TA2101 IOCs

1. German Cobalt Strike/German Tax Office spoof (October 23)
2. Lure email address: [email protected]
3.  
4. SOA: [email protected]
5.  
6. Italian Maze Campaign/Italian Ministry of Taxation spoof (October 29)
7. Lure email address: [email protected]
8.  
9. SOA: [email protected]
10.  
11. Proofpoint researchers have also determined that the IP address 91.218.114[.]37 is present in all Maze Ransomware downloads initiated by this actor.
12.  
13. German Maze Campaign/German Tax Office spoof (November 6)
14. This campaign uses an identical lure that was observed on October 23, including the same "RSA Key" malicious Microsoft Word attachment. It is also where we observed the second use of word_/.tmp variation on the URL.
15.  
16. German Maze Campaign/German ISP spoof (November 7)
17. This campaign, distributing Maze ransomware, impersonates a German internet service provider (1&1 Internet AG) and uses a nearly identical malicious Word Document with an "RSA Key" lure that was observed in the November 6 German Tax Office campaign and the October 23 German campaign using Cobalt Strike.
18.  
19. Lure email address: [email protected]
20.  
21. SOA: [email protected], which matches the October 23 Cobalt Strike campaign.
22.  
23. US IcedID Campaign / USPS Spoof (November 12)
24. On November 12, Proofpoint researchers observed a campaign utilizing a USPS themed lure delivering the IcedID Trojan. While a .icu domain was not used in this campaign, instead choosing a different look-alike domain, uspsdelivery-service[.]com, these malicious documents used similar “RSA” style lures observed in the previous Cobalt Strike and Maze Ransomware campaigns, and added further evidence to support the theory that the same actor/group is behind the distribution of those malware families.
25.  
26. The SOA for uspsdelivery-service[.]com is [email protected] which matches previous campaigns.
27.  
28.  
29.  
30. Indicators of Compromise (IOCs)
31. IOC
32.  
33. IOC Type
34.  
35. Description
36.  
37. 44991186a56b0d86581f2b9cc915e3af426a322d5c4f43a984e6ea38b81b7bed
38.  
39. SHA256
40.  
41. Document
42.  
43. cfd8e3a47036c4eeeb318117c0c23e126aea95d1774dae37d5b6c3de02bdfc2a
44.  
45. SHA256
46.  
47. Document
48.  
49. 9f2139cc7c3fad7f133c26015ed3310981de26d7f1481355806f430f9c97e639
50.  
51. SHA256
52.  
53. Document
54.  
55. 5f1e512d9ab9b915b1fc925f546ed559cbfa49df53229e2f954a1416cf6f5ee4
56.  
57. SHA256
58.  
59. Document
60.  
61. 97043f23defd510607ff43201bb03b9916a23bd71b5bdf97db357e5026732506
62.  
63. SHA256
64.  
65. Document
66.  
67. d617fd4b2d0824e1a7eb9693c6ec6e71447d501d24653a8e99face12136491a8
68.  
69. SHA256
70.  
71. Document
72.  
73. 7e3ab96d2628e0a9970802b47d0356dc9b99994d7f98492d4e70a5384891695a
74.  
75. SHA256
76.  
77. Document
78.  
79. antowortensienicht@bzst-infomieren[.]icu
80.  
81. Domain
82.  
83. Spoofed sending domain
84.  
85. info@agenziaentrate[.]icu
86.  
87. Domain
88.  
89. Spoofed sending domain
90.  
91. antwortensienicht@bzstinform[.]icu
92.  
93. Domain
94.  
95. Spoofed sending domain
96.  
97. uspsdelivery-service[.[com
98.  
99. Domain
100.  
101. Spoofed sending domain
102.  
103. hxxp://198.50.168.67/wordpack.tmp
104.  
105. Payload
106.  
107. Cobalt Strike
108.  
109. hxxp://conbase.top/sys.bat
110.  
111. Payload
112.  
113. Cobalt Strike
114.  
115. hxxp://104.168.198.208/wordupd.tmp
116.  
117. Payload
118.  
119. Maze Ransomware
120.  
121. hxxp://104.168.215.54/wordupd.tmp
122.  
123. Payload
124.  
125. Maze Ransomware
126.  
127. hxxp://104.168.174.32/wordupd_3.0.1.tmp
128.  
129. Payload
130.  
131. Maze Ransomware
132.  
133. hxxp://192.119.68.225/wordupd1.tmp
134.  
135. Payload
136.  
137. Buran Ransomware
138.  
139. hxxp://108.174.199.10/wordupd3.tmp
140.  
141. Payload
142.  
143. Buran Ransomware
144.  
145. hxxp://54.39.233.175/wupd19823.tmp
146.  
147. Payload
148.  
149. Buran Ransomware
150.  
151. hxxp://54.39.233.131/word1.tmp
152.  
153. Payload
154.  
155. Buran Ransomware
156.  
157. hxxp://104.168.198.230/wordupd.tmp
158.  
159. Payload
160.  
161. IcedID