Rewterz Threat Alert – FakeUpdates are Back! – IOCs

Severity

High

Analysis Summary

Financially motivated threat actors employ tactics that focus on disrupting business processes by deploying ransomware en masse throughout a victim's environment. Because normal business processes are critical to organizational success, these ransomware campaigns have been accompanied by multi-million dollar ransom demands. In this newer campaign, the threat actors leveraged victim systems to deploy malware such as Dridex or NetSupport, along with multiple post-exploitation frameworks. In some cases the threat actors' ultimate goal was to ransom systems en masse with BitPaymer or DoppelPaymer ransomware.

This campaign used compromised websites to deliver heavily obfuscated Trojan droppers masquerading as Chrome, Internet Explorer, Opera, and/or Firefox browser updates. The compromised sites carried injected code either directly in the HTML or in JavaScript components rendered by the pages. Victim users reached these sites either via HTTP redirects or through watering-hole techniques employed by the attackers.

Impact

Financial loss

Indicators of Compromise

Malware Hash (MD5/SHA1/SHA256)

  • a2ac7b9c0a049ceecc1f17022f16fdc6
  • 2c444002be9847e38ec0da861f3a702b
  • 7503da20d1f83ec2ef2382ac13e238a8
  • 0e470395b2de61f6d975c92dea899b4f
  • 102ae3b46ddcb3d1d947d4f56c9bf88c
  • aaca5e8e163503ff5fadb764433f8abb
  • 10eefc485a42fac3b928f960a98dc451
  • 175dcf0bd1674478fb7d82887a373174
  • 62eaef72d9492a8c8d6112f250c7c4f2
  • 6e05e84c7a993880409d7a0324c10e74
  • 72fe19810a9089cd1ec3ac5ddda22d3f
  • 7239da273d3a3bfd8d169119670bb745
  • c8bb08283e55aed151417a9ad1bc7ad9
  • 63d4834f453ffd63336f0851a9d4c632
  • 07b0ce2dd0370392eedb0fc161c99dc7
  • 0ef5c94779cd7861b5e872cd5e922311

Remediation

  • Block all threat indicators at your respective controls.
  • Always be suspicious about emails sent by unknown senders.
  • Never click on links or attachments sent by unknown senders.
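The first remediation item, blocking the published indicators, is usually paired with a sweep of endpoints for files matching those hashes. The script below is an added example for this advisory, not Rewterz tooling: it parses the advisory's MD5 list above (classifying each indicator as MD5, SHA1 or SHA256 by length, so a list with mixed digest types works unchanged), hashes every file under a directory in a single streaming pass, and reports matches. The `demo_sweep` function builds a constructed temporary directory with a stand-in "known bad" file whose digest is added to the indicator set, because no real sample is available here; the file names and contents in it are assumptions for illustration only.

```python
"""IOC sweep: hash files under a directory and flag any whose MD5, SHA1 or
SHA256 digest appears in an advisory's indicator list.

Added example accompanying the advisory; not Rewterz tooling. ADVISORY_IOCS
is the advisory's own MD5 list. The directory and files built by demo_sweep()
are constructed for illustration.
"""
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, List, Set, Tuple

# MD5 indicators published in the advisory above (one per line).
ADVISORY_IOCS = """
a2ac7b9c0a049ceecc1f17022f16fdc6
2c444002be9847e38ec0da861f3a702b
7503da20d1f83ec2ef2382ac13e238a8
0e470395b2de61f6d975c92dea899b4f
102ae3b46ddcb3d1d947d4f56c9bf88c
aaca5e8e163503ff5fadb764433f8abb
10eefc485a42fac3b928f960a98dc451
175dcf0bd1674478fb7d82887a373174
62eaef72d9492a8c8d6112f250c7c4f2
6e05e84c7a993880409d7a0324c10e74
72fe19810a9089cd1ec3ac5ddda22d3f
7239da273d3a3bfd8d169119670bb745
c8bb08283e55aed151417a9ad1bc7ad9
63d4834f453ffd63336f0851a9d4c632
07b0ce2dd0370392eedb0fc161c99dc7
0ef5c94779cd7861b5e872cd5e922311
"""

# Hex digest length -> hashlib algorithm name.
_LEN_TO_ALGO = {32: "md5", 40: "sha1", 64: "sha256"}
_HEX = set("0123456789abcdef")


def parse_iocs(text: str) -> Dict[str, Set[str]]:
    """Split a pasted indicator list into per-algorithm sets.

    Each line is classified by digest length. Bullet characters, blank
    lines and anything that is not plain hex of a known length are ignored,
    so pasting the advisory list verbatim does not produce bogus entries.
    """
    iocs: Dict[str, Set[str]] = {"md5": set(), "sha1": set(), "sha256": set()}
    for raw in text.splitlines():
        token = raw.strip().lstrip("•").strip().lower()
        algo = _LEN_TO_ALGO.get(len(token))
        if algo and set(token) <= _HEX:
            iocs[algo].add(token)
    return iocs


def digest_file(path: Path, chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Compute MD5, SHA1 and SHA256 of a file in one streaming read."""
    hashers = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def sweep(root: Path, iocs: Dict[str, Set[str]]) -> List[Tuple[str, str, str]]:
    """Walk `root`; return (path, algorithm, digest) for every file whose
    digest is in `iocs`. Unreadable files are skipped, not fatal."""
    hits: List[Tuple[str, str, str]] = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            try:
                digests = digest_file(path)
            except OSError:
                continue
            for algo, value in digests.items():
                if value in iocs[algo]:
                    hits.append((str(path), algo, value))
    return hits


def demo_sweep() -> List[Tuple[str, str, str]]:
    """Constructed demonstration: one stand-in 'known bad' file (its MD5 is
    added to the indicator set in place of a real sample) and one benign
    file. Returns hits with paths relative to the temporary root."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "update").mkdir()
        bad = root / "update" / "update_sample.bin"          # constructed
        bad.write_bytes(b"constructed sample body, not real malware\n")
        (root / "readme.txt").write_bytes(b"benign content\n")  # constructed
        iocs = parse_iocs(ADVISORY_IOCS)
        iocs["md5"].add(hashlib.md5(bad.read_bytes()).hexdigest())
        return [(os.path.relpath(p, root), a, v) for p, a, v in sweep(root, iocs)]


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        for path, algo, value in sweep(Path(sys.argv[1]), parse_iocs(ADVISORY_IOCS)):
            print(f"MATCH {algo} {value} {path}")
    else:
        print(demo_sweep())
```

Run with a directory argument to sweep it against the advisory's hashes, or with no argument to run the constructed demonstration. Hashing all three digests in one pass keeps the sweep to a single read per file, which matters on large file shares; a hit on any algorithm is reported, so a future list that adds SHA1 or SHA256 values needs no code change.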