Rewterz Threat Alert – Malspam Campaign Delivering Malicious Files Using Compromised Windstream Email Addresses

June 14, 2019

Rewterz Threat Advisory – CVE-2019-1029 – Microsoft Lync Server 2010 / 2013 Denial of Service Vulnerability

June 14, 2019

Rewterz Threat Alert – “Love You” Malspam Phishing Campaign Reemerged

June 14, 2019

Severity

Medium

Analysis Summary

A malspam email campaign that has emails with subject lines about love letters and had a zip attachment with a name starting with “Love_You_”. The zip file, when uncompressed, contained a JavaScript file that, upon execution, performed several HTTP requests to download additional malicious executables. These executables were a Monero cryptocurrency miner, Phorpiex spambot malware, and GandCrab ransomware. The Phorpiex spambot malware caused the victim host to be joined to a botnet and begin emailing out copies of the malicious zip file to additional targets. Meanwhile the victim host was infected with ransomware and leveraged to mine crypto-currency.

Impact

File encryption

Indicators of Compromise

IP(s) / Hostname(s)

92[.]63[.]197[.]48
198[.]105[.]244[.]228
78[.]46[.]77[.]98
217[.]26[.]53[.]161
74[.]220[.]215[.]73
136[.]243[.]13[.]215
138[.]201[.]162[.]99

URLs

slpsrgpsrhojifdij[.]ru
osheoufhusheoghuesd[.]ru
suieiusiueiuiuushgf[.]ru
www[.]2mmotorsport[.]biz
www[.]haargenau[.]biz
www[.]bizziniinfissi[.]com
www[.]holzbock[.]biz
www[.]fliptray[.]biz
gandcrabmfe6mnef[.]onion

Malware Hash (MD5/SHA1/SH256)

72429571f4ca62fceb5a4fc0a17a8f8ab88c1ed01b9d657f7e9778c7939cea06
27ac0e9011294c2152d224052280f7fa434df572809a6f96f9a306f3d5c965e3
99a1e83e77850b59995cdf29b61e9f29f9c38882363027668030df0a62059645
06e61032bccfe0ccd51ddbab480e1eb6392bccb318639ecac0092e96b9d794ad
7818e108a16f096eb71feb564ce92095c4ac1e613933630169cc16606bb5f68d
0a27af16b991cbe0f5445022cb1d752a9144abeede6b8de0055247e6fd6c1698
32ee086fbc82ddd0675c0293656f813493ce6d96d02e0bcbeccee4d1a6adfb20
12e3038b2ed0663cba3c6a05ac0a27b61dce694dffc27aafb4cb3f2f229ff6b8
6ad3e68e2e8c5088bc8544bc230a2e333645d3c246ace772bf61f80cd0e93002
99fe714a365f8e4a74687592700b27f2016a59c7527b5d4ef7cfd97e63468349
d189f44528dfa3f8dba2632ae26f564a37931cb89668d31402fc7fb05ae63c1a
c3683096f91b00dfe248e388b4302d5471fb090ab8092c96c991a467c26f26b0
f3c369edc2ea96465c49a14f64bdce83c0a401e0ae12e809bced8f99b977c5dc
f4d3ba58e91dc95877ba13804df6fe307ef6efcef74d3a00792387625a624cf4
9ff78056e225c08ef1f1ff71f305201387f3ec766c8727361851287a74de1f45
ba23af4480611fb19fad2cd83a41bd347d183e0ef8e1c5477916bebe32955d87
cf9a20874089ec7aa1a84a27f74928c71266a684e7fee4c1ac8d37aaf57d6bf2
0de30f9dbe37aea5932e5df85b4f1aa5cefe28f3bffb58d4d8ae40ccd040a4a7
4c0103c745fa6e173821035c304863d751bea9c073d19070d9ebf8685da95040
056b7eb0c06645e1f51ed77f4fa18a4bed47135108371a84f0482f141ae0d769
035ae8f389e0a4cb58428d892123bc3e3b646e4387c641e664c5552228087285
b8bf5b607b305139db81c48e96010a67768488b01edc8c615306ed303c545b0d
4b9d5841d38b8658466dcaf409c34c0f6d2d1f9ecb64254391a4621465daf79b

Remediation

Block all threat indicators at your respective controls.
Always be suspicious about emails sent by unknown senders.
Never click on the link/attachments sent by unknown senders.

Platform

Managed Security Services

Managed Penetration Testing

Assess

Transform

Train

Respond

Resources

Rewterz Threat Alert – An Emerging Ducktail Infostealer – Active IOCs

Rewterz Threat Alert – Russian Threat Actors Target European NGO Systems with TinyTurla-NG Backdoor – Active IOCs

Rewterz Threat Advisory – CVE-2024-26246 – Microsoft Edge Vulnerability

Threat Insights

About Us

Our Leadership

CSR

Connect with Us

Platform

Managed Security Services

Managed Penetration Testing

Assess

Transform

Train

Respond

Resources

Rewterz Threat Alert – An Emerging Ducktail Infostealer – Active IOCs

Rewterz Threat Alert – Russian Threat Actors Target European NGO Systems with TinyTurla-NG Backdoor – Active IOCs

Rewterz Threat Advisory – CVE-2024-26246 – Microsoft Edge Vulnerability

Threat Insights

About Us

Our Leadership

CSR

Connect with Us

Rewterz Threat Alert – Malspam Campaign Delivering Malicious Files Using Compromised Windstream Email Addresses

Rewterz Threat Advisory – CVE-2019-1029 – Microsoft Lync Server 2010 / 2013 Denial of Service Vulnerability