
Rewterz Threat Alert – APT37 Thallium Broadens Target Industries Around the Globe

Severity

High

Analysis Summary

APT37 has likely been active during most of this decade. It primarily focused on targeting the public and private sectors in South Korea. In 2017, APT37 expanded its targeting beyond the Korean peninsula to include Japan, Vietnam and the Middle East, and to a wider range of industry verticals, including chemicals, electronics, manufacturing, aerospace, automotive and healthcare entities.
Microsoft has recently taken control of 50 websites used by suspected North Korean hackers to support attempted intrusions against government employees, universities and nuclear organizations, among other targets.
Thallium sends phishing emails that direct targeted victims to malicious websites, where they are prompted to enter their username and password. A successful attempt gives Thallium access to the victim's account data, including messages, contact lists and appointments. The IoCs indicate that most of these malicious domains masquerade as legitimate domains with minor typos that unsuspecting users often fail to notice.

Microsoft reports that Thallium has been active since 2010, and is known for its use of malicious software known as BabyShark and KimJongRAT.

Impact

  • Information Disclosure
  • Credential Theft

Indicators of Compromise

Remediation

  • Block the threat indicators at their respective controls.
  • Do not click on links in emails from untrusted addresses.
  • Do not enter credentials on websites that you’re redirected to by clicking on links.
  • Train employees to detect phishing (typos in domain names, etc.).
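The typo-squatted domains described in the analysis summary and the employee-training advice above can also be screened automatically. The following Python example is added here and is not part of the Rewterz alert: it folds the homoglyph substitutions such domains rely on (rn for m, vv for w, ln for h, q for g, i/1 for l, 0 for o), then compares each host-name label with an impersonated brand using an edit distance that also counts adjacent transpositions. The brand list, allowlist and sample hosts are constructed for the example.

```python
import re

# Multi-character confusions used by look-alike domains (rn for m, vv for w,
# ln for h); folded before single characters so "rn" becomes "m".
PAIRS = [("rn", "m"), ("vv", "w"), ("ln", "h")]
# Single-character confusions, each folded to one canonical letter.
SINGLES = str.maketrans({"1": "l", "i": "l", "0": "o", "q": "g"})
# Impersonated brand names and the registrable domains that legitimately
# carry them (constructed allowlist for this example, not from the alert).
BRANDS = ["microsoft", "google", "yahoo", "naver", "hanmail", "hotmail",
          "outlook", "office365", "daum", "mail"]
ALLOWED = {"microsoft.com", "google.com", "yahoo.com", "naver.com",
           "hanmail.net", "hotmail.com", "outlook.com", "daum.net"}

def fold(s):
    """Canonicalise homoglyphs so look-alike spellings compare equal."""
    s = s.lower()
    for a, b in PAIRS:
        s = s.replace(a, b)
    return s.translate(SINGLES)

def osa_distance(a, b):
    """Optimal string alignment distance: edits plus adjacent transpositions."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]

def lookalike_brand(host):
    """Return the brand a host imitates, or None if it is allowed or unrelated."""
    host = host.lower().rstrip(".")
    if any(host == d or host.endswith("." + d) for d in ALLOWED):
        return None
    for token in re.split(r"[.-]", host):
        for brand in BRANDS:
            if token == brand:
                continue  # the genuine spelling on its own is not a look-alike
            dist = osa_distance(fold(token), fold(brand))
            # Identical after folding, or one edit away for brands of 5+ chars
            if dist == 0 or (dist == 1 and len(brand) >= 5):
                return brand
    return None
```

Run `lookalike_brand()` over host names pulled from proxy or mail logs; a non-None result is a candidate for blocking or analyst review, and an exact brand label inside a non-allowlisted domain is deliberately left to other checks.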