Rewterz Threat Alert – FASTCash 2.0: North Korea’s BeagleBoyz Targeted Bank-Theft Operations
August 27, 2020
Rewterz Threat Alert – Industrial Espionage Using APT Hackers-for-Hire
August 28, 2020
Severity
Medium
Analysis Summary
Threat actors continue to use COVID-19 as a lure to get recipients to download malware. One such campaign spreads the Lemon Duck cryptocurrency-mining malware. The malware arrives as a spam attachment, usually named urgent.doc, which carries a script file named readme.js. Once a host is infected, the malware uses its own mailer script to propagate: it scrapes the victim's Microsoft Outlook contact list and sends each contact an email with the malicious attachment. Because the message now comes from a known, trusted sender, the next recipient is more likely to open the attachment. Defending against campaigns like this requires a multi-layered approach to security: mail filtering, endpoint controls and network-level blocking of the indicators below.
Impact
- Unauthorized CPU and power consumption (cryptocurrency mining)
- Unauthorized access
Indicators of Compromise
Domain Name
- d[.]ackng[.]com
- t[.]amynx[.]com
- t[.]zz3r0[.]com
- t[.]zer9g[.]com
Source IP
- 167[.]71[.]87[.]85
URL
- http[:]//t[.]amynx[.]com/rdp[.]jsp
- http[:]//t[.]amynx[.]com/ln/core[.]png?rdso
- http[:]//t[.]amynx[.]com/ln/core[.]png?yarno
- http[:]//t[.]amynx[.]com/ipc[.]jsp?0[.]8
- http[:]//t[.]amynx[.]com/ln/core[.]png?0[.]8sshwhoamihostname
- http[:]//t[.]amynx[.]com/ms[.]jsp?0[.]8%computername%
- http[:]//d[.]ackng[.]com/ln/xr[.]zip
- http[:]//t[.]amynx[.]com/rdpo[.]jsp
- http[:]//t[.]amynx[.]com/ebo[.]jsp?0[.]8%username%%computername%
- http[:]//d[.]ackng[.]com/kr[.]bin?$params
- http[:]//d[.]ackng[.]com/nvd[.]zip
- http[:]//d[.]ackng[.]com/m6g[.]bin?$params
- http[:]//t[.]jdjdcjq[.]top/ln/a[.]asp?src_date_whoamihostnameguid
- http[:]//t[.]amynx[.]com/7p[.]php?0[.]8ipc%username%%computername%+[Environment][:][:]OSVersion[.]version[.]Major
- http[:]//t[.]amynx[.]com/eb[.]jsp?0[.]8%username%%computername%
- http[:]//d[.]ackng[.]com/m6[.]bin?$params
- http[:]//d[.]ackng[.]com/if_mail[.]bin?$params
- http[:]//t[.]amynx[.]com/ln/core[.]png?rds
- http[:]//t[.]amynx[.]com/mso[.]jsp?0[.]8%computername%
- http[:]//t[.]amynx[.]com/ln/core[.]png?yarn
- http[:]//t[.]amynx[.]com/usb[.]jsp?0[.]8%computername%
- http[:]//167[.]71[.]87[.]85/20[.]dat?$params
- http[:]//d[.]ackng[.]com/ode[.]bin?$params
- http[:]//t[.]amynx[.]com/ln/core[.]png?0[.]8sshowhoamihostname
- http[:]//t[.]amynx[.]com/ln/a[.]asp?src_date_whoamihostnameguid
- http[:]//t[.]amynx[.]com/smgho[.]jsp?0[.]8%computername%
- http[:]//t[.]amynx[.]com/smgh[.]jsp?0[.]8*%computername%
- http[:]//t[.]amynx[.]com/a[.]jsp?[attack_vector]_20200820&%username%+%computername%+UUID+random_no
- http[:]//t[.]amynx[.]com/ipco[.]jsp?0[.]8
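As an added example (not Rewterz's code or tooling), the following Python script refangs the indicators above and scans proxy, DNS-resolver and firewall log lines for them. The log lines it runs on are constructed for illustration, not captured traffic. The query strings in the listed URLs are victim-specific placeholders (%computername%, $params, [attack_vector]_20200820 and so on), so a URL is matched on scheme, host and path only; any other request to a listed host or IP is still reported as a host-level hit.

```python
import re
from urllib.parse import urlsplit

# Defanged indicators copied from the alert above (domains, the source IP and a
# few of the listed URLs). Any further line from the IOC section can be pasted
# in unchanged; the notation is refanged before matching.
RAW_IOCS = """
d[.]ackng[.]com
t[.]amynx[.]com
t[.]zz3r0[.]com
t[.]zer9g[.]com
167[.]71[.]87[.]85
http[:]//t[.]amynx[.]com/rdp[.]jsp
http[:]//t[.]amynx[.]com/ln/core[.]png?rdso
http[:]//t[.]amynx[.]com/ms[.]jsp?0[.]8%computername%
http[:]//d[.]ackng[.]com/ln/xr[.]zip
http[:]//d[.]ackng[.]com/kr[.]bin?$params
http[:]//167[.]71[.]87[.]85/20[.]dat?$params
http[:]//t[.]jdjdcjq[.]top/ln/a[.]asp?src_date_whoamihostnameguid
"""

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def refang(ioc: str) -> str:
    """Reverse the alert's defanging so the indicator matches live log data."""
    return ioc.strip().replace("[.]", ".").replace("[:]", ":").replace("hxxp", "http")


def build_watchlist(raw: str = RAW_IOCS):
    """Split the indicators into a host set and a URL-prefix set.

    The query strings in the listing are victim-specific placeholders
    (%computername%, $params, ...), so a URL is matched on
    scheme://host/path only; the query seen in real traffic will differ.
    """
    hosts, prefixes = set(), set()
    for line in raw.splitlines():
        if not line.strip():
            continue
        ioc = refang(line)
        if "://" in ioc:
            parts = urlsplit(ioc)
            hosts.add(parts.hostname)
            prefixes.add(f"{parts.scheme}://{parts.hostname}{parts.path}")
        else:
            hosts.add(ioc.lower())
    return hosts, prefixes


def scan_line(line: str, hosts, prefixes):
    """Return [(kind, value)] hits for one log line; kind is 'url' or 'host'."""
    hits = []
    for url in URL_RE.findall(line):
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        prefix = f"{parts.scheme}://{host}{parts.path}"
        if prefix in prefixes:
            hits.append(("url", prefix))
        elif host in hosts:
            hits.append(("host", host))
    if not hits:
        # No URL on the line (DNS or firewall log): check each token, dropping
        # trailing dots (FQDN form) and ports (ip:port columns).
        for token in re.split(r"[\s,;|:]+", line):
            token = token.lower().rstrip(".")
            if token in hosts:
                hits.append(("host", token))
    return hits


def scan_logs(lines, raw: str = RAW_IOCS):
    """Return a list of (line, hits) for every line that matched an indicator."""
    hosts, prefixes = build_watchlist(raw)
    results = []
    for line in lines:
        hits = scan_line(line, hosts, prefixes)
        if hits:
            results.append((line, hits))
    return results


# Constructed sample log lines (not real traffic): proxy, DNS resolver and
# firewall formats, with one benign line at the end.
SAMPLE_LOGS = [
    "2020-08-28T10:14:02Z 10.0.0.12 GET http://t.amynx.com/ms.jsp?0.8WS-FIN-07 200",
    "2020-08-28T10:14:09Z 10.0.0.12 GET http://t.amynx.com/ln/other.png 404",
    "2020-08-28T10:13:58Z 10.0.0.12 query A d.ackng.com.",
    "2020-08-28T10:15:30Z ALLOW TCP 10.0.0.12:51234 167.71.87.85:80",
    "2020-08-28T10:16:00Z 10.0.0.12 GET https://www.example.com/index.html 200",
]

if __name__ == "__main__":
    for line, hits in scan_logs(SAMPLE_LOGS):
        print(hits, "<-", line)
```

The first sample line matches on path even though its query string (the victim's computer name) differs from the placeholder in the listing; the second matches only at host level because the path is not listed, which is still worth alerting on since the whole host is attacker-controlled. Matching on host rather than full URL is the right granularity for these indicators: the operators vary the query string per victim and can add new paths at will.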
Remediation
- Block the threat indicators at their respective controls: the domains and URLs at the DNS resolver and web proxy, the source IP at the perimeter firewall.
- Do not open unexpected email attachments, even from known senders, without confirming with the sender through a separate channel; this campaign sends its attachment from compromised contacts' own mailboxes.