Severity
Medium
Analysis summary
Cofense discovered a Polish-language phishing campaign that targets users with DHL-themed emails carrying XLS attachments. The spreadsheet entices the recipient to enable macros. Once enabled, the macros check that the target system uses the Polish language and, if so, download and execute a VBE script. That script repeatedly requests a payload from a remote server and executes each response as a separate PowerShell script. Once a connection to the C2 server is established, PowerShell commands are issued to gather information about the victim host. The scripts downloaded from the C2 server include one that checks for anti-virus and then establishes persistence via both the registry and a startup shortcut, one that downloads a DLL without executing it, and one that executes the previously downloaded DLL. In one case observed by the researchers, this final payload was the Ursnif malware.
Impact
- Credential theft
- Exposure of sensitive information
Indicators of Compromise
MD5
- 712754776baf025993b16846b97a331b
- ab515665320573a21155a6abeb2d54a3
- c53b7ebf5e5459727d80b485d1a964e8
- ef4b91920f1567cc8f6bece2bcd4e010
URL
- https[:]//arethatour[.]icu/372873/corpo1[.]dll
- https[:]//chtroppsoj[.]info[:]443/debug/download/s/DoFH
- https[:]//chtroppsoj[.]info[:]443/debug/download/s/QqTlFT
- https[:]//chtroppsoj[.]info[:]443/debug/download/s/rKD
- https[:]//chtroppsoj[.]info[:]443/debug/download/s/ydFFLg
- https[:]//gillslodss[.]info[:]443/debug/download/s/Gpf
- https[:]//mantoropols[.]xyz/
- https[:]//reloffersstart[.]co/ss[.]php?
- https[:]//seioodsoi[.]club[:]443/chkesosod/downs/VhQWr
Remediation
- Block all threat indicators at your respective controls.
- Always be suspicious about emails sent by unknown senders.
- Never click on the links/attachments sent by unknown senders.
- Always verify that the URL of the website you land on after clicking a link in an email is the legitimate one.
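The following Python script is an added example, not part of the Rewterz alert or of Cofense's research, showing one way to act on the indicators above and on the "block all threat indicators" remediation: it refangs the published URLs, reduces them to hostnames, and matches them against a constructed web-proxy log and a constructed set of observed file MD5s. The log format (timestamp, source IP, method, URL, status) and the file paths are assumptions made for the example; it also matches subdomains of the listed hosts, which goes slightly beyond the bare domains in the alert.

```python
import re

# Indicators copied verbatim from the alert above, still defanged.
DEFANGED_URLS = [
    "https[:]//arethatour[.]icu/372873/corpo1[.]dll",
    "https[:]//chtroppsoj[.]info[:]443/debug/download/s/DoFH",
    "https[:]//chtroppsoj[.]info[:]443/debug/download/s/QqTlFT",
    "https[:]//chtroppsoj[.]info[:]443/debug/download/s/rKD",
    "https[:]//chtroppsoj[.]info[:]443/debug/download/s/ydFFLg",
    "https[:]//gillslodss[.]info[:]443/debug/download/s/Gpf",
    "https[:]//mantoropols[.]xyz/",
    "https[:]//reloffersstart[.]co/ss[.]php?",
    "https[:]//seioodsoi[.]club[:]443/chkesosod/downs/VhQWr",
]
MD5_HASHES = {
    "712754776baf025993b16846b97a331b",
    "ab515665320573a21155a6abeb2d54a3",
    "c53b7ebf5e5459727d80b485d1a964e8",
    "ef4b91920f1567cc8f6bece2bcd4e010",
}


def refang(indicator: str) -> str:
    """Undo the [:] and [.] defanging used in the alert."""
    return indicator.replace("[:]", ":").replace("[.]", ".")


def hostname(url: str) -> str:
    """Return the lower-cased host of a URL, dropping scheme, port and path."""
    m = re.match(r"^[a-z][a-z0-9+.-]*://([^/:?]+)", url, re.IGNORECASE)
    return (m.group(1) if m else url).lower()


# Hosts to block at the proxy/DNS layer; deduplicated across the URL list.
BLOCKED_HOSTS = {hostname(refang(u)) for u in DEFANGED_URLS}


def matched_ioc(host: str):
    """Return the IoC host that `host` equals or is a subdomain of, else None."""
    host = host.lower()
    for ioc in BLOCKED_HOSTS:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


def scan_proxy_log(lines):
    """Yield (line_number, observed_host, matched_ioc) for every log line
    whose destination URL points at one of the alert's hosts."""
    hits = []
    for n, line in enumerate(lines, start=1):
        m = re.search(r"https?://\S+", line)
        if not m:
            continue
        host = hostname(m.group(0))
        ioc = matched_ioc(host)
        if ioc:
            hits.append((n, host, ioc))
    return hits


def match_hashes(observed):
    """Given {path: md5} for files seen on a host, return the paths whose
    MD5 (case-insensitive) is in the alert's hash list."""
    return [(path, h.lower()) for path, h in observed.items()
            if h.lower() in MD5_HASHES]


# Constructed proxy log lines (assumed format) for demonstration only.
SAMPLE_LOG = [
    "2019-12-20T09:14:02Z 10.0.0.15 GET https://chtroppsoj.info:443/debug/download/s/DoFH 200",
    "2019-12-20T09:14:05Z 10.0.0.15 GET https://www.example.com/ 200",
    "2019-12-20T09:15:11Z 10.0.0.22 GET https://ARETHATOUR.icu/372873/corpo1.dll 200",
    "2019-12-20T09:16:00Z 10.0.0.22 GET https://cdn.mantoropols.xyz/x 200",
]

# Constructed file inventory (hypothetical paths) for demonstration only.
SAMPLE_FILES = {
    r"C:\Users\user\Downloads\DHL_123.xls": "712754776BAF025993B16846B97A331B",
    r"C:\Windows\System32\notepad.exe": "d41d8cd98f00b204e9800998ecf8427e",
}

if __name__ == "__main__":
    for n, host, ioc in scan_proxy_log(SAMPLE_LOG):
        print(f"line {n}: {host} matches IoC host {ioc}")
    for path, h in match_hashes(SAMPLE_FILES):
        print(f"{path}: MD5 {h} matches alert indicator")
```

Feeding real proxy exports or EDR file inventories into `scan_proxy_log` and `match_hashes` in place of the constructed samples gives a quick retro-hunt; the subdomain match is deliberate so that a host such as a fresh subdomain of an indicator domain is not missed, at the cost of a possible false positive if a listed domain were ever legitimate.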