Severity
High
Analysis Summary
Attackers are found targeting victims with Invoice themed spear phishing as well as Corona relief documents, in order to infect them with ZLoader. The usual target is financial institutions and banks. ZLoader is also known as Terdot, DELoader, that loads the Zeus malware on victim machines after initial infection.
Indicators of compromise are given below.
Impact
- Code Execution
- Financial Theft
- Information theft
Indicators of Compromise
Domain Name
- tdvomds[.]pw
- marchadvertisingnetwork[.]com
- marchadvertisingnetwork2[.]com
- marchadvertisingnetwork3[.]com
- marchadvertisingnetwork4[.]com
- marchadvertisingnetwork5[.]com
Email Subject
- March New incoming Invoice
- This is your Overdue Invoice
- This is your New service Invoice ; Fluke Technologies
From Email
- jackson[.]helendies@aol[.]com
- gonzalez[.]lindayd5w@aol[.]com
- brown[.]josephmgiv@aol[.]com
- jones[.]elizabeth0w5u@aol[.]com
- hernandez[.]michelle31bj@aol[.]com
- campbell[.]karene4n5@aol[.]com
- moore[.]kimberlyfoqh@aol[.]com
- smith[.]ruthcbqr@aol[.]com
- edwards[.]jamesbmr6@aol[.]com
- phillips[.]richardw7o8@aol[.]com
- young[.]davidfgr2@aol[.]com
- young[.]mariaaphn@aol[.]com
- hill[.]danielapvr@aol[.]com
- robinson[.]barbaral6lh@aol[.]com
- white[.]paulmtyf@aol[.]com
- miller[.]ruthg5nw@aol[.]com
- davis[.]lauratufo@aol[.]com
- harris[.]brianuea9@aol[.]com
- hernandez[.]anthony9b05@aol[.]com
- garcia[.]dorothyobll@aol[.]com
- harris[.]david1mhf@aol[.]com
- perez[.]josephgl8s@aol[.]com
- mitchell[.]stevenfj9b@aol[.]com
- taylor[.]georgenfp6@aol[.]com
- williams[.]charlesdeza@aol[.]com
- perez[.]sarahzhzn@aol[.]com
- clark[.]markz0kd@aol[.]com
- wright[.]georgexaue@aol[.]com
- brown[.]paulzbkq@aol[.]com
- robinson[.]georgevdnc@aol[.]com
Source IP
- 209[.]141[.]54[.]161
- 34[.]91[.]87[.]40
- 8[.]208[.]28[.]247
- 216[.]119[.]137[.]24
Remediation
- Block the threat indicators at their respective controls.
- Do not respond to untrusted emails and mark similar suspicious emails as spam.