Rewterz

August 16, 2021

Rewterz Threat Alert – XLS HTML Phishing Campaign – Active IOCs

Severity

High

Analysis Summary

Cybercriminals attempt to change tactics as fast as security and protection technologies do. During a year-long investigation of a targeted, invoice-themed XLS.HTML phishing campaign, attackers changed obfuscation and encryption mechanisms every 37 days on average, demonstrating high motivation and skill to constantly evade detection and keep the credential theft operation running.

Impact

  • Credential Theft

Indicators of Compromise

URL

  • hxxps[:]//es-dd[[.]]net/file/excel/document
  • hxxps[:]//moneyissues[[.]]ng/wp-content/uploads/2017/10/DHL-LOGO
  • hxxps[:]//contactsolution[[.]]com[[.]]ar/wp-admin/ddhlreport
  • hxxps[:]//www[[.]]laserskincare[[.]]ae/wp-admin/css/colors/midnight/reportexcel
  • hxxp[:]//yourjavascript[[.]]com/40128256202/233232xc3
  • hxxp[:]//yourjavascript[[.]]com/84304512244/3232evbe2
  • hxxp[:]//yourjavascript[[.]]com/42580115402/768787873
  • hxxp[:]//yourjavascript[[.]]com/82182804212/5657667-3
  • hxxps[:]//gladiator164[[.]]ru/wp-snapshots/root/0098
  • hxxp[:]//yourjavascript[[.]]com/1111559227/7675644
  • hxxp[:]//yourjavascript[[.]]com/2512753511/898787786
  • hxxp[:]//yourjavascript[[.]]com/1522900921/5400
  • hxxp[:]//tokai-lm[[.]]jp/root/4556562332/t7678
  • hxxp[:]//yourjavascript[[.]]com/0221119092/65656778
  • hxxp[:]//yourjavascript[[.]]com/212116204063/000010887-676
  • hxxp[:]//tannamilk[[.]]or[[.]]jp//_products/556788-898989/0888
  • hxxp[:]//coollab[[.]]jp/dir/root/p/434
  • hxxp[:]//coollab[[.]]jp/dir/root/p/09908
  • hxxp[:]//www[[.]]tanikawashuntaro[[.]]com//cgi-bin/root
  • hxxp[:]//yourjavascript[[.]]com/4154317425/6899988
  • hxxp[:]//www[[.]]atomkraftwerk[[.]]biz/590/dir/354545-89899
  • hxxp[:]//yourjavascript[[.]]com/2131036483/989
  • hxxp[:]//www[[.]]atomkraftwerk[[.]]biz/590/dir/86767676-899
  • hxxp[:]//coollab[[.]]jp/local/70/98988
  • hxxps[:]//tannamilk[[.]]or[[.]]jp/cgialfa/545456
  • hxxps[:]//mcusercontent[[.]]com/dc967eaa4412707bedd3fe8ab/images/d2d8355d-7adc-4f07-8b80-e624edbce6ea[.]png
  • hxxps[:]//tannamilk[[.]]or[[.]]jp//js/local/33309900
  • hxxp[:]//tokai-lm[[.]]jp//home-30/67700
  • hxxp[:]//coollab[[.]]jp/009098-50009/0990/099087776556
  • hxxp[:]//yourjavascript[[.]]com/4951929252/45090
  • hxxp[:]//tokai-lm[[.]]jp/style/b9899-8857/8890/5456655
  • hxxps[:]//maldacollege[[.]]ac[[.]]in/phy/A/actions
  • hxxps[:]//jahibtech[[.]]com[[.]]ng/wp-admta/taliban/office

Remediation

  • Block all threat indicators at their respective controls.
  • Search for IOCs in your environment.
  • Do not download software and files from unofficial and untrusted sources.
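One way to act on the "search for IOCs in your environment" step, as an added example that is not Rewterz's own tooling: refang a subset of the defanged URLs listed above (the `hxxp`, `[:]`, `[[.]]` and `[.]` conventions used on this page), extract their hostnames, and match them against proxy log lines. The log lines are constructed for this example, and the Squid-like `timestamp client method url status` layout is an assumption; the matching is done on the parsed hostname rather than by substring, so a lookalike path containing an IOC domain does not produce a false hit.

```python
import re
from urllib.parse import urlsplit

# Subset of the defanged URLs from the advisory above, copied verbatim.
DEFANGED_IOCS = [
    "hxxps[:]//es-dd[[.]]net/file/excel/document",
    "hxxps[:]//moneyissues[[.]]ng/wp-content/uploads/2017/10/DHL-LOGO",
    "hxxp[:]//yourjavascript[[.]]com/40128256202/233232xc3",
    "hxxps[:]//gladiator164[[.]]ru/wp-snapshots/root/0098",
    "hxxp[:]//tokai-lm[[.]]jp/root/4556562332/t7678",
    "hxxps[:]//tannamilk[[.]]or[[.]]jp/cgialfa/545456",
    "hxxps[:]//mcusercontent[[.]]com/dc967eaa4412707bedd3fe8ab/images/"
    "d2d8355d-7adc-4f07-8b80-e624edbce6ea[.]png",
    "hxxps[:]//jahibtech[[.]]com[[.]]ng/wp-admta/taliban/office",
]


def refang(indicator):
    """Undo the defanging conventions used in the advisory's IOC list."""
    s = indicator.strip()
    s = re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)  # hxxps:// -> https://
    s = s.replace("[:]", ":")
    s = s.replace("[[.]]", ".")  # double-bracket form first, then single
    s = s.replace("[.]", ".")
    return s


def ioc_hosts(defanged):
    """Lower-cased set of hostnames extracted from the refanged URLs."""
    hosts = set()
    for item in defanged:
        host = urlsplit(refang(item)).hostname
        if host:
            hosts.add(host.lower())
    return hosts


def ioc_urls(defanged):
    """Lower-cased set of full refanged URLs, for exact-URL matching."""
    return {refang(item).lower() for item in defanged}


# Constructed proxy log lines (not real telemetry): timestamp client method url status.
SAMPLE_PROXY_LOG = """\
1629100001.123 10.0.0.15 GET https://www.example.com/index.html 200
1629100002.456 10.0.0.22 GET https://es-dd.net/file/excel/document 200
1629100003.789 10.0.0.22 GET http://yourjavascript.com/40128256202/233232xc3 200
1629100004.012 10.0.0.31 GET https://tannamilk.or.jp/js/local/33309900 404
1629100005.345 10.0.0.44 GET https://mcusercontent.com/dc967eaa4412707bedd3fe8ab/images/d2d8355d-7adc-4f07-8b80-e624edbce6ea.png 200
1629100006.678 10.0.0.50 GET https://example.org/yourjavascript.com/lookalike 200
"""


def scan_log(log_text, defanged=DEFANGED_IOCS):
    """Return (client, host, match_kind) for each log line whose host is an IOC.

    match_kind is "url" when the full URL is listed, "host" when only the
    hostname matches (same domain, different path).
    """
    hosts = ioc_hosts(defanged)
    urls = ioc_urls(defanged)
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue  # skip malformed lines rather than crash mid-scan
        _ts, client, _method, url, _status = parts[:5]
        host = (urlsplit(url).hostname or "").lower()
        if host in hosts:
            kind = "url" if url.lower() in urls else "host"
            hits.append((client, host, kind))
    return hits


if __name__ == "__main__":
    for client, host, kind in scan_log(SAMPLE_PROXY_LOG):
        print(f"{client} contacted IOC host {host} ({kind} match)")
```

A "host" match on a shared content-delivery domain such as mcusercontent[.]com should be confirmed against the full URL before blocking, since the host serves unrelated content as well; the single-purpose domains in the list can be blocked at the host level.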
