Request a Demo
Rewterz
Rewterz Threat Alert – Malspam Campaign Delivering Malicious Files Using Compromised Windstream Email Addresses
June 14, 2019
Rewterz
Rewterz Threat Advisory – CVE-2019-1029 – Microsoft Lync Server 2010 / 2013 Denial of Service Vulnerability
June 14, 2019

Rewterz Threat Alert – “Love You” Malspam Phishing Campaign Reemerged

Severity

Medium

Analysis Summary

A malspam email campaign that has emails with subject lines about love letters and had a zip attachment with a name starting with “Love_You_”. The zip file, when uncompressed, contained a JavaScript file that, upon execution, performed several HTTP requests to download additional malicious executables. These executables were a Monero cryptocurrency miner, Phorpiex spambot malware, and GandCrab ransomware. The Phorpiex spambot malware caused the victim host to be joined to a botnet and begin emailing out copies of the malicious zip file to additional targets. Meanwhile the victim host was infected with ransomware and leveraged to mine crypto-currency.

Impact

File encryption

Indicators of Compromise

IP(s) / Hostname(s)

  • 92[.]63[.]197[.]48
  • 198[.]105[.]244[.]228
  • 78[.]46[.]77[.]98
  • 217[.]26[.]53[.]161
  • 74[.]220[.]215[.]73
  • 136[.]243[.]13[.]215
  • 138[.]201[.]162[.]99


URLs

  • slpsrgpsrhojifdij[.]ru
  • osheoufhusheoghuesd[.]ru
  • suieiusiueiuiuushgf[.]ru
  • www[.]2mmotorsport[.]biz
  • www[.]haargenau[.]biz
  • www[.]bizziniinfissi[.]com
  • www[.]holzbock[.]biz
  • www[.]fliptray[.]biz
  • gandcrabmfe6mnef[.]onion


Malware Hash (MD5/SHA1/SH256)

  • 72429571f4ca62fceb5a4fc0a17a8f8ab88c1ed01b9d657f7e9778c7939cea06
  • 27ac0e9011294c2152d224052280f7fa434df572809a6f96f9a306f3d5c965e3
  • 99a1e83e77850b59995cdf29b61e9f29f9c38882363027668030df0a62059645
  • 06e61032bccfe0ccd51ddbab480e1eb6392bccb318639ecac0092e96b9d794ad
  • 7818e108a16f096eb71feb564ce92095c4ac1e613933630169cc16606bb5f68d
  • 0a27af16b991cbe0f5445022cb1d752a9144abeede6b8de0055247e6fd6c1698
  • 32ee086fbc82ddd0675c0293656f813493ce6d96d02e0bcbeccee4d1a6adfb20
  • 12e3038b2ed0663cba3c6a05ac0a27b61dce694dffc27aafb4cb3f2f229ff6b8
  • 6ad3e68e2e8c5088bc8544bc230a2e333645d3c246ace772bf61f80cd0e93002
  • 99fe714a365f8e4a74687592700b27f2016a59c7527b5d4ef7cfd97e63468349
  • d189f44528dfa3f8dba2632ae26f564a37931cb89668d31402fc7fb05ae63c1a
  • c3683096f91b00dfe248e388b4302d5471fb090ab8092c96c991a467c26f26b0
  • f3c369edc2ea96465c49a14f64bdce83c0a401e0ae12e809bced8f99b977c5dc
  • f4d3ba58e91dc95877ba13804df6fe307ef6efcef74d3a00792387625a624cf4
  • 9ff78056e225c08ef1f1ff71f305201387f3ec766c8727361851287a74de1f45
  • ba23af4480611fb19fad2cd83a41bd347d183e0ef8e1c5477916bebe32955d87
  • cf9a20874089ec7aa1a84a27f74928c71266a684e7fee4c1ac8d37aaf57d6bf2
  • 0de30f9dbe37aea5932e5df85b4f1aa5cefe28f3bffb58d4d8ae40ccd040a4a7
  • 4c0103c745fa6e173821035c304863d751bea9c073d19070d9ebf8685da95040
  • 056b7eb0c06645e1f51ed77f4fa18a4bed47135108371a84f0482f141ae0d769
  • 035ae8f389e0a4cb58428d892123bc3e3b646e4387c641e664c5552228087285
  • b8bf5b607b305139db81c48e96010a67768488b01edc8c615306ed303c545b0d
  • 4b9d5841d38b8658466dcaf409c34c0f6d2d1f9ecb64254391a4621465daf79b

Remediation

  • Block all threat indicators at your respective controls.
  • Always be suspicious about emails sent by unknown senders.
  • Never click on the link/attachments sent by unknown senders.