Rewterz Threat Alert – Trickbot delivered via Covid 19 Phishing Emails

April 20, 2020
Rewterz

Severity

Medium

Analysis Summary

TrickBot is, at the moment, the malware showing up in the highest number of unique COVID-19 related malicious emails and attachments delivered to potential victims. Thousands of COVID-19 phishing emails have been sent to users, posing as a message from a non-profit offering a free COVID-19 test.

Figure: Trickbot sample

TrickBot was recently spotted using a malicious Android app to bypass the two-factor authentication (2FA) protection used by various banks after stealing transaction authentication numbers. It was also deployed in a spam campaign that impersonated a doctor at the World Health Organization (WHO), exploiting the public’s fears surrounding the coronavirus pandemic to target users.

Regular Malware Update

TrickBot was initially developed as modular banking malware and continuously upgraded by its authors with new modules and capabilities since October 2016 when it was initially spotted in the wild. Even though at first it was used only for harvesting and exfiltrating sensitive data, TrickBot has now evolved into a popular malware dropper that will further compromise infected systems by delivering other, usually a lot more dangerous, malware payloads.

Figure: Emotet dropping Trickbot

Impact

  • Credential theft
  • Exposure of sensitive data
  • Financial loss

Indicators of Compromise

Email Subject

Free Codiv -19 Testing
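As an added example (not code from the Rewterz advisory), the following Python checks incoming mail against the subject-line indicator above. It parses raw messages with the standard library, decodes RFC 2047 encoded subjects, and normalizes case, whitespace and hyphen spacing so trivial variants of the subject still match; it also records whether the message carries an attachment, since the campaign delivers its payload that way. The sample messages are constructed for illustration and are not real campaign samples.

```python
import re
from email import policy
from email.parser import BytesParser

# Indicator from the advisory, kept verbatim (including its spelling).
IOC_SUBJECTS = ["Free Codiv -19 Testing"]


def normalize_subject(subject: str) -> str:
    """Lower-case, remove spaces around hyphens and collapse whitespace so that
    'Free Codiv-19 testing' and 'Free  Codiv -19 Testing' compare equal."""
    s = subject.lower()
    s = re.sub(r"\s*-\s*", "-", s)
    s = re.sub(r"\s+", " ", s).strip()
    return s


NORMALIZED_IOCS = {normalize_subject(s) for s in IOC_SUBJECTS}


def check_message(raw: bytes) -> dict:
    """Parse one raw RFC 5322 message and report whether its Subject matches an IoC."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    # policy.default decodes RFC 2047 encoded words (=?utf-8?q?...?=) for us.
    subject = str(msg["Subject"] or "")
    sender = str(msg["From"] or "")
    # Any MIME part with a filename counts as an attachment.
    has_attachment = any(part.get_filename() for part in msg.walk())
    return {
        "from": sender,
        "subject": subject,
        "has_attachment": has_attachment,
        "ioc_match": normalize_subject(subject) in NORMALIZED_IOCS,
    }


def scan(messages) -> list:
    """Run check_message over a batch of raw messages."""
    return [check_message(m) for m in messages]


# Constructed samples: a lure with a document attachment, an encoded-subject
# variant with different case and spacing, and a benign message.
SAMPLES = [
    b"""From: "Community Health" <outreach@example.test>
To: user@example.test
Subject: Free Codiv -19 Testing
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please complete the attached form to book your test.
--b1
Content-Type: application/msword; name="form.doc"
Content-Disposition: attachment; filename="form.doc"
Content-Transfer-Encoding: base64

AAAA
--b1--
""",
    b"""From: outreach@example.test
To: user@example.test
Subject: =?utf-8?q?Free_Codiv-19_testing?=
Content-Type: text/plain

Click the link below to book your test.
""",
    b"""From: colleague@example.test
To: user@example.test
Subject: Q2 roadmap review
Content-Type: text/plain

Agenda attached in the calendar invite.
""",
]

if __name__ == "__main__":
    for result in scan(SAMPLES):
        flag = "MATCH" if result["ioc_match"] else "ok"
        print(f"[{flag}] from={result['from']!r} subject={result['subject']!r} "
              f"attachment={result['has_attachment']}")
```

The normalization is deliberately narrow (case, spacing, hyphen spacing) so the rule stays a high-confidence match on this one indicator rather than a broad keyword filter; any hit should be paired with the sender and attachment fields when deciding whether to quarantine.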

Remediation

  • Block all threat indicators at your respective controls.
  • Always be suspicious about emails sent by unknown senders.
  • Never click on the links/attachments sent by unknown senders.
