Rewterz Threat Alert – Campaign Deploying Malware via MalSpam Targeting Web Application Servers

Severity

Medium

Analysis Summary


A new email campaign has been discovered that delivers malicious file attachments via spam. Analysis of the attached files uncovered a variant of c99madshell, a PHP web shell, carrying a full suite of attack capabilities against web application servers running older versions of PHP.

Impact


Malware Infection

Indicators of Compromise


URLs

gulfup[.]com

Filename

10_lot_photo.jpg

Email Address

xkemox[@]gmail[.]com

Malware Hash (SHA256)

  • 8e50e5e71ff22abeaf878a1d2dbb274ef84e0d4f9ccc120bf0c3b016fce0fe13
  • 5179a36d40e1148eb54af2eeeb932a16cf397326a19f5ca2678be4f5ff28914f

Remediation

  • Maintain up-to-date antivirus signatures and engines.
  • Update PHP to the latest version available.
  • Keep operating system patches up-to-date.
  • Disable File and Printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
  • Restrict users’ ability (permissions) to install and run unwanted software applications.
  • Keep administrative privileges strictly limited to relevant users only.
  • Enforce a strong password policy and implement regular password changes.
  • Exercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be known.
  • Enable a personal firewall on agency workstations, configured to deny unsolicited connection requests.
  • Disable unnecessary services on agency workstations and servers.
  • Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its “true file type” (i.e., the extension matches the file header).
  • Monitor users’ web browsing habits; restrict access to sites with unfavorable content.
  • Exercise caution when using removable media (e.g., USB thumbdrives, external drives, CDs, etc.).
  • Scan all software downloaded from the Internet prior to executing.
  • Maintain situational awareness of the latest threats and implement appropriate ACLs.
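The "true file type" check from the list above, as an added example that is not part of this Rewterz alert: a Python comparison of a file's header against its extension, run over two constructed samples named like the attachment in this alert (10_lot_photo.jpg). The signature table, the alias sets and the sample bytes are assumptions made for this illustration.

```python
import re

# Magic-byte signatures this check recognises (constructed, not exhaustive).
MAGIC = [
    (b"\xff\xd8\xff", "jpg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip"),   # also the docx/xlsx/pptx container format
    (b"MZ", "exe"),           # Windows PE image
]
# Extensions that legitimately share one detected container type (assumed).
ALIASES = {
    "jpg": {"jpg", "jpeg"},
    "zip": {"zip", "docx", "xlsx", "pptx", "jar"},
    "exe": {"exe", "dll", "sys"},
}

def true_file_type(data: bytes) -> str:
    """Return the type implied by the file header, ignoring the file name."""
    for sig, kind in MAGIC:
        if data.startswith(sig):
            return kind
    # A PHP open tag in the first 4 KiB marks PHP source: web shells such as
    # c99 variants are plain PHP text whatever extension they carry.
    if re.search(rb"<\?(php|=)", data[:4096], re.IGNORECASE):
        return "php"
    return "unknown"

def extension_mismatch(filename: str, data: bytes) -> bool:
    """True when the extension claims a type the header does not support."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    kind = true_file_type(data)
    if kind == "php":
        return True       # PHP source is never a wanted mail attachment
    if kind == "unknown":
        return False      # header not recognised; leave to other scanners
    return ext not in ALIASES.get(kind, {kind})

# Constructed samples: a genuine JPEG header and a PHP file, both named
# like the attachment in this alert.
SAMPLES = {
    "real_photo": ("10_lot_photo.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"),
    "fake_photo": ("10_lot_photo.jpg", b"<?php echo 'constructed sample'; ?>"),
}

def scan_samples() -> dict:
    """Map each sample name to whether the gateway should quarantine it."""
    return {n: extension_mismatch(fn, d) for n, (fn, d) in SAMPLES.items()}

if __name__ == "__main__":
    for name, flagged in scan_samples().items():
        print(f"{name}: {'QUARANTINE' if flagged else 'ok'}")
```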