This rather terse spam run leads to Locky ransomware and appears to come from the sender's own email account (but doesn't).
The subject is some variation of DOC / Document / document plus a number. There is a ZIP file attached with a name matching the subject, and there is no body text.
Some examples:
Subject: DOC541887
Attachment: DOC541887.zip
Subject: document36168
Attachment: document36168.zip
Subject: Document453567810
Attachment: Document453567810.zip
Contained within the ZIP file is one of several different .js scripts. Trusted third-party analysis (you know who you are, thank you!) shows download locations at:
calcoastlogistics.com/09ujnb76v5?yNVICJbit=nFikKFve
labthanhthanhpg.com/09ujnb76v5?yNVICJbit=nFikKFve
patmagifts.asia/09ujnb76v5?yNVICJbit=nFikKFve
shadowbi.com/09ujnb76v5?yNVICJbit=nFikKFve
www.tmdmagento.com/09ujnb76v5?yNVICJbit=nFikKFve
Detection rates for the dropped binary are 5/54. The malware phones home to the following IPs:
51.254.240.48 (Andrey Orlov aka Relink LLC, Russia / OVH, France)
217.12.223.88 (ITL, Ukraine)
195.123.209.227 (ITL, Latvia)
185.82.216.61 (ITL, Bulgaria)
Recommended blocklist:
51.254.240.48
217.12.223.88
195.123.209.227
185.82.216.61
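A mail-filter and proxy-log check built from the lure and indicators above, added here as an example (not from the original post). The messages and log lines it processes are constructed test data; the user@example.com addresses and the log line format are placeholders.

```python
import re
from email import message_from_string, policy

# Lure described above: subject is DOC/Document/document plus digits, the only
# attachment is a ZIP named after the subject, and the message has no body text.
SUBJECT_RE = re.compile(r"^(?:DOC|Document|document)\d+$")

# Indicators quoted in the post: download URL path and phone-home IPs.
DOWNLOAD_PATH = "/09ujnb76v5"
C2_IPS = {"51.254.240.48", "217.12.223.88", "195.123.209.227", "185.82.216.61"}


def matches_lure(raw_message):
    """Return True when a raw RFC 822 message fits the spam run's template."""
    msg = message_from_string(raw_message, policy=policy.default)
    subject = (msg["Subject"] or "").strip()
    if not SUBJECT_RE.match(subject):
        return False
    names = [part.get_filename() for part in msg.iter_attachments()]
    if names != [subject + ".zip"]:
        return False
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    return text.strip() == ""


def flag_proxy_line(line):
    """Return a reason string if a proxy log line touches the indicators, else None."""
    if DOWNLOAD_PATH in line:
        return "locky-download-path"
    for ip in re.findall(r"\b(?:\d{1,3}\.){3}\d{1,3}\b", line):
        if ip in C2_IPS:
            return "locky-c2-ip"
    return None


def build_sample(subject, attachment, body=""):
    """Construct a test message (not a captured sample) in the run's shape."""
    return (
        "From: user@example.com\nTo: user@example.com\n"
        f"Subject: {subject}\nMIME-Version: 1.0\n"
        'Content-Type: multipart/mixed; boundary="b1"\n\n'
        f'--b1\nContent-Type: text/plain; charset="us-ascii"\n\n{body}\n'
        "--b1\nContent-Type: application/zip\n"
        f'Content-Disposition: attachment; filename="{attachment}"\n'
        "Content-Transfer-Encoding: base64\n\nUEsDBAo=\n--b1--\n"
    )


if __name__ == "__main__":
    print(matches_lure(build_sample("DOC541887", "DOC541887.zip")))
    print(flag_proxy_line("10.0.0.5 CONNECT 217.12.223.88:443"))
```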