- 2020-05-12 (TUESDAY) - WORD DOCS WITH MACROS FOR VALAK
- NOTE:
- - This appears to be a continuation of the malspam-based distribution campaign that had previously used password-protected zip attachments with passwords like 111, 222, 333, 123, or 777 (and so on, historically almost always a three-digit password).
- - This malspam-based distribution campaign used to primarily push Ursnif, but sometime during March 2020, it switched to primarily pushing Valak malware (usually with IcedID when the infection runs long enough).
- - This campaign uses stolen email chains to make the malspam look like a reply to a legitimate email.
- - Sometime in April 2020, the naming patterns of the Word docs changed.
- - Sometime in May 2020, the Word document template changed to what it's using today.
- EXAMPLES OF WORD DOCS WITH MACROS FOR VALAK:
- EXAMPLES OF URLS TO RETRIEVE THE INITIAL VALAK DLL:
- EXAMPLE OF INITIAL VALAK DLL:
- - SHA256 hash: 9abde3fc03002275f98a9ee72d38b74365c49f8963ba99558a4482ae96f05459
- - File location: C:\Users\[username]\AppData\Local\Temp\xc.tmp
- - File location: C:\Users\[username]\AppData\Local\Temp\KL.tmp
- - File location: C:\Users\[username]\AppData\Local\Temp\cb.tmp
- - File location: C:\Users\[username]\AppData\Local\Temp\k0.tmp
- - File location: C:\Users\[username]\AppData\Local\Temp\Sc.tmp
- - File location: C:\Users\[username]\AppData\Local\Temp\Ng.tmp
- - File location: C:\Users\[username]\AppData\Local\Temp\e7.tmp
- - File location: C:\Users\[username]\AppData\Local\Temp\lC.tmp
- - File location: C:\Users\[username]\AppData\Local\Temp\WF.tmp
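Added detection example (not part of the original note): it matches the two patterns this note records, the DLL retrieval URL path `/wp-content/plugins/loginpage/_<16 chars>.php?x=<long string>` and the two-character `.tmp` drop path under the user's Temp folder, against constructed proxy log lines. It assumes a space-separated log layout (timestamp, client IP, method, URL, status), a 32-character minimum for the `?x=` value, and uses `example.invalid` as a placeholder domain.

```python
import re
from urllib.parse import urlparse, parse_qs

# Path pattern of the Valak DLL retrieval URLs listed above:
# /wp-content/plugins/loginpage/_<16 chars of [A-Za-z0-9_-]>.php?x=<long string>
LOGINPAGE_PATH = re.compile(r"/wp-content/plugins/loginpage/_[A-Za-z0-9_-]{16}\.php$")

# Drop location of the initial DLL listed above: C:\Users\<user>\AppData\Local\Temp\<2 chars>.tmp
TEMP_DLL_PATH = re.compile(
    r"^C:\\Users\\[^\\]+\\AppData\\Local\\Temp\\[A-Za-z0-9]{2}\.tmp$", re.IGNORECASE
)

def refang(url: str) -> str:
    """Turn a defanged indicator (hxxp, [.]) back into a parseable URL."""
    return url.replace("hxxp", "http", 1).replace("[.]", ".")

def is_valak_dll_url(url: str, min_x_len: int = 32) -> bool:
    """True if the path matches the loginpage pattern and ?x= carries a long value.
    min_x_len is an assumed threshold; the note only says the value is a long string."""
    parsed = urlparse(refang(url))
    if not LOGINPAGE_PATH.search(parsed.path):
        return False
    return any(len(v) >= min_x_len for v in parse_qs(parsed.query).get("x", []))

def is_valak_temp_dll(path: str) -> bool:
    """True if a file-create path matches the two-character .tmp drop location."""
    return TEMP_DLL_PATH.match(path) is not None

def scan_proxy_log(lines):
    """Return (client_ip, url) for each matching line of a space-separated proxy log
    laid out as: timestamp client_ip method url status (assumed format)."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) >= 4 and is_valak_dll_url(fields[3]):
            hits.append((fields[1], fields[3]))
    return hits

# Constructed sample log lines (not real traffic); example.invalid is a placeholder domain.
HIT_URL = ("http://example.invalid/wp-content/plugins/loginpage/_oRbpU-ASwltTUIqV.php?x="
           + "A" * 120)
SAMPLE_LOG = [
    "2020-05-12T14:01:03Z 10.0.0.21 GET " + HIT_URL + " 200",
    "2020-05-12T14:01:09Z 10.0.0.21 GET http://example.invalid/wp-content/plugins/loginpage/index.php 200",
    "2020-05-12T14:02:44Z 10.0.0.35 GET http://example.invalid/wp-login.php?x=abc 200",
]

if __name__ == "__main__":
    for ip, url in scan_proxy_log(SAMPLE_LOG):
        print(f"possible Valak DLL retrieval from {ip}: {url}")
```

The `is_valak_temp_dll` check is meant for file-create telemetry (for example Sysmon event ID 11 paths), where a two-character `.tmp` written to the user's Temp folder shortly after a Word macro ran is the signal worth correlating with the URL hits.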