Severity
Medium
Analysis Summary
An email campaign distributing malspam. A potential victim receives an email with a subject of “Order Inquiry”. The sender was observed as “Sales hofbraurestaurant[@]windstream[.]net”. Within the body of the email, the adversary attempts to entice a user to open the attachment “Order1002 Quotation.zip” to review the order. The infection process begins once the .zip attachment is opened and the malicious content executed, ultimately leading to the Orion keylogger being installed on the victim’s system. It is important to note that it appears the email service for “windstream.net” has been compromised, allowing the threat actor to pass through authentication checks.
Indicators of Compromise
IP(s) / Hostname(s)
- 104[.]27[.]183[.]176
- 192[.]254[.]234[.]204
URLs
- puu[.]sh
- mail[.]fajr[.]com
- http[:]//puu[.]sh/jMSLc[.]txt
- https[:]//puu[.]sh/y0rxd[.]dll
Filename
Order1002 Quotation.zip
Email Address
hofbraurestaurant[@]windstream[.]net
Email Subject
Order Inquiry
Malware Hash (MD5/SHA1/SH256)
- ee337babef9c414fc6bd473869a77ae7c81a0af0b62cda4b7a96abc71200e433
- f740df4d3a6c0b378116b48c1ed18a36e82938cf7dcaaba58f0ba8101f3e3531
- 49f3b5a15708161cb0b2d862c80e670da499675c
- 1570b3df76464a41c9ddebbcfb5f9f93
Remediation
- Block all threat indicators at your respective controls.
- Always be suspicious about emails sent by unknown senders.
- Never click on the link/attachments sent by unknown senders.