-
Notifications
You must be signed in to change notification settings - Fork 11
/
2022-03-03-IOCs-for-Bazil-targeted-malware-infection.txt
61 lines (46 loc) · 2.67 KB
/
2022-03-03-IOCs-for-Bazil-targeted-malware-infection.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
2022-03-03 (THURSDAY) - WINDOWS INFECTION ACTIVITY FROM BRAZIL-TARGETED MALSPAM
REFERENCE:
- https://twitter.com/Unit42_Intel/status/1499491574627119117
NOTE:
- We reported a similar infection using similiar indicators on 2022-02-17: https://twitter.com/Unit42_Intel/status/1496172957726560257
EMAIL HEADERS:
Received: from ruvds-bxhg9 (unknown [194.87.107[.]33])
(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256)
(No client certificate requested)
by [recipient's mail server] (Postfix) with ESMTPS id 4K8Gs81q4bzFpVs
for <[recipient's email address]>; Thu, 3 Mar 2022 03:37:43 +0000 (UTC)
Received: by ruvds-bxhg9 (Postfix, from userid 0)
id C89E4E2C5E; Thu, 3 Mar 2022 06:07:02 +0300 (MSK)
content-type: text/html
Subject: NF-e - Pedido N (46512154)
From: nfe@empresajobs.com
Message-Id: <20220303033528.C89E4E2C5E@ruvds-bxhg9>
Date: Thu, 3 Mar 2022 03:07:02 -0000 (UTC)
LINK FROM THE EMAIL:
hxxp://fiscal.servebbs[.]com
TRAFFIC FROM AN INFECTED WINDOWS HOST:
- 20.77.245[.]61 port 80 - fiscal.servebbs[.]com - GET / HTTP/1.1
- 20.77.245[.]61 port 80 - fiscal.servebbs[.]com - GET /favicon.ico HTTP/1.1
- 20.77.245[.]61 port 80 - download2.go.dyndns[.]org - GET /5E%2028%205B%205E_5E128%205B%205E_5E%2028%205B%205E_5E128%205B%205E_5E%2028%205B%205E_5E128%205B%205E_/ HTTP/1.1
- 20.77.245[.]61 port 80 - fiscal.homelinux[.]com - GET /Nota.zip HTTP/1.1
- 52.161.99[.]171 port 80 - plugtree.duckdns[.]org - GET /libwinpthread-1.css HTTP/1.1
- 20.77.245[.]61 port 80 - clientes.is-saved[.]org - POST /clientes/postUP.php HTTP/1.0
ASSOCIATED MALWARE:
- SHA256 hash: 9b86c38d0c1f3db86087cdd6463500843061180bd92f9f485ac674e0c6bdb9ea
- File size: 2,698,165 bytes
- File location: hxxp://fiscal.homelinux[.]com/Nota.zip
- File description: Zip archive downloaded after clicking link in email
- SHA256 hash: 6c646d75e7b79221a518ad57812991945e08a4679fbd51b44b1fb3bfe15870e3
- File size: 2,862,080 bytes
- File name: IM-87678A-1A1.msi
- File description: MSI file extracted from above zip archive
- SHA256 hash: 2ac951c753fd352c6f4fed3644ef770b05afbd25a1282400d7fc1070d7743ae9
- File size: 18,200,641 bytes
- File location: hxxp://plugtree.duckdns[.]org/libwinpthread-1.css
- File description: Zip archive retrieved by above MSI file
- Note: This zip archive contains files used to run the Pidgin chat client for Windows, along with a malicious DLL run by pidgin.exe
- SHA256 hash: 3afb9a436ca84260a2d7876646a6b999ece5c5a6a7f0f464ee6ca40e5b639834
- File size: 12,226,048 bytes
- File name: libpurple.dll
- File description: malicious 32-bit DLL run by pidgin.exe