2023-01-16 (MONDAY) - FAKE 7-ZIP PAGE LEADS TO MALWARE
REFERENCE:
- https://twitter.com/Unit42_Intel/status/1615470858067222568
NOTES:
- A Google ad led to the fake 7-zip page.
- The .msi package downloaded from the fake 7-zip page installs 7-zip version 22.01, but it also installs malware.
- This infection retrieves legitimate tools like NSudo.exe (privilege escalation) and Gpg4win (GPG for Windows).
- This infection also retrieves GPG-encrypted files hosted on Bitbucket and uses the Gpg4win tool Kleopatra to decrypt them.
- This infection delivers Redline Stealer, Gozi (ISFB/Ursnif), and a GongShell tool.
- We saw follow-up malware traffic from the Gozi infection that may have been Cobalt Strike, but we cannot confirm it.
FAKE 7-ZIP PAGE:
- hxxps://archiver-7zip[.]software/
FAKE 7-ZIP INSTALLER:
- SHA256 hash: d5370c76769237e9d5200c66690ae6f34e1b785fc37dad57d72e839218d5fb58
- File size: 400,896 bytes
- File name: 7z2201-x64.msi
- File location: hxxps://download1[.]software/7z2201-x64.msi
- File description: Malicious installer downloaded from fake 7-zip page.
- Sample: https://bazaar.abuse.ch/sample/d5370c76769237e9d5200c66690ae6f34e1b785fc37dad57d72e839218d5fb58/
DECRYPTED MALWARE FILES:
- SHA256 hash: d5767193e98af701c8e7b458fce7751dd66683b1957c60d8fa55b642210d168e
- File size: 400,896 bytes
- File location: C:\Users\[username]\AppData\Roaming\ZipCosdaz.exe
- File description: Loader for Redline Stealer EXE at hxxp://193.56.146[.]114/pdfbuild.exe
- Sample: https://bazaar.abuse.ch/sample/d5767193e98af701c8e7b458fce7751dd66683b1957c60d8fa55b642210d168e/
- SHA256 hash: 5d6f1484f6571282790d64821429eeeadee71ba6b6d566088f58370634d2c579
- File size: 288,768 bytes
- File location: C:\Users\[username]\AppData\Roaming\ZipCosdaz1.exe
- File description: Gozi/ISFB/Ursnif installer
- Sample: https://bazaar.abuse.ch/sample/5d6f1484f6571282790d64821429eeeadee71ba6b6d566088f58370634d2c579/
- SHA256 hash: bd02e3c2bba567caf4f52adf9f52656a7d5057f3607d9e94fd9c27cfe490e710
- File size: 199,168 bytes
- File location: C:\Users\[username]\AppData\Roaming\ZLocal.exe
- File description: EXE for GongShell
- Sample: https://bazaar.abuse.ch/sample/bd02e3c2bba567caf4f52adf9f52656a7d5057f3607d9e94fd9c27cfe490e710/
OTHER ARTIFACTS:
- SHA256 hash: 74da94bf0e4f007387de6084a8437b947e139e0602df1d0f9d15341cabd41b3c
- File size: 204,800 bytes
- File location: hxxp://193.56.146[.]114/pdfbuild.exe
- File description: EXE for Redline Stealer
- Sample: https://bazaar.abuse.ch/sample/74da94bf0e4f007387de6084a8437b947e139e0602df1d0f9d15341cabd41b3c/
TRAFFIC GENERATED BY RUNNING THE DOWNLOADED 7Z2201-X64.MSI FILE:
- hxxps://huggingface[.]co/Looks/zip7/raw/main/arch
- hxxps://advertising-check[.]ru/start.php
- hxxps://bitbucket[.]org/ganhack123/load/downloads/ZipCosdaz1.exe.gpg
- hxxps://bbuseruploads.s3.amazonaws[.]com/167118f1-f9a2-4a15-883b-f4bca0212b90/downloads/968ada68-5780-4190-80ab-912d11e581da/ZipCosdaz1.exe.gpg?response-content-disposition=attachment%3B%20filename%3D%22ZipCosdaz1.exe.gpg%22&AWSAccessKeyId=ASIA6KOSE3BNH26LAYXF&Signature=%2Fw6ksnVYKSPuN189ap%2FTJ2xfDto%3D&x-amz-security-token=FwoGZXIvYXdzEOP%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaDNl0wA0hRh8K%2F%2Fuv4yK%2BASQecHe8mdO77ggFaJSLxzp3n4lnNJasNAKmnB%2FB2KnnulTV7bk1VL1ldqPMXa5kpXJ9T%2FmBuEZowq%2B9Wfzhd3lSJ2NBV%2Ffad1bSlHdRbqkLmrCjpi%2B5aTRXqbYPSw6N2h1ntixvRxChPMfCwefhbVYg1r%2BtXVr5gJBW4GLlhwHVTpHcFm7%2F8FOY4wuvjrukDuaez7lX60UKCO%2BG1wVz4nFs06YamP8N6fo5is5QXt96ICHP6oynJbNcfQYR6%2BUojPCXngYyLQC%2Fpyunx2%2Fi9Y%2Fbn7QW0MdUaleZ8BZSDT5U36N7NaPBLnOVHnJZ6%2FYkfr5Adg%3D%3D&Expires=1673920277
- hxxps://bitbucket[.]org/ganhack123/load/downloads/ZipCosdaz.exe.gpg
- hxxps://bbuseruploads.s3.amazonaws[.]com/167118f1-f9a2-4a15-883b-f4bca0212b90/downloads/16b2b281-04c4-4927-ae9e-169c0ea43939/ZipCosdaz.exe.gpg?response-content-disposition=attachment%3B%20filename%3D%22ZipCosdaz.exe.gpg%22&AWSAccessKeyId=ASIA6KOSE3BNPHK3M4VL&Signature=R6BNn86MUesQsNsWiInS6mHzsMw%3D&x-amz-security-token=FwoGZXIvYXdzEOP%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaDN0cx6GI6vbmuWBSrCK%2BASm6DCrlx6iUPBJePwvhJAUQ6nttM1GtC6KdYLxWUP%2FzxVmg7Gd3yXeKZArtfq022G9nWYECNzQdAsymMdW8bgPtUDnGD5qOEAQi4RihEIomcpvK3BwGoOOaw2w8pyQ9oL1oIF%2FyJmwx9wYAyLTHT8FnD900YnXNAPHgmncubgoQ05ZGkx3pSc2SPVsPiU83f0G%2FYaDZ1yo1gQjKyBNjCYBUpXUk4z0wiK2kjT%2B1XKN171NFh5AMpno2sHV%2FMzIo%2FeqXngYyLQ6jpGjJGsptLmYjnMTHWpyFx3zdzvtiPynux9gOVzwGFBiRxlTXAOC1x2YttA%3D%3D&Expires=1673919621
- hxxps://bitbucket[.]org/ganhack123/load/downloads/ZLocal.gpg
- hxxps://bbuseruploads.s3.amazonaws[.]com/167118f1-f9a2-4a15-883b-f4bca0212b90/downloads/3f2b93d2-67f9-447b-9a43-5879da9f8018/ZLocal.gpg?response-content-disposition=attachment%3B%20filename%3D%22ZLocal.gpg%22&AWSAccessKeyId=ASIA6KOSE3BNMQ3M2QXD&Signature=h5WqF8mWws%2F%2BF7JI34D8H2tTVww%3D&x-amz-security-token=FwoGZXIvYXdzEOP%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaDEyDNIsqd2teCyZTyyK%2BATt0Ao5Xh1kkniY9jQYqNaCGKcSkN9F%2BwecQqATJjh5LQwv5QeAaBAUU3HWjUdIPd1rRQyTC2y2vhfTiUtUWbLLHPZ0L0cKSUZnu6SKVqhrPZplHX3Qgz6Svr7yinL89h0A1NLCYdHQTF33kNoTf865V3ZrgGQj58Jv%2BKgt1v6xsrGQDKePdIvt4eCsUYsXFIFUavt2YY6jLny6Uhynyw6eT3YgnMhfzU3rvrE0ynwRAE%2BxIC3HIyxoDIXhRPFgo%2FuqXngYyLUlIR42b6VfCUaSqhH8Syoem7OhLME26OIgh6vLQG6JsdB6vpA6MKWn3ThIJ4w%3D%3D&Expires=1673919622
- hxxps://raw.githubusercontent[.]com/swagkarna/Bypass-Tamper-Protection/main/NSudo.exe
- hxxps://raw.githubusercontent[.]com/swagkarna/Bypass-Tamper-Protection/main/NSudo.exe
- hxxps://raw.githubusercontent[.]com/swagkarna/Bypass-Tamper-Protection/main/NSudo.exe
- hxxps://www.7-zip[.]org/a/7z2201.exe
- hxxp://files.gpg4win[.]org/gpg4win-2.2.5.exe
- hxxps://advertising-check[.]ru/install.php
POST-INFECTION TRAFFIC FOR REDLINE STEALER:
- hxxp://193.56.146[.]114/pdfbuild.exe - EXE retrieved by ZipCosdaz.exe
- 193.56.146[.]114 port 44271 - TCP traffic generated by Redline Stealer
POST-INFECTION TRAFFIC FOR GOZI/ISFB/URSNIF:
- 79.132.130[.]171 port 80 - 79.132.130[.]171 - GET /fonts/[base64 string with underscores and backslashes].bak
- 79.132.130[.]171 port 80 - 79.132.130[.]171 - POST /fonts/[base64 string with underscores and backslashes].dot
- 79.132.128[.]228 port 80 - 79.132.128[.]228 - GET /fonts/[base64 string with underscores and backslashes].csv
- 45.11.182[.]208 port 80 - 45.11.182[.]208 - GET /v32.rar
- 45.11.182[.]208 port 80 - 45.11.182[.]208 - GET /v64.rar
- 79.132.129[.]220 port 443 - HTTPS/SSL/TLS traffic <-- unknown, possible Cobalt Strike but cannot confirm
- 176.113.115[.]177 port 80 - 176.113.115[.]177 - GET /stilak32.rar
- 176.113.115[.]177 port 80 - 176.113.115[.]177 - GET /stilak64.rar
- 79.132.128[.]228 port 80 - 79.132.128[.]228 - POST /fonts/[base64 string with underscores and backslashes].dot
- 45.11.182[.]30 port 80 - 45.11.182[.]30 - GET /fonts/[base64 string with underscores and backslashes].csv
- 185.189.151[.]61 port 80 - 185.189.151[.]61 - GET /fonts/[base64 string with underscores and backslashes].csv
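Added detection example (not part of the original IOC list): a small proxy-log classifier that turns the indicators above into three checks: exact matches on the listed hosts, the Gozi/ISFB "/fonts/<base64 with underscores and backslashes>.bak|.dot|.csv" URI shape, and the GPG-encrypted second-stage downloads from the Bitbucket "downloads" area. The log format ("client method host path") and the sample lines are constructed for this example.

```python
import re

# Indicators from the list above, with the [.] defanging removed so they
# compare equal to a proxy log's host field.
KNOWN_BAD_HOSTS = {
    "archiver-7zip.software", "download1.software", "advertising-check.ru",
    "193.56.146.114", "79.132.130.171", "79.132.128.228", "45.11.182.208",
    "45.11.182.30", "176.113.115.177", "185.189.151.61", "79.132.129.220",
}
# Gozi/ISFB check-ins above: /fonts/<long base64-like token that also
# carries '_' or '\'>.bak|.dot|.csv (font fetches like .woff2 do not match).
GOZI_URI = re.compile(
    r"^/fonts/(?=[^.]*[_\\])[A-Za-z0-9+/=_\\]{16,}\.(?:bak|dot|csv)$")
# Second-stage payloads arrived as .gpg blobs from a Bitbucket "downloads"
# area (<workspace>/<repo>/downloads/<file>.gpg) and were decrypted locally.
GPG_BLOB = re.compile(r"^/[^/]+/[^/]+/downloads/[^/]+\.gpg$")


def classify(line: str) -> list[str]:
    """Return alert tags for one 'client method host path' proxy log line."""
    fields = line.split()
    if len(fields) != 4:
        return []  # malformed line: skip it rather than abort the scan
    host, path = fields[2].lower(), fields[3]
    tags = []
    if host in KNOWN_BAD_HOSTS:
        tags.append("known-ioc-host")
    if GOZI_URI.match(path):
        tags.append("gozi-fonts-uri")
    if host == "bitbucket.org" and GPG_BLOB.match(path):
        tags.append("gpg-blob-from-bitbucket")
    return tags


def scan(log_text: str) -> dict[str, list[str]]:
    """Map each suspicious log line to its tags; clean lines are dropped."""
    return {ln: t for ln in log_text.splitlines() if (t := classify(ln))}

# Constructed sample log (not the page's capture); the token is made up.
SAMPLE_LOG = r"""10.0.0.5 GET bitbucket.org /ganhack123/load/downloads/ZipCosdaz1.exe.gpg
10.0.0.5 GET www.7-zip.org /a/7z2201.exe
10.0.0.5 GET 79.132.130.171 /fonts/Q2xpZW50X0lkPTEy\Mz_Q1\Njc4OQ==.bak
10.0.0.5 POST 79.132.130.171 /fonts/Q2xpZW50X0lkPTEy\Mz_Q1\Njc4OQ==.dot
10.0.0.5 GET 45.11.182.208 /v32.rar
10.0.0.7 GET example.com /fonts/OpenSans.woff2"""

if __name__ == "__main__":
    for line, tags in scan(SAMPLE_LOG).items():
        print(", ".join(tags), "<-", line)
```

The legitimate 7-zip download and the ordinary web-font fetch come back clean, while the Bitbucket .gpg blob, both Gozi check-ins and the .rar retrieval from a listed host are tagged.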
ISSUER DATA FROM SELF-SIGNED CERTIFICATE USED FOR HTTPS/SSL/TLS TRAFFIC ON 79.132.129[.]220 PORT 443:
- id-at-commonName=temp.cloudflare.com
- id-at-organizationalUnitName=Cloudflare
- id-at-organizationName=Cloudflare Inc.
- id-at-localityName=San Francisco
- id-at-stateOrProvinceName=California
- id-at-countryName=US
NOTE: The above is issuer data from a self-signed certificate, and it appears to impersonate Cloudflare.