Severity
Medium
Analysis Summary
A new technical support scam (TSS) campaign has surfaced that uses an iframe in combination with a basic-authentication pop-up to freeze the victim's browser. The technique also helps the threat actors evade detection. Like other TSS campaigns that disguise themselves as the service provider of a legitimate or well-known brand, this campaign impersonates Microsoft to lure victims and establish a false sense of legitimacy. Following is a preview of the pop-up authentication on a spoofed Microsoft webpage.
Indicators of Compromise
URLs
- hxxp[:]//140[.]82[.]36[.]155/assests/eng_edge_new[.]html
- hxxp[:]//140[.]82[.]38[.]211/assests/eng_edge_new[.]html
- hxxp[:]//140[.]82[.]42[.]6/assests/eng_edge_new[.]html
- hxxp[:]//140[.]82[.]46[.]46/assests/eng_edge_new[.]html
- hxxp[:]//140[.]82[.]9[.]45/assests/eng_edge_new[.]html
- hxxp[:]//149[.]28[.]36[.]182/assests/eng_edge_new[.]html
- hxxp[:]//149[.]28[.]45[.]200/assests/eng_edge_new[.]html
- hxxp[:]//149[.]28[.]56[.]4/assests/eng_edge_new[.]html
- hxxp[:]//18[.]206[.]159[.]176/assests/eng_edge_new[.]html
- hxxp[:]//199[.]247[.]3[.]159/assests/eng_edge_new[.]html
- hxxp[:]//207[.]246[.]127[.]175/assests/eng_edge_new[.]html
- hxxp[:]//216[.]155[.]135[.]180/assests/eng_edge_new[.]html
- hxxp[:]//45[.]32[.]156[.]135/assests/eng_edge_new[.]html
- hxxp[:]//45[.]32[.]205[.]54/assests/eng_edge_new[.]html
- hxxp[:]//45[.]76[.]166[.]173/assests/eng_edge_new[.]html
- hxxp[:]//45[.]76[.]166[.]231/assests/eng_edge_new[.]html
- hxxp[:]//45[.]76[.]2[.]215/assests/eng_edge_new[.]html
- hxxp[:]//45[.]76[.]4[.]128/assests/eng_edge_new[.]html
- hxxp[:]//45[.]76[.]6[.]92/assests/eng_edge_new[.]html
- hxxp[:]//45[.]77[.]109[.]221/assests/eng_edge_new[.]html
- hxxp[:]//45[.]77[.]149[.]225/assests/eng_edge_new[.]html
- hxxp[:]//45[.]77[.]154[.]214/assests/eng_edge_new[.]html
- hxxp[:]//45[.]77[.]218[.]239/assests/eng_edge_new[.]html
- hxxp[:]//45[.]77[.]64[.]207/assests/eng_edge_new[.]html
- hxxp[:]//45[.]77[.]67[.]129/assests/eng_edge_new[.]html
- hxxp[:]//80[.]240[.]16[.]81/assests/eng_edge_new[.]html
- hxxp[:]//80[.]240[.]19[.]216/assests/eng_edge_new[.]html
- hxxp[:]//95[.]179[.]167[.]173/assests/eng_edge_new[.]html
- hxxp[:]//95[.]179[.]168[.]138/assests/eng_edge_new[.]html
Remediation
- Block the threat indicators at their respective controls.
- Do not respond to pop-ups that raise panic and alarm. Instead, contact a legitimate source to confirm the security status of your computer.
- Always check URLs for errors or spelling mistakes to ensure their legitimacy.
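The following is an added example, not code from the advisory or from Rewterz, showing how a defender can act on the analysis and the indicator list above: it refangs the defanged URLs, derives a host and URL blocklist for the "block the threat indicators" step, and runs a match over proxy access logs. Because every listed URL shares the same `/assests/eng_edge_new.html` landing-page path across 29 different hosts, the example goes one step beyond the list and also flags that path on hosts not yet listed (an assumption: that the campaign keeps reusing the path). The Squid-style log lines, the client IPs and the unlisted 203.0.113.9 host are constructed sample data; a 401 status is counted per client because a 401 response with a Basic challenge is what makes a browser raise its credential dialog.

```python
import re
from urllib.parse import urlparse

# Three of the 29 defanged URLs from the advisory's IoC list above.
DEFANGED_IOCS = [
    "hxxp[:]//140[.]82[.]36[.]155/assests/eng_edge_new[.]html",
    "hxxp[:]//45[.]32[.]156[.]135/assests/eng_edge_new[.]html",
    "hxxp[:]//95[.]179[.]168[.]138/assests/eng_edge_new[.]html",
]

# Landing-page path shared by every URL in the list (assumption: the
# campaign reuses it on hosts that were not yet known when the list was cut).
CAMPAIGN_PATH = "/assests/eng_edge_new.html"


def refang(ioc: str) -> str:
    """Turn a defanged indicator (hxxp, [.], [:]) back into a usable URL."""
    url = ioc.replace("[.]", ".").replace("[:]", ":")
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)


def build_blocklist(iocs):
    """Return (hosts, urls) suitable for a proxy or firewall blocklist."""
    urls = {refang(i) for i in iocs}
    hosts = {urlparse(u).hostname for u in urls}
    return hosts, urls


# Constructed Squid access.log lines (not from the advisory).
SAMPLE_LOG = """\
1556700001.123   245 10.0.0.12 TCP_MISS/200 5120 GET http://140.82.36.155/assests/eng_edge_new.html - HIER_DIRECT/140.82.36.155 text/html
1556700002.456   120 10.0.0.15 TCP_MISS/200 8192 GET https://www.microsoft.com/en-us/ - HIER_DIRECT/13.107.42.14 text/html
1556700003.789   300 10.0.0.12 TCP_MISS/401 512 GET http://140.82.36.155/assests/eng_edge_new.html - HIER_DIRECT/140.82.36.155 text/html
1556700004.000   210 10.0.0.20 TCP_MISS/200 4096 GET http://203.0.113.9/assests/eng_edge_new.html - HIER_DIRECT/203.0.113.9 text/html
"""

# Squid native log format: timestamp elapsed client code/status bytes method url ...
SQUID_RE = re.compile(
    r"^(?P<ts>\S+)\s+\d+\s+(?P<client>\S+)\s+\S+/(?P<status>\d{3})\s+\d+\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)"
)


def find_hits(log_text, iocs):
    """Match each log line against exact URLs, IoC hosts, then the shared path."""
    hosts, urls = build_blocklist(iocs)
    hits = []
    for line in log_text.splitlines():
        m = SQUID_RE.match(line)
        if not m:
            continue  # skip lines that are not in Squid native format
        url = m.group("url")
        parsed = urlparse(url)
        if url in urls:
            reason = "exact-ioc"
        elif parsed.hostname in hosts:
            reason = "ioc-host"
        elif parsed.path == CAMPAIGN_PATH:
            reason = "ioc-path"  # known landing page on a host not in the list
        else:
            continue
        hits.append({"client": m.group("client"), "url": url,
                     "status": m.group("status"), "reason": reason})
    return hits


def auth_prompts_per_client(hits):
    """Count 401 responses per client: each one drives a browser auth dialog."""
    counts = {}
    for h in hits:
        if h["status"] == "401":
            counts[h["client"]] = counts.get(h["client"], 0) + 1
    return counts


if __name__ == "__main__":
    hosts, urls = build_blocklist(DEFANGED_IOCS)
    print("block hosts:", sorted(hosts))
    for hit in find_hits(SAMPLE_LOG, DEFANGED_IOCS):
        print(hit)
    print("401s per client:", auth_prompts_per_client(find_hits(SAMPLE_LOG, DEFANGED_IOCS)))
```

Feed the full 29-entry list into `DEFANGED_IOCS` and point `SAMPLE_LOG` at real proxy output; the `ioc-path` reason is the one to review by hand, since it is a heuristic rather than a listed indicator.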