This article discusses a sophisticated phishing attack targeting a financial organization, involving the delivery of malicious emails and the deployment of obfuscated malware named “Zoomer.” The attack utilized various techniques for evasion and persistence, leading to significant data theft through the exfiltration of sensitive information via Telegram bots. Affected: financial organizations
Keypoints :
- Targeted phishing attack aimed at a top financial organization.
- Phishing emails contained a malicious ZIP file named REDACTED-fraud-transactions.zip.
- Malware, named “Zoomer,” employed advanced obfuscation techniques.
- Key components of the malware included JavaScript files and various payloads.
- Persistence mechanisms ensured the malware executed on system reboot.
- Data exfiltration was achieved using Telegram bots.
- The malware was classified as Stealer Malware due to its data theft capabilities.
MITRE Techniques :
- T1071.001: Application Layer Protocol – The malware communicates with external servers over HTTPS.
- T1047: Windows Management Instrumentation – The malware uses WMI for persistence and execution.
- T1059.001: JavaScript – Utilizes JavaScript for malicious payload execution.
- T1105: Ingress Tool Transfer – Downloads additional payloads from remote locations.
- T1070.001: Indicator Removal on Host – Attempts to hide its presence by deleting logs and artifacts.
Indicator of Compromise :
- [IP Address] 149.154.167.220
- [IP Address] 3.5.70.162
- [URL] https://carsight.s3.amazonaws.com
- [URL] https://comfucios.s3.us-west-2.amazonaws.com
- [MD5 Hash] f7903ddbf7c0aa570c3e6db19ec4df8c
- Check the article for all found IoCs.
Full Research: https://medium.com/@TomiwaAmuda/unveiling-a-sophisticated-phishing-attack-159a47fe2f18