Rewterz Threat Alert – Malware Masquerading as Privacy Tool – Active IOCs

Severity

Medium

Analysis Summary

A new threat enticing users to download malware by masquerading as a “Privacy Tools” service offering a tool that “encrypts” user data using a zip-like utility. The fake website is professional-looking and contains detailed descriptions of the alleged service including step-by-step instructions on how to download the privacy tools which turn out to be malware. Identified the initial payload as Smoke Loader, a popular downloader is available on easily accessible forums for buying and selling malware and used by multiple threat actors. The malware subsequently installs follow-on data-stealing malware including Raccoon Stealer, the malware gathers information about the machine like the OS arch and version, system language, hardware information, and installed applications. In addition, it can take screenshots from the user’s machine if that was enabled by the attacker’s configuration. After fulfilling all its stealing capabilities, Raccoon gathers all the files that it wrote to the temp folder into one zip file named Log.zip. Now, all it has to do is send the zip file back to the C&C server and delete all traces of itself.

Impact

• Data Breach
• Hacking
• Credential Harvesting

Indicators of Compromise

Domain Name

• privacytools[.]xyz
• privacytoolsforyou[.]site
• privacmytools[.]site

IP

• 192[.]71[.]245[.]208
• 91[.]217[.]137[.]37
• 172[.]104[.]136[.]243
• 176[.]126[.]70[.]119
• 94[.]103[.]153[.]176
• 161[.]97[.]219[.]84
• 207[.]192[.]71[.]13
• 188[.]226[.]146[.]136
• 178[.]63[.]116[.]152
• 13[.]239[.]157[.]177

URL

• http[:]//999080321newfolder3100231-service1002[.]space/
• http[:]//999080321newfolder1002002431-service1002[.]space/
• http[:]//999080321newfolder1002002531-service1002[.]space/
• http[:]//999080321newfolder33417-012425999080321[.]space/
• http[:]//999080321test125831-service10020125999080321[.]space/
• http[:]//999080321test136831-service10020125999080321[.]space/
• http[:]//999080321test147831-service10020125999080321[.]space/
• http[:]//999080321test146831-service10020125999080321[.]space/
• http[:]//999080321test134831-service10020125999080321[.]space/
• http[:]//999080321est213531-service1002012425999080321[.]ru/
• http[:]//999080321yes1t3481-service10020125999080321[.]ru/
• http[:]//999080321test13561-service10020125999080321[.]su/
• http[:]//999080321test14781-service10020125999080321[.]info/
• http[:]//999080321test13461-service10020125999080321[.]net/
• http[:]//999080321test15671-service10020125999080321[.]tech/
• http[:]//999080321test12671-service10020125999080321[.]online/
• http[:]//999080321utest1341-service10020125999080321[.]ru/
• http[:]//999080321uest71-service100201dom25999080321[.]ru/
• http[:]//999080321test61-service10020125999080321[.]website/
• http[:]//999080321test51-service10020125999080321[.]xyz/
• http[:]//999080321yest31-service100201rus25999080321[.]ru/
• http[:]//999080321rest21-service10020125999080321[.]eu/
• http[:]//999080321test11-service10020125999080321[.]press/
• http[:]//999080321newfolder4561-service10020125999080321[.]ru/
• http[:]//999080321rustest213-service10020125999080321[.]ru/
• http[:]//999080321test281-service10020125999080321[.]ru/
• http[:]//999080321test261-service10020125999080321[.]space/
• http[:]//999080321yomtest251-service10020125999080321[.]ru/
• http[:]//999080321yirtest231-service10020125999080321[.]ru/
• http[:]//999080321test391-service10020125999080321[.]ru/
• http[:]//999080321test481-service10020125999080321[.]ru/
• http[:]//999080321test571-service10020125999080321[.]pro/
• http[:]//999080321test461-service10020125999080321[.]host/
• http[:]//999080321test231-service10020125999080321[.]fun/
• http[:]//999080321tostest371-service10020125999080321[.]ru/
• http[:]//999080321oopoest361-service10020125999080321[.]ru/
• http[:]//999080321newfolder481-service10020125999080321[.]ru/
• http[:]//999080321newfolder471-service10020125999080321[.]ru/
• http[:]//999080321newfolder351-service10020125999080321[.]ru/
• http[:]//999080321newfolder241-service10020125999080321[.]ru/
• http[:]//999080321newfolder1002-service100201shop25999080321[.]ru/
• http[:]//999080321newfolder1002-service100201life25999080321[.]ru/
• http[:]//999080321newfolder1002-service100201blog25999080321[.]ru/
• http[:]//999080321megatest251-service10020125999080321[.]ru/
• http[:]//999080321infotest341-service10020125999080321[.]ru/
• http[:]//999080321besttest971-service10020125999080321[.]ru/
• http[:]//999080321shoptest871-service10020125999080321[.]ru/
• http[:]//999080321kupitest451-service10020125999080321[.]ru/
• http[:]//999080321proftest981-service10020125999080321[.]ru/
• http[:]//999080321clubtest561-service10020125999080321[.]ru/
• http[:]//999080321mytest151-service1002012425999080321[.]ru/
• http[:]//999080321newfoldert161-service1002012425999080321[.]ru/
• http[:]//999080321newfolder100251-service25999080321[.]ru/
• http[:]//999080321newfolder100241-service10020999080321[.]ru/
• http[:]//999080321newfolder100231-service1022020[.]ru/
• http[:]//999080321newfolder100221-service1022020[.]ru/
• http[:]//999080321newfolder1002-012525999080321[.]ml/
• http[:]//999080321newfolder1002-012625999080321[.]ga/
• http[:]//999080321newfolder1002-012725999080321[.]cf/
• http[:]//999080321newfolder1002-012825999080321[.]gq/
• http[:]//999080321newfolder1002-012925999080321[.]com/
• http[:]//999080321newfolder1002-01302599908032135[.]site/
• http[:]//999080321newfolder1002-01312599908032135[.]site/
• http[:]//999080321newfolder1002-01322599908032135[.]site/
• http[:]//999080321newfolder1002-01332599908032135[.]site/
• http[:]//999080321newfolder1002-01342599908032135[.]site/
• http[:]//999080321newfolder1002-01352599908032135[.]site/
• http[:]//999080321newfolder1002-01362599908032135[.]site/
• http[:]//999080321newfolder1002-01372599908032135[.]site/
• http[:]//999080321newfolder1002-01382599908032135[.]site/
• http[:]//999080321newfolder1002-01392599908032135[.]site/
• http[:]//999080321newfolder1002-01402599908032135[.]site/
• http[:]//999080321newfolder1002-01412599908032135[.]site/
• http[:]//999080321newfolder1002-01422599908032135[.]site/
• http[:]//999080321newfolder1002-01432599908032135[.]site/
• http[:]//999080321newfolder1002-01442599908032135[.]site/
• http[:]//999080321newfolder1002-01452599908032135[.]site/
• http[:]//999080321newfolder1002-01462599908032135[.]site/
• http[:]//999080321newfolder1002-01472599908032135[.]site/
• http[:]//999080321newfolder1002-01482599908032135[.]site/
• http[:]//999080321newfolder1002-01492599908032135[.]site/
• http[:]//999080321newfolder1002-01502599908032135[.]site/
• http[:]//999080321newfolder1002-01512599908032135[.]site/
• http[:]//999080321newfolder1002-01522599908032135[.]site/
• http[:]//999080321newfolder1002-01532599908032135[.]site/
• http[:]//999080321newfolder1002-01542599908032135[.]site/
• http[:]//999080321newfolder1002-01552599908032135[.]site/

Remediation

• Update to the latest patches.
• Download from legitimate sources.
• Block the threat indicators at their respective controls.
• Do not click on URLs and files attached in untrusted emails.