Add files via upload

brad-duncan authored Jan 29, 2024
1 parent 3d64757 commit a97bbf9
Showing 10 changed files with 1,098 additions and 0 deletions.
66 changes: 66 additions & 0 deletions 2023-03-06-IOCs-for-Gozi-infection.txt
@@ -0,0 +1,66 @@
2023-03-06 (MONDAY): GOZI (ISFB/URSNIF) FROM MALSPAM TARGETING ITALY

REFERENCE:

- https://twitter.com/Unit42_Intel/status/1633934017031467010

NOTES:

- This activity was first tweeted on Monday 2023-03-06 by the Italy CERT at @AgidCert
- As of Thursday 2023-03-09, many URLs and servers hosting the associted malware were apparently still on-line.

ORIGINAL REFERENCES:

- https://twitter.com/AgidCert/status/1632686769203302402
- https://twitter.com/JAMESWT_MHT/status/1632693485739429889

INFECTION CHAIN:

- Email --> link --> downloaded zip --> double-click extracted .url file --> SMB traffic for Gozi EXE --> Gozi infection

MALWARE FROM AN INFECTION TEST RUN ON 2023-03-06:

- SHA256 hash: 57befac41319e7e1fc9d6cd5637240fa766bdbc562d7720bb04beee36113ae10
- File size: 474 bytes
- File location: hxxps://nhatheptienchebinhduong[.]com/mise/Normativa.zip
- File description: Zip archive from link in email

- SHA256 hash: c59dc482b521b021813681f99a8570aa0f57a30bcf42d48667eb09ae635cc9a1
- File size: 189 bytes
- File name Normativa.url
- File description: URL file extracted from the above zip archive

- SHA256 hash: fc3e7ff40a45bccd83617ea952eccdfc93301c6673cce8de33b4bf924b8957d9
- File size: 318,976 bytes
- File location: file://46.8.19[.]163/mise/server.exe
- File description: Windows EXE for Gozi/ISFB/Ursnif retrieved by the above .url file

TRAFFIC FROM AN INFECTED WINDOWS HOST:

URL FOR INITIAL ZIP DOWNLOAD:

- 103.138.88[.]52 port 80 - nhatheptienchebinhduong[.]com - GET /mise/Normativa.zip
- Note: The URL for this is HTTPS, but it can also be retrieved over unencrypted HTTP traffic.

SMB TRAFFIC FOR GOZI (ISFB/URSNIF) EXE:

- 46.8.19[.]163 port 445 - SMB traffic - file://46.8.19[.]163/mise/server.exe

GOZI (ISFB/URSNIF) C2:

- 62.173.140[.]103 port 80 - 62.173.140[.]103 - GET /drew/[base64 string with underscores and backslashes].jlk
- 62.173.138[.]138 port 80 - 62.173.138[.]138 - GET /drew/[base64 string with underscores and backslashes].gif
- 62.173.149[.]243 port 80 - 62.173.149[.]243 - GET /stilak32.rar
- 62.173.149[.]243 port 80 - 62.173.149[.]243 - GET /stilak64.rar
- 62.173.138[.]138 port 80 - 62.173.138[.]138 - POST /drew/[base64 string with underscores and backslashes].bmp
- 62.173.149[.]243 port 80 - 62.173.149[.]243 - GET /cook32.rar
- 62.173.149[.]243 port 80 - 62.173.149[.]243 - GET /cook64.rar
- 62.173.140[.]94 port 80 - 62.173.140[.]94 - GET /drew/[base64 string with underscores and backslashes].gif
- 31.41.44[.]60 port 80 - 31.41.44[.]60 - GET /drew/[base64 string with underscores and backslashes].gif
- 46.8.19[.]233 port 80 - 46.8.19[.]233 - GET /drew/[base64 string with underscores and backslashes].gif
- 5.44.45[.]201 port 80 - 5.44.45[.]201 - GET /drew/[base64 string with underscores and backslashes].gif
- 89.116.236[.]41 port 80 - 89.116.236[.]41 - GET /drew/[base64 string with underscores and backslashes].gif
- 62.173.140[.]76 port 80 - 62.173.140[.]76 - GET /drew/[base64 string with underscores and backslashes].gif
- 31.41.44[.]49 port 80 - 31.41.44[.]49 - GET /drew/[base64 string with underscores and backslashes].gif
- 46.8.19[.]86 port 80 - 46.8.19[.]86 - GET /drew/[base64 string with underscores and backslashes].gif
- 62.173.140[.]94 port 80 - 62.173.140[.]94 - GET /drew/[base64 string with underscores and backslashes].gif
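Review bot: the last entry under GOZI (ISFB/URSNIF) C2, "62.173.140[.]94 port 80 - 62.173.140[.]94 - GET /drew/[base64 string with underscores and backslashes].gif", duplicates the entry eight lines above it; drop one of them or add a note that the same request was observed twice. Two smaller points in the same file: "associted" in NOTES should be "associated", and "File name Normativa.url" is missing the colon that every other field label in the file uses ("File name: Normativa.url").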
100 changes: 100 additions & 0 deletions 2023-03-07-IOCs-for-Emotet-activity.txt
@@ -0,0 +1,100 @@
2023-03-07 (TUESDAY) - EMOTET INFECTION WITH SPAMBOT ACTIVITY

REFERENCE:

- https://twitter.com/Unit42_Intel/status/1633238684278591489

NOTES:

- Emotet has not sent any new spam since sometime in November 2022, about 3 & 1/2 to 4 months ago.
- On Tuesday 2023-03-07 starting at approximately 1200 UTC, Emotet's epoch 4 botnet resumed spamming.
-- Reference: https://twitter.com/Cryptolaemus1/status/1633099154623803394
- Emotet emails so far have zip attachments containing inflated Word documents (500+ MB) with macros for Emotet.
- The Word macros retrieve zip archives which contain inflated 64-bit DLL files (500+ MB) for Emotet.
- Aside from the inflated Word docs and inflated DLL files, the infection patterns are similar to Emotet before its haitus.

INFECTION CHAIN:

- Email --> zip attachment --> 500+ MB Word doc --> enable macros --> download zip --> 500+ MB DLL from zip --> Emotet C2

EXAMPLES OF ZIP ATTACHMENTS FOR EMOTET MALSPAM:

- 4d9a6dfca804989d40eeca9bb2d90ef33f3980eb07ca89bbba06d0ef4b37634b - 661,401 bytes - Electronic form 03.07.2023.zip
- 4bc2d14585c197ad3aa5836b3f7d9d784d7afe79856e0ddf850fc3c676b6ecb1 - 670,543 bytes - Form Dt 03.07.2023 [info removed].zip
- 3b4fad0f7faeaa5d64daa9188a67b0de49f8909321e969c086204414652795ff - 648,160 bytes - INVOICE0000006407.zip
- afbc2421cd177bf8ca5e42f8b51c0330f1a7bec7b3214483ce653c691dbbb235 - 642,054 bytes - PO000206886.zip

INFLATED WORD DOCS EXTRACTED FROM THE ABOVE ZIP ARCHIVES:

- a0fe232fc8549e095d56da4467af9a01b4c766ae07178fce89bd486afa2846ad - 573,794,304 bytes - 36417 (Electric).doc
- 2e116e6a43dcc2ee55df34664a7d5bfae36918f3a8ce5af97be6cb99e3a4de5b - 551,774,208 bytes - Electronic form 03.07.2023.doc
- be670a75e6f3406b6143221503e7183eecdae30e1b2be864b3f668692d0acca1 - 561,211,392 bytes - Form Dt 03.07.2023.doc
- 745a064f8faeb470661c5277e7de8a282eb784d55dea0f8530e502732be8ee46 - 538,142,720 bytes - INVOICE 0000006407, US.doc

URLS GENERATED BY MACROS FROM THE ABOVE WORD DOCS:

- hxxps://midcoastsupplies[.]com[.]au/configNQS/Es2oE4GEH7fbZ/?[six digits]
- hxxps://esentai-gourmet[.]kz/404/EDt0f/?[six digits]
- hxxps://www.snaptikt[.]com/wp-includes/aM4Cz6wp2K4sfQ/?[six digits]
- hxxp://mtp.evotek[.]vn/wp-content/L/?[six digits]
- hxxp://www.189dom[.]com/xue80/C0aJr5tfI5Pvi8m/?[six digits]
- hxxp://139.219.4[.]166/wp-includes/XXrRaJtiutdHn7N13/?[six digits]
- hxxps://diasgallery[.]com/about/R/?[six digits]

- NOTE: So far, same URLs from every Word doc, but the six digits after the ? are variable.

FILES FROM AN INFECTED WINDOWS HOST:

- SHA256 hash: 4dd92c67830fbfe62fdfd431b426092ca041387c9e1598ea7e7fd18c7ef821cf
- File size: 891,292 bytes
- File location: hxxp://mtp.evotek[.]vn/wp-content/L/?160244
- File location: [same directory as the Word document]/160244.zip
- File type: Zip archive data, at least v2.0 to extract, compression method=deflate
- File description: Zip archive retreived by Word macro

- SHA256 hash: 5400be12ec93d6936c2393bce3a285865e0b5f9280f2c0ce80b1827d07e84620
- File size: 547,028,493 bytes
- File type: Zip archive data, at least v2.0 to extract, compression method=deflate
- Initial file location: [same directory as the Word document]/160244/BWJ3Dpilxzevuv4T.dll
- Persistent location: C:\Users\[username]\AppData\Local\[random alphanumeric characters]\[random alphanumeric characters].dll
- File description: 64-bit DLL for Emotet extracted from the above zip archive
- Run method: regsvr32.exe /s [filename]

TRAFFIC FROM AN INFECTED WINDOWS HOST:

TRAFFIC GENERATED BY WORD MACRO TO RETRIEVE THE ZIP-ED DLL:

- 203.26.41[.]132 port 443 - midcoastsupplies.com.au - HTTPS traffic
- 101.99.3[.]20 port 80 - mtp.evotek.vn - GET /wp-content/L/?160244

EMOTET C2 TRAFFIC:

- 45.55.44[.]204 port 7080
- 54.37.136[.]187 port 443
- 66.228.32[.]31 port 7080
- 91.121.146[.]47 port 8080
- 91.207.181[.]106 port 443
- 103.159.224[.]46 port 8080
- 128.199.24[.]148 port 8080
- 165.22.211[.]113 port 8080
- 165.227.166[.]238 port 8080
- 167.172.248[.]70 port 8080
- 178.128.23[.]9 port 7080
- 178.128.31[.]80 port 443
- 178.128.82[.]218 port 443
- 182.162.143[.]56 port 443
- 190.90.233[.]69 port 443
- 213.32.75[.]32 port 8080

SPAMBOT ACTIVITY:

- Various IP addresses over various ports - mostly encrypted SMTP traffic

CERTIFICATE ISSUER DATA FOR EMOTET HTTPS C2 TRAFFIC:

- id-at-countryName=GB
- id-at-stateOrProvinceName=London
- id-at-localityName=London
- id-at-organizationaName=Global Security
- id-at-organizationalUnitName=IT Department
- id-at-commonName=example.com
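Review bot: the "File type" line for the 547,028,493-byte Emotet DLL repeats the zip archive's descriptor from the entry above it ("Zip archive data, at least v2.0 to extract, compression method=deflate"); a 64-bit DLL does not identify as a zip archive, so this looks copy-pasted and should be replaced with the DLL's actual file type or removed. Consistency points: the two hosts under TRAFFIC GENERATED BY WORD MACRO (midcoastsupplies.com.au, mtp.evotek.vn) are not defanged, while the same domains are bracketed in the URL list above. Typos: "haitus" should be "hiatus", "retreived" should be "retrieved", and "id-at-organizationaName" should be "id-at-organizationName".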
60 changes: 60 additions & 0 deletions 2023-03-10-IOCs-for-CloakedUrsa-APT29-Activity.txt
@@ -0,0 +1,60 @@
FEBRUARY 2023: CLOAKED URSA (APT29) PHISHING

REFERENCE:

- https://twitter.com/Unit42_Intel/status/1634290575393402883

NOTES:

- This highlights additional activity originally reported upon by Recorded Future's Insikt Group on 20230127.
- The activity related to SHA256 21a0b617431850a9ea2698515c277cbd95de4e59c493d0d8f194f3808eb16354 was first tweeted on 20230305 by @felixaime
- Cloaked Ursa continues to use compromised WordPress sites to deliver malicious payloads in its phishing operations


REFERENCES:

- https://go.recordedfuture.com/hubfs/reports/cta-2023-0127.pdf
- https://twitter.com/felixaime/status/1632448523995103232


INFECTION CHAIN:

- Email --> link --> HTA file containing obfuscated archive --> open downloaded archive file --> click on masquerading .exe / .lnk file within archive -->
GraphicalNeutrino .dll loads and contacts notion[.]com for C2 & additional payloads


COMPROMISED WORDPRESS SITES USED:
signitivelogics[.]com
literaturaelsalvador[.]com

-----

Czech Republic Ministry of Foreign Affairs-Related:
--> URL: hxxps://signitivelogics[.]com/Schedule.html
--> Downloaded Archive: SHA256 56595330e9b7abc1fb1044ca7970693fab47d3191d1d98d7f7b5a12e43e07a0b; Filename: Schedule.zip
--> Legitimate .exe: SHA256 8ca4bf6df28088aa9ce3fc4a226932ae37af74ef54069480b7f4b2efe9402ddc; Filename: Meeting_Info.exe (Legitimate BsSndRpt.exe)
--> Hidden GraphicalNeutrino .dll: SHA256 4d92a4cecb62d237647a20d2cdfd944d5a29c1a14b274d729e9c8ccca1f0b68b; Filename: BugSplatRc64.dll

-----

European Commission-Related Software Instructions:
hxxps://literaturaelsalvador[.]com/Instructions.html
--> Downloaded Archive: SHA256 21a0b617431850a9ea2698515c277cbd95de4e59c493d0d8f194f3808eb16354; Filename: Instructions.iso
--> .lnk File: dffaefaabbcf6da029f927e67e38c0d1e6271bf998040cfd6d8c50a4eff639df; Filename: Instructions.lnk
--> GraphicalNeutrino .dll: SHA256 e957326b2167fa7ccd508cbf531779a28bfce75eb2635ab81826a522979aeb98; Filename: BugSplatRc64.dll

-----

Polish Ministry of Foreign Affairs-Related:
hxxps://literaturaelsalvador[.]com/Schedule.html
--> Downloaded Archive: SHA256 505f1e5aed542e8bfdb0052bbe8d3a2a9b08fc66ae49efbc9d9188a44c3870ed; Filename: Schedule.iso
--> .lnk File: dffaefaabbcf6da029f927e67e38c0d1e6271bf998040cfd6d8c50a4eff639df; Filename: Instructions.lnk
--> GraphicalNeutrino .dll: SHA256 e957326b2167fa7ccd508cbf531779a28bfce75eb2635ab81826a522979aeb98; Filename: BugSplatRc64.dll

-----

BMW Automobile Purchase-Related:
--> URL: hxxps://signitivelogics[.]com/BMW.html
--> Downloaded Archive: SHA256 9c72d80f93ef4d51efbc1c4e29e65cc8af399a1e9463bacc694fb32ea5342771; Filename: Car_info.zip
--> Legitimate .exe: SHA256 8ca4bf6df28088aa9ce3fc4a226932ae37af74ef54069480b7f4b2efe9402ddc; Filename: BMW_sale.exe (Legitimate BsSndRpt.exe)
--> Hidden GraphicalNeutrino .dll: SHA256 3a489ef91058620951cb185ec548b67f2b8d047e6fdb7638645ec092fc89a835; Filename: BugSplatRc64.dll
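Review bot: the Polish Ministry of Foreign Affairs block lists the same .lnk (dffaefaabbcf6da029f927e67e38c0d1e6271bf998040cfd6d8c50a4eff639df; Instructions.lnk) and the same GraphicalNeutrino DLL hash (e957326b...) as the European Commission block, even though its archive is Schedule.iso rather than Instructions.iso; please confirm this is not a copy-paste of the previous block, and if both ISOs really carry an identical .lnk and DLL, say so in NOTES. Smaller points: the two ".lnk File:" lines omit the "SHA256" label that the other hash lines carry; the dates 20230127 and 20230305 use a different format from the YYYY-MM-DD used in the other files in this commit; the INFECTION CHAIN line is wrapped in the middle of the chain; and the entries under COMPROMISED WORDPRESS SITES USED lack the "- " bullet used for every other list in the file.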
153 changes: 153 additions & 0 deletions 2023-03-16-IOCs-for-Emotet-E5-activity.txt
@@ -0,0 +1,153 @@
2023-03-16 (THURSDAY) - EPOCH 5 ACTIVITY: EMOTET NOW ALSO USING ONENOTE FILES

REFERENCE:

- https://twitter.com/Unit42_Intel/status/1636739251277647874

NOTES:

- As early as Wednesday 2023-03-15 at 21:21 UTC, Emotet's epoch 5 botnet began using OneNote files in its malspam.
- Since the OneNote files appeared, some malspam still uses zip attachments containing inflated Word documents.
- Since the OneNote files appeared, follow-up Emotet DLL files are no longer inflated.
- Emotet DLL files are now well-under 1 MB, whether called by script from OneNote files or called by Word macros.
- An infected Windows lab host generated spambot activity on 2023-03-16 starting at approximately 15:28 UTC.

- The following are date/time and attachment type from 10 examples sent by the epoch 5 botnet:

-- 2023-03-15 21:21 UTC - OneNote attachment
-- 2023-03-16 03:09 UTC - OneNote attachment
-- 2023-03-16 03:16 UTC - OneNote attachment
-- 2023-03-16 03:18 UTC - OneNote attachment
-- 2023-03-16 06:54 UTC - OneNote attachment
-- 2023-03-16 10:40 UTC - zip attachment
-- 2023-03-16 10:41 UTC - zip attachment
-- 2023-03-16 15:33 UTC - OneNote attachment
-- 2023-03-16 18:24 UTC - zip attachment
-- 2023-03-16 20:08 UTC - zip attachment

DETAILS FOLLOW:

ZIP ARCHIVE FILE SIZES FROM 4 SAMPLES:

- 760,416 bytes - DATA 669635.zip
- 752,279 bytes - Data-16032023.zip
- 774,665 bytes - list-896881.zip
- 758,393 bytes - list_56062576009.zip

ZIP ARCHIVE SHA256 HASHES:

- 341f723772e0975ad98df44453e4d950a0e0a235979886edac27cf1ea43b89c4 DATA 669635.zip
- d628e2677183ff1576207410f0a11b2391d619c31291dd937e0cd6498bca64fa Data-16032023.zip
- fa413a95667abe33091b03b160aae83636b6ed3a97694e05861c1526943a551e list-896881.zip
- 12166599ae7ef34b66e729c21cdefc44cff5d5e2e12a2918c4705505f104329d list_56062576009.zip

EXTRACTED DOC FILE SIZES:

- 558,271,488 bytes - DATA 669635.doc
- 549,882,880 bytes - Data-16032023.doc
- 572,951,552 bytes - list-896881.doc
- 556,174,336 bytes - list_56062576009.doc

EXTRACTED DOC SHA256 HASHES:

- e910711f1172d35fffbd46bb33026df9e563b978e47fcb0fa910fa1df93e96da DATA 669635.doc
- f8d2147adc0c6218797343784493a1252a49d28e4f73f4c38df527a4b69240c4 Data-16032023.doc
- e6e06d8eeddfdb0d2785232274f2548e4a8699043818e1671a4bcdc9fc5cff02 list-896881.doc
- a60bc23b594f47710b80810a00a7e4022a84c20a967612d69c9b0f0f53b9b725 list_56062576009.doc

9 URLS GENERATED BY MACROS FROM THE ABOVE WORD DOCS:

- hxxp://7gallery[.]com/Tempur/vowpsy6ObSB7UMui/?024347&c=1
- hxxps://bosny[.]com/aspnet_client/LRYvI7/?024348&c=1
- hxxp://www.dcdestudio[.]com[.]ar/dcd/71ycoQSy/?024347&c=1
- hxxp://erkaradyator[.]com[.]tr/Areas/My5PdKnB/?024347&c=1
- hxxp://li-sa[.]jp/_phpMyAdmin/IWxxPYWM8AI53xYqO4/?024349&c=1
- hxxp://sipo[.]ru/images/UIbyj3q8881cJ/?024347&c=1
- hxxp://walkiria.5v[.]pl/wp-includes/ZWHV38j/?024347&c=1
- hxxp://webthaihosting[.]com/cgi-bin/wnDNU/?024347&c=1
- hxxp://www.snoek-landmeten[.]nl/Wordpress/Oh4CQgV/?024349&c=1

- Note: The 6-digits before &c=1 are randomly generated each time Word macros are enabled.

ONENOTE FILE SIZES FROM 6 SAMPLES:

- 134,140 bytes - Details-3922941.one
- 134,140 bytes - ECLL 16032023.one
- 134,140 bytes - List_1603.one
- 134,140 bytes - Scan_247.one
- 134,140 bytes - details_481978819.one
- 134,140 bytes - report 1219844918.one

ONENOTE SHA256 HASHES:

- f24259e65a935722c36ab36f6e4429a1d0f04c0ac3600e4286cc717acc5b03d7 Details-3922941.one
- 823cb940b33f1d14576de6ab9bf747b3a1632accb0104ba1bdbbb62ae5054f3c ECLL 16032023.one
- 2d2a9278a7ee9c29e8a09d31b217a3ae7e88f2ae48eb44e1a1a4a879653dd126 List_1603.one
- ecba257a646789c31d971efc233267495ac532109e92b064bac0c8e231a27a38 Scan_247.one
- 5d65ab3b6748ba7034dc0588f2d61fa43e7fce7ed5ee6ab533e2f08274bc5d22 details_481978819.one
- 7c4591fd03b73ba6d0ec71a3cf89a04bfb4bd240d359117d96834a83727bdcc2 report 1219844918.one

.WSF EMBEDDED IN EACH OF THE ABOVE .ONE FILES:

- SHA256 hash: af0c7d355bb6a495d038fd05217209054107d31aa6199c491b74ae3d24b11c7e
- File size: 63,088 bytes
- File name: click.wsf
- Example of saved file location: C:\Users\user1\AppData\Local\Temp\OneNote\16.0\Exported\{56D2BD78-EBDE-44C6-87B3-A47B99EFE0E4}\NT\0\click.wsf
- File description: Script file embedded in OneNote attachments (same SHA256 for all the above .one files)

12 URLS GENERATED BY THE ABOVE .WSF:

- hxxp://1it[.]fit/site_vp/4PwK3s6Bf9K7TEA/
- hxxps://4fly[.]su/search/OfGA/
- hxxp://efirma.sglwebs[.]com/img/2mmLuv7SxhhYFRVn/
- hxxp://hypernite.5v[.]pl/vendor/hvlVMsI9jGafBBTa/
- hxxps://kts[.]group/35ccbf2003/jKgk8/
- hxxp://malli[.]su/img/PXN5J/
- hxxps://olgaperezporro[.]com/js/ExGBiCZdkkw0GBAuHNZ/
- hxxp://semedacara.com[.]br/ava/ahhz/
- hxxp://staging-demo[.]com/public_html/wTG/
- hxxps://thailandcan[.]org/assets/ulRa/
- hxxp://uk-eurodom[.]com/bitrix/9HrzPY66D1F/
- hxxp://www.polarkh-crewing[.]com/aboutus/EUzMzX7yXpP/

EXAMPLE OF AN EMOTET DLL:

- SHA256 hash: aa57889a91be96c5b5cae185792f5ad76eb5248abb66344a740266a1c297cfd7
- File size: 307,712 bytes
- File location: hxxp://malli[.]su/img/PXN5J/
- Saved file location: same temp directory as above click.wsf file
- Saved file name: rad00A25.tmp.dll
- File description: 64-bit DLL for Emotet
- Run method: regsvr32.exe [filename]
- Note: File size and hash were different when downloaded from same URL at a later time.

SUCCESSFUL HTTPS TRAFFIC FOR EMOTET C2 ACTIVITY:

- 93.84.115.205 port 7080
- 94.23.45.86 port 4143 <-- sent approx 4 MB of data to infected host immediately before spambot activity
- 103.224.241.74 port 8080
- 115.178.55.22 port 80
- 116.125.120.88 port 443
- 128.199.93.156 port 8080
- 139.196.72.155 port 8080
- 165.22.246.219 port 8080
- 165.227.153.100 port 8080
- 165.227.211.222 port 8080
- 174.138.33.49 port 7080
- 177.39.156.177 port 443
- 178.62.112.199 port 8080
- 186.250.48.5 port 443
- 198.199.70.22 port 8080

CERTIFICATE ISSUER DATA FOR ALL EMOTET HTTPS C2 TRAFFIC:

- id-at-countryName=GB
- id-at-stateOrProvinceName=London
- id-at-localityName=London
- id-at-organizationaName=Global Security
- id-at-organizationalUnitName=IT Department
- id-at-commonName=example.com

SPAMBOT ACTIVITY:

- Various IP addresses over TCP ports 25, 465, and 587
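Review bot: the fifteen addresses under SUCCESSFUL HTTPS TRAFFIC FOR EMOTET C2 ACTIVITY are not defanged ("93.84.115.205 port 7080", "94.23.45.86 port 4143", and so on), unlike every other IP address in this commit, which uses the [.] form; bracket them so the list is consistent and the addresses are not rendered as clickable. Typos: "well-under 1 MB" should be "well under 1 MB", "The 6-digits before &c=1" should be "The six digits before &c=1", and "id-at-organizationaName" should be "id-at-organizationName" (the same typo appears in the 2023-03-07 file in this commit).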

0 comments on commit a97bbf9