March 22, 2024
Severity High Analysis Summary Ducktail Malware is a malicious program designed by hackers to infiltrate computers and networks globally. Ducktail malware is typically delivered through a […]
Rewterz Threat Alert – FASTCash 2.0: North Korea’s BeagleBoyz Targeted Bank-Theft Operations
August 27, 2020
Rewterz Threat Alert – Industrial Espionage Using APT Hackers-for-Hire
August 28, 2020
Rewterz Threat Alert – FASTCash 2.0: North Korea’s BeagleBoyz Targeted Bank-Theft Operations
August 27, 2020
Rewterz Threat Alert – Industrial Espionage Using APT Hackers-for-Hire
August 28, 2020
Severity
Medium
Analysis Summary
Threat actors have continued to use COVID-19 as subject to lure recipients into downloading malware. One such campaign spreads Lemon Duck cryptocurrency-mining malware. The malware comes as attachment to the spam, usually named urgent.doc. These attachments contain a script file readme.js. Once infected with the malware, it has its own mailer script that it uses to propagate to other recipients. It does this by scraping the user’s MS Outlook contact list and sends emails with the malicious attachment. This routine adds legitimacy to the email sent as it now comes from a trusted or known source, making the next recipient click on the attachments. A multi-layered approach to security is needed for campaigns like this.
Impact
- Unauthorized power consumption
- Unauthorized access
Indicators of Compromise
Domain Name
- d[.]ackng[.]com
- t[.]amynx[.]com
- t[.]zz3r0[.]com
- t[.]zer9g[.]com
Source IP
- 167[.]71[.]87[.]85
URL
- http[:]//t[.]amynx[.]com/rdp[.]jsp
- http[:]//t[.]amynx[.]com/ln/core[.]png?rdso
- http[:]//t[.]amynx[.]com/ln/core[.]png?yarno
- http[:]//t[.]amynx[.]com/ipc[.]jsp?0[.]8
- http[:]//t[.]amynx[.]com/ln/core[.]png?0[.]8sshwhoamihostname
- http[:]//t[.]amynx[.]com/ms[.]jsp?0[.]8%computername%
- http[:]//d[.]ackng[.]com/ln/xr[.]zip
- http[:]//t[.]amynx[.]com/rdpo[.]jsp
- http[:]//t[.]amynx[.]com/ebo[.]jsp?0[.]8%username%%computername%
- http[:]//d[.]ackng[.]com/kr[.]bin?$params
- http[:]//d[.]ackng[.]com/nvd[.]zip
- http[:]//d[.]ackng[.]com/m6g[.]bin?$params
- http[:]//t[.]jdjdcjq[.]top/ln/a[.]asp?src_date_whoamihostnameguid
- http[:]//t[.]amynx[.]com/7p[.]php?0[.]8ipc%username%%computername%+[Environment][:][:]OSVersion[.]version[. ]Major
- http[:]//t[.]amynx[.]com/eb[.]jsp?0[.]8%username%%computername%
- http[:]//d[.]ackng[.]com/m6[.]bin?$params
- http[:]//d[.]ackng[.]com/if_mail[.]bin?$params
- http[:]//t[.]amynx[.]com/ln/core[.]png?rds
- http[:]//t[.]amynx[.]com/mso[.]jsp?0[.]8%computername%
- http[:]//t[.]amynx[.]com/ln/core[.]png?yarn
- http[:]//t[.]amynx[.]com/usb[.]jsp?0[.]8%computername%
- http[:]//167[.]71[.]87[.]85/20[.]dat?$params
- http[:]//d[.]ackng[.]com/ode[.]bin?$params
- http[:]//t[.]amynx[.]com/ln/core[.]png?0[.]8sshowhoamihostname
- http[:]//t[.]amynx[.]com/ln/a[.]asp?src_date_whoamihostnameguid
- http[:]//t[.]amynx[.]com/smgho[.]jsp?0[.]8%computername%
- http[:]//t[.]amynx[.]com/smgh[.]jsp?0[.]8*%computername%
- http[:]//t[.]amynx[.]com/a[.]jsp?[attack_vector]_20200820&%username%+%computername%+UUID+random_no
- http[:]//t[.]amynx[.]com/ipco[.]jsp?0[.]8
Remediation
- Block the threat indicators at their respective controls.
- Do not download unexpected email attachments without confirmation, even from known senders.