Rewterz Threat Alert – Mirai Botnet aka Katana – Active IOCs
January 4, 2023Rewterz Threat Alert – Amadey Botnet – Active IOCs
January 4, 2023Severity
High
Analysis Summary
CrySIS, also known as Dharma, is a group of ransomware that has been developing starting around 2016. We have seen that this ransomware has become progressively dynamic of late, expanding by an edge of 148% from February until April 2019. The increase in discoveries might be because of CrySIS’ powerful utilization of different assault vectors. Italian Windows users are being targeted by a spam campaign that is spreading the Dharma ransomware as the end payload. Researchers indicate the spam emails attempt to disguise themselves as invoice emails. In reality, the spam is being used to infect users with the Ursnif keylogger or the Dharma ransomware. The emails claim that the included URL is a link to invoice documents that need the reader’s approval. The URL references a OneDrive page where a file named “New documento 2.zip” is automatically downloaded as soon as the page is displayed. The zip file contains a Visual Basic script and an image file. Should the user execute the Visual Basic script, infection begins.
Impact
- Data Encryption
Indicators of Compromise
MD5
- 69251b02e28b92aaf4f4b6c0e3753fcf
- fb0e8cdaae96f5da8f73b3e30af023fb
SHA-256
- d5ed2464066877a0982c623b1a86c344841b06698399b73a9db72965d731f459
- 6f64d864d4cdeaa6062e44e34c0969ebdead56edb22e5a2b61c987ca3400fad4
SHA-1
- 8fbf4cc0ff864766b2dfe38d81a757516c7e0702
- 5b0e1b47b42e6d1d068736f5106224fe2001624b
Remediation
- Block all threat indicators at your respective controls.
- Always be suspicious about emails sent by unknown senders.
- Never click on the links/attachments sent by unknown senders.