Rewterz Threat Alert – Spam Campaign Abuses PHP Functions for Persistence, Uses Compromised Devices for Evasion and Intrusion

Severity

Medium

Analysis Summary

A spam campaign that uses compromised devices to attack vulnerable web servers. After brute-forcing devices with weak access credentials, the attackers use them as proxies to forward a base64-encoded PHP script to web servers. The script sends an email with an embedded link to a scam site to specific email addresses.

Impact

Credential theft

Indicators of Compromise

URLs

• http[:]//tiny[.]cc/oyxbbz
• http[:]//tiny[.]cc/ekubbz
• http[:]//pkusk[.]com/idkadmin/ckeditor/plugins/link/images/hidpi/libraries/merkzettel/shipping_help/wfidecademail[.]php/zftv/ayeq/?wait=ktw1m012zhw0
• https[:]//cryptonation[.]thesecuretrack[.]pro/en/crypto-nation
• http[:]//guidetti[.]se/wp-snapshots/tmp/handleoptin/countries/encuesta/sharethis/register/commentsmiss/busqueda[.]php/vtsk/sdzh/?higher=1es0xze1hzcxx20
• https[:]//clck[.]ru/HfCrK
• http[:]//bvsa[.]in/publicdeliver/rmareturns[.]php/kbrt/anpx/?spent=1df0b12ububx0f
• https[:]//clck[.]ru/HfCYQ
• https[:]//clck[.]ru/HfBwo
• http[:]//sweetheart-exhibition[.]com/upfiles/gzip_loader[.]php/tka/yxrbh/?8k8s8pu0z2

Malware Hash (MD5/SHA1/SH256)

• 5b6875ebd80c4e922b340aaf22831b58a16dc696

Remediation

• Block all threat indicators at your respective controls.
• Always be suspicious about emails sent by unknown senders.
• Never click on the link/attachments sent by unknown senders.