2020-10-27 (Tuesday) - TA551 (Shathak) Japanese-language Word docs with macros for IcedID

1. 2020-10-27 (TUESDAY) - TA551 (SHATHAK) JAPANESE LANGUAGE WORD DOCS WITH MACROS FOR ICEDID:
2.  
3. NOTE:
4.  
5. - Today had a Japanese language template for all of the Word docs.
6.  
7. CHAIN OF EVENTS:
8.  
9. - malspam --> password-protected zip attachment --> extracted Word doc --> enable macros --> installer DLL --> IcedID EXE
10.  
11. 18 EXAMPLES OF TA551 WORD DOCS WITH MACROS:
12.  
13. - ea065175ef6a0454ad5fd8463e5ae31ba93c9f4cbf341c8ee0ed5708bea0d5ae adjure-10.20.doc
14. - 8365f422960511f3ad83dcb877f017b2386a25f33639f894f4bf166d4470434f certificate 10.20.doc
15. - 5d47bcb8c571e7f784c22cc3ee640dd59750537e219dc6e2beb645eef9dbf37a certificate.10.20.doc
16. - c6ac3e232fd9ad0bb4be599e31531a29c186334a0adde94c65cd36f75fff0dbe charge-10.20.doc
17. - 04cd2e745b64648d70ff159efccd46082fcfbe585014b8d90b769a229aac227b commerce .10.27.2020.doc
18. - 71a680865e6d4eb1acee77a3ae4b8cf03dfb8b3df97f92401d210b73b845404a details,10.20.doc
19. - 6346bceb0b37a62e8811451eed21512a9e178ce3e0842247893c2e762bb84c15 direct_10.20.doc
20. - ce7e29a63e5708fe079cd2af8714fb8b98a0a076f570dc7ddd66c53ad3955886 documents-10.20.doc
21. - 9534926e784013025e1febc229f9cf424d99acf517ddbec50dad5bf85787a590 figures,10.27.2020.doc
22. - 043e9f2bd568cf3d3a6cbf02bb6b09e2264696b5d5c1b602c5148a405e3d6f48 instruct 10.20.doc
23. - 6a7a959ba0929ee1a7b58b27b128ec7686021f24a339fcfdabcb2aa96e304948 intelligence.10.27.20.doc
24. - ba0bd92667586990beef3d0b88105404eba6de54b7c5eba5417e6b825adb94d8 ordain 10.20.doc
25. - 0096cd669a833d0a09a8d7f7577f45024c9ef3f150dec83242a2e56f8047abea ordain.10.20.doc
26. - a71465cb2160b2f79d9fcdce4445afbc57af7d5a7698d162c9819517be3a0440 particulars,10.27.20.doc
27. - 34b100faba875e8aa4cb7250929827ecc9cb581c748723105a6bdd037c860807 prescribe ,10.20.doc
28. - 8574334c36df9f1299ebf7cbe21fe7d0cc4418303177d06d2e872147637ee23e question.10.27.20.doc
29. - 0ed641d4c87f6c2fc2ce99dc599bcd23a6170a98a1c10930722fa8735797ce11 rule_10.20.doc
30. - 783d6b61817c8c90cf67866db5cacc4ecf2e5eb7c7e1f5bd61bc67289f893263 specifics,10.27.2020.doc
31.  
32. AT LEAST 4 DOMAINS HOSTING THE INSTALLER DLL:
33.  
34. - moon6651[.]com - 45.128.207[.]209
35. - space7873[.]com - 185.246.67[.]7
36. - ticket6798[.]com - 185.159.129[.]88
37. - virtual9408[.]com - 54.38.60[.]5
38.  
39. GET REQUESTS FOR INSTALLER DLL:
40.  
41. - GET /update/[random alphabetic string with backslashes and underscores]/tbqxj1
42. - GET /update/[random alphabetic string with backslashes and underscores]/tbqxj2
43. - GET /update/[random alphabetic string with backslashes and underscores]/tbqxj3
44. - GET /update/[random alphabetic string with backslashes and underscores]/tbqxj4
45. - GET /update/[random alphabetic string with backslashes and underscores]/tbqxj5
46. - GET /update/[random alphabetic string with backslashes and underscores]/tbqxj6
47. - GET /update/[random alphabetic string with backslashes and underscores]/tbqxj7
48. - GET /update/[random alphabetic string with backslashes and underscores]/tbqxj8
49. - GET /update/[random alphabetic string with backslashes and underscores]/tbqxj9
50. - GET /update/[random alphabetic string with backslashes and underscores]/tbqxj10
51. - GET /update/[random alphabetic string with backslashes and underscores]/tbqxj11
52. - GET /update/[random alphabetic string with backslashes and underscores]/tbqxj12
53.  
54. EXAMPLES:
55.  
56. - GET /update/SMWPRGgVrUkFbZPpQxZIItpHRzrV/XNzFe/tbqxj1
57. - GET /update/xtJLxerFWqJeOqxsRlVbRXSrgSkmfIZybmvePQYUTvIODzmHfO/yKE/tbqxj2
58. - GET /update/m_POYFUTKfHUgFzEMFzXshqbKj_kWdLpJRVQqLMZNHJvVAkuZq/fTOHqQsZgcgdR_RLTLFTwHcVjWTEa/tbqxj3
59. - GET /update/FGwAGrrKkUzTfd_pvGWqExvrgijQIZCcgbdKfcJwmjEKvhYQGSQNxAmzQZRPVQjlDZ_ApRrVMlSsZ_KXE/tbqxj4
60. - GET /update/jzAZdqNV/qLptGYPUQNrsuJIRXwGRLCwAxQyArEwOh_KzdF_LQIvwNOtTevfptmRhPRPcEqb/tbqxj6
61. - GET /update/holebHDRTyvjHNCKIKWprLWNKAJfLiGsXgYsmdCsKI_/tbqxj8
62. - GET /update/XGPogQbgsafkUhgIq_F_zwm/nO/xVhnc/hturStjSm/tbqxj9
63. - GET /update/qqOQccpolFmwCmTnTmURcfZPByI_lqzPNvPfTfvLQjqdJtpOYeWT/WRFlVYjJTKqWAf_KhCjsSselY/tbqxj12
64.  
65. 5 EXAMPLES OF INSTALLER DLLS:
66.  
67. - d14bb95a4d6e4d39c5d6d6ff49f5e057c1ecd039c56ce8e0a9befaac109109c1
68. - e78cec26b2161c90b29869ab28fe59fc8224de56dc231cb7164bfbb043642f87
69. - 57c343fea2c50431d4193ca7fec8543377e2b13fd26bf88ba0cd86f39efd8ebb
70. - dbf7c332a6f9e08aa4d508dd3bc004cb3089d5eeb6c5fc105c18d6920f2ecc36
71. - f48c86c1b8852dbbc17c494a64641769a6e37bbcb5a185f120a017b1f183b278
72.  
73. LOCATION FOR THE INSTALLER DLL FILES:
74.  
75. - C:\Users\public\12345.txt
76.  
77. DLL RUN METHOD:
78.  
79. - regsvr32.exe [filename]
80.  
81. HTTPS TRAFFIC TO LEGITIMATE DOMAINS CAUSED BY INSTALLER DLL:
82.  
83. - port 443 - support.microsoft[.]com
84. - port 443 - www.intel[.]com
85. - port 443 - support.apple[.]com
86. - port 443 - support.oracle[.]com
87. - port 443 - www.oracle[.]com
88. - port 443 - help.twitter[.]com
89.  
90. AT LEAST 1 URL FOR HTTPS TRAFFIC GENERATED BY INSTALLER DLLS:
91.  
92. - 167.71.234[.]172 port 443 - zomboboxer[.]top - GET /background.png
93.  
94. 2 EXAMPLES OF SHA256 HASHES FOR ICEDID DLLS CREATED BY INSTALLER:
95.  
96. - 0a150760e79eec44b344843de116abacb0244a229b4d10dbb8897ea742dc6b63 (initial)
97. - 39d216bc849e4fc5a9f960b72f882bc95e18787028852243ed26b772239a2f0b (persistent)
98.  
99. HTTPS TRAFFIC TO MALICIOUS DOMAINS CAUSED BY THE ICEDID DLL FILES:
100.  
101. - 188.166.82[.]172 port 443 - maseratipirosh[.]top
102. - 188.166.82[.]172 port 443 - tyrek87[.]cyou
103. - 188.166.82[.]172 port 443 - fodsijjire[.]cyou
104. - 188.166.82[.]172 port 443 - rivercoockinh[.]cyou
105. - 188.166.82[.]172 port 443 - hdfouter[.]pw