Rewterz Threat Alert – Indicators of Compromise for Multiple Malspam Campaigns

Severity

Medium

Analysis Summary

The following Indicators of Compromise have been gathered from multiple phishing campaigns, dropping different kinds of malware. These campaigns include the following:

• Two phishing emails were reported, containing suspicious links. The link downloaded a malicious Microsoft Word document containing a PowerShell script that downloads another file. The downloaded file collects system information and sends it to a command-and-control (C2).
• A consumer account was taken over by malicious actors. The customer had never activated their online account access. The threat actor utilized social security and date of birth (DOB) information to gain unauthorized access to the account. They then would look to activate services such as account to account transfer and bill payment to try and steal funds from the victims.
• Another Malspam campaign was reported containing a .PDF file with a malicious URL embedded in it, leading to a OneDrive-themed Credential Harvesting Webpage.
• A campaign using multiple Google Docs URLs that download an encrypted ZIP file.
• National Australia Bank-themed phishing email with the subject, “Important notice” containing an embedded URL that directed to a National Australia Bank-themed credential harvesting webpage.
• A Sextortion Scam Email with the subject, “Bad news for you” requesting $450.00 in Bitcoin. Analysis of the Bitcoin wallet ID revealed that three payments have been made to the wallet since December 15, 2018.

Impact

• Credential Theft
• Fraudulent Fund Transfer
• Malware Infection
• Information Disclosure

Indicators of Compromise

IP(s) / Hostname(s)

• 96[.]40[.]81[.]132
• 96[.]92[.]228[.]177
• 99[.]106[.]208[.]107
• 207[.]163[.]116[.]24
• 162[.]233[.]101[.]248
• 45[.]40[.]6[.]180
• 174[.]85[.]31[.]129
• 96[.]92[.]252[.]93
• 192[.]230[.]142[.]91
• 104[.]240[.]101[.]9
• 108[.]78[.]60[.]37
• 184[.]159[.]232[.]113
• 173[.]164[.]178[.]10
• 75[.]38[.]213[.]175
• 173[.]166[.]177[.]153
• 96[.]81[.]203[.]206
• 162[.]239[.]230[.]209
• 107[.]207[.]117[.]22
• 38[.]88[.]226[.]18
• 104[.]2[.]215[.]40
• 50[.]83[.]25[.]252
• 104[.]31[.]92[.]251
• 105[.]185[.]141[.]205
• 108[.]188[.]116[.]179
• 133[.]242[.]156[.]30
• 138[.]201[.]140[.]110
• 147[.]135[.]210[.]39
• 167[.]114[.]210[.]191
• 173[.]255[.]196[.]209
• 173[.]255[.]250[.]241
• 173[.]3[.]29[.]123
• 178[.]62[.]37[.]188
• 185[.]94[.]252[.]3
• 186[.]113[.]255[.]229
• 186[.]4[.]234[.]27
• 187[.]142[.]0[.]234
• 187[.]189[.]195[.]208
• 187[.]233[.]152[.]78
• 190[.]128[.]199[.]57
• 190[.]211[.]207[.]11
• 190[.]97[.]219[.]241
• 192[.]115[.]76[.]18
• 198[.]20[.]81[.]59
• 200[.]113[.]185[.]229
• 200[.]50[.]185[.]54
• 201[.]220[.]152[.]101
• 201[.]239[.]154[.]191
• 203[.]143[.]86[.]111
• 207[.]255[.]210[.]196
• 208[.]78[.]100[.]202
• 217[.]13[.]106[.]160
• 24[.]243[.]101[.]134
• 41[.]220[.]119[.]246
• 45[.]123[.]3[.]54
• 45[.]33[.]49[.]124
• 49[.]36[.]1[.]96
• 5[.]230[.]147[.]179
• 50[.]31[.]0[.]160
• 50[.]80[.]248[.]108
• 58[.]171[.]215[.]214
• 58[.]9[.]168[.]7
• 59[.]103[.]164[.]174
• 62[.]75[.]187[.]192
• 64[.]13[.]225[.]150
• 64[.]46[.]91[.]165
• 67[.]205[.]149[.]117
• 67[.]209[.]208[.]130
• 67[.]248[.]56[.]82
• 69[.]198[.]17[.]7
• 70[.]57[.]82[.]196
• 73[.]183[.]131[.]231
• 76[.]168[.]149[.]66
• 80[.]172[.]234[.]15
• 83[.]222[.]124[.]62
• 85[.]104[.]59[.]244
• 86[.]239[.]117[.]57
• 87[.]106[.]139[.]101
• 87[.]106[.]210[.]123
• 94[.]76[.]200[.]114

URLs

• buckinghamandlloyds[.]com
• contabilidadecontacerta[.]com
• forexproservice[.]com
• lesserassociates[.]com
• nieuwhoftegelwerken[.]nl
• uninortediverso[.]com
• vigor-dragon[.]com
• hxxps://docs.google[.]com/uc?id=1033dAwy0T47NOT43MxU2zQUC-BJuxzY3
• hxxps://docs.google[.]com/uc?id=10HhH8vbWLIgCzHEer0XVSL6JHfqAvrpk
• hxxps://docs.google[.]com/uc?id=13swHcsF_2lEndOFpYeGjry8GBmjnR6fa
• hxxps://docs.google[.]com/uc?id=143h4FHSf-qSnScuji5TrPUcUzvI4TfaK
• hxxps://docs.google[.]com/uc?id=148pzjYlGEl85AxPCOjGIADfb9f480rzH
• hxxps://docs.google[.]com/uc?id=14Os0FhsFsyr2ICuvyy-wjtfMU1WvTrCu
• hxxps://docs.google[.]com/uc?id=14sDyVFWSl5iekrqWUXuMDTpdijIzvkp7
• hxxps://docs.google[.]com/uc?id=16gJJdh_BoCVmbnbj0x73RESNLcqqSpT0
• hxxps://docs.google[.]com/uc?id=16urp8KOUoAMl_QByO1aZ2E-AJnyPtolh
• hxxps://docs.google[.]com/uc?id=16z7DS-ypxPYDOSBqJfOJ1wRDlh1dnqic
• hxxps://docs.google[.]com/uc?id=17iyWtEZqZ4W6jgKQepEVbat_NiSW80vN
• hxxps://docs.google[.]com/uc?id=19k2wvLAoEIwJZ1L5uwykiAtZZxRkyve8
• hxxps://docs.google[.]com/uc?id=19PztJkhpUEpfO0rtvSe9w-LwUCwlf72u
• hxxps://docs.google[.]com/uc?id=1Ag8R2t9-RLhA105569b-UzsnJ2Kg4Rqu
• hxxps://docs.google[.]com/uc?id=1B-V7JX1ChP9xJ7Ld5FxY10WT-KGQZOlc
• hxxps://docs.google[.]com/uc?id=1CS3eHhE61nEykQuCItjVFWNv2wKEYeXs
• hxxps://docs.google[.]com/uc?id=1EmhVQIzHVRAy7BlA5tgZ_umVBErG9p4Y
• hxxps://docs.google[.]com/uc?id=1EqRGKvrM13J3-iX2jXAprKXJK7BeZT2s
• hxxps://docs.google[.]com/uc?id=1FgyS0MpkYiy9IskmXZR6dB_QuTrtLA3U
• hxxps://docs.google[.]com/uc?id=1gvqFSmDjvS0TN3LPxHP7u5u1qb29QyMH
• hxxps://docs.google[.]com/uc?id=1i1zzsjNiOW9dQdi7E9UHcBxT5J3m3cxp
• hxxps://docs.google[.]com/uc?id=1ibbDzrLxFAQHqIKiW6QMYgSidN4P7-Cg
• hxxps://docs.google[.]com/uc?id=1mcXkTfPIPZ4EuNDXgRVgezxsv6IIIIdw
• hxxps://docs.google[.]com/uc?id=1PACacYj2DvjiHIyXSG7AH_JyF-fdox9_
• hxxps://docs.google[.]com/uc?id=1PGA2kuCbDgqjOWnoI6Q8hf5ICGNpDnd4
• hxxps://docs.google[.]com/uc?id=1rbbVhAb9nDCTDmoMtIUFV5zZNaG5dYyc
• hxxps://docs.google[.]com/uc?id=1Rh126ypzs5z8G9xOce2z6UPjKe9k3EMl
• hxxps://docs.google[.]com/uc?id=1SDa-m9tXubv2eRFEks3OStbxcLUY-r7x
• hxxps://docs.google[.]com/uc?id=1SrdK_c2Di67jEYRgnJWidc6N5gdxaluQ
• hxxps://docs.google[.]com/uc?id=1uAQ9sbDVyehGlYHgbd5WsfDBY6PjZvF8
• hxxps://docs.google[.]com/uc?id=1uQvvU8A1m3dJ146i27rEFOdZ6dE0LzKc
• hxxps://docs.google[.]com/uc?id=1uUgRMcT3CxTL31L4VsNghVP8JuSixBIm
• hxxps://docs.google[.]com/uc?id=1vD5zW1F-9mjn6G_b-hVcbLMFNpOAn9qh
• hxxps://docs.google[.]com/uc?id=1W_uR-yFgcmxvRn4cOrCqmTWi-V3hMB1s
• hxxps://docs.google[.]com/uc?id=1W1qUGA6WPssBiyB7NMhU2A9j3EURMGnW
• hxxps://docs.google[.]com/uc?id=1wImvl3Z6GLPJu0hb_ohJ3Oqp4wu16eec
• hxxps://docs.google[.]com/uc?id=1Womh9gJRaKNMOVLmNLTyMFEaMhiAv4ow
• hxxps://docs.google[.]com/uc?id=1Wx1CMGhUKVUQjxNVuzaZ0UE6pLYrbTZ_
• hxxps://docs.google[.]com/uc?id=1x4o5y4UpUiDSIrBnxXunnzf39geOLLLH
• hxxps://docs.google[.]com/uc?id=1Xbgio_1Y7dJBFOC8HwcZYffKLDsXdLHa
• hxxps://docs.google[.]com/uc?id=1XMaWK_aabz-OWae-TUXy-0hHumYZ873M
• hxxps://docs.google[.]com/uc?id=1XSC4xAp2Ap8968BuwyJaNx37KsyHXQFE
• hxxps://docs.google[.]com/uc?id=1Y-1KkgeOp01UGpXESdAvgW6vs7chk_vB

Email Address

• Berry[@]mx[.]spamh[.]com
• Berry[@]za04[.]rocketseed[.]com
• markovfeofil[@]gmail[.]com
• naikvemimme[@]gmail[.]com
• nakokuroyaku[@]gmail[.]com
• peorpedom[@]gmail[.]com
• vezanaknyus[@]gmail[.]com

Email Subject

• James A. Popper sent you a message…
• Please approve
• Important notice
• Bad news for you
• New Agreement
• Agreement points.
• last points
• last paragraphs
• Agreement paragraphs

Malware Hash (MD5/SHA1/SH256)

• 39752866b4e0aab0bccc1d8a153619ab2e6b01d18802d2e0db2590576e85d263
• 96e38fde30eaa12b85c71f62489b51115f4df7b94e69948eb49612bca6f3ee22
• 832a44c8244e955bc4b54012b0a1f63f
• f0521e5edd6366d478e08497d6312aca2234d009
• 59448c0201c9757e812fcd548d35aeb5b6519364245d2302b249ba1d44b10050
• b490f25f08ba3add7dab8588b3d68a77eb75a5a1e34071112cacdc0aaf78fab8

Remediation

• Block the threat indicators at their respective controls.
• Maintain up-to-date antivirus signatures and engines.
• Keep operating system patches up-to-date.
• Restrict users’ ability (permissions) to install and run unwanted software applications.
• Enforce a strong password policy and implement regular password changes.
• Exercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be known.
• Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its “true file type” (i.e., the extension matches the file header).
• Scan all software downloaded from the Internet prior to executing.