The threat actors behind the ATMZOW JS sniffer campaign and the Hancitor malware downloader are the same, according to a research report from Group-IB.
Researchers said ATMZOW successfully infected at least 483 websites across four continents since the beginning of 2019.
When Group-IB first detected the same obfuscation technique on a phishing website, its researchers hypothesized that the method was not unique to ATMZOW and that other attackers could be using the same obfuscator.
Based on the same JS obfuscation technique and the connection between the domain names used for the JS sniffer and the phishing domain, we can conclude that both campaigns were conducted by the same threat group.
While analyzing Prometheus TDS, Group-IB noticed several cases in which phishing pages targeting clients of the same bank were used as the final redirect after the malicious payload distributed by Prometheus TDS had been downloaded.
Prior to the latest Group-IB report, a threat actor using ATMZOW was at the center of a cyber-attack against a website set up to accept donations for victims of the Australian bushfires in January 2020.
Indicators of Compromise