Add files via upload
brad-duncan authored Jan 29, 2024
1 parent 99e8b60 commit 3d64757
Showing 9 changed files with 643 additions and 0 deletions.
56 changes: 56 additions & 0 deletions 2023-01-05-IOCs-from-Agent-Tesla-variant-infection.txt
@@ -0,0 +1,56 @@
2023-01-05 (THURSDAY) - MALSPAM CAUSES INFECTION FOR AGENT TESLA VARIANT, POSSIBLY ORIGINLOGGER

REFERENCE:

- https://twitter.com/Unit42_Intel/status/1611379660029366273

INFECTION CHAIN:

- email --> attached .iso file --> contains .exe file --> .exe loads encoded binary --> binary decoded & used to generate Agent Telsa-style traffic

NOTES:

- This malware triggers alerts for Agent Tesla, but it is likely OriginLogger as discussed here: https://unit42.paloaltonetworks.com/originlogger/

- The malware EXE used for this infection rettrieves XOR-encoded binary from a web server.
- The XOR-encoded binary is decoded into a malicious DLL that is used to generate Agent Tesla-style traffic.
- The decoded DLL is not saved to disk.
- The infected host will start thise entire process again after the host is rebooted, or the victim logs off & logs back in.

EMAIL INFORMATION FROM MALSPAM:

- Received: from multisped.com.mk (multisped.com.mk [185.250.254.32]); Thu, 5 Jan 2023 04:18:36 +0000 (UTC)
- From: JPMorgan Chase Bank N.A <[email protected]>
- Subject: BANK PAYMENT NOTIFICATION
- Attachment name: Payment Copy_Chase Bank_Pdf.iso

ASSOCIATED FILES:

- SHA256 hash: 926a3142270a52f8afb93490d5dd21f0ca23bc0815ee6630068cf6409d8ee448
- File size: 1,245,184 bytes
- File name: Payment Copy_Chase Bank_Pdf.iso
- File type: UDF filesystem data (version 1.5) 'PAYMENT_COPY_CHASE_BANK_PDF'
- File description: This file mounts as a disk image on Windows and Mac hosts

- SHA256 hash: 5016ba92afac1c2b2a2a6b17a09406869bd6f58cfe680f25030af1a1ba1c29a2
- File size: 26,112 bytes
- File name: Payment Copy_Chase Bank_Pdf.exe
- File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
- File description: Windows EXE retreived from the above .iso file

- SHA256 hash: 90d977ca0a3331d78005912d2b191d26e33fa2c6ef17602d6173164ba83fd85e
- File size: 664,576 bytes
- File location: hxxp://savory.com[.]bd/sav/Ztvfo.png
- File type: data
- File description: Malicious binary XOR-ed with the ASCII string: Sfhdjkpkowgnpcgoshb

- SHA256 hash: 3883d374ba0736254a89e310b86f3c3769adcaed471b103b5c0a8a2f16cf5c8d
- File size: 664,576 bytes
- File type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
- File description: Malicious DLL file decoded from the above binary

INFECTION TRAFFIC:

- 45.56.99[.]101 port 80 - savory.com[.]bd - GET /sav/Ztvfo.png
- port 443 - api.ipify.org - HTTPS traffic, IP address by the infected Windows host, not inherently malicious
- 204.11.58[.]28 port 587 - mail.transgear[.]in - unencrypted SMTP traffic generated by Agent Tesla variant
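Review bot: the sender IP in the EMAIL INFORMATION section is not defanged ("[185.250.254.32]" inside the Received: header) while every other IP and domain in this file uses the 45.56.99[.]101 / savory.com[.]bd convention; bracket the dot there too so tooling that auto-links or auto-extracts indicators treats it consistently. Spelling in the same hunk: "rettrieves" and "thise" in NOTES, "retreived" in the .exe entry, and "Agent Telsa-style" in INFECTION CHAIN.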
88 changes: 88 additions & 0 deletions 2023-01-12-IOCs-from-IcedID-and-Cobalt-Strike-infection.txt
@@ -0,0 +1,88 @@
2023-01-23 (THURSDAY) - ICEDID (BOKBOT) INFECTION WITH COBALT STRIKE

REFERENCE:

- https://twitter.com/Unit42_Intel/status/1613710507638235136

INFECTION CHAIN:

- email --> attached PDF --> password-protected zip --> extracted ISO --> files to run IcedID installer --> IcedID C2 --> Cobalt Strike

ASSOCIATED MALWARE:

- SHA256 hash: 1d769af38bea969c00501ff64b51f4e4fd2de2bedc7785b3471b7d12765c1a7d
- file size: 139,342 bytes
- File name: Document_251_Unpaid_-1-12.pdf
- File description: Example of PDF used to download passwor-protected zip for IcedID infection.

- SHA256 hash: fbeffaaf34d13cd45e2e545172db2287fead4ed05c04c0e8da549a0869d2fa96
- file size: 110,732 bytes
- File name: Document_224_Copy_01-12.zip
- File description: password-protected zip archive downloaded from firebasestorage.googleapis[.]com URL in above PDF
- Password: z5247

- SHA256 hash: 9661ba9658bf85409cc414b8f62aaca490ac9f75aa4c2a146795945cf014b211
- file size: 1,376,256 bytes
- File name: Document_224_Copy_01-12.iso
- File description: Disk image containing files for IcedID

CONTENTS OF THE ISO IMAGE:

- SHA256 hash: 1e84f66e29d4c0263d3b67bc9a694eabdff306fc83635bb1d4bd5d4c894c8428
- file size: 1,978 bytes
- File name: Document.lnk
- File description: Windows shortcut that runs hidden .cmd file below

- SHA256 hash: 156ed6c025b8d1dcfa8b3f9a183fc89fbbedc9f2cb178806ad23c2663a1d345c
- file size: 1,593 bytes
- File name: negconrodl\bogpacsipr.cmd
- File description: Command line script used to run the IcedID installer DLL

- SHA256 hash: 65281fe83e22bde20fa56079bebaea6fb353d1036be8073924fdf64cd9194984
- file size: 194,440 bytes
- File name: negconrodl\outgoing.dat
- File description: IcedID installer DLL (64-bit)
- Run method: rundll32.exe [filename],init

FILE FROM AN INFECTION:

- SHA256 hash: 6b22df802f36a9ab0a1f963304fcfcba7cf4b7a922ac123ac2d53240f18c3ab5
- file size: 544,003 bytes
- File location: hxxp://allertmnemonkik[.]com/
- File description: gzip binary retrieved by above IcedID installer DLL

- SHA256 hash: 509628d0ce1f30b6ce77aa484fb687aa23fa9d7ee73ed929e149eee354b3a3b0
- file size: 352,906 bytes
- File location: C:\Users\[username]\AppData\Roaming\HoleWheel\license.dat
- File description: data binary used to run persistent IcedID DLL

- SHA256 hash: e144b75d9cb85a5decf7895c824c025bc0f163af81094078130a2826328165eb
- file size: 190,344 bytes
- File location: C:\Users\[username]\AppData\Local\{7FB4161A-1942-0027-7D5F-A43B70B656A5}\Reexbw64.dll",Reexbw64.dll
- File description: Persistent IcedID DLL
- Run method: rundll32.exe [filename],init --qume="[path to license.dat]"

- SHA256 hash: 4c9364c85bd1e8a2fb53181696d6471ae10971f4cc709419dfaf6224b23b9f55
- file size: 540,672 bytes
- File location: hxxp://199.127.60[.]47/download/sg.exe
- File description: 64-bit Windows EXE for Cobalt Strike

URL FOR ZIP ARCHIVE DOWNLOAD:

- hxxps://firebasestorage.googleapis[.]com/v0/b/cobalt-nomad-372419.appspot.com/o/OwSq1IMH1D%2FDocument_224_Copy_01-12.zip?alt=media&
token=aa49349f-ed98-456b-85c4-ce74daf4a0e3

TRAFFIC GENERATED BY ICEDID INSTALLER DLL FOR GZIP BINARY:

- 162.33.177[.]186 port 80 - allertmnemonkik[.]com - GET /

ICEDID C2 TRAFFIC:

- 103.208.85[.]127 port 443 - turelomi[.]hair - HTTPS traffic
- 94.140.115[.]3 port 443 - lezhidov[.]cloud - HTTPS traffic
- 5.230.74[.]203 port 443 - qzmeat[.]cyou - HTTPS traffic

COBALT STRIKE TRAFFIC:

- 199.127.60[.]47 port 80 - 199.127.60[.]47 - GET /download/sg.exe
- 185.173.34[.]36 port 443 - fepopeguc[.]com - HTTPS traffic
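Review bot: the header date disagrees with the file name: the title reads "2023-01-23 (THURSDAY)" but the file is 2023-01-12-IOCs-from-IcedID-and-Cobalt-Strike-infection.txt; 2023-01-12 was a Thursday and 2023-01-23 a Monday, so the title should read 2023-01-12. The persistent IcedID DLL entry has a stray fragment after the path, "...\Reexbw64.dll",Reexbw64.dll", which looks like part of the rundll32 command line pasted into the File location field; trim it to the path alone. Minor: "passwor-protected" in the PDF description, "file size" is lowercase throughout this file while the other files use "File size", and the firebasestorage URL is wrapped onto a second line ("token=aa49349f-..."), which breaks line-oriented IOC parsing.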
102 changes: 102 additions & 0 deletions 2023-01-16-IOCs-for-malware-from-fake-7zip-page.txt
@@ -0,0 +1,102 @@
2023-01-16 (MONDAY) - FAKE 7-ZIP PAGE LEADS TO MALWARE

REFERENCE:

- https://twitter.com/Unit42_Intel/status/1615470858067222568

NOTES:

- A Google ad led to the fake 7-zip page.
- The .msi package downloaded from the fake 7-zip page installs 7-zip version 22.01, but it also installer malware.
- This infection retreives legitimate tools like NSudo.exe (privileg escalation) and Gpg4win (GPG for Windows).
- This infection also retrieves GPG-encrypted files hosted on Bitbucket and uses the Gpg4win tool Kleopatra to decrypt them.
- This infection delivers Redline Stealer, Gozi (ISFB/Ursnif), and a GongShell tool.
- We saw follow-up malware traffic from the Gozi infection, that may have been Cobalt Strike, but cannot confirm

FAKE 7-ZIP PAGE:

- hxxps://archiver-7zip[.]software/

FAKE 7-ZIP INSTALLER:

- SHA256 hash: d5370c76769237e9d5200c66690ae6f34e1b785fc37dad57d72e839218d5fb58
- File size: 400,896 bytes
- File name: 7z2201-x64.msi
- File location: hxxps://download1[.]software/7z2201-x64.msi
- File description: Malicious installer downloaded from fake 7-zip page.
- Sample: https://bazaar.abuse.ch/sample/d5370c76769237e9d5200c66690ae6f34e1b785fc37dad57d72e839218d5fb58/

DECRYPTED MALWARE FILES:

- SHA256 hash: d5767193e98af701c8e7b458fce7751dd66683b1957c60d8fa55b642210d168e
- File size: 400,896 bytes
- File location: C:\Users\[username]\AppData\Roaming\ZipCosdaz.exe
- File description: Loader for Redline Stealer EXE at hxxp://193.56.146[.]114/pdfbuild.exe
- Sample: https://bazaar.abuse.ch/sample/d5767193e98af701c8e7b458fce7751dd66683b1957c60d8fa55b642210d168e/

- SHA256 hash: 5d6f1484f6571282790d64821429eeeadee71ba6b6d566088f58370634d2c579
- File size: 288,768 bytes
- File location: C:\Users\[username]\AppData\Roaming\ZipCosdaz1.exe
- File description: Gozi/ISFB/Ursnif installer
- Sample: https://bazaar.abuse.ch/sample/5d6f1484f6571282790d64821429eeeadee71ba6b6d566088f58370634d2c579/

- SHA256 hash: bd02e3c2bba567caf4f52adf9f52656a7d5057f3607d9e94fd9c27cfe490e710
- File size: 199,168 bytes
- File location: C:\Users\[username]\AppData\Roaming\ZLocal.exe
- File description: EXE for GongShell
- Sample: https://bazaar.abuse.ch/sample/bd02e3c2bba567caf4f52adf9f52656a7d5057f3607d9e94fd9c27cfe490e710/

OTHER ARTIFACTS:

- SHA256 hash: 74da94bf0e4f007387de6084a8437b947e139e0602df1d0f9d15341cabd41b3c
- File size: 204,800 bytes
- File location: hxxp://193.56.146[.]114/pdfbuild.exe
- File description: EXE for Redline Stealer
- Sample: https://bazaar.abuse.ch/sample/74da94bf0e4f007387de6084a8437b947e139e0602df1d0f9d15341cabd41b3c/

TRAFFIC GENERATED BY RUNNING THE DOWNLOADED 7Z2201-X64.MSI FILE:

- hxxps://huggingface[.]co/Looks/zip7/raw/main/arch
- hxxps://advertising-check[.]ru/start.php
- hxxps://bitbucket[.]org/ganhack123/load/downloads/ZipCosdaz1.exe.gpg
- hxxps://bbuseruploads.s3.amazonaws[.]com/167118f1-f9a2-4a15-883b-f4bca0212b90/downloads/968ada68-5780-4190-80ab-912d11e581da/ZipCosdaz1.exe.gpg?response-content-disposition=attachment%3B%20filename%3D%22ZipCosdaz1.exe.gpg%22&AWSAccessKeyId=ASIA6KOSE3BNH26LAYXF&Signature=%2Fw6ksnVYKSPuN189ap%2FTJ2xfDto%3D&x-amz-security-token=FwoGZXIvYXdzEOP%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaDNl0wA0hRh8K%2F%2Fuv4yK%2BASQecHe8mdO77ggFaJSLxzp3n4lnNJasNAKmnB%2FB2KnnulTV7bk1VL1ldqPMXa5kpXJ9T%2FmBuEZowq%2B9Wfzhd3lSJ2NBV%2Ffad1bSlHdRbqkLmrCjpi%2B5aTRXqbYPSw6N2h1ntixvRxChPMfCwefhbVYg1r%2BtXVr5gJBW4GLlhwHVTpHcFm7%2F8FOY4wuvjrukDuaez7lX60UKCO%2BG1wVz4nFs06YamP8N6fo5is5QXt96ICHP6oynJbNcfQYR6%2BUojPCXngYyLQC%2Fpyunx2%2Fi9Y%2Fbn7QW0MdUaleZ8BZSDT5U36N7NaPBLnOVHnJZ6%2FYkfr5Adg%3D%3D&Expires=1673920277
- hxxps://bitbucket[.]org/ganhack123/load/downloads/ZipCosdaz.exe.gpg
- hxxps://bbuseruploads.s3.amazonaws[.]com/167118f1-f9a2-4a15-883b-f4bca0212b90/downloads/16b2b281-04c4-4927-ae9e-169c0ea43939/ZipCosdaz.exe.gpg?response-content-disposition=attachment%3B%20filename%3D%22ZipCosdaz.exe.gpg%22&AWSAccessKeyId=ASIA6KOSE3BNPHK3M4VL&Signature=R6BNn86MUesQsNsWiInS6mHzsMw%3D&x-amz-security-token=FwoGZXIvYXdzEOP%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaDN0cx6GI6vbmuWBSrCK%2BASm6DCrlx6iUPBJePwvhJAUQ6nttM1GtC6KdYLxWUP%2FzxVmg7Gd3yXeKZArtfq022G9nWYECNzQdAsymMdW8bgPtUDnGD5qOEAQi4RihEIomcpvK3BwGoOOaw2w8pyQ9oL1oIF%2FyJmwx9wYAyLTHT8FnD900YnXNAPHgmncubgoQ05ZGkx3pSc2SPVsPiU83f0G%2FYaDZ1yo1gQjKyBNjCYBUpXUk4z0wiK2kjT%2B1XKN171NFh5AMpno2sHV%2FMzIo%2FeqXngYyLQ6jpGjJGsptLmYjnMTHWpyFx3zdzvtiPynux9gOVzwGFBiRxlTXAOC1x2YttA%3D%3D&Expires=1673919621
- hxxps://bitbucket[.]org/ganhack123/load/downloads/ZLocal.gpg
- hxxps://bbuseruploads.s3.amazonaws[.]com/167118f1-f9a2-4a15-883b-f4bca0212b90/downloads/3f2b93d2-67f9-447b-9a43-5879da9f8018/ZLocal.gpg?response-content-disposition=attachment%3B%20filename%3D%22ZLocal.gpg%22&AWSAccessKeyId=ASIA6KOSE3BNMQ3M2QXD&Signature=h5WqF8mWws%2F%2BF7JI34D8H2tTVww%3D&x-amz-security-token=FwoGZXIvYXdzEOP%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaDEyDNIsqd2teCyZTyyK%2BATt0Ao5Xh1kkniY9jQYqNaCGKcSkN9F%2BwecQqATJjh5LQwv5QeAaBAUU3HWjUdIPd1rRQyTC2y2vhfTiUtUWbLLHPZ0L0cKSUZnu6SKVqhrPZplHX3Qgz6Svr7yinL89h0A1NLCYdHQTF33kNoTf865V3ZrgGQj58Jv%2BKgt1v6xsrGQDKePdIvt4eCsUYsXFIFUavt2YY6jLny6Uhynyw6eT3YgnMhfzU3rvrE0ynwRAE%2BxIC3HIyxoDIXhRPFgo%2FuqXngYyLUlIR42b6VfCUaSqhH8Syoem7OhLME26OIgh6vLQG6JsdB6vpA6MKWn3ThIJ4w%3D%3D&Expires=1673919622
- hxxps://raw.githubusercontent[.]com/swagkarna/Bypass-Tamper-Protection/main/NSudo.exe
- hxxps://raw.githubusercontent[.]com/swagkarna/Bypass-Tamper-Protection/main/NSudo.exe
- hxxps://raw.githubusercontent[.]com/swagkarna/Bypass-Tamper-Protection/main/NSudo.exe
- hxxps://www.7-zip[.]org/a/7z2201.exe
- hxxp://files.gpg4win[.]org/gpg4win-2.2.5.exe
- hxxps://advertising-check[.]ru/install.php

POST-INFECTION TRAFFIC FOR REDLINE STEALER:

- hxxp://193.56.146[.]114/pdfbuild.exe - EXE retreived by ZipCosdaz.exe
- 193.56.146[.]114 port 44271 - TCP traffic generated by Redline Stealer

POST-INFECTION TRAFFFIC FOR GOZI/ISFB/URSNIF:

- 79.132.130[.]171 port 80 - 79.132.130[.]171 - GET /fonts/[base64 string with underscores and backslashes].bak
- 79.132.130[.]171 port 80 - 79.132.130[.]171 - POST /fonts/[base64 string with underscores and backslashes].dot
- 79.132.128[.]228 port 80 - 79.132.128[.]228 - GET /fonts/[base64 string with underscores and backslashes].csv
- 45.11.182[.]208 port 80 - 45.11.182[.]208 - GET /v32.rar
- 45.11.182[.]208 port 80 - 45.11.182[.]208 - GET /v64.rar
- 79.132.129[.]220 port 443 - HTTPS/SSL/TLS traffic <-- unknown, possible Cobalt Strike but cannot confirm
- 176.113.115[.]177 port 80 - 176.113.115[.]177 - GET /stilak32.rar
- 176.113.115[.]177 port 80 - 176.113.115[.]177 - GET /stilak64.rar
- 79.132.128[.]228 port 80 - 79.132.128[.]228 - POST /fonts/[base64 string with underscores and backslashes].dot
- 45.11.182[.]30 port 80 - 45.11.182[.]30 - GET /fonts/[base64 string with underscores and backslashes].csv
- 185.189.151[.]61 port 80 - 185.189.151[.]61 - GET /fonts/[base64 string with underscores and backslashes].csv

ISSUER DATA FROM SELF-SIGNED CERTIFICATE USED FOR HTTPS/SSL/TLS TRAFFIC ON 79.132.129[.]220 PORT 443:

- id-at-commonName=temp.cloudflare.com
- id-at-organizationalUnitName=Cloudflare
- id-at-organizationName=Cloudflare Inc.
- id-at-localityName=San Francisco
- id-at-stateOrProvinceName=California
- id-at-countryName=US

NOTE: The above is issuer data from a self-signed certificate, and it appears to impersonate Cloudflare.
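Review bot: the three bbuseruploads.s3.amazonaws[.]com entries carry full presigned query strings (AWSAccessKeyId, Signature, x-amz-security-token, and Expires=1673919621 or similar, a January 2023 timestamp); these are short-lived S3 request parameters, not stable indicators, and they make the list hard to diff, so trim each to the path ending in ZipCosdaz1.exe.gpg, ZipCosdaz.exe.gpg and ZLocal.gpg. The raw.githubusercontent[.]com NSudo.exe URL is listed three times in a row; one entry is enough unless the repeat count is deliberate, in which case say so. Spelling: "it also installer malware" should be "it also installs malware", "retreives" and "privileg" in NOTES, "TRAFFFIC" in the Gozi heading, and the Cobalt Strike sentence in NOTES is missing its period.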
69 changes: 69 additions & 0 deletions 2023-01-23-IOCs-for-Google-ad-for-possible-TA505-activity.txt
@@ -0,0 +1,69 @@
2022023-01-23 (MONDAY): GOOGLE AD --> FAKE ANYDESK PAGE --> POSSIBLE TA505 ACTIVITY

REFERENCE:

- https://twitter.com/Unit42_Intel/status/1617672614792642560

NOTES:

- Download-cdn[.]com seen in today's traffic is associated with infrastructure previously used for TA505's "Get2" (GetandGo) loader.
- TA505's Get2 loader was last seen in 2020, back when threat actors more commonly used Microsoft Office documents as initial lures.

INFECTION CHAIN:

- Google ad --> fake AnyDesk page --> MSI --> traffic for persistent DLL --> traffic for additional DLL --> post-infection C2

GOOGLE AD:

- hxxps://www.googleadservices[.]com/pagead/aclk?sa=L&ai=DChcSEwjXyOnToN78AhW3fG8EHXGmBggYABABGgJqZg&ohost=www.google.com&
cid=CAASJuRoQHLL0UjPJuRfBwY5hCvWnzj89qG_kmWAzxtkdnaNbPIElHZF&sig=AOD64_3_5-fOmGsshEyXOapF53KCoq3rWA&q&
adurl&ved=2ahUKEwiOwuHToN78AhVGlGoFHRkEAOMQ0Qx6BAgLEAE

- 188.127.239[.]132 - hxxps://www.amydecke[.]online/?gclid=EAIaIQobChMI18jp06De_AIVt3xvBB1xpgYIEAAYASAAEgK_1PD_BwE

FAKE ANYDESK PAGE:

- 191.101.13[.]129 - hxxps://anydeskcloud[.]tech/?gclid=EAIaIQobChMI18jp06De_AIVt3xvBB1xpgYIEAAYASAAEgK_1PD_BwE

MSI FILE DOWNLOAD

- 191.101.13[.]129 - hxxps://anydeskcloud[.]tech/download/AnyDeskSetup_26b30163.msi

DOWNLOADED MSI FILE:

- SHA256 hash: e4edb4cc8f35c7bab6e89774a279593d492714fce9865e53879f87d3704ad96c
- File size: 11,544,064 bytes
- File name: AnyDeskSetup_26b30163.msi
- File description: MSI installer for TA505 malware
- Sample: https://bazaar.abuse.ch/sample/e4edb4cc8f35c7bab6e89774a279593d492714fce9865e53879f87d3704ad96c/
- Note: SAH256 hash for this sample was first reported in VT on 2022-12-01.

INFECTION TRAFFIC:

- 152.89.196[.]75 - hxxps://download-cdn[.]com/download.php?f=Ldrp.dll&from=AnyDeskSetup_26b30163.msi <-- DLL for persistent malware
- 152.89.196[.]75 - hxxps://download-cdn[.]com/pload/26b30163 <-- Follow-up DLL retrieved by persistent malware

EXAMPLE OF PERSISTENT MALWARE:

- SHA256 hash: caaea7ec83956a823420a78dec430fddb5db65d9fa4bc6555659b9b0c05c817a
- File size: 112,640 bytes
- File location: hxxps://download-cdn[.]com/download.php?f=Ldrp.dll&from=AnyDeskSetup_26b30163.msi
- File location: C:\ProgramData\1c220cdc.dat
- File description: DLL used to keep TA505 malware persistent
- Sample: https://bazaar.abuse.ch/sample/caaea7ec83956a823420a78dec430fddb5db65d9fa4bc6555659b9b0c05c817a/
- Run method: rundll32.exe [filename],#2
- Note: File hash and file name is different each time the MSI file installer is run, although file size and
placement under C:\ProgramData\ directory remain consistent.

POST-INFECTION C2 TRAFFIC:

- 64.190.113[.]123:443 - TCP traffic

EXAMPLE OF MALWARE RESPONSIBLE FOR POST-INFECTION TRAFFIC:

- SHA256 hash: e14ee6302076a2bb9e5634407500757319d5de9c45305ec6269120b7283b24cf
- File size: 94,720 bytes
- File location: hxxps://download-cdn[.]com/pload/26b30163
- File description: DLL retreived by persistent malware but not saved to disk
- Sample: https://bazaar.abuse.ch/sample/e14ee6302076a2bb9e5634407500757319d5de9c45305ec6269120b7283b24cf/
- Note: File hash is different each time this file is retrieved from download-cdn[.]com
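Review bot: the title date is garbled: "2022023-01-23 (MONDAY)" should be "2023-01-23 (MONDAY)" to match the file name. The GOOGLE AD entry is wrapped across three lines, so a line-oriented parser will see "cid=CAASJuRo..." and "adurl&ved=..." as separate, invalid indicators; keep the URL on one line as the other entries are. Minor: "MSI FILE DOWNLOAD" lacks the trailing colon the other headings have, "SAH256" in the MSI note, "retreived" in the last entry, and "File hash and file name is different" should read "are different".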

0 comments on commit 3d64757