- #IOC #OptiData #VR #Gamaredon #templateinjection #OOXML #VBA
- https://pastebin.com/HUKPF31d
- previous_contact:
- 18/11/19 https://pastebin.com/Vhb4KF5L
- FAQ:
- https://radetskiy.wordpress.com/2019/11/19/ioc_gamaredon_181119/
- https://www.malcrawler.com/russias-gamaredon-group-new-cyber-espionage-campaign-against-ukraine/
- https://www.vkremez.com/2019/01/lets-learn-deeper-dive-into-gamaredon.html
- https://whotippedmycows.com/gamaredon-targets-ukraine-using-cve-2017-0199/
- https://malpedia.caad.fkie.fraunhofer.de/actor/gamaredon_group
- attack_vector
- --------------
- email attach .docx > settings.xml.rels > GET .dot > VBA macro > GET exe (RECON)
- email_headers
- --------------
- n/a
- IOCs from National Security and Defense Council of Ukraine (RNBO):
- https://www.rnbo.gov.ua/ua/Diialnist/4669.html
- * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
- files
- --------------
- SHA-256 f35a137f830a335a558e11d0521564af6d5098f3553f5b6ae4a12b697ae53ef4
- File name Оперативне зведення.docx
- File size 28.17 KB (28842 bytes)
- SHA-256 4bb156f4503ab179dc2b21c7ccebb09356ed5cffc991ddd2317651d6c899bee6
- File name Оперативне зведення.docx [Office Open XML Document]
- File size 28.17 KB (28843 bytes)
- SHA-256 45445987ba4fe3031f1d1d0b50b85e1f577bc270b8ca711ebd5fff70b82d228c
- File name Оперативне зведення.docx [Office Open XML Document]
- File size 28.17 KB (28841 bytes)
- activity
- --------------
- PL_SCR http://document.freedynamicdns.org/lib/boot/jknjfk.dot
- http://document.freedynamicdns.org/var/backups/JKAdYI.dot
- http://document.freedynamicdns.org/www/mail/WVCHiQ.dot
- IPs:
- --------------
- 141.8.196.176
- 141.8.196.56
- 141.8.192.31
- Domains:
- --------------
- document.freedynamicdns.org
- sekuso.freedynamicdns.org
- netwrk
- --------------
- [http]
- 141.8.192.31 OPTIONS /lib/cache/ Microsoft Office Protocol Discovery
- 141.8.192.31 HEAD /lib/cache/HzcGQt.dot Microsoft Office Existence Discovery
- 141.8.192.31 OPTIONS /lib/cache Microsoft-WebDAV-MiniRedir/6.1.7601
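- Added example (not code from this paste, from RNBO or from McAfee ATR): a Python triage script for the delivery chain above, .docx > word/_rels/settings.xml.rels > remote .dot. It unzips the OOXML container, flags any attachedTemplate relationship whose TargetMode is External, extracts the host (http URL or UNC/WebDAV path, matching the WebDAV MiniRedir traffic listed under netwrk) and checks it against the domains on this page. The documents it inspects are constructed in memory for demonstration; the domain set is copied from the IOC lists above, and the helper names are mine.

```python
"""Triage an OOXML (.docx) attachment for a remote attached template.

Added example, not the paste's, RNBO's or McAfee ATR's code. Assumptions:
the chain on this page (docx > settings.xml.rels > GET .dot) is the ground
truth, the domain set below is copied from the page's IOC lists, and the
sample documents built by build_sample_docx() are constructed for the demo.
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit
from xml.sax.saxutils import quoteattr

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)
SETTINGS_RELS = "word/_rels/settings.xml.rels"

# Domains copied from the RNBO IOC list on this page.
KNOWN_DOMAINS = {"document.freedynamicdns.org", "sekuso.freedynamicdns.org"}


def external_templates(docx_bytes):
    """Return [(rel_id, target)] for attachedTemplate relationships with TargetMode="External".

    A benign document either has no settings.xml.rels or only internal targets,
    so anything returned here is worth a closer look.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if SETTINGS_RELS not in z.namelist():
            return hits
        root = ET.fromstring(z.read(SETTINGS_RELS))
        for rel in root.iter(f"{{{REL_NS}}}Relationship"):
            if rel.get("Type") == ATTACHED_TEMPLATE and rel.get("TargetMode") == "External":
                hits.append((rel.get("Id"), rel.get("Target")))
    return hits


def target_host(target):
    """Extract the host from an http(s) URL or a UNC/WebDAV path (backslash or forward slash)."""
    t = target.replace("\\", "/")
    if t.startswith("//"):
        t = "http:" + t  # UNC style; the scheme is only added so urlsplit can parse it
    return (urlsplit(t).hostname or "").lower()


def triage(docx_bytes, known_domains=KNOWN_DOMAINS):
    """Summarise remote-template indicators and match their hosts against the IOC domains."""
    hits = external_templates(docx_bytes)
    hosts = sorted({target_host(t) for _, t in hits if t})
    return {
        "remote_template": bool(hits),
        "targets": [t for _, t in hits],
        "hosts": hosts,
        "matched_ioc_domains": [h for h in hosts if h in known_domains],
    }


def build_sample_docx(template_target=None):
    """Constructed minimal OOXML container; with a target it mimics the lure's settings.xml.rels."""
    rels = f'<?xml version="1.0" encoding="UTF-8" standalone="yes"?><Relationships xmlns="{REL_NS}">'
    if template_target is not None:
        rels += (
            f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
            f'Target={quoteattr(template_target)} TargetMode="External"/>'
        )
    rels += "</Relationships>"
    wml = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", '<?xml version="1.0" encoding="UTF-8"?>'
                   '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("word/document.xml", f'<?xml version="1.0"?><w:document xmlns:w="{wml}"><w:body/></w:document>')
        z.writestr("word/settings.xml", f'<?xml version="1.0"?><w:settings xmlns:w="{wml}" '
                   'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
                   '<w:attachedTemplate r:id="rId1"/></w:settings>')
        z.writestr(SETTINGS_RELS, rels)
    return buf.getvalue()


if __name__ == "__main__":
    lure = build_sample_docx("http://document.freedynamicdns.org/lib/boot/jknjfk.dot")
    print(triage(lure))                 # remote template, host matches the IOC list
    print(triage(build_sample_docx()))  # no external relationship: nothing flagged
```

- Running the script against a real attachment is `triage(open("Оперативне зведення.docx", "rb").read())`; the attachedTemplate type is the one Word follows at open time, which is why the .dot is fetched before any macro prompt is shown, and why an OPTIONS/HEAD pair with the Microsoft Office Protocol Discovery and WebDAV MiniRedir user agents shows up in proxy logs right after the document is opened.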
- IOCs from McAfee Advanced Threat Research (ATR Team):
- https://www.mcafee.com/enterprise/en-us/threat-center/advanced-threat-research.html
- * * * * * * * * * * * * * * * * * * * * * * * * * * *
- Summary:
- --------------
- The campaign includes OOXML documents with embedded VBA macros, RAR archives with LNK files (VBS files were observed too), as well as RAR archives exploiting CVE-2018-20250 (the WinRAR ACE path traversal).
- The initial phishing email and the attached lures download an intermediate reconnaissance payload. After that reconnaissance step, conventional SFX archives are delivered to retrieve the final malware family; sometimes this delivery happens hours after the lure is opened.
- So, the campaign uses:
- Hosting at Russian providers, with Dynamic DNS domains provided by No-IP, or domains registered under the .xyz, .website, .site, .space and .ru top-level domains
- Delivery of payloads using self-extracting archives (SFX) containing batch scripts and other resources
- Attention!
- Exfiltration of BIOS manufacturer and version, username, computer name, NTFS volume serial number and running network-monitoring processes before the next-stage payloads are sent
- IPs:
- --------------
- 141.8.198.56
- 205.185.216.42
- 83.166.242.158
- 142.93.110.250
- 141.8.196.56
- 188.225.57.152
- Domains:
- --------------
- mishail.freedynamicdns.org
- inform.3utilities.com
- inform.bounceme.net
- inform.gotdns.ch
- kasim.freedynamicdns.org
- history.freedynamicdns.org
- mishel.freedynamicdns.org
- ncio.freedynamicdns.net
- kasting.freedynamicdns.org
- validat.freedynamicdns.org
- polits.freedynamicdns.org
- malofid.freedynamicdns.org
- myristica.ru
- Files SHA-256:
- --------------
- 021824a648e03939373f60f9915f38b57e5d562f57500017283814e9e5de60a7
- 30916ee605899226d8eb5ad03b00834dc8c8cb494302d841b09daea429d3cd93
- 42403c430e24e38866f5eb0f17d62432edcd988d6902e825fc4b93d1b280befb
- 569652ef84fdb29255587de7b25a475420930c40c41fa5e21b7613173b4439fa
- 693b4d811d4839e92f7dd8974c057bc1b6d57d50bb5ef6e49c4a365564ef99e7
- 6f4bd7871477ac3867126b82cfb3d9627e62b6a9d1a4d41a20bae733e18a33d7
- 75f2b3a6007d13f7a5d1c6ad37b91e53b1b74c4baa64dadb8a7e22dfbc174cd1
- 885c89c79cbfd9fe360ae6b456bd42f0b388e45c3bf9b414778b6f098f5056a5
- 8e598335d0de4438b80d8e5b63a6929d16ca67e2a5f6c567e84ea5152c5f9b15
- c846f757dc48b9ae437fe52dd8953e11074fcc3974c281924c9b44e4c642f48a
- d9358c588774722d8367ae6038e2eba11a9e5b88f28fb23d139a0ad04d1d0c2b
- e3462a0a5bd1e37419ebc46872cc0f1d2718cfcf3d05ecdeba7e4016cbc08e32
- 0f2b6b4ed61f0f54bf5333ca3879d3c31f214d2d386920dbba18cff1d90ec2c1
- 2589167e23bc288f04c3bd3cf735c4df52bad4633d20c94ebaff12f99405eccd
- 25dcfb64c72f4b8ba1ed4cf6a48810cacb94cc36df0335153d1a8ea9c75e98ac
- eaa1abf1dd367634f144117d567f5a871eb90193b7a9110b97b3b4fd73a04ad1
- 3bc65ce73726ffe17df6c65638d2b0833da0f221049a32af243184642dbc4fac
- 93da58d5cbbfdaf29dfa9ebcaf100457c657b9477db14bc0e7084196c96c694a
- aa4aa3e57f2fdce6f26baca6aedda8cb173bee9589a716f6818ed3b6062930be
- fe934cbb46e88f252ad327ac4735839afbf3b493378fecb7e1dcee961ff12d7c
- 6618185dd0fb9363d5dfeb6a8f32ed2e74418fb378f2b0726afd5198c6991255
- persist
- --------------
- HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\
- drop
- --------------
- %APPDATA%\Microsoft\Windows\FILE.vbs
- %USERPROFILE%\Downloads\FILE.vbs
- # # #
- https://www.virustotal.com/gui/file/f35a137f830a335a558e11d0521564af6d5098f3553f5b6ae4a12b697ae53ef4/details
- https://www.virustotal.com/gui/file/4bb156f4503ab179dc2b21c7ccebb09356ed5cffc991ddd2317651d6c899bee6/details
- https://www.virustotal.com/gui/file/45445987ba4fe3031f1d1d0b50b85e1f577bc270b8ca711ebd5fff70b82d228c/details
- VR