malware_traffic

2019-10-03 - Netsupport RAT malspam campaign

Oct 4th, 2019
DATE:

- As early as Thursday 2019-10-03

DESCRIPTION:

- FedEx-themed malspam used to distribute Netsupport RAT.

SOME OF THE EMAIL SUBJECTS:

- Subject: Fedex delivery failure
- Subject: Fedex delivery notification
- Subject: Fedex delivery problem
- Subject: Urgent Fedex delivery notification

SOME OF THE SENDING ADDRESSES (PROBABLY SPOOFED):

- From: fedex.delivery.alerts@homebestfun.com
- From: fedex.notifications@celgrundy.icu
- From: fedex.notifications@clois.icu
- From: fedex.notifications@cmelanie.icu
- From: fedex.notifications@reiren.icu
- From: info@fedexcn.org

SOME LINKS FROM THE EMAILS:

- hxxps://diezeitinsel[.]de/fedex.php
- hxxps://jrunlimited[.]com/fedex.php
- hxxps://pitchseed[.]com/fedex.php
- hxxps://prestigefg[.]com/fedex.php
- hxxps://squareonerenovationsinc[.]com/fedex.php
- hxxps://www.isleeku[.]com/fedex.php
- hxxps://www.shakeraleighbeauty[.]com/fedex.php

ALL OF THE ABOVE LINKS REDIRECT TO THE FOLLOWING URL CHAIN:

- hxxps://mydropboxfiles[.]com/
- hxxps://dropboxfiles[.]net/download/gBNksCv/
- hxxps://dropboxfiles[.]net/download/gBNksCv/?file=form.hta&id=46

WHICH DROPS THE FOLLOWING HTA FILE:

- SHA256 hash: 466f848ac9dab1bf97abf2815506c443acc73204a822d68b66c44390e642964f
- File size: 4,284 bytes
- File name: form.hta
- File location: hxxps://dropboxfiles[.]net/download/gBNksCv/?file=form.hta&id=46
- File description: HTA file to infect a Windows host with Netsupport RAT

THE ABOVE HTA FILE GENERATES THE FOLLOWING INFECTION TRAFFIC:

- hxxp://185.225.17[.]53/form.msi
- hxxp://185.225.19[.]35/fakeurl.htm
- hxxp://geo.netsupportsoftware[.]com/location/loca.asp

NETSUPPORT RAT INSTALLER:

- SHA256 hash: 11f877eb961c5d13c07e9e29614e551f7fcd36cda5458927aa66a9f211d09286
- File size: 4,030,464 bytes
- File location: hxxp://185.225.17[.]53/form.msi
- File description: Netsupport RAT installer