From: Trevor David
Date: 3 October 2016 at 13:46
Subject: Pede Industries

Hello

I have shipped your packet. Please check the report enclosed here to view more info.

Word doc password: JqpcGrKK9

Pede Industries

Company names and senders are randomly generated. Attached is a randomly-named .DOT file with password protection. The password protection makes it hard to analyse, but my source tells me that these documents download from:

www.ldlogistic.it/kls.doc
csir.bdx6.siteinternet.com/kls.doc

The dropped malware apparently has an MD5 of 0e7913875724151d8e822add07ec75b2.

Once downloaded, the malware attempts to make a C2 connection to an IP in the range 31.184.234.0/23:6892 (GTO, Montenegro and Virty.io, Russia). I don't know which is the active IP, but blocking the entire /23 might be a good precaution.
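As an added illustration (not part of the original post), here is a small Python script that matches proxy and firewall log lines against the indicators above: the two kls.doc download locations and any destination inside 31.184.234.0/23 on port 6892. The log lines are constructed for the example and their formats are assumptions; adapt the regexes to your own logs.

```python
import ipaddress
import re

# Indicators taken from the post above
C2_NET = ipaddress.ip_network("31.184.234.0/23")   # covers 31.184.234.0 - 31.184.235.255
C2_PORT = 6892
DOWNLOAD_HOSTS = {"www.ldlogistic.it", "csir.bdx6.siteinternet.com"}
DOWNLOAD_PATH = "/kls.doc"

# Constructed sample log lines (not real traffic); formats are assumed
SAMPLE_LOGS = [
    "2016-10-03T13:50:01 proxy client=10.0.0.15 GET http://www.ldlogistic.it/kls.doc status=200",
    "2016-10-03T13:50:02 proxy client=10.0.0.15 GET http://example.org/index.html status=200",
    "2016-10-03T13:51:10 fw src=10.0.0.15 dst=31.184.235.17 dport=6892 action=allow",
    "2016-10-03T13:51:11 fw src=10.0.0.22 dst=31.184.236.1 dport=6892 action=allow",
    "2016-10-03T13:51:12 fw src=10.0.0.22 dst=31.184.234.9 dport=443 action=allow",
]

PROXY_RE = re.compile(r"client=(\S+) GET http://([^/\s]+)(/\S*)")
FW_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+)")


def classify(line):
    """Return (reason, internal host) if the line matches an indicator, else None."""
    m = PROXY_RE.search(line)
    if m:
        client, host, path = m.groups()
        if host in DOWNLOAD_HOSTS and path == DOWNLOAD_PATH:
            return ("document download", client)
        return None
    m = FW_RE.search(line)
    if m:
        src, dst, dport = m.groups()
        try:
            dst_ip = ipaddress.ip_address(dst)
        except ValueError:
            return None          # not an IP literal; ignore
        # Only the /23 on the reported C2 port; 31.184.236.x is outside the /23
        if dst_ip in C2_NET and int(dport) == C2_PORT:
            return ("C2 connection", src)
    return None


def find_hits(lines):
    """Collect (reason, internal host, raw line) for every matching line."""
    return [(r[0], r[1], line) for line in lines for r in [classify(line)] if r]


if __name__ == "__main__":
    for reason, host, line in find_hits(SAMPLE_LOGS):
        print(f"{reason:18} {host:12} {line}")
```

Both hits in the sample come from the same internal host, which is the pivot a responder would want: the download is the delivery, the port 6892 connection is the follow-on.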