This is an advisory on SWIFT-themed phishing emails containing a malicious URL that leads to a malicious ZIP file.
IMPACT: NORMAL
PUBLISH DATE: 10-07-2018
OVERVIEW
A member has reported SWIFT-themed phishing emails containing a URL. Clicking the URL leads to a malicious ZIP file whose name follows a date plus SWIFT message type pattern (here 10_07_18_MT103_Copy.zip).
BACKGROUND INFORMATION
SWIFT-themed emails pose as bank remittance or payment notifications. Subjects seen in such campaigns include “A percentage of your paid tax is being refunded. Please login to check” and “Your refund request expires today. Login here to claim it”. The email usually contains a URL leading to a fake SWIFT login page.
Phishing emails are malicious emails used by attackers to harvest credentials from a user.
Once the user enters credentials on the fake SWIFT login page, the attackers can use them to initiate unauthorized transfers from the victim's account.
WORK ANALYSIS
Phishing emails are not limited to credential theft; they can also deliver payloads. Some campaigns harvest passwords, while others drop malicious files that give the attacker code execution on the victim's machine. The samples reported here fall into the second category: the URL serves a ZIP archive carrying a Win32 executable, and that executable communicates with the command-and-control (C2) hosts listed below.
The payloads observed in the samples have the following details:

Payload URL: hxxp://irontech.ind[.]br/10_07_18_MT103_Copy.zip
  VT detection ratio: 3/68
  URLVoid safety reputation: 0/35
  Domain first registered: unknown
  Server location: Brazil (BR)
  ASN: AS27715 (LocaWeb Ltd)

Payload ZIP: 10_07_18_MT103_Copy.zip
  VT detection ratio: 17/62
  MD5: 03ab4e91c30a55bd13a1a008401e72f7
  SHA1: 3764911740702a30924990b0265c3eac53f1db82
  SHA256: efce38cf340ef2de620e025147c75de667f9f0d495b23c61c4d75bfe9e60ac45
  File type: ZIP
  File size: 154.0 KB (157,724 bytes)

Analyst note: MT103 is the SWIFT message type for a single customer credit transfer, i.e. the format used for ordinary payment instructions, which is why the lure names the file as an "MT103 copy".

Payload executable: 10_07_18_MT103_Copy.exe
  VT detection ratio: 29/68
  MD5: 4a629ccf87f24ac4720d890b1292da82
  SHA1: 291ff2f443e03ccf0b44ae227110f69a62f68d22
  SHA256: 127663c557f11c8571b6c73cd58f673ab705bff8ab273bd087480f215eb09ea7
  File type: Win32 EXE
  File size: 568.0 KB (581,632 bytes)

C2s

newlogs1.hopto[.]org:2730
  VT detection ratio: 2/67
  URLVoid safety reputation: 1/35
  Domain first registered: unknown
  Server location: Switzerland (CH)
  ASN: AS48971 (DATAWIRE AG)

newlogs.ddnsgeek[.]com:2730
  VT detection ratio: 1/67
  URLVoid safety reputation: 1/35
  Domain first registered: unknown
  Server location: Albania (AL)
  ASN: AS197706 (KemiNet Ltd.)

Both C2 hosts are dynamic DNS names (hopto.org, ddnsgeek.com), so the IP behind them can change; block and alert on the hostname rather than on a resolved address.
THREAT INDICATORS
- laux-prien[@]t-online[.]de
- hxxp://irontech.ind[.]br/10_07_18_MT103_Copy.zip
- newlogs1.hopto[.]org:2730
- newlogs.ddnsgeek[.]com:2730
- 03ab4e91c30a55bd13a1a008401e72f7
- 3764911740702a30924990b0265c3eac53f1db82
- efce38cf340ef2de620e025147c75de667f9f0d495b23c61c4d75bfe9e60ac45
- 4a629ccf87f24ac4720d890b1292da82
- 291ff2f443e03ccf0b44ae227110f69a62f68d22
- 127663c557f11c8571b6c73cd58f673ab705bff8ab273bd087480f215eb09ea7
RESOLVE
Organizations may consider blocking the threat indicators listed above at the mail gateway, web proxy and perimeter firewall, and searching proxy, DNS and endpoint logs for any past contact with the payload URL or the C2 hosts on port 2730. It is also recommended to conduct awareness sessions for employees, explaining that they should not click links in, or open files attached to, such phishing emails.
If you think you are a victim of a cyber-security attack, immediately send an email to info@rewterz.com for a rapid response.
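The following is an added example, not part of the Rewterz advisory, showing how a security team could turn the indicators above into a retrospective sweep: it refangs the defanged URL, C2 hosts and sender address, classifies destinations seen in proxy or firewall logs (exact payload URL, C2 host on the advertised port, or an indicator host on any other port), and checks file contents against the published MD5/SHA1/SHA256 hashes. The log format ("timestamp client destination") and the log lines themselves are constructed for the example and are not real traffic.

```python
"""Added example (not from the advisory): sweep logs and files for the IOCs."""
import hashlib
from urllib.parse import urlparse

# Network indicators exactly as published (defanged).
DEFANGED_IOCS = [
    "hxxp://irontech.ind[.]br/10_07_18_MT103_Copy.zip",
    "newlogs1.hopto[.]org:2730",
    "newlogs.ddnsgeek[.]com:2730",
]
# File hashes published for the ZIP and the executable.
HASH_IOCS = {
    "03ab4e91c30a55bd13a1a008401e72f7",
    "3764911740702a30924990b0265c3eac53f1db82",
    "efce38cf340ef2de620e025147c75de667f9f0d495b23c61c4d75bfe9e60ac45",
    "4a629ccf87f24ac4720d890b1292da82",
    "291ff2f443e03ccf0b44ae227110f69a62f68d22",
    "127663c557f11c8571b6c73cd58f673ab705bff8ab273bd087480f215eb09ea7",
}


def refang(ioc: str) -> str:
    """Undo the hxxp / [.] / [@] defanging so the value compares against logs."""
    return ioc.replace("hxxp", "http").replace("[.]", ".").replace("[@]", "@")


SENDER_IOCS = {refang("laux-prien[@]t-online[.]de")}


def build_blocklist(defanged):
    """Split indicators into full URLs, bare hostnames and (host, port) pairs."""
    urls, hosts, host_ports = set(), set(), set()
    for raw in defanged:
        ioc = refang(raw).lower()
        if "://" in ioc:
            urls.add(ioc)
            hosts.add(urlparse(ioc).hostname)      # also watch the hosting domain
        else:
            host, _, port = ioc.partition(":")
            hosts.add(host)
            if port:
                host_ports.add((host, int(port)))
    return urls, hosts, host_ports


def classify(dest: str, urls, hosts, host_ports):
    """Return a match reason for one log destination, or None if clean."""
    d = dest.lower()
    if "://" in d:
        if d in urls:
            return "payload-url"                  # exact download URL
        host, port = urlparse(d).hostname, ""
    else:
        host, _, port = d.partition(":")
    if port.isdigit() and (host, int(port)) in host_ports:
        return "c2"                               # C2 host on the advertised port
    if host in hosts:
        return "ioc-host"                         # indicator host, other port/path
    return None


# Constructed sample log lines: "timestamp client destination" (not real traffic).
SAMPLE_LOG = """\
2018-07-10T09:14:02Z 10.1.4.22 http://irontech.ind.br/10_07_18_MT103_Copy.zip
2018-07-10T09:14:09Z 10.1.4.22 newlogs1.hopto.org:2730
2018-07-10T09:15:31Z 10.1.4.22 newlogs.ddnsgeek.com:443
2018-07-10T09:16:00Z 10.1.7.9 http://example.org/index.html
2018-07-10T09:16:45Z 10.1.4.22 NEWLOGS.DDNSGEEK.COM:2730
"""


def scan_log(text: str, urls, hosts, host_ports):
    """Return (client, destination, reason) for every line that hits an IOC."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue                               # skip malformed lines
        _ts, client, dest = parts
        reason = classify(dest, urls, hosts, host_ports)
        if reason:
            hits.append((client, dest, reason))
    return hits


def hash_matches(data: bytes) -> set:
    """Return the subset of advisory hashes that a file's bytes match."""
    digests = {
        hashlib.md5(data).hexdigest(),
        hashlib.sha1(data).hexdigest(),
        hashlib.sha256(data).hexdigest(),
    }
    return digests & HASH_IOCS


def sender_flagged(addr: str) -> bool:
    """True if an envelope/From address is the advisory's sender indicator."""
    return addr.strip().lower() in SENDER_IOCS


if __name__ == "__main__":
    bl = build_blocklist(DEFANGED_IOCS)
    for client, dest, reason in scan_log(SAMPLE_LOG, *bl):
        print(f"{reason:12} {client:12} {dest}")
```

The sweep treats the hosting domain of the payload URL and the two dynamic DNS names as indicators on any port (reason "ioc-host") while reserving "c2" for the exact host:port pair from the advisory; a hit on port 443 to one of the C2 names is still worth a look because the operator controls what the name resolves to. Comparison is case-insensitive because log sources differ in how they record hostnames.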