Severity
High
Analysis Summary
Mimicking ABSA’s online banking portal, the adversaries attempt to steal users’ online banking credentials to gain access to their bank accounts. The phishing email presents the end user with a couple of lines of text informing him/her of pending transfers from another bank that need authorization. The user must download and open the htm attachment “IBPAYDOC.htm” in order to connect to the online portal. The email shows no sign of any attempt to imitate a legitimate ABSA communication, relying entirely on the user’s misplaced curiosity. Upon opening the htm file, the user is directed to a fake ABSA online banking portal at hxxps://www[.]ahmadnawaz[.]org/ched/tnop[.]php, which is almost identical to the legitimate ABSA portal. The user is prompted to provide an “access account” number, PIN and user number, which are then posted to the C2 server. The adversaries have hijacked the ahmadnawaz[.]org domain, which belongs to Pakistani education activist Ahmed Nawaz, to host the fraudulent ABSA portal, and have created the “/ched” directory on it to store their php files and subdirectories.
The user is then directed to hxxps://www[.]ahmadnawaz[.]org/ched/profile[.]php, where a 60-second timer is displayed. Once it reaches zero, the user is instructed to provide a phone number and a code from the ABSA app. Verification messages are normally sent to the ABSA banking app. In this case, however, no such code is sent because the user is not accessing ABSA’s legitimate portal. The threat actors likely rely on curious or frustrated users who decide, nonetheless, to proceed with the login process despite not receiving a verification request, allowing them to steal additional personal information from the end user. The phone number and app code are then posted to hxxps://www[.]ahmadnawaz[.]org/ched/mail3[.]php.
Impact
- Credential Theft
- Theft of financial information
- Fraudulent transactions
Indicators of Compromise
Hostname
www[.]ahmadnawaz[.]org
URL
- https[:]//www[.]ahmadnawaz[.]org/ched/pass[.]php
- https[:]//www[.]ahmadnawaz[.]org/ched/mail1[.]php
- https[:]//www[.]ahmadnawaz[.]org/ched/profile[.]php
- https[:]//www[.]ahmadnawaz[.]org/ched/mail3[.]php
- https[:]//www[.]ahmadnawaz[.]org/ched/tnop[.]php
- https[:]//www[.]ahmadnawaz[.]org/ched/mail2[.]php
- https[:]//www[.]ahmadnawaz[.]org/ched/finish[.]php
Remediation
- Block the threat indicators at their respective controls.
- Verify the legitimacy of online transactions before proceeding.
- Ensure employee/customer awareness regarding phishing and financial frauds.
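The first remediation item, blocking the listed indicators, is easier to act on if the defanged IoCs are refanged and matched programmatically. The script below is an added example, not part of the Rewterz alert: it refangs the hostname and URLs listed above, checks each URL in a constructed proxy log against them, and scans a constructed htm attachment for links to the phishing infrastructure. It generalizes slightly beyond the alert: the hostname IoC is also matched against the apex domain ahmadnawaz[.]org (an assumption, since the alert lists only the www hostname), and the attachment is assumed to redirect via a meta refresh (the alert does not state the redirect mechanism). The log format, client addresses and attachment contents are constructed for the example.

```python
import re
from typing import List, Optional, Dict
from urllib.parse import urlparse

# Indicators exactly as listed in the alert, in defanged form.
DEFANGED_HOSTS = ["www[.]ahmadnawaz[.]org"]
DEFANGED_URLS = [
    "https[:]//www[.]ahmadnawaz[.]org/ched/pass[.]php",
    "https[:]//www[.]ahmadnawaz[.]org/ched/mail1[.]php",
    "https[:]//www[.]ahmadnawaz[.]org/ched/profile[.]php",
    "https[:]//www[.]ahmadnawaz[.]org/ched/mail3[.]php",
    "https[:]//www[.]ahmadnawaz[.]org/ched/tnop[.]php",
    "https[:]//www[.]ahmadnawaz[.]org/ched/mail2[.]php",
    "https[:]//www[.]ahmadnawaz[.]org/ched/finish[.]php",
]


def refang(indicator: str) -> str:
    """Undo the [.] / [:] / hxxp defanging used in the alert text."""
    s = indicator.replace("[.]", ".").replace("[:]", ":")
    return re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)


IOC_HOSTS = {refang(h).lower() for h in DEFANGED_HOSTS}
# (hostname, path) pairs for exact URL matches.
IOC_PATHS = {(urlparse(refang(u)).hostname.lower(), urlparse(refang(u)).path)
             for u in DEFANGED_URLS}
# Assumption: the registrable domain behind the listed www hostname is suspect too.
IOC_APEX = {h[4:] if h.startswith("www.") else h for h in IOC_HOSTS}


def classify_url(url: str) -> Optional[str]:
    """Return 'url' on exact host+path match, 'host' on hostname match,
    'domain' on apex/subdomain match, or None if the URL is not an IoC."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    if not host:
        return None
    if (host, p.path) in IOC_PATHS:
        return "url"
    if host in IOC_HOSTS:
        return "host"
    # Suffix match on a dot boundary, so look-alikes such as
    # ahmadnawaz.org.example.net do not match.
    if any(host == apex or host.endswith("." + apex) for apex in IOC_APEX):
        return "domain"
    return None


def scan_proxy_log(log_text: str) -> List[Dict[str, str]]:
    """Flag proxy log lines whose URL matches an IoC.
    Constructed line format: <timestamp> <client_ip> <method> <url> <status>."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue
        ts, client, method, url, status = parts[:5]
        kind = classify_url(url)
        if kind:
            hits.append({"time": ts, "client": client, "method": method,
                         "url": url, "status": status, "match": kind})
    return hits


URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def scan_html_attachment(html: str) -> List[tuple]:
    """Extract every http(s) URL from an htm attachment and report IoC matches."""
    return [(u, classify_url(u)) for u in URL_RE.findall(html) if classify_url(u)]


# Constructed sample proxy log: two hits on listed URLs, one apex-domain hit,
# one benign line and one look-alike host that must not match.
SAMPLE_PROXY_LOG = """\
2020-03-20T09:14:02Z 10.1.2.33 GET https://www.example.com/ 200
2020-03-20T09:15:10Z 10.1.2.33 GET https://www.ahmadnawaz.org/ched/tnop.php 200
2020-03-20T09:16:42Z 10.1.2.33 POST https://www.ahmadnawaz.org/ched/pass.php 302
2020-03-20T09:17:05Z 10.1.2.41 GET https://ahmadnawaz.org/ 200
2020-03-20T09:18:30Z 10.1.2.50 GET https://www.ahmadnawaz.org.example.net/ 200
"""

# Constructed attachment; the meta refresh redirect is an assumed mechanism.
SAMPLE_ATTACHMENT = """<html><head>
<meta http-equiv="refresh" content="0;url=https://www.ahmadnawaz.org/ched/tnop.php">
</head><body><a href="https://bank.example/">Online banking</a></body></html>"""

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print("proxy:", hit)
    for url, kind in scan_html_attachment(SAMPLE_ATTACHMENT):
        print("attachment:", kind, url)
```

The POST to pass[.]php in the sample log is the event worth prioritising in triage: a GET to tnop[.]php shows the page was opened, while a POST to one of the form handlers indicates credentials were likely submitted and the account holder should be contacted for a credential reset.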