Rewterz Threat Alert – Multiple Malspam Campaigns Dropping Different Malware – IoCs

Severity

Medium

Analysis Summary

Following malspam campaigns have been reported:

• A FormBook Malware Phishing using the subject “Revised document”
• A O365 Themed Phishing Email using the subject “A file has been shared with you”
• A Spear Phishing Email containing a suspicious phishing URL, using the subject “Fed Reporter”
• An Emotet Phishing malspam with PDF attachments containing embedded malicious URLs. It uses the subject “Firstname> Online Payment Summary March 2019”
• An AMEX-themed phishing email with the subject, “Your Account Has Been Flagged !” that contains a malicious PDF.
• An Apple-themed Phishing e-mail with the subject line “[ New Update ] [ Receipt Invoice ] [ #ID8461164 ] Thanks for your order in App store at March 14, 2019”.
• A vacation tours website (niagaratours[.]ca) has been compromised and all the payment and personal information entered into the site is sent to the attacker-controlled domain at handelaar[.]org.
• A Trickbot Malspam campaign using the subject “Deposit 91369724 paid 02/26/2019”

Impact

Phishing

Malware infection

Emotet

Trickbot

Indicators of Compromise

Remediation

• Block the threat indicators at their respective controls.
• Scan for the email subjects and if found, block the related email addresses, URLs, etc.
• Do not download email attachments coming from unknown sources.
• Always scan files downloaded from internet prior to execution.