CATEGORY: Cyber Crime
The Meterpreter payload is downloaded with an HTTP POST request to 185[.]117[.]75[.]73. The SSL certificate served by https://185[.]117[.]75[.]73 was issued for the domain cbrrf[.]tech, which is the domain of the C&C server used in the October campaign.
Interestingly, the certificate presented by 185[.]117[.]75[.]73 was replaced in late December with a Let's Encrypt certificate for files[.]migcredit[.]host. The domain migcredit[.]host was also used in the October campaign, and a freshly issued certificate for it suggests that it is likely to resurface in upcoming campaigns. The indicators of compromise below were retrieved in the last week of 2018.
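The certificate changes described above are a reminder that matching only on destination IPs misses infrastructure that moves: the same operator reused cbrrf[.]tech and migcredit[.]host across campaigns, and the second certificate was for a subdomain (files[.]migcredit[.]host) that a plain string comparison against migcredit[.]host would not catch. The following Python script is an added example and not part of the original article: it refangs the indicators exactly as they are written in the report, matches TLS certificate subject CN, SAN and SNI names against the indicator domains including their subdomains, and runs over a few constructed TLS connection records in a JSON-lines layout loosely modelled on Zeek's ssl.log. The field names, the non-indicator IPs and hostnames, and the timestamps in the sample are assumptions made for the example.

```python
import ipaddress
import json
import re

# Indicators as written in the report above, still defanged.
REPORT_IOCS = [
    "185[.]117[.]75[.]73",
    "cbrrf[.]tech",
    "migcredit[.]host",
    "files[.]migcredit[.]host",
]

# Constructed sample records (not real telemetry). Layout loosely follows
# Zeek's ssl.log in JSON form; "san_dns" is an assumed field carrying the
# certificate's DNS SANs. Only the first record's IP and the indicator
# domains come from the report; 198.51.100.7 and 203.0.113.9 are
# documentation-range addresses chosen for the example.
SAMPLE_LOG = """\
{"ts": "2018-12-27T10:14:02Z", "id.orig_h": "10.0.0.12", "id.resp_h": "185.117.75.73", "id.resp_p": 443, "server_name": "-", "subject": "CN=files.migcredit.host", "san_dns": ["files.migcredit.host"], "issuer": "CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US"}
{"ts": "2018-12-27T10:15:40Z", "id.orig_h": "10.0.0.31", "id.resp_h": "198.51.100.7", "id.resp_p": 443, "server_name": "example.com", "subject": "CN=www.example.org", "san_dns": ["www.example.org", "example.com"], "issuer": "CN=Example CA,O=Example,C=US"}
{"ts": "2018-12-27T10:16:05Z", "id.orig_h": "10.0.0.12", "id.resp_h": "203.0.113.9", "id.resp_p": 443, "server_name": "cbrrf.tech", "subject": "CN=cbrrf.tech", "san_dns": ["cbrrf.tech", "www.cbrrf.tech"], "issuer": "CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US"}
"""


def refang(ioc: str) -> str:
    """Undo common defanging: '[.]', '(.)', '[dot]' -> '.', 'hxxp' -> 'http'."""
    s = ioc.strip().lower()
    s = s.replace("[.]", ".").replace("(.)", ".").replace("[dot]", ".")
    s = re.sub(r"^hxxps?://", lambda m: m.group(0).replace("hxxp", "http"), s)
    return s


def load_iocs(raw_iocs):
    """Split refanged indicators into an IP set and a domain set."""
    ips, domains = set(), set()
    for raw in raw_iocs:
        value = refang(raw)
        try:
            ips.add(str(ipaddress.ip_address(value)))
        except ValueError:
            domains.add(value.rstrip("."))
    return ips, domains


def domain_matches(name, domains):
    """Return the indicator domain that `name` equals or is a subdomain of,
    else None. Walks the label suffixes so files.migcredit.host matches
    migcredit.host, while notmigcredit.host does not."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def scan_tls_log(log_text, raw_iocs=REPORT_IOCS):
    """Flag records whose destination IP, SNI, certificate CN or SAN hits an IOC.
    Returns a list of (ts, src_ip, dst_ip, [reasons])."""
    ips, domains = load_iocs(raw_iocs)
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        reasons = []
        if rec.get("id.resp_h") in ips:
            reasons.append(f"dst ip {rec['id.resp_h']}")
        # Collect every name the server presented: SANs, subject CN and SNI.
        names = set(rec.get("san_dns") or [])
        cn = re.search(r"CN=([^,]+)", rec.get("subject", ""))
        if cn:
            names.add(cn.group(1))
        sni = rec.get("server_name")
        if sni and sni != "-":  # Zeek writes "-" for an absent field
            names.add(sni)
        for name in sorted(names):
            matched = domain_matches(name, domains)
            if matched:
                reasons.append(f"cert/sni name {name} matches ioc {matched}")
        if reasons:
            hits.append((rec["ts"], rec["id.orig_h"], rec["id.resp_h"], reasons))
    return hits


if __name__ == "__main__":
    for ts, src, dst, reasons in scan_tls_log(SAMPLE_LOG):
        print(f"{ts} {src} -> {dst}: " + "; ".join(reasons))
```

The third sample record is the case worth noting: its destination IP is not on the indicator list, but the certificate it presents names cbrrf[.]tech, so the name-based check still flags it. In production the same logic would run over the certificate and SNI fields of whatever TLS inspection or passive DNS source is available, with the indicator list kept defanged at rest and refanged only at load time.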
Indicators of Compromise
IP(s) / Hostname(s)
We recommend blocking these indicators of compromise at the relevant controls (perimeter firewall, web proxy, DNS and email gateway). As email spam campaigns grow more sophisticated, employees should be trained to recognise phishing so that they do not fall victim to attacks like this one.