

Rewterz Threat Alert – TA505 Active Again – IoCs
August 25, 2020
Rewterz Threat Alert – DeathStalker APT Targeting Legal and Financial Organizations
August 26, 2020
Severity
Medium
Analysis Summary
The popular professional networking and job search site LinkedIn is currently being used by threat actors as the lure in a social engineering scheme designed to steal users' credentials and deliver malicious binaries. The actors also host the malicious content on Yola, a legitimate website hosting service, so that the lure appears more trustworthy. The .NET-based binaries hosted on that site belong to the Agent Tesla malware family and to a second family not previously seen in the wild. The main functionality of the newly observed family is information stealing, with the harvested data exfiltrated over SMTP. Agent Tesla appeared frequently in attack campaigns throughout the second quarter of 2020 and is active again.
Impact
- Credential theft
- Information theft
- Data exfiltration
Indicators of Compromise
Domain Name
- jobsfinder3ee[.]online
- mpivn[.]org
MD5
- f89b4dff6e126e9a5f0a64d590f7b42e
- 072462810ba6e5a7161b35b8535b55bd
- 78d029254cb2350260967feb983d487f
- 8cb05c44406adbe13690d816759658da
- 73ee4b60893b0ccc20079882aae66e2f
- f4755749ad038edc337c3b23c7b065f5
SHA-256
- af167a7b57f801b1572494a2b44d8e5320da45093e4dc3bb6658437b9f809feb
- be0990a7683a879d0ffe1aeb3901bf994c2080eb5ef9c5e55336bbe07f871888
- d5bd4cf398105b08104ea77d804a4163c7f97416a5f23960c40cdc3d4b23d018
- f87573a1d89beeff44902d83af24e8653630bddf37d9f8b40ec04d3ee04ac10b
- e9b819af7e2808e18b14c7ea7d0a634ca4a16e26f244d54f40a1f341439e4f76
- 5afe2c2b05c7d5ab5cb3542650738d31860466c650450a0266ce6f9f23195232
SHA-1
- 8507798b3102513c97e63a51615eb49565b2725f
- ad7e6431be53378d5111c782d1c819acc823d01b
- aa1b9665226299fa66ea9b6801f93a9270cacd65
- cee5c6eeef1a1c1a423858612f543a345d22cab5
- 9fe6854715764c713019c3e315c3db5e88f45aeb
- 255588598aaa210f025f41d8b0afbf132c6537e9
URL
- http[:]//mpivn[.]org/LinkedIn-jobs
- https[:]//mpivn[.]org/LinkedIn-jobs/
Remediation
- Block the threat indicators at their respective controls (domains and URLs at the web proxy and DNS resolver, file hashes at the endpoint protection platform), and search historical proxy, DNS and endpoint telemetry for past hits.
- Do not click untrusted links delivered through job lures, including messages that appear to come from LinkedIn.
- Verify that you are on the legitimate LinkedIn domain before entering credentials; the lure pages in this campaign are hosted on third-party domains, not on linkedin.com.
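The following script is an added example of the first remediation step (matching the published indicators against your own telemetry); it is not part of the Rewterz advisory or any vendor product. The domain, URL and hash values are the ones listed above, taken in their defanged form and refanged at load time. The proxy log format, the sample log lines and the sample hash inventory are constructed for the demonstration and are not real telemetry.

```python
"""IoC hunting helper for the LinkedIn-lure / Agent Tesla alert.

Added example, not part of the Rewterz advisory or any vendor tooling. The
indicator values below are the ones listed in the alert; the proxy log format,
the sample log lines and the sample hash inventory are constructed for the
demonstration and are not real telemetry.
"""
from urllib.parse import urlparse

# Indicators exactly as published (defanged with [.] and [:]).
DOMAINS = ["jobsfinder3ee[.]online", "mpivn[.]org"]
URLS = [
    "http[:]//mpivn[.]org/LinkedIn-jobs",
    "https[:]//mpivn[.]org/LinkedIn-jobs/",
]
HASHES = [
    # MD5
    "f89b4dff6e126e9a5f0a64d590f7b42e", "072462810ba6e5a7161b35b8535b55bd",
    "78d029254cb2350260967feb983d487f", "8cb05c44406adbe13690d816759658da",
    "73ee4b60893b0ccc20079882aae66e2f", "f4755749ad038edc337c3b23c7b065f5",
    # SHA-256
    "af167a7b57f801b1572494a2b44d8e5320da45093e4dc3bb6658437b9f809feb",
    "be0990a7683a879d0ffe1aeb3901bf994c2080eb5ef9c5e55336bbe07f871888",
    "d5bd4cf398105b08104ea77d804a4163c7f97416a5f23960c40cdc3d4b23d018",
    "f87573a1d89beeff44902d83af24e8653630bddf37d9f8b40ec04d3ee04ac10b",
    "e9b819af7e2808e18b14c7ea7d0a634ca4a16e26f244d54f40a1f341439e4f76",
    "5afe2c2b05c7d5ab5cb3542650738d31860466c650450a0266ce6f9f23195232",
    # SHA-1
    "8507798b3102513c97e63a51615eb49565b2725f", "ad7e6431be53378d5111c782d1c819acc823d01b",
    "aa1b9665226299fa66ea9b6801f93a9270cacd65", "cee5c6eeef1a1c1a423858612f543a345d22cab5",
    "9fe6854715764c713019c3e315c3db5e88f45aeb", "255588598aaa210f025f41d8b0afbf132c6537e9",
]


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into a matchable string."""
    return ioc.replace("[.]", ".").replace("[:]", ":")


def hash_kind(h: str):
    """Classify a hex digest by its length; None for anything unexpected."""
    return {32: "md5", 40: "sha1", 64: "sha256"}.get(len(h))


def host_matches(host: str, domains) -> bool:
    """True if host is one of the listed domains or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def hunt_proxy_logs(lines):
    """Scan proxy log lines for requests to the listed URLs or domains.

    Constructed log format (one request per line):
        <timestamp> <client_ip> <method> <url> <status>
    Returns (line_no, match_type, matched_value) tuples. An exact URL match
    is reported as "url"; any other request to a listed domain or one of its
    subdomains is reported as "domain".
    """
    domains = [refang(d).lower() for d in DOMAINS]
    urls = {refang(u).lower().rstrip("/") for u in URLS}
    hits = []
    for line_no, line in enumerate(lines, 1):
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed line: skip it rather than abort the hunt
        url = parts[3]
        host = urlparse(url).hostname or ""
        if url.lower().rstrip("/") in urls:
            hits.append((line_no, "url", url))
        elif host_matches(host, domains):
            hits.append((line_no, "domain", host))
    return hits


def hunt_hashes(observed):
    """Match observed file digests (any case, any of the three algorithms)
    against the alert's hash list. Returns (digest, algorithm) tuples."""
    index = {h.lower(): hash_kind(h) for h in HASHES}
    return [(h, index[h.lower()]) for h in observed if h.lower() in index]


# Constructed sample data (not real telemetry).
SAMPLE_PROXY_LOG = [
    "2020-08-26T09:12:01Z 10.0.0.15 GET https://www.linkedin.com/jobs/ 200",
    "2020-08-26T09:13:44Z 10.0.0.15 GET https://mpivn.org/LinkedIn-jobs/ 200",
    "2020-08-26T09:14:02Z 10.0.0.23 GET http://cdn.jobsfinder3ee.online/setup.exe 200",
    "2020-08-26T09:15:10Z 10.0.0.23 GET https://example.org/ 200",
]
SAMPLE_HASHES = [
    "F89B4DFF6E126E9A5F0A64D590F7B42E",          # listed MD5, upper-cased by the tool
    "d41d8cd98f00b204e9800998ecf8427e",          # MD5 of an empty file, benign
    "8507798b3102513c97e63a51615eb49565b2725f",  # listed SHA-1
]

if __name__ == "__main__":
    for hit in hunt_proxy_logs(SAMPLE_PROXY_LOG):
        print("proxy hit:", hit)
    for hit in hunt_hashes(SAMPLE_HASHES):
        print("hash hit:", hit)
```

Two design choices are worth noting. Domain matching includes subdomains, so a download from a host such as cdn.jobsfinder3ee.online is still caught even though only the registrable domain is listed; URL matching is exact after trailing-slash normalisation, because both listed URLs point at the same LinkedIn-jobs path over HTTP and HTTPS. Hash matching is case-insensitive and classifies each digest by length, so a mixed inventory of MD5, SHA-1 and SHA-256 values from different tools can be checked in one pass.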