Rewterz Threat Alert – Malware Leveraging XMRig Miner
October 26, 2020
Rewterz Threat Alert – New RAT Malware Gets Commands via Discord
October 26, 2020
Severity
Medium
Analysis Summary
A campaign has been discovered that uses shipping-themed emails to deliver the Agent Tesla malware. The emails carry the kind of shipping information normally found on a bill of lading, including the captain's name, the type of vessel and other particulars. Victims are encouraged to download the attachment, in this case a .CAB file, and to save it under a particular naming scheme. The actor sends from an imposter email address to add credibility, refers to real ships by name, and the destination area stated in the email matches the actual shipping area of that ship. The attachments are usually between 500k and 1.5m in size and, depending on the sample, have anywhere from zero to more than 50 detections on VirusTotal. Several hundred different samples have been obtained.

Agent Tesla exfiltrates the stolen data over HTTPS or, more commonly, over email (SMTPS, tcp/587). The HTTPS destinations tend to be fairly random, whereas the email destinations are often hosted on domains that themselves belong to shipping companies, and the mailboxes used for exfiltration are frequently legitimate accounts within the shipping companies mentioned, i.e. accounts whose credentials have already been compromised. This indicates that the campaign has been successful to some extent and over the months has managed to steal valid email credentials (and probably more than that) from firms in the shipping and logistics sector.
Impact
- Credential Theft
- Data Exfiltration
- Information Disclosure
Indicators of Compromise
Domain Name
- smtp[.]hyshippingcn[.]com
- smtp[.]t7global-my[.]com
SHA-256
- e54a6b286a3f878d2141127a361b210de1f80733f13a7c146729740315cace60
- 3f9740d946f6881e2b2dfb54d2fe1a39bc7e0d6263d0ff0b0f792fd6c1297ab1
- b557b1f52acc68c6be8a10a51e68a3afc2880bac970421a572faefb4b589c5e1
SHA-1
- 15f65230fb7dafdad1ca727fa7a3dd5bb132fe51
- f00fadbb5208ce7cdfe655c99c3d0cd4e13b688b
- e0be943cd75bbab62768510aaa1547a90ee41ab0
Remediation
- Block the threat indicators at their respective controls.
- Do not download attachments from unexpected emails, even if the sender appears legitimate.
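The SMTPS exfiltration pattern described in the analysis summary is easy to hunt for in egress logs: outbound tcp/587 from anything other than your own mail relays, plus hits on the SMTP domains listed above. The script below is an added example, not Rewterz's code; the log format, the relay address 10.0.0.25 and the sample lines are all constructed assumptions.

```python
import re

# IoC domains from this alert, kept defanged as published and refanged for matching.
IOC_DOMAINS = {d.replace("[.]", ".")
               for d in ("smtp[.]hyshippingcn[.]com", "smtp[.]t7global-my[.]com")}

# Assumption: hosts allowed to speak SMTP submission (tcp/587) outbound, i.e. your
# own mail relays. Endpoints normally submit mail through them, not directly.
APPROVED_MAIL_RELAYS = {"10.0.0.25"}

# Assumed (constructed) log shape: timestamp, source IP, destination host, port, proto.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)

def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def classify(event):
    """Label an event: known IoC domain first, then SMTPS from a non-relay host."""
    if event["dst"].lower() in IOC_DOMAINS:
        return "ioc_domain"
    if event["dport"] == "587" and event["src"] not in APPROVED_MAIL_RELAYS:
        return "smtps_from_non_relay"
    return None

def scan(lines):
    """Return (timestamp, src, dst, label) for every line that triggers a rule."""
    findings = []
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue  # malformed or unrelated line, skipped
        label = classify(event)
        if label:
            findings.append((event["ts"], event["src"], event["dst"], label))
    return findings

def hosts_to_triage(findings):
    """Distinct source hosts with at least one finding, for endpoint follow-up."""
    return sorted({src for _, src, _, _ in findings})

# Constructed sample log lines, not real traffic.
SAMPLE_LOG = """\
2020-10-26T09:14:02Z src=10.0.5.41 dst=smtp.hyshippingcn.com dport=587 proto=tcp
2020-10-26T09:15:10Z src=10.0.5.41 dst=mail.example.net dport=587 proto=tcp
2020-10-26T09:16:00Z src=10.0.0.25 dst=mail.example.net dport=587 proto=tcp
2020-10-26T09:17:33Z src=10.0.5.42 dst=www.example.com dport=443 proto=tcp
this line is malformed and is skipped
"""
```

Running `scan(SAMPLE_LOG.splitlines())` flags the IoC-domain connection and the workstation submitting mail directly on 587, while the relay's own traffic and the HTTPS request pass.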