- German Cobalt Strike / German Tax Office spoof (October 23)
  - Lure email address: antwortensienicht@bzst-informieren[.]icu
  - SOA (DNS start-of-authority record contact): gladkoff1991@yandex.ru
- Italian Maze Campaign / Italian Ministry of Taxation spoof (October 29)
  - Lure email address: info@agenziaentrate[.]icu
  - SOA: gladkoff1991@yandex.ru
  - Proofpoint researchers have also determined that the IP address 91.218.114[.]37 is present in all Maze Ransomware downloads initiated by this actor.
- German Maze Campaign / German Tax Office spoof (November 6)
  - This campaign uses a lure identical to the one observed on October 23, including the same "RSA Key" malicious Microsoft Word attachment. It is also where we observed the second use of the word_/.tmp variation in the payload URL.
- German Maze Campaign / German ISP spoof (November 7)
  - This campaign, distributing Maze ransomware, impersonates a German internet service provider (1&1 Internet AG) and uses a nearly identical malicious Word document with an "RSA Key" lure, as observed in the November 6 German Tax Office campaign and the October 23 German campaign delivering Cobalt Strike.
  - Lure email address: antwortensienicht@bzstinform[.]icu
  - SOA: gladkoff1991@yandex.ru, which matches the October 23 Cobalt Strike campaign.
- US IcedID Campaign / USPS spoof (November 12)
  - On November 12, Proofpoint researchers observed a campaign using a USPS-themed lure to deliver the IcedID Trojan. This campaign did not use a .icu domain, choosing instead a different look-alike domain, uspsdelivery-service[.]com, but its malicious documents used the same "RSA" style lures seen in the earlier Cobalt Strike and Maze Ransomware campaigns, adding further evidence that the same actor or group is behind the distribution of these malware families.
  - The SOA for uspsdelivery-service[.]com is gladkoff1991@yandex.ru, which matches the previous campaigns.
Indicators of Compromise (IOCs)

| IOC | IOC Type | Description |
| --- | --- | --- |
| 44991186a56b0d86581f2b9cc915e3af426a322d5c4f43a984e6ea38b81b7bed | SHA256 | Document |
| cfd8e3a47036c4eeeb318117c0c23e126aea95d1774dae37d5b6c3de02bdfc2a | SHA256 | Document |
| 9f2139cc7c3fad7f133c26015ed3310981de26d7f1481355806f430f9c97e639 | SHA256 | Document |
| 5f1e512d9ab9b915b1fc925f546ed559cbfa49df53229e2f954a1416cf6f5ee4 | SHA256 | Document |
| 97043f23defd510607ff43201bb03b9916a23bd71b5bdf97db357e5026732506 | SHA256 | Document |
| d617fd4b2d0824e1a7eb9693c6ec6e71447d501d24653a8e99face12136491a8 | SHA256 | Document |
| 7e3ab96d2628e0a9970802b47d0356dc9b99994d7f98492d4e70a5384891695a | SHA256 | Document |
| antowortensienicht@bzst-infomieren[.]icu | Domain | Spoofed sending domain |
| info@agenziaentrate[.]icu | Domain | Spoofed sending domain |
| antwortensienicht@bzstinform[.]icu | Domain | Spoofed sending domain |
| uspsdelivery-service[.]com | Domain | Spoofed sending domain |
| hxxp://198.50.168.67/wordpack.tmp | Payload | Cobalt Strike |
| hxxp://conbase.top/sys.bat | Payload | Cobalt Strike |
| hxxp://104.168.198.208/wordupd.tmp | Payload | Maze Ransomware |
| hxxp://104.168.215.54/wordupd.tmp | Payload | Maze Ransomware |
| hxxp://104.168.174.32/wordupd_3.0.1.tmp | Payload | Maze Ransomware |
| hxxp://192.119.68.225/wordupd1.tmp | Payload | Buran Ransomware |
| hxxp://108.174.199.10/wordupd3.tmp | Payload | Buran Ransomware |
| hxxp://54.39.233.175/wupd19823.tmp | Payload | Buran Ransomware |
| hxxp://54.39.233.131/word1.tmp | Payload | Buran Ransomware |
| hxxp://104.168.198.230/wordupd.tmp | Payload | IcedID |
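The payload URLs above share a naming convention (word*/wupd*.tmp fetched from bare IP hosts) that is itself worth alerting on. The following is an added example, not code from the Proofpoint report: it refangs the table's payload IOCs, scans constructed proxy log lines for exact matches, and also flags the naming shape as a heuristic; the heuristic regex, the log line format and the sample lines are assumptions of this example.

```python
import re
# Payload URLs copied from the report's IOC table (defanged as printed), mapped to family.
PAYLOAD_IOCS = {
    "hxxp://198.50.168.67/wordpack.tmp": "Cobalt Strike",
    "hxxp://conbase.top/sys.bat": "Cobalt Strike",
    "hxxp://104.168.198.208/wordupd.tmp": "Maze Ransomware",
    "hxxp://104.168.215.54/wordupd.tmp": "Maze Ransomware",
    "hxxp://104.168.174.32/wordupd_3.0.1.tmp": "Maze Ransomware",
    "hxxp://192.119.68.225/wordupd1.tmp": "Buran Ransomware",
    "hxxp://108.174.199.10/wordupd3.tmp": "Buran Ransomware",
    "hxxp://54.39.233.175/wupd19823.tmp": "Buran Ransomware",
    "hxxp://54.39.233.131/word1.tmp": "Buran Ransomware",
    "hxxp://104.168.198.230/wordupd.tmp": "IcedID",
}

def refang(ioc):
    """Undo the hxxp:// and [.] defanging so IOCs compare against real log values."""
    return ioc.replace("hxxp://", "http://").replace("[.]", ".")

REFANGED = {refang(url): family for url, family in PAYLOAD_IOCS.items()}

# Heuristic (assumption of this example, not a Proofpoint rule): word*/wupd* .tmp from a bare IPv4 host.
_PAYLOAD_SHAPE = re.compile(r"^https?://\d{1,3}(?:\.\d{1,3}){3}/w(?:ord|upd)[\w.]*\.tmp$")

def classify(url):
    """Return (verdict, family): exact IOC hit, naming-pattern hit, or (None, None)."""
    if url in REFANGED:
        return "ioc_match", REFANGED[url]
    if _PAYLOAD_SHAPE.match(url):
        return "pattern_match", None
    return None, None

def scan_proxy_log(lines):
    """Scan 'timestamp client_ip method url' lines and return the flagged requests."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue  # skip malformed lines rather than abort the scan
        verdict, family = classify(parts[3])
        if verdict:
            hits.append({"client": parts[1], "url": parts[3], "verdict": verdict, "family": family})
    return hits

# Constructed sample proxy lines (not from the report); 203.0.113.9 is a documentation address.
SAMPLE_LOG = [
    "2019-11-12T10:01:02Z 10.0.0.5 GET http://104.168.198.230/wordupd.tmp",
    "2019-11-12T10:01:03Z 10.0.0.7 GET http://203.0.113.9/wordupd2.tmp",
    "2019-11-12T10:01:04Z 10.0.0.8 GET http://example.com/report.docx",
]
```

A pattern hit without an exact IOC match is a lead to triage (pull the client's document downloads and mail flow around that timestamp), not a confirmed infection.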