December 23, 2021
Severity
High
Analysis Summary
Dridex is banking malware delivered through spam campaigns that targets the Windows platform, infecting computers and stealing banking passwords and other personal information to conduct fraudulent money transfers.
The malware's primary goal is to steal banking credentials, and it has been linked to the TA505 threat organization (also known as Evil Corp), which has been active since at least Q3 2014. Dridex has employed a variety of vulnerabilities and techniques to carry out its attacks, including modifying directory files, leveraging system recovery to escalate privileges, and changing firewall rules to allow peer-to-peer data extraction.
Researchers have found that Dridex and Meterpreter are being installed on Windows and Linux devices, respectively, by exploiting the Log4j vulnerability.

Impact
- Remote Code Execution
- Credential Theft
- Financial Loss
- Exposure of Sensitive Data
Indicators of Compromise
Domain Name
- webs-up[.]com
- tabak[.]hr
- sonicrain[.]com
- nderemo[.]co[.]tz
- kylintech[.]in
- kookoo[.]co[.]in
- hllaw[.]com
- ditarbags[.]com
- daftar[.]site
Hostname
- zabbix[.]fenixnetcom[.]com[.]br
- teste[.]spedynet[.]com[.]br
- live[.]kiss13[.]net
MD5
- 9faf1dbcb4942cf3e3578414402180ed
- 016ff855b3964e04310613c998ce4370
SHA-256
- 07d2c7e6ad2f889fc3ab3313b01f2c4fdb698a273309d9674a539bb49e935096
- 6b6d9932ed5de3cace4d33e04af91f45246883a2f752fd511ddc5d23763009ba
SHA-1
- c11db122dcb86a85ca8ca3efa580797016c3943e
- 205cb07e3db47a032e2e30efa44f386a488d1419
URL
- https[:]//tabak[.]hr/o-nama/YRPDO7/fuck_niggers_34[.]hta
- https[:]//tabak[.]hr/o-nama/YBM9Z5/fuck_niggers_26[.]hta
- https[:]//tabak[.]hr/o-nama/WLFNVK/fuck_niggers_33[.]hta
- https[:]//tabak[.]hr/o-nama/U2Y2G/fuck_niggers_21[.]hta
- https[:]//tabak[.]hr/o-nama/PS4U5D/fuck_niggers_2[.]hta
- http[:]//89[.]31[.]56[.]58[:]593
- http[:]//51[.]159[.]52[.]196[:]443
- http[:]//194[.]233[.]68[.]48[:]5228
- http[:]//188[.]166[.]57[.]35[:]1389/Binary
- http[:]//167[.]99[.]115[.]242[:]8001/Binary[.]class
Remediation
- Block all threat indicators at your respective controls.
- Search for IOCs in your environment.
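The following script is an added example of the second remediation step, not part of the Rewterz alert itself. It takes the defanged domain, hostname, IP and hash indicators listed above, refangs them (the `[.]` and `[:]` substitutions) so they match what logs actually contain, and scans a set of constructed proxy, DNS and firewall log lines plus a constructed file-hash inventory. The log lines, client addresses and file paths are invented for the demonstration; the indicators are copied from the alert.

```python
import re

# Indicators copied from the alert above, still in defanged form.
DEFANGED_DOMAINS = [
    "webs-up[.]com", "tabak[.]hr", "sonicrain[.]com", "nderemo[.]co[.]tz",
    "kylintech[.]in", "kookoo[.]co[.]in", "hllaw[.]com", "ditarbags[.]com",
    "daftar[.]site", "zabbix[.]fenixnetcom[.]com[.]br",
    "teste[.]spedynet[.]com[.]br", "live[.]kiss13[.]net",
]
DEFANGED_IPS = [
    "89[.]31[.]56[.]58", "51[.]159[.]52[.]196", "194[.]233[.]68[.]48",
    "188[.]166[.]57[.]35", "167[.]99[.]115[.]242",
]
# MD5, SHA-1 and SHA-256 values from the alert, compared case-insensitively.
FILE_HASHES = {
    "9faf1dbcb4942cf3e3578414402180ed",
    "016ff855b3964e04310613c998ce4370",
    "c11db122dcb86a85ca8ca3efa580797016c3943e",
    "205cb07e3db47a032e2e30efa44f386a488d1419",
    "07d2c7e6ad2f889fc3ab3313b01f2c4fdb698a273309d9674a539bb49e935096",
    "6b6d9932ed5de3cace4d33e04af91f45246883a2f752fd511ddc5d23763009ba",
}


def refang(indicator: str) -> str:
    """Undo the usual defanging so an indicator matches raw log content."""
    return (indicator.replace("[.]", ".").replace("[:]", ":")
            .replace("hxxp://", "http://").replace("hxxps://", "https://"))


def _domain_regex(domains):
    # Match the domain itself or any subdomain of it as a whole host token:
    # "www.tabak.hr" should fire on tabak.hr, "shllaw.com" must not fire on hllaw.com.
    alts = "|".join(re.escape(refang(d)) for d in domains)
    return re.compile(r"(?<![\w.-])(?:[\w-]+\.)*(?:" + alts + r")(?![\w.-])", re.I)


def _ip_regex(ips):
    # Whole-address match only, so 188.166.57.35 does not fire on 188.166.57.3.
    alts = "|".join(re.escape(refang(ip)) for ip in ips)
    return re.compile(r"(?<![\d.])(?:" + alts + r")(?![\d.])")


DOMAIN_RE = _domain_regex(DEFANGED_DOMAINS)
IP_RE = _ip_regex(DEFANGED_IPS)


def scan_logs(lines):
    """Return (line_number, indicator_type, matched_value) for each distinct hit per line."""
    hits = []
    for n, line in enumerate(lines, start=1):
        seen = []
        for m in DOMAIN_RE.finditer(line):
            value = ("domain", m.group(0).lower())
            if value not in seen:
                seen.append(value)
        for m in IP_RE.finditer(line):
            value = ("ip", m.group(0))
            if value not in seen:
                seen.append(value)
        hits.extend((n, kind, value) for kind, value in seen)
    return hits


def match_hashes(observed):
    """observed maps file path -> hex digest; return paths whose digest is in the alert."""
    return sorted(path for path, digest in observed.items()
                  if digest.lower() in FILE_HASHES)


# Constructed sample logs and file inventory for the demonstration (not real data).
SAMPLE_LOGS = [
    "2021-12-23T10:01:02Z proxy src=10.0.0.15 dst=www.tabak.hr method=GET status=200",
    "2021-12-23T10:02:10Z dns client=10.0.0.15 query=live.kiss13.net type=A",
    "2021-12-23T10:03:44Z proxy src=10.0.0.22 dst=example.org method=GET status=200",
    "2021-12-23T10:04:01Z fw src=10.0.0.15 dst=188.166.57.35 dport=1389 action=allow",
    "2021-12-23T10:05:00Z dns client=10.0.0.9 query=shllaw.com type=A",
    "2021-12-23T10:06:00Z fw src=10.0.0.9 dst=188.166.57.3 dport=80 action=allow",
]
SAMPLE_FILES = {
    "C:/Users/alice/AppData/Local/Temp/update.dll": "9FAF1DBCB4942CF3E3578414402180ED",
    "C:/Windows/System32/notepad.exe": "d41d8cd98f00b204e9800998ecf8427e",
}

if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOGS):
        print("log line %d: %s indicator %s" % hit)
    for path in match_hashes(SAMPLE_FILES):
        print("hash match:", path)
```

The host regex deliberately matches subdomains of a listed domain but not look-alike strings that merely contain it, and IPs are matched only as whole addresses; both are the usual false-positive traps when grepping for IOCs. Real deployments would feed the same functions from a SIEM export or an EDR hash inventory instead of the inline samples.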