Severity
High
Analysis Summary
A creative phishing campaign has been found using an email template that pretends to be a reminder to complete security awareness training from a well-known security company. As user awareness improves, threat actors need very creative baits to trick their target users into providing their login credentials. In this campaign, threat actors send emails that pretend to be from KnowBe4, an email security company that offers phishing training and simulation tests. The email reminds users to log in and take their phishing training. These emails use the subject “Training Reminder: Due Date” and tell the recipient to log in to their “Security Awareness Training” before it expires within 24 hours. The email also warns that the link will not be on the standard phishing training platform but on an external site; this is an attempt to pre-empt the suspicion of wary users by making them feel informed. If a user clicks the URL, they are taken to a page under the Russian .ru TLD that asks them to log in with their Outlook credentials to supposedly begin the training. Once they log in, they are asked to enter further information: their username, email, name, birthday, address, and, once again, their password.


Now that the attackers have collected the victim’s email address, password, and personal information, they can use them in further targeted attacks such as BEC scams, or to access the victim’s network.
Impact
- Credential Theft
- Unauthorized Access
Indicators of Compromise
Domain Name
- docentes[.]uto[.]edu[.]bo
- msk[.]turbolider[.]ru
Email Subject
- Training Reminder[:] Due Date
URL
- https[:]//msk[.]turbolider[.]ru/
- https[:]//msk[.]turbolider[.]ru/wp-includes/bid/login[.]php
- https[:]//docentes[.]uto[.]edu[.]bo/abaltazarc/bid/login[.]php
- http[:]//docentes[.]uto[.]edu[.]bo/abaltazarc/bid/login[.]php
Remediation
- Block the threat indicators at their respective controls.
- Search for IoCs in your environment.
- If a security awareness email looks very legitimate, do not respond to it without confirming legitimacy from network administrators.
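To act on the two IoC-related remediation items above, the following is an added Python example, not part of the Rewterz alert: it refangs the indicators exactly as listed in the alert and searches constructed proxy and mail-gateway log samples for them. The log line formats, usernames, IP addresses, sender and recipient addresses, and the cdn.msk.turbolider.ru host in the sample are assumptions made for the demonstration, not indicators from the alert; the domain check is deliberately widened to subdomains so that a block at the domain level also covers hosts the alert does not list.

```python
"""Match the alert's defanged IoCs against constructed proxy and mail log samples."""
import re
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Indicators exactly as listed (defanged) in the alert.
DEFANGED_DOMAINS = ["docentes[.]uto[.]edu[.]bo", "msk[.]turbolider[.]ru"]
DEFANGED_URLS = [
    "https[:]//msk[.]turbolider[.]ru/",
    "https[:]//msk[.]turbolider[.]ru/wp-includes/bid/login[.]php",
    "https[:]//docentes[.]uto[.]edu[.]bo/abaltazarc/bid/login[.]php",
    "http[:]//docentes[.]uto[.]edu[.]bo/abaltazarc/bid/login[.]php",
]
DEFANGED_SUBJECTS = ["Training Reminder[:] Due Date"]


def refang(value: str) -> str:
    """Reverse the [.] and [:] defanging so indicators can be compared with log data."""
    return value.replace("[.]", ".").replace("[:]", ":")


DOMAINS = {refang(d).lower() for d in DEFANGED_DOMAINS}
URLS = {refang(u).lower() for u in DEFANGED_URLS}
SUBJECTS = {refang(s).lower() for s in DEFANGED_SUBJECTS}


def match_url(url: str) -> Optional[Dict[str, str]]:
    """Return the matching indicator for a URL, or None.

    An exact URL match is reported first; otherwise the host is checked against
    the domain indicators, including subdomains (an assumption of this example).
    """
    url_l = url.strip().lower()
    if url_l in URLS:
        return {"type": "url", "indicator": url_l}
    host = urlparse(url_l).hostname or ""
    for domain in DOMAINS:
        if host == domain or host.endswith("." + domain):
            return {"type": "domain", "indicator": domain}
    return None


def match_subject(subject: str) -> Optional[str]:
    """Return the lure subject contained in a mail subject (case-insensitive), or None."""
    normalised = " ".join(subject.split()).lower()
    for s in SUBJECTS:
        if s in normalised:
            return s
    return None


# Constructed proxy log: timestamp user src_ip method url status (not real traffic).
PROXY_LOG = """\
2020-09-17T09:12:44Z alice 10.0.0.12 GET https://msk.turbolider.ru/wp-includes/bid/login.php 200
2020-09-17T09:13:01Z bob 10.0.0.15 GET https://www.example.com/training 200
2020-09-17T09:15:20Z carol 10.0.0.20 POST http://docentes.uto.edu.bo/abaltazarc/bid/login.php 302
2020-09-17T09:16:02Z dave 10.0.0.22 GET https://cdn.msk.turbolider.ru/assets/logo.png 200
"""

# Constructed mail gateway log: timestamp from=<addr> to=<addr> subject="<text>" (not real mail).
MAIL_LOG = """\
2020-09-17T08:55:10Z from=reminder@example.net to=alice@corp.example subject="Training Reminder: Due Date"
2020-09-17T08:57:41Z from=finance@corp.example to=bob@corp.example subject="Q3 budget"
2020-09-17T09:02:03Z from=reminder@example.net to=carol@corp.example subject="Re: training reminder:  due date"
"""

MAIL_RE = re.compile(r'^(\S+) from=(\S+) to=(\S+) subject="(.*)"$')


def scan_proxy_log(text: str) -> List[Dict[str, str]]:
    """Return one hit per proxy line whose URL or host matches an indicator."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue  # skip malformed lines instead of failing the whole scan
        ts, user, src_ip, _method, url, _status = fields
        m = match_url(url)
        if m:
            hits.append({"time": ts, "user": user, "src_ip": src_ip, **m})
    return hits


def scan_mail_log(text: str) -> List[Dict[str, str]]:
    """Return one hit per mail line whose subject contains the lure subject."""
    hits = []
    for line in text.splitlines():
        m = MAIL_RE.match(line)
        if not m:
            continue
        ts, sender, recipient, subject = m.groups()
        matched = match_subject(subject)
        if matched:
            hits.append({"time": ts, "from": sender, "to": recipient, "indicator": matched})
    return hits


if __name__ == "__main__":
    for hit in scan_proxy_log(PROXY_LOG) + scan_mail_log(MAIL_LOG):
        print(hit)
```

Run against the samples, the proxy scan reports alice and carol on exact URL matches and dave on the subdomain match, while bob's visit to an unrelated site is ignored; the mail scan flags both the original subject and the case-varied "Re:" reply, which is why subject matching is done on a normalised substring rather than an exact string.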