contactsolution[[.]]com[[.]]ar/wp-admin/ddhlreport
  • hxxps[:]//www[[.]]laserskincare[[.]]ae/wp-admin/css/colors/midnight/reportexcel
  • hxxp[:]//yourjavascript[[.]]com/40128256202/233232xc3
  • hxxp[:]//yourjavascript[[.]]com/84304512244/3232evbe2
  • hxxp[:]//yourjavascript[[.]]com/42580115402/768787873
  • hxxp[:]//yourjavascript[[.]]com/82182804212/5657667-3
  • hxxps[:]//gladiator164[[.]]ru/wp-snapshots/root/0098
  • hxxp[:]//yourjavascript[[.]]com/1111559227/7675644
  • hxxp[:]//yourjavascript[[.]]com/2512753511/898787786
  • hxxp[:]//yourjavascript[[.]]com/1522900921/5400
  • hxxp[:]//tokai-lm[[.]]jp/root/4556562332/t7678
  • hxxp[:]//yourjavascript[[.]]com/0221119092/65656778
  • hxxp[:]//yourjavascript[[.]]com/212116204063/000010887-676
  • hxxp[:]//tannamilk[[.]]or[[.]]jp//_products/556788-898989/0888
  • hxxp[:]//coollab[[.]]jp/dir/root/p/434
  • hxxp[:]//coollab[[.]]jp/dir/root/p/09908
  • hxxp[:]//www[[.]]tanikawashuntaro[[.]]com//cgi-bin/root
  • hxxp[:]//yourjavascript[[.]]com/4154317425/6899988
  • hxxp[:]//www[[.]]atomkraftwerk[[.]]biz/590/dir/354545-89899
  • hxxp[:]//yourjavascript[[.]]com/2131036483/989
  • hxxp[:]//www[[.]]atomkraftwerk[[.]]biz/590/dir/86767676-899
  • hxxp[:]//coollab[[.]]jp/local/70/98988
  • hxxps[:]//tannamilk[[.]]or[[.]]jp/cgialfa/545456
  • hxxps[:]//mcusercontent[[.]]com/dc967eaa4412707bedd3fe8ab/images/d2d8355d-7adc-4f07-8b80-e624edbce6ea[[.]]png
  • hxxps[:]//tannamilk[[.]]or[[.]]jp//js/local/33309900
  • hxxp[:]//tokai-lm[[.]]jp//home-30/67700
  • hxxp[:]//coollab[[.]]jp/009098-50009/0990/099087776556
  • hxxp[:]//yourjavascript[[.]]com/4951929252/45090
  • hxxp[:]//tokai-lm[[.]]jp/style/b9899-8857/8890/5456655
  • hxxps[:]//maldacollege[[.]]ac[[.]]in/phy/A/actions
  • hxxps[:]//jahibtech[[.]]com[[.]]ng/wp-admta/taliban/office

Remediation

  • Block all threat indicators at their respective controls (mail gateway, web proxy, DNS).
  • Search for the IOCs in your environment (proxy, DNS and mail logs).
  • Do not open attachments or download files from unofficial and untrusted sources; treat unsolicited invoice-themed emails with HTML attachments posing as spreadsheets as suspicious.
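The alert lists its URLs in defanged form (hxxp, [:], [[.]]), which no control will accept as-is. The script below is an added example, not part of the Rewterz alert or its tooling: it refangs a subset of the alert's IOCs, derives URL and domain blocklists from them, sweeps log lines for hits, and flags attachment names with the double extension the campaign name implies. The IOC strings are copied from the alert; the proxy log lines, the attachment names, the SHARED_HOSTS set and the .xls.html naming rule are assumptions made for the example.

```python
"""Added example, not part of the Rewterz alert: refang the alert's defanged
URL IOCs, derive URL/domain blocklists from them, and sweep log lines for hits.
The IOC values below are copied from the alert; the log lines, attachment
names and the SHARED_HOSTS set are constructed assumptions for the demo."""
import re
from urllib.parse import urlsplit

# A subset of the alert's IOCs, in the same defanged form the alert uses.
DEFANGED_IOCS = [
    "hxxps[:]//es-dd[[.]]net/file/excel/document",
    "hxxp[:]//yourjavascript[[.]]com/40128256202/233232xc3",
    "hxxps[:]//gladiator164[[.]]ru/wp-snapshots/root/0098",
    "hxxps[:]//mcusercontent[[.]]com/dc967eaa4412707bedd3fe8ab/images/"
    "d2d8355d-7adc-4f07-8b80-e624edbce6ea[.]png",
]

# Assumption: hosts that also serve legitimate content (shared CDN / hosting),
# where a domain-wide block would cause collateral damage. For these only the
# exact URL from the alert counts as a hit.
SHARED_HOSTS = frozenset({"mcusercontent.com"})

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
# Assumption, inferred from the campaign name: lure attachments carry a
# double extension so an HTML file looks like an Excel document.
DOUBLE_EXT_RE = re.compile(r"\.xls\.html?$", re.IGNORECASE)


def refang(ioc: str) -> str:
    """Undo the hxxp / [:] / [[.]] / [.] defanging used in the alert."""
    s = ioc.strip()
    s = re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)
    s = s.replace("[:]", ":").replace("[[.]]", ".").replace("[.]", ".")
    return s


def ioc_urls(iocs):
    """Lower-cased refanged URLs, ready for a proxy or mail-gateway blocklist."""
    return {refang(i).lower() for i in iocs}


def ioc_domains(iocs):
    """Hostnames from the refanged URLs, for DNS / proxy domain blocking."""
    return {urlsplit(u).hostname for u in ioc_urls(iocs)}


def sweep_logs(lines, iocs, shared_hosts=SHARED_HOSTS):
    """Return (line_index, kind, value) for every IOC hit in the log lines.

    kind is "url" for an exact URL match (prefix match on the refanged IOC)
    and "domain" for a host match on a domain that is not a shared host."""
    urls = ioc_urls(iocs)
    domains = ioc_domains(iocs)
    hits = []
    for idx, line in enumerate(lines):
        for raw in URL_RE.findall(line):
            url = raw.rstrip(".,;)").lower()   # drop trailing punctuation from the log
            host = urlsplit(url).hostname
            if any(url.startswith(u) for u in urls):
                hits.append((idx, "url", url))
            elif host in domains and host not in shared_hosts:
                hits.append((idx, "domain", host))
    return hits


def suspicious_attachment(name: str) -> bool:
    """True for attachment names matching the XLS.HTML double-extension lure."""
    return bool(DOUBLE_EXT_RE.search(name))


# Constructed sample proxy log lines (not real traffic).
SAMPLE_PROXY_LOG = [
    "2021-08-16T09:12:03Z 10.1.4.23 GET https://es-dd.net/file/excel/document 200",
    "2021-08-16T09:13:41Z 10.1.4.23 GET https://mcusercontent.com/"
    "dc967eaa4412707bedd3fe8ab/images/d2d8355d-7adc-4f07-8b80-e624edbce6ea.png 200",
    "2021-08-16T09:15:00Z 10.1.7.9 GET https://mcusercontent.com/abc/newsletter.png 200",
    "2021-08-16T09:16:22Z 10.1.7.9 GET https://www.example.com/ 200",
    "2021-08-16T09:18:05Z 10.1.4.23 GET http://yourjavascript.com/40128256202/other 200",
]

if __name__ == "__main__":
    for hit in sweep_logs(SAMPLE_PROXY_LOG, DEFANGED_IOCS):
        print(hit)
    for name in ("Invoice_8823.xls.html", "report.xlsx"):
        print(name, suspicious_attachment(name))
```

Running the block reports exact-URL hits on the es-dd.net and mcusercontent.com lines, a domain-level hit for the unlisted yourjavascript.com path, and no hit for the unrelated mcusercontent.com image, because that host is treated as shared infrastructure. Which hosts belong in SHARED_HOSTS is a judgement call for your environment; the alert itself simply lists the URLs.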