Rewterz Threat Alert – Espionage Campaign targeting Malaysia Government Officials

Severity

High

Analysis Summary

Researchers observed an increase in the number of artifacts and victims involved in a campaign against Malaysian Government officials by a specific threat group. The group's motive is believed to be data theft and exfiltration. The group has leveraged previously compromised email addresses, or impersonated email addresses, to send spear-phishing emails. The delivery method was spear-phishing emails with malicious attachments, although delivery via Google Drive has also been observed. The lures include pretending to be a journalist, an individual from a trade publication, or someone from a relevant military organization or non-governmental organization (NGO), and ask users to enable macros in a Microsoft Office document; the macro then extracts a malicious executable that downloads a loader.

Impact

  • Data breach
  • Exposure of sensitive information

Indicators of Compromise

MD5


SHA-256

  • fce38b7bb25817ccaf921d5ac96f4e6c9b865fbe020204af5cf34b604868d1fa
  • 4b0a9cbd861b67ad54cab8b46941212bfd1bf1943c7b9942d545a144ffcd5da6
  • f3186dafca8b032f5b942d81b66d3ab631dc41463d3c8d319f1a0a374f809cdf

URL


Remediation

  • Block all threat indicators at your respective controls.
  • Always be suspicious of emails sent by unknown senders.
  • Never click on links or attachments sent by unknown senders.
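As an added example that is not part of the Rewterz alert, the following Python scanner shows one way to act on the first remediation point: it refangs indicators written in the alert's `[.]`/`[:]` notation, checks proxy log lines against the resulting hosts, and also flags the campaign's delivery pattern of Office template files (`.dotm`) fetched over plain HTTP straight from an IP address. The indicator values, host names and log lines are constructed placeholders; the log format and function names are assumptions.

```python
import re
from typing import Iterable, List, Optional, Set, Tuple
from urllib.parse import urlparse
# Indicators in the alert's defanged notation ("http[:]//1[.]2[.]3[.]4/main[.]dotm").
# Constructed placeholders (203.0.113.0/24 is a documentation range); substitute
# the alert's own URL list before use.
DEFANGED_INDICATORS = [
    "http[:]//203[.]0[.]113[.]10/main[.]dotm",
    "http[:]//updates[.]example[.]net/Word[.]dotm",
]
# Constructed proxy log lines: "<timestamp> <client> <method> <url> <status>".
SAMPLE_LOG = [
    "2020-02-10T09:12:01Z 10.0.0.25 GET http://203.0.113.10/main.dotm 200",
    "2020-02-10T09:12:05Z 10.0.0.25 GET http://198.51.100.7/WinWord.dotm 200",
    "2020-02-10T09:13:00Z 10.0.0.31 GET https://www.example.com/index.html 200",
    "2020-02-10T09:14:00Z 10.0.0.31 GET http://198.51.100.7/logo.png 200",
]
BARE_IP = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
TEMPLATE_EXT = (".dotm", ".dotx", ".docm")

def refang(indicator: str) -> str:
    """Undo [.] / [:] / hxxp defanging so the indicator parses as a real URL."""
    return indicator.replace("[.]", ".").replace("[:]", ":").replace("hxxp", "http")

def classify(url: str, known_hosts: Set[str]) -> Optional[str]:
    """Verdict for one requested URL, or None when nothing stands out."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    if host in known_hosts:
        return "known-indicator"
    # Campaign pattern: an Office template fetched over plain HTTP straight from
    # an IP address rather than a named host, as the macro stage does.
    if (parsed.scheme == "http" and BARE_IP.match(host)
            and parsed.path.lower().endswith(TEMPLATE_EXT)):
        return "template-from-bare-ip"
    return None

def scan_proxy_log(lines: Iterable[str],
                   indicators: List[str] = DEFANGED_INDICATORS) -> List[Tuple[str, str, str]]:
    """Return (client, url, verdict) for every log line that matches."""
    known_hosts = {urlparse(refang(i)).hostname or "" for i in indicators}
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed line: skip rather than crash the scan
        verdict = classify(fields[3], known_hosts)
        if verdict:
            hits.append((fields[1], fields[3], verdict))
    return hits
```

Running `scan_proxy_log(SAMPLE_LOG)` returns one hit for the known indicator host and one for the unlisted bare-IP template download, which is the kind of request worth investigating even when it is not yet on a block list.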