

Rewterz Threat Alert – Industrial Espionage Using APT Hackers-for-Hire
August 28, 2020
Rewterz Threat Alert – New Anubis Malware Being Distributed in the Wild
August 28, 2020
Severity
High
Analysis Summary
Emotet has long been used as a loader for other malware. The infection vector remains malicious emails carrying macro-embedded document attachments. In this campaign, the Emotet Epoch 3 botnet has been observed downloading Trickbot and Qakbot as second-stage payloads. The initial malicious attachment is a file named ‘invoice.doc’, so this malspam follows the common invoice-themed lure.
Impact
- Security Bypass
- Code Execution
- Financial Theft
- Credential theft
- Exposure of sensitive data
- Account compromise
Indicators of Compromise
Domain Name
- king61tours[.]com
- grzegorzkucharski[.]com
- karaz-sd[.]com
Filename
- invoice[.]doc
Remediation
- Block the threat indicators at their respective controls.
- Do not download invoice-themed attachments from untrusted emails.
- Do not enable macros for untrusted files.
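As an added example (not code from the Rewterz alert), the following Python helper parses an indicator list written in the defanged `[.]`/`[:]` notation and section layout the alert uses, refangs the values, and checks constructed proxy-log lines against them; the indicator values and log lines are constructed samples, not the alert's own.

```python
from collections import defaultdict

# Constructed sample indicators (not the alert's own values), written in the
# defanged "[.]" / "[:]" notation and section layout that the alert uses.
DEFANGED_IOCS = """
Domain Name
- malicious-invoice-lure[.]example
MD5
- 0123456789abcdef0123456789abcdef
Source IP
- 192[.]0[.]2[.]44
URL
- http[:]//malicious-invoice-lure[.]example/pdf/AbCdEf/
Filename
- invoice[.]doc
"""
# Constructed proxy-log lines; the first and third touch the sample indicators.
SAMPLE_PROXY_LOG = [
    "2020-08-28T10:01:02Z 10.0.0.5 GET http://malicious-invoice-lure.example/pdf/AbCdEf/ 200",
    "2020-08-28T10:01:05Z 10.0.0.7 GET http://www.example.org/ 200",
    "2020-08-28T10:02:11Z 10.0.0.9 CONNECT 192.0.2.44:8080 -",
]

def refang(value):
    """Undo the defanging so the value matches what appears in real logs."""
    return value.replace("[.]", ".").replace("[:]", ":")

def parse_iocs(text):
    """Group refanged indicators under the section header that precedes them."""
    iocs = defaultdict(list)
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("- "):
            if section is not None:           # skip bullets before any header
                iocs[section].append(refang(line[2:].strip()))
        else:
            section = line                    # a header such as "MD5" or "Source IP"
    return dict(iocs)

def find_hits(log_lines, iocs):
    """Return (line, indicator_type, indicator) for each log line containing a known IoC."""
    hits = []
    for line in log_lines:
        for kind, values in iocs.items():
            for value in values:
                if value in line:             # plain substring match, see note below
                    hits.append((line, kind, value))
    return hits
```

The substring match is deliberately simple; in production, anchor IPs and domains on token boundaries so that an indicator such as 192.0.2.44 does not also match 192.0.2.440.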