

Rewterz Threat Alert – COVID themed targeting from North Korean Kimsuky
March 20, 2020
Rewterz Threat Alert – Adversary Uses Phishing – Imitates Banking Portal
March 20, 2020
Severity
High
Analysis Summary
Attackers are targeting victims with invoice-themed spear phishing as well as Corona relief documents in order to infect them with ZLoader. Its usual targets are financial institutions and banks. ZLoader, also known as Terdot and DELoader, is a loader that installs the Zeus malware on victim machines after the initial infection.
Indicators of compromise are given below.
Impact
- Code Execution
- Financial Theft
- Information theft
Indicators of Compromise
Domain Name
- tdvomds[.]pw
- marchadvertisingnetwork[.]com
- marchadvertisingnetwork2[.]com
- marchadvertisingnetwork3[.]com
- marchadvertisingnetwork4[.]com
- marchadvertisingnetwork5[.]com
Email Subject
- March New incoming Invoice
- This is your Overdue Invoice
- This is your New service Invoice ; Fluke Technologies
From Email
- jackson[.]helendies@aol[.]com
- gonzalez[.]lindayd5w@aol[.]com
- brown[.]josephmgiv@aol[.]com
- jones[.]elizabeth0w5u@aol[.]com
- hernandez[.]michelle31bj@aol[.]com
- campbell[.]karene4n5@aol[.]com
- moore[.]kimberlyfoqh@aol[.]com
- smith[.]ruthcbqr@aol[.]com
- edwards[.]jamesbmr6@aol[.]com
- phillips[.]richardw7o8@aol[.]com
- young[.]davidfgr2@aol[.]com
- young[.]mariaaphn@aol[.]com
- hill[.]danielapvr@aol[.]com
- robinson[.]barbaral6lh@aol[.]com
- white[.]paulmtyf@aol[.]com
- miller[.]ruthg5nw@aol[.]com
- davis[.]lauratufo@aol[.]com
- harris[.]brianuea9@aol[.]com
- hernandez[.]anthony9b05@aol[.]com
- garcia[.]dorothyobll@aol[.]com
- harris[.]david1mhf@aol[.]com
- perez[.]josephgl8s@aol[.]com
- mitchell[.]stevenfj9b@aol[.]com
- taylor[.]georgenfp6@aol[.]com
- williams[.]charlesdeza@aol[.]com
- perez[.]sarahzhzn@aol[.]com
- clark[.]markz0kd@aol[.]com
- wright[.]georgexaue@aol[.]com
- brown[.]paulzbkq@aol[.]com
- robinson[.]georgevdnc@aol[.]com
Source IP
- 209[.]141[.]54[.]161
- 34[.]91[.]87[.]40
- 8[.]208[.]28[.]247
- 216[.]119[.]137[.]24
Remediation
- Block the threat indicators at their respective controls.
- Do not respond to untrusted emails and mark similar suspicious emails as spam.
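The alert asks for the indicators to be blocked at their respective controls. As an added example (not Rewterz's own code or tooling), the script below refangs a subset of the indicators listed above and runs them against a few constructed mail-gateway log lines, flagging sender, source IP, subject and URL-host matches. The log line format and the sample lines are assumptions made up for this example, not a real product's export format.

```python
import re

# Indicators copied verbatim (defanged) from the alert above; senders are a subset.
DOMAINS = {
    "tdvomds[.]pw",
    "marchadvertisingnetwork[.]com",
    "marchadvertisingnetwork2[.]com",
    "marchadvertisingnetwork3[.]com",
    "marchadvertisingnetwork4[.]com",
    "marchadvertisingnetwork5[.]com",
}
SENDERS = {
    "jackson[.]helendies@aol[.]com",
    "gonzalez[.]lindayd5w@aol[.]com",
    "brown[.]josephmgiv@aol[.]com",
    "smith[.]ruthcbqr@aol[.]com",
}
SOURCE_IPS = {
    "209[.]141[.]54[.]161",
    "34[.]91[.]87[.]40",
    "8[.]208[.]28[.]247",
    "216[.]119[.]137[.]24",
}
SUBJECTS = {
    "March New incoming Invoice",
    "This is your Overdue Invoice",
    "This is your New service Invoice ; Fluke Technologies",
}


def refang(ioc: str) -> str:
    """Turn a defanged indicator ('a[.]b') back into a matchable value ('a.b')."""
    return ioc.replace("[.]", ".")


# Refanged, normalised lookup sets built once.
BLOCK_DOMAINS = {refang(d).lower() for d in DOMAINS}
BLOCK_SENDERS = {refang(s).lower() for s in SENDERS}
BLOCK_IPS = {refang(i) for i in SOURCE_IPS}
BLOCK_SUBJECTS = {s.lower() for s in SUBJECTS}

# Constructed (hypothetical) gateway log format:
# <timestamp> from=<addr> client_ip=<ip> subject="<text>" urls=<comma-separated or ->
LOG_RE = re.compile(
    r'^(?P<ts>\S+) from=<(?P<sender>[^>]*)> client_ip=(?P<ip>\S+) '
    r'subject="(?P<subject>[^"]*)" urls=(?P<urls>\S*)$'
)
HOST_RE = re.compile(r"^(?:https?://)?([^/:]+)", re.IGNORECASE)


def url_host(url: str) -> str:
    """Extract the host part of a URL (scheme optional), lower-cased."""
    m = HOST_RE.match(url)
    return m.group(1).lower() if m else ""


def match_line(line: str) -> dict:
    """Return the indicator types one log line matches; empty dict if clean."""
    m = LOG_RE.match(line.strip())
    if not m:
        return {"parse_error": True}  # surface unparsable lines rather than drop them
    hits = {}
    sender = m.group("sender").lower()
    if sender in BLOCK_SENDERS:
        hits["sender"] = sender
    if m.group("ip") in BLOCK_IPS:
        hits["source_ip"] = m.group("ip")
    if m.group("subject").lower() in BLOCK_SUBJECTS:
        hits["subject"] = m.group("subject")
    hosts = [url_host(u) for u in m.group("urls").split(",") if u and u != "-"]
    # Exact host match or any subdomain of a listed domain.
    bad = [h for h in hosts
           if h in BLOCK_DOMAINS or any(h.endswith("." + d) for d in BLOCK_DOMAINS)]
    if bad:
        hits["domain"] = bad
    return hits


def scan_mail_log(lines):
    """Return (line_number, hits) for every line that matched an indicator."""
    results = []
    for n, line in enumerate(lines, start=1):
        hits = match_line(line)
        if hits:
            results.append((n, hits))
    return results


# Constructed sample log lines for this example (not real traffic).
SAMPLE_LOG = [
    '2020-03-20T09:12:01Z from=<jackson.helendies@aol.com> client_ip=209.141.54.161 '
    'subject="March New incoming Invoice" urls=http://marchadvertisingnetwork2.com/inv.doc',
    '2020-03-20T09:14:33Z from=<accounts@example.org> client_ip=198.51.100.7 '
    'subject="Weekly report" urls=-',
    '2020-03-20T09:15:02Z from=<unknown@example.net> client_ip=203.0.113.5 '
    'subject="Corona relief document" urls=https://cdn.marchadvertisingnetwork.com/relief.pdf',
    '2020-03-20T09:16:45Z from=<smith.ruthcbqr@aol.com> client_ip=216.119.137.24 '
    'subject="This is your Overdue Invoice" urls=-',
]

if __name__ == "__main__":
    for n, hits in scan_mail_log(SAMPLE_LOG):
        print(f"line {n}: {hits}")
```

Subjects are matched exactly after case folding because the alert lists them verbatim; the domain check also catches subdomains of the listed domains, since a lure hosted on a subdomain still resolves under the blocked zone.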