Severity
High
Analysis Summary
Cobalt group activity against financial institutions has been observed using the CobInt malware family. The malspam e-mail distribution associated with this activity has a direct connection with subsequent successful attacks on bank infrastructure (PCs, card systems, etc.). In particular, successful ATM cashout attacks (substantial withdrawals from ATMs) and ATM jackpotting attacks (unauthorized dispensing of funds from bank ATMs with the help of a remote criminal team) have been recorded in countries within Europe, Eastern Europe, and Central Asia.
Impact
- Theft of financial information
- Fraudulent transactions
Indicators of Compromise
Domain Name
- recreationbike.info
- adminassistance.info
From Email
- service@sonshinellc.com
Source IP
- 184.154.136.86
- 45.67.57.167
- 193.124.16.34
Remediation
- Block the threat indicators at their respective controls.
- Keep all systems and software updated and patched against all known security vulnerabilities.
- Implement real-time monitoring of ATMs so that suspicious activity or processes involving ATM software are identified.
- Keep ATM software patched and up-to-date.
- Work with the ATM vendors to address overall ATM security.