Rewterz Threat Advisory – Recent Malicious IPs, Domains and their Impacts

A list of malicious domains and IPs is given below. The contents were observed carrying out malicious activities during November 16-22, 2018.

IMPACT:  VARIABLE

PUBLISH DATE:  27-11-2018

OVERVIEW

Listed below are some malicious IPs and domains that are suspected to be involved in malicious activities ranging from social engineering to dropping malware and payloads.

IMPACT ANALYSIS

The malicious activities associated with these threat indicators include the following known trojans and malware:

Powershell Empire

Empire is a pure PowerShell post-exploitation agent that implements the ability to run PowerShell agents without needing powershell.exe and contains rapidly deployable post-exploitation modules that evade network detection.

Emotet

Emotet is a banking trojan malware program which obtains financial information by injecting computer code into the networking stack of an infected computer, allowing sensitive data to be stolen.

Banload

BANLOAD malware variants arrive on the systems as files dropped by other malware or as files downloaded unknowingly by users when visiting malicious sites.

Ursnif

Ursnif is a data stealing malware with variants like Backdoors, spyware and file infectors.

Trickbot

TrickBot has become one of the most versatile threats of 2018. It’s distributed through separate distinct malicious spam (malspam) campaigns.

Arkei

Arkei is a malware strain specialized in dumping and stealing passwords and wallet private keys.

TinyNuke

Tinynuke, or Nukebot malware, is a trojan able to perform man in the browser attacks against modern web browsers. It’s promoted through social networking and advertisements that contain links to malicious software installers.

Alureon

Alureon is a trojan and bootkit created to steal data by intercepting a system’s network traffic and searching for: banking usernames and passwords, credit card data, Paypal information, social security numbers, and other sensitive user data.

Trojan Downloader

A Trojan Downloader is a malicious program typically installed through an exploit sent through malicious attachments. It allows the download to install malware onto a victim’s computer.

MalDoc

There are powerful malicious document (maldoc) generation techniques that are effective at bypassing anti-virus detection. Analyzing such files in a sandbox will often not reveal the malicious payload, as the sandbox engine needs to recognize and open the embedded file.

GrandCrab

Based on a ransomware-as-a-service model, GrandCrab is a ransomware that mines cryptocurrencies and shares profits between malware developers and cybercriminals.

THREAT INDICATORS

IP Addresses

• 248.56[.]131
• 120.97[.]51
• 223.109[.]139
• 243.111[.]170
• 143.57[.]109
• 184.13[.]216
• 213.21[.]254
• 58.165[.]119
• 0.186[.]35
• 201.103[.]16
• 32.33[.]194
• 201.103[.]26
• 207.113[.]106
• 247.181[.]125

Domains

• dayterria[.]com
• cjwefrfomatt[.]com
• onetwoabc[.]ws
• kerondown[.]com
• azzoodijdhgdr[.]com
• ogdotighth[.]com
• bellsyscdn[.]com
• lootototic[.]com
• wassedfast[.]com
• bizziniinfissi[.]com

RECOMMENDATIONS

• Consider blocking and alerting on these IP addresses and domains as this reduces the risk of security incidents.
• Review previously blocked IPs and domains and consider unblocking them, for the ones that have not been included in the fresh report and may not be malicious anymore.
• Note that some of the IP addresses may belong to legitimate organizations.
• If any traffic is found on either of the Malware Data tabs, then check the source host for signs of infection and report to us.

(An IP address can be associated with multiple domain names for those belonging to a hosting company, and a domain name can be associated with multiple IP addresses that utilize fast flux DNS or cloud hosting.)

If you think you’re a victim of a cyber-attack, immediately send an email to soc@rewterz.com for a quick response.