Cofense Intelligence™ has identified a phishing campaign targeting Brazilian citizens with the Astaroth Trojan in which Facebook and YouTube profiles are used in support of the infection. The complex chain of events that leads to the successful installation of the Astaroth Trojan all starts with an .htm file attached to an email. There are numerous stages within this infection chain that could have been stopped with properly layered defenses on the email and network security stack. However, at each step of the infection, this campaign uses trusted sources and the end user to help advance to the next stage, ultimately leading to an eventual exfiltration of sensitive information.
This Astaroth Trojan campaign exclusively targeted Brazilians, as also reported in 2018. In one week, it was able to compromise around 8,000 machines. Astaroth leverages legitimate Microsoft Windows services to help propagate and deliver the payloads. This campaign also utilized Cloudflare workers (JavaScript execution environment) to download modules and payloads, negating network security measures. Using these resources adds to the trusted source methodology employed by this campaign to bypass the security stack.
The emails analyzed by Cofense Intelligence were in Portuguese and had three distinct themes: an invoice theme, a show ticket theme, and a civil lawsuit theme. Each of the phishing campaigns enticed the end user into downloading and opening a .htm file to start the infection chain. The email security stack would need to be able to scan the attachments for malicious links and/or downloads to stop this technique. Having proper mitigations in place alongside user education on safeguard procedures will also help negate this type of attack, as it is mainly reliant on the end user.
Technical Findings
Once opened, the .htm downloads a .zip archive that is geo-fenced to Brazil and contains a malicious .LNK file. The .LNK file then downloads a JavaScript from a Cloudflare workers domain, shown in Figure 1.
Figure 1: The Cloudflare workers domain used within the infection chain
The JavaScript then downloads multiple files that are used to help obfuscate and execute a sample of the Astaroth information stealer. Among the files downloaded are two .DLL files that are joined together and side-loaded into a legitimate program named ‘C:Program FilesInternet ExplorerExtExport.exe’. Using a legitimate program to run the two-part malicious code that was downloaded from a trusted source helps to bypass security mseasures such as Anti-Virus (AV), application white-listing, and URL filtering.
After ExtExport.exe is running with the malicious code side-loaded, it uses a technique known as process hollowing to execute a legitimate program within a suspended state. Process hollowing is used to inject malicious code retrieved from multiple files downloaded by the earlier JavaScript. The legitimate programs that were targeted for process hollowing were unins000.exe, svchost.exe, and userinit.exe. The program unins000.exe is most notably used within a security program on systems that allow online banking in Brazil. After the program’s process is hollowed out and replaced with malicious code, Astaroth begins to retrieve the Command and Control (C2) configuration data from outside trusted sources.
Astaroth uses Youtube and Facebook profiles to host and maintain the C2 configuration data. This C2 data is base64 encoded as well as custom encrypted, and bookended by ‘|||’ as shown in Figure 2. The data is within posts on Facebook or within the profile information of user accounts on YouTube. By hosting the C2 data within these trusted sources, the threat actors can bypass network security measures like content filtering. The threat actors are also able to dynamically change the content within these trusted sources so they can deter the possibility of their infrastructure being taken down.
Figure 2: Shows the C2 configurations data hosted on YouTube
Once the C2 information is gathered, Astaroth then proceeds to collect sensitive data on the endpoint. The data gathered includes financial information, stored passwords in the browser, email client credentials, SSH credentials, and more. The modules used to collect this data are part of the multiple files downloaded by the JavaScript discussed above. All collected information is encrypted with two layers of encryption and sent via HTTPS POST to a site from the C2 list, a majority of which are hosted on Appspot. This encrypted connection to another trusted source allows for the communication to bypass network security measures that cannot decrypt it.
Astaroth’s complex infection chain targeting Brazilian citizens shows the value in layered defense as well as education of the end user. At each step, the security stack could have made an impact to stop the infection chain; however, through the use of legitimate processes and outside trusted sources, Astaroth was able to negate those defensive measures. Understanding these types of threat actor Tactics, Techniques, and Procedures (TTPs) can help finetune the security stack to defend against them. Technology can help empower an end user to help protect against this type of attack, but education will make them confident in doing so.
HOW COFENSE CAN HELP
89% of phishing threats delivering malware payloads analyzed by the Cofense Phishing Defense CenterTM bypassed email gateways. Condition users to be resilient to evolving phishing attacks with Cofense PhishMeTM and remove the blind spot with Cofense ReporterTM.
Quickly turn user reported emails into actionable intelligence with Cofense TriageTM. Reduce exposure time by rapidly quarantining threats with Cofense VisionTM.
Easily consume phishing-specific threat intelligence to proactively defend your organisation against evolving threats with Cofense IntelligenceTM.
Thanks to our unique perspective, no one knows more about REAL phishing threats than CofenseTM. To understand them better, read the 2019 Phishing Threat & Malware Review.
Appendix
ATR ID: 28320
hxxp://32ou4r9kwagc[.]hammer-escritorios[.]de/[.]well-known/hxxp-opportunistic
hxxp://32ou4r9kwagc[.]hammer-escritorios[.]de/U0W5Q0TJ80K/36516/Processo_8254504[.]htm
hxxp://36ou6w4yhiat6[.]patrocinioscomerciais[.]de/[.]well-known/hxxp-opportunistic
hxxp://36ou6w4yhiat6[.]patrocinioscomerciais[.]de/M03L90NWJ9A/38832/Processo_4872485[.]htm
hxxp://6suehrwtdue1m[.]patrocinioscomerciais[.]de/[.]well-known/hxxp-opportunistic
hxxp://6suehrwtdue1m[.]patrocinioscomerciais[.]de/ERC02X7133I/31888/Processo_8651438[.]htm
hxxp://7yaaa5w7woa8a[.]dracordocerto[.]com[.]br/[.]well-known/hxxp-opportunistic
hxxp://7yaaa5w7woa8a[.]dracordocerto[.]com[.]br/4LU11BID55M/74375/NOTA_FISCAL_ELETRONICA[.]htm
hxxp://a7aie85hyaeg9[.]paulosilvasoares[.]com[.]br/[.]well-known/hxxp-opportunistic
hxxp://a7aie85hyaeg9[.]paulosilvasoares[.]com[.]br/0H4Z02YXSEB/42230/NOTA_FISCAL_ELETRONICA[.]htm
hxxp://a7oueu1x3a6f[.]contratosadministrativoscasanova[.]de/[.]well-known/hxxp-opportunistic
hxxp://a7oueu1x3a6f[.]contratosadministrativoscasanova[.]de/000C7Q00AV2/53058/Processo_3372578[.]htm
hxxp://e3eonr2jaao8r[.]administrativosfiscaisbr[.]de/[.]well-known/hxxp-opportunistic
hxxp://e3eonr2jaao8r[.]administrativosfiscaisbr[.]de/8N139KS0TC8/28551/Processo_3358257[.]htm
hxxp://e8iat1eu5aae6[.]representantecomercialilhaverde[.]de/[.]well-known/hxxp-opportunistic
hxxp://e8iat1eu5aae6[.]representantecomercialilhaverde[.]de/L62SP3U11FF/76558/Processo_8933747[.]htm
hxxp://eoeaic04euwv[.]promad-contabilidade[.]de/[.]well-known/hxxp-opportunistic
hxxp://eoeaic04euwv[.]promad-contabilidade[.]de/7PY70HRS6M3/98547/Processo_5229337[.]htm
hxxp://fwadurhba31[.]paulosoaressilva[.]com[.]br/[.]well-known/hxxp-opportunistic
hxxp://fwadurhba31[.]paulosoaressilva[.]com[.]br/4K040HI1WB7/26224/NOTA_FISCAL_ELETRONICA[.]htm
hxxp://infects[.]maquina-turbo-huracan[.]adm[.]br/hura//dir1/
hxxp://jwa0ywl3a2h[.]paulosilvasoares[.]com[.]br/[.]well-known/hxxp-opportunistic
hxxp://jwa0ywl3a2h[.]paulosilvasoares[.]com[.]br/1Q6S1733W88/65153/NOTA_FISCAL_ELETRONICA[.]htm
hxxp://p1uifrt6eeuk9[.]representantecomercialilhaverde[.]de/[.]well-known/hxxp-opportunistic
hxxp://p1uifrt6eeuk9[.]representantecomercialilhaverde[.]de/0YW07AY906D/43557/Processo_4474588[.]htm
hxxp://sba8j8thar7[.]paulosilvasoares[.]com[.]br/[.]well-known/hxxp-opportunistic
hxxp://sba8j8thar7[.]paulosilvasoares[.]com[.]br/77MMM3800Z2/73319/NOTA_FISCAL_ELETRONICA[.]htm
hxxps://autumn-pond-1a5b[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqya[.]jpg[.]zip
hxxps://autumn-pond-1a5b[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqydwwn[.]gif[.]zip
hxxps://autumn-pond-1a5b[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqyg[.]gif[.]zip
hxxps://autumn-pond-1a5b[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqygx[.]gif[.]zip
hxxps://autumn-pond-1a5b[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqyc[.]jpg[.]zip
hxxps://autumn-pond-1a5b[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqydx[.]gif[.]zip
hxxps://autumn-pond-1a5b[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqyb[.]jpg[.]zip
hxxps://autumn-pond-1a5b[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqyxa[.]gif[.]zip
hxxps://autumn-pond-1a5b[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqyxb[.]gif[.]zip
hxxps://billowing-morning-e8ad[.]number2one78jure[.]workers[.]dev/
hxxps://blue-bonus-263d[.]ligasppk[.]workers[.]dev/?06/daffsyshqyxa[.]gif[.]zip
hxxps://blue-bonus-263d[.]ligasppk[.]workers[.]dev/?06/daffsyshqyc[.]jpg[.]zip
hxxps://blue-bonus-263d[.]ligasppk[.]workers[.]dev/?06/daffsyshqydx[.]gif[.]zip
hxxps://blue-bonus-263d[.]ligasppk[.]workers[.]dev/?06/daffsyshqygx[.]gif[.]zip
hxxps://blue-bonus-263d[.]ligasppk[.]workers[.]dev/?06/daffsyshqyb[.]jpg[.]zip
hxxps://blue-bonus-263d[.]ligasppk[.]workers[.]dev/?06/daffsyshqydwwn[.]gif[.]zip
hxxps://blue-bonus-263d[.]ligasppk[.]workers[.]dev/?06/daffsyshqya[.]jpg[.]zip
hxxps://blue-bonus-263d[.]ligasppk[.]workers[.]dev/?06/daffsyshqyg[.]gif[.]zip
hxxps://blue-bonus-263d[.]ligasppk[.]workers[.]dev/?06/daffsyshqyxb[.]gif[.]zip
hxxps://cool-king-426c[.]ligasppk[.]workers[.]dev/?06/daffsyshqya[.]jpg[.]zip
hxxps://cool-king-426c[.]ligasppk[.]workers[.]dev/?06/daffsyshqyb[.]jpg[.]zip
hxxps://cool-king-426c[.]ligasppk[.]workers[.]dev/?06/daffsyshqyc[.]jpg[.]zip
hxxps://cool-king-426c[.]ligasppk[.]workers[.]dev/?06/daffsyshqydwwn[.]gif[.]zip
hxxps://cool-king-426c[.]ligasppk[.]workers[.]dev/?06/daffsyshqydx[.]gif[.]zip
hxxps://cool-king-426c[.]ligasppk[.]workers[.]dev/?06/daffsyshqyg[.]gif[.]zip
hxxps://cool-king-426c[.]ligasppk[.]workers[.]dev/?06/daffsyshqygx[.]gif[.]zip
hxxps://cool-king-426c[.]ligasppk[.]workers[.]dev/?06/daffsyshqyxa[.]gif[.]zip
hxxps://cool-king-426c[.]ligasppk[.]workers[.]dev/?06/daffsyshqyxb[.]gif[.]zip
hxxps://crimson-waterfall-90d4[.]ligasppk[.]workers[.]dev/?06/daffsyshqyxb[.]gif[.]zip
hxxps://crimson-waterfall-90d4[.]ligasppk[.]workers[.]dev/?06/daffsyshqygx[.]gif[.]zip
hxxps://crimson-waterfall-90d4[.]ligasppk[.]workers[.]dev/?06/daffsyshqyb[.]jpg[.]zip
hxxps://crimson-waterfall-90d4[.]ligasppk[.]workers[.]dev/?06/daffsyshqyxa[.]gif[.]zip
hxxps://crimson-waterfall-90d4[.]ligasppk[.]workers[.]dev/?06/daffsyshqya[.]jpg[.]zip
hxxps://crimson-waterfall-90d4[.]ligasppk[.]workers[.]dev/?06/daffsyshqyg[.]gif[.]zip
hxxps://crimson-waterfall-90d4[.]ligasppk[.]workers[.]dev/?06/daffsyshqyc[.]jpg[.]zip
hxxps://crimson-waterfall-90d4[.]ligasppk[.]workers[.]dev/?06/daffsyshqydwwn[.]gif[.]zip
hxxps://crimson-waterfall-90d4[.]ligasppk[.]workers[.]dev/?06/daffsyshqydx[.]gif[.]zip
hxxps://curly-credit-79e4[.]ligasppk[.]workers[.]dev/?06/daffsyshqydx[.]gif[.]zip
hxxps://curly-credit-79e4[.]ligasppk[.]workers[.]dev/?06/daffsyshqydwwn[.]gif[.]zip
hxxps://curly-credit-79e4[.]ligasppk[.]workers[.]dev/?06/daffsyshqygx[.]gif[.]zip
hxxps://curly-credit-79e4[.]ligasppk[.]workers[.]dev/?06/daffsyshqyxb[.]gif[.]zip
hxxps://curly-credit-79e4[.]ligasppk[.]workers[.]dev/?06/daffsyshqya[.]jpg[.]zip
hxxps://curly-credit-79e4[.]ligasppk[.]workers[.]dev/?06/daffsyshqyxa[.]gif[.]zip
hxxps://curly-credit-79e4[.]ligasppk[.]workers[.]dev/?06/daffsyshqyb[.]jpg[.]zip
hxxps://curly-credit-79e4[.]ligasppk[.]workers[.]dev/?06/daffsyshqyc[.]jpg[.]zip
hxxps://curly-credit-79e4[.]ligasppk[.]workers[.]dev/?06/daffsyshqyg[.]gif[.]zip
hxxps://dry-hat-05c3[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqyc[.]jpg[.]zip
hxxps://dry-hat-05c3[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqyb[.]jpg[.]zip
hxxps://dry-hat-05c3[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqydwwn[.]gif[.]zip
hxxps://dry-hat-05c3[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqygx[.]gif[.]zip
hxxps://dry-hat-05c3[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqydx[.]gif[.]zip
hxxps://dry-hat-05c3[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqyxb[.]gif[.]zip
hxxps://dry-hat-05c3[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqya[.]jpg[.]zip
hxxps://dry-hat-05c3[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqyg[.]gif[.]zip
hxxps://dry-hat-05c3[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqyxa[.]gif[.]zip
hxxps://dry-wave-62b5[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqya[.]jpg[.]zip
hxxps://dry-wave-62b5[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqyb[.]jpg[.]zip
hxxps://dry-wave-62b5[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqyc[.]jpg[.]zip
hxxps://dry-wave-62b5[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqyxb[.]gif[.]zip
hxxps://dry-wave-62b5[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqydx[.]gif[.]zip
hxxps://dry-wave-62b5[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqyxa[.]gif[.]zip
hxxps://dry-wave-62b5[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqydwwn[.]gif[.]zip
hxxps://dry-wave-62b5[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqyg[.]gif[.]zip
hxxps://dry-wave-62b5[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqygx[.]gif[.]zip
hxxps://fancy-frog-b457[.]ligasppk[.]workers[.]dev/?06/daffsyshqydx[.]gif[.]zip
hxxps://fancy-frog-b457[.]ligasppk[.]workers[.]dev/?06/daffsyshqyb[.]jpg[.]zip
hxxps://fancy-frog-b457[.]ligasppk[.]workers[.]dev/?06/daffsyshqyxa[.]gif[.]zip
hxxps://fancy-frog-b457[.]ligasppk[.]workers[.]dev/?06/daffsyshqya[.]jpg[.]zip
hxxps://fancy-frog-b457[.]ligasppk[.]workers[.]dev/?06/daffsyshqyc[.]jpg[.]zip
hxxps://fancy-frog-b457[.]ligasppk[.]workers[.]dev/?06/daffsyshqydwwn[.]gif[.]zip
hxxps://fancy-frog-b457[.]ligasppk[.]workers[.]dev/?06/daffsyshqyxb[.]gif[.]zip
hxxps://fancy-frog-b457[.]ligasppk[.]workers[.]dev/?06/daffsyshqyg[.]gif[.]zip
hxxps://fancy-frog-b457[.]ligasppk[.]workers[.]dev/?06/daffsyshqygx[.]gif[.]zip
hxxps://green-shape-8775[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqydwwn[.]gif[.]zip
hxxps://green-shape-8775[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqyg[.]gif[.]zip
hxxps://green-shape-8775[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqya[.]jpg[.]zip
hxxps://green-shape-8775[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqyxa[.]gif[.]zip
hxxps://green-shape-8775[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqygx[.]gif[.]zip
hxxps://green-shape-8775[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqydx[.]gif[.]zip
hxxps://green-shape-8775[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqyxb[.]gif[.]zip
hxxps://green-shape-8775[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqyb[.]jpg[.]zip
hxxps://green-shape-8775[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqyc[.]jpg[.]zip
hxxps://hidden-math-4d14[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqyc[.]jpg[.]zip
hxxps://hidden-math-4d14[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqygx[.]gif[.]zip
hxxps://hidden-math-4d14[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqyxb[.]gif[.]zip
hxxps://hidden-math-4d14[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqydx[.]gif[.]zip
hxxps://hidden-math-4d14[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqydwwn[.]gif[.]zip
hxxps://hidden-math-4d14[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqyb[.]jpg[.]zip
hxxps://hidden-math-4d14[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqya[.]jpg[.]zip
hxxps://hidden-math-4d14[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqyg[.]gif[.]zip
hxxps://hidden-math-4d14[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqyxa[.]gif[.]zip
hxxps://lingering-fire-b1e5[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqydx[.]gif[.]zip
hxxps://lingering-fire-b1e5[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqyc[.]jpg[.]zip
hxxps://lingering-fire-b1e5[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqygx[.]gif[.]zip
hxxps://lingering-fire-b1e5[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqyb[.]jpg[.]zip
hxxps://lingering-fire-b1e5[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqydwwn[.]gif[.]zip
hxxps://lingering-fire-b1e5[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqyxb[.]gif[.]zip
hxxps://lingering-fire-b1e5[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqya[.]jpg[.]zip
hxxps://lingering-fire-b1e5[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqyg[.]gif[.]zip
hxxps://lingering-fire-b1e5[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqyxa[.]gif[.]zip
hxxps://little-dust-d4f3[.]number2one78jure[.]workers[.]dev/
hxxps://lucky-firefly-7e5f[.]true[.]workers[.]dev/
hxxps://lucky-tooth-57b7[.]true[.]workers[.]dev/
hxxps://morning-cherry-481e[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqyxb[.]gif[.]zip
hxxps://morning-cherry-481e[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqydwwn[.]gif[.]zip
hxxps://morning-cherry-481e[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqydx[.]gif[.]zip
hxxps://morning-cherry-481e[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqygx[.]gif[.]zip
hxxps://morning-cherry-481e[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqya[.]jpg[.]zip
hxxps://morning-cherry-481e[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqyg[.]gif[.]zip
hxxps://morning-cherry-481e[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqyb[.]jpg[.]zip
hxxps://morning-cherry-481e[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqyxa[.]gif[.]zip
hxxps://morning-cherry-481e[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqyc[.]jpg[.]zip
hxxps://nameless-field-4aaf[.]ligasppk[.]workers[.]dev/?06/daffsyshqyb[.]jpg[.]zip
hxxps://nameless-field-4aaf[.]ligasppk[.]workers[.]dev/?06/daffsyshqygx[.]gif[.]zip
hxxps://nameless-field-4aaf[.]ligasppk[.]workers[.]dev/?06/daffsyshqyxb[.]gif[.]zip
hxxps://nameless-field-4aaf[.]ligasppk[.]workers[.]dev/?06/daffsyshqyc[.]jpg[.]zip
hxxps://nameless-field-4aaf[.]ligasppk[.]workers[.]dev/?06/daffsyshqydx[.]gif[.]zip
hxxps://nameless-field-4aaf[.]ligasppk[.]workers[.]dev/?06/daffsyshqya[.]jpg[.]zip
hxxps://nameless-field-4aaf[.]ligasppk[.]workers[.]dev/?06/daffsyshqyxa[.]gif[.]zip
hxxps://nameless-field-4aaf[.]ligasppk[.]workers[.]dev/?06/daffsyshqydwwn[.]gif[.]zip
hxxps://nameless-field-4aaf[.]ligasppk[.]workers[.]dev/?06/daffsyshqyg[.]gif[.]zip
hxxps://old-limit-a6af[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqyg[.]gif[.]zip
hxxps://old-limit-a6af[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqydx[.]gif[.]zip
hxxps://old-limit-a6af[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqyxa[.]gif[.]zip
hxxps://old-limit-a6af[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqyc[.]jpg[.]zip
hxxps://old-limit-a6af[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqya[.]jpg[.]zip
hxxps://old-limit-a6af[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqyxb[.]gif[.]zip
hxxps://old-limit-a6af[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqyb[.]jpg[.]zip
hxxps://old-limit-a6af[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqygx[.]gif[.]zip
hxxps://old-limit-a6af[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqydwwn[.]gif[.]zip
hxxps://old-surf-9b33[.]ligasppk[.]workers[.]dev/?06/daffsyshqya[.]jpg[.]zip
hxxps://old-surf-9b33[.]ligasppk[.]workers[.]dev/?06/daffsyshqyb[.]jpg[.]zip
hxxps://old-surf-9b33[.]ligasppk[.]workers[.]dev/?06/daffsyshqyc[.]jpg[.]zip
hxxps://old-surf-9b33[.]ligasppk[.]workers[.]dev/?06/daffsyshqydwwn[.]gif[.]zip
hxxps://old-surf-9b33[.]ligasppk[.]workers[.]dev/?06/daffsyshqydx[.]gif[.]zip
hxxps://old-surf-9b33[.]ligasppk[.]workers[.]dev/?06/daffsyshqyg[.]gif[.]zip
hxxps://old-surf-9b33[.]ligasppk[.]workers[.]dev/?06/daffsyshqygx[.]gif[.]zip
hxxps://old-surf-9b33[.]ligasppk[.]workers[.]dev/?06/daffsyshqyxa[.]gif[.]zip
hxxps://old-surf-9b33[.]ligasppk[.]workers[.]dev/?06/daffsyshqyxb[.]gif[.]zip
hxxps://polished-bread-7459[.]number2one78jure[.]workers[.]dev/
hxxps://proud-violet-18c3[.]ligasppk[.]workers[.]dev/?06/daffsyshqyc[.]jpg[.]zip
hxxps://proud-violet-18c3[.]ligasppk[.]workers[.]dev/?06/daffsyshqyb[.]jpg[.]zip
hxxps://proud-violet-18c3[.]ligasppk[.]workers[.]dev/?06/daffsyshqydwwn[.]gif[.]zip
hxxps://proud-violet-18c3[.]ligasppk[.]workers[.]dev/?06/daffsyshqygx[.]gif[.]zip
hxxps://proud-violet-18c3[.]ligasppk[.]workers[.]dev/?06/daffsyshqyxa[.]gif[.]zip
hxxps://proud-violet-18c3[.]ligasppk[.]workers[.]dev/?06/daffsyshqya[.]jpg[.]zip
hxxps://proud-violet-18c3[.]ligasppk[.]workers[.]dev/?06/daffsyshqyxb[.]gif[.]zip
hxxps://proud-violet-18c3[.]ligasppk[.]workers[.]dev/?06/daffsyshqyg[.]gif[.]zip
hxxps://proud-violet-18c3[.]ligasppk[.]workers[.]dev/?06/daffsyshqydx[.]gif[.]zip
hxxps://rapid-sea-58cf[.]number2one78jure[.]workers[.]dev/
hxxps://rough-sunset-da24[.]number2one78jure[.]workers[.]dev/
hxxps://royal-haze-b4bb[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqyxb[.]gif[.]zip
hxxps://royal-haze-b4bb[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqyc[.]jpg[.]zip
hxxps://royal-haze-b4bb[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqygx[.]gif[.]zip
hxxps://royal-haze-b4bb[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqydx[.]gif[.]zip
hxxps://royal-haze-b4bb[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqydwwn[.]gif[.]zip
hxxps://royal-haze-b4bb[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqyb[.]jpg[.]zip
hxxps://royal-haze-b4bb[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqya[.]jpg[.]zip
hxxps://royal-haze-b4bb[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqyxa[.]gif[.]zip
hxxps://royal-haze-b4bb[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqyg[.]gif[.]zip
hxxps://small-glade-1d16[.]number2one78jure[.]workers[.]dev/
hxxps://small-tooth-1089[.]ligasppk[.]workers[.]dev/?06/daffsyshqygx[.]gif[.]zip
hxxps://small-tooth-1089[.]ligasppk[.]workers[.]dev/?06/daffsyshqydwwn[.]gif[.]zip
hxxps://small-tooth-1089[.]ligasppk[.]workers[.]dev/?06/daffsyshqyg[.]gif[.]zip
hxxps://small-tooth-1089[.]ligasppk[.]workers[.]dev/?06/daffsyshqyxb[.]gif[.]zip
hxxps://small-tooth-1089[.]ligasppk[.]workers[.]dev/?06/daffsyshqyxa[.]gif[.]zip
hxxps://small-tooth-1089[.]ligasppk[.]workers[.]dev/?06/daffsyshqyc[.]jpg[.]zip
hxxps://small-tooth-1089[.]ligasppk[.]workers[.]dev/?06/daffsyshqyb[.]jpg[.]zip
hxxps://small-tooth-1089[.]ligasppk[.]workers[.]dev/?06/daffsyshqya[.]jpg[.]zip
hxxps://small-tooth-1089[.]ligasppk[.]workers[.]dev/?06/daffsyshqydx[.]gif[.]zip
hxxps://tight-fire-750f[.]number2one78jure[.]workers[.]dev/
hxxps://tight-rice-f842[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqyg[.]gif[.]zip
hxxps://tight-rice-f842[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqyxa[.]gif[.]zip
hxxps://tight-rice-f842[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqydx[.]gif[.]zip
hxxps://tight-rice-f842[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqyc[.]jpg[.]zip
hxxps://tight-rice-f842[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqygx[.]gif[.]zip
hxxps://tight-rice-f842[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqyb[.]jpg[.]zip
hxxps://tight-rice-f842[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqya[.]jpg[.]zip
hxxps://tight-rice-f842[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqyxb[.]gif[.]zip
hxxps://tight-rice-f842[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqydwwn[.]gif[.]zip
hxxps://twilight-voice-28c6[.]number2one78jure[.]workers[.]dev/
hxxps://wandering-tooth-730c[.]ligasppk[.]workers[.]dev/?06/daffsyshqya[.]jpg[.]zip
hxxps://wandering-tooth-730c[.]ligasppk[.]workers[.]dev/?06/daffsyshqyxa[.]gif[.]zip
hxxps://wandering-tooth-730c[.]ligasppk[.]workers[.]dev/?06/daffsyshqyg[.]gif[.]zip
hxxps://wandering-tooth-730c[.]ligasppk[.]workers[.]dev/?06/daffsyshqydx[.]gif[.]zip
hxxps://wandering-tooth-730c[.]ligasppk[.]workers[.]dev/?06/daffsyshqyxb[.]gif[.]zip
hxxps://wandering-tooth-730c[.]ligasppk[.]workers[.]dev/?06/daffsyshqyc[.]jpg[.]zip
hxxps://wandering-tooth-730c[.]ligasppk[.]workers[.]dev/?06/daffsyshqygx[.]gif[.]zip
hxxps://wandering-tooth-730c[.]ligasppk[.]workers[.]dev/?06/daffsyshqyb[.]jpg[.]zip
hxxps://wandering-tooth-730c[.]ligasppk[.]workers[.]dev/?06/daffsyshqydwwn[.]gif[.]zip
hxxps://www[.]facebook[.]com/permalink[.]php?story_fbid=107771317241483
hxxps://www[.]facebook[.]com/permalink[.]php?story_fbid=108724057145111
hxxps://www[.]youtube[.]com/channel/UC_eGbnxTGKLBkncM6-xgXEQ/about
hxxps://www[.]youtube[.]com/channel/UCRvJAUYS4X3cjswXzdizM7w/about
hxxps://www[.]youtube[.]com/channel/UCWMRA17ykEduy3PYSLJ7qUQ/about
| File | MD5 Hash Value |
| 06 | dac44bfad9f76ba6dbdc2e5753b45ace |
| 09 | ba048536df48d7e9dd893a6a03ef2241 |
| Casa&Show_Convite-16478.doc.htm.zip | 19260462563234466f017056f6a206a4 |
| Casa&Show_Convite-24434.doc.htm.zip | 02b9550e9530552f0291e018248616e3 |
| Casa&Show_Convite-28353.doc.htm.zip | b939510a06297f7df415da4969ad370f |
| Convite-16478.doc.htm | 1b4ba6193c41c002ca01b79be6b4bf58 |
| Convite-24434.doc.htm | b958cc34580f88a85ec213710096b3f2 |
| Convite-28353.doc.htm | fd5a66109a47f6f8e2ddccd18dff90ac |
| Convite-Especial_450.lnk | c240f95d98b9a9c7013568bf82f82200 |
| Convite-Especial_450.zip | a4c9f257b3e59da8b2fcf0d8cea55c5a |
| Convite-Especial_500.lnk | 0ef2370581573a7dd04600957e1bf5f1 |
| Convite-Especial_500.zip | f71b63d22f4bab20aab0c9393857f665 |
| Convite-Especial_600.lnk | 451dcb3829434c1e2f12bf894a8f2793 |
| Convite-Especial_600.zip | 68b9e1a6ced7762ceb77f28632f0c462 |
| daffsyshqy64a.dll | 6ddf3a891ea9f3cc96cf04c6a06f8176 |
| daffsyshqy64b.dll | a8eb5f30af5632b86f61b82d32b39dca |
| daffsyshqy64.dll | 14ffd7f15426f44f2f6cca63c1f3074b |
| daffsyshqya.jpg | 57bbfb7dfbd710aaef209bff71b08a32 |
| daffsyshqyb.jpg | f2cf0bc2a11c62afa0fd80a3e8cd704d |
| daffsyshqyc.jpg | 1f2204f86817402088d4cb8337bfbccc |
| daffsyshqydwwn.gif | d0b486f131c70cf18b1e51651fa3667b |
| daffsyshqydx.gif | e1762709a530f79365e53339c3f5a92c |
| daffsyshqyg.gif | d2fb935b6a5ca8d61f27198eea7a3ad5 |
| daffsyshqygx.gif | 7443bbbf9b2f02c68573f2788208f9b3 |
| daffsyshqyxa.~ | 95b4897223c0220a71f8b7db8d26b96f |
| daffsyshqyxb.~ | a75137f66c218886d6cd44f6efa703bf |
| Departamento_Fiscal.170.lnk | f47531b59187ec87dcac80383fb43a32 |
| Departamento_Fiscal.170.zip | 8c39a5cbacf24535d83c116eb680cb08 |
| Departamento_Fiscal.300.lnk | 9db1833a686fea058b12bb050ec71d15 |
| Departamento_Fiscal.300.zip | 3cfdeede42ce9a35009ab8755860ce97 |
| Departamento_Fiscal.490.lnk | 1fda7ca3dca57d1eee0007695af6c36d |
| Departamento_Fiscal.490.zip | 7f01a1f829a1c514fcf372a5fed4852b |
| Departamento_Fiscal.580.lnk | a9939044af4b9886ed5fc570bef357d7 |
| Departamento_Fiscal.580.zip | c0bbbc27ed84ffb2066f4fd53f66fb8f |
| Departamento_Fiscal.700.lnk | 8d6379a39692ace24ec6232e333733ca |
| Departamento_Fiscal.700.zip | cb67c6e585b5ed0ffa8d6a1da0f50f6d |
| FISCAL_ELETRONICA.htm | 356f364e63d1cb900f4210497c006592 |
| FISCAL_ELETRONICA.htm | be34918b1b4f68885f12cfe79d79eaed |
| FISCAL_ELETRONICA.htm | 1b2fbd4b8e0fc09f18e385f3e99c7c18 |
| FISCAL_ELETRONICA.htm | 8d5ac61b30c704f18131afe16c6a931d |
| FISCAL_ELETRONICA.htm | 0c8c016e42cde175761ef1ccf5f49393 |
| l0hdOOY.js | de057b5a7518f0117a884b0393cb24f8 |
| mozcrt19.dll | 14ffd7f15426f44f2f6cca63c1f3074b |
| mozsqlite3.dll | 14ffd7f15426f44f2f6cca63c1f3074b |
| NOTA_FISCAL_ELETRONICA.htm.zip | e36ae691fc76dd3afdab86f120ef45f0 |
| NOTA_FISCAL_ELETRONICA.htm.zip | 9f20b09dd004fffb3bd440f1a69ff7e2 |
| NOTA_FISCAL_ELETRONICA.htm.zip | bde41fa97144ef74be6ae129aa699f9f |
| NOTA_FISCAL_ELETRONICA.htm.zip | 2159653ee0374fa4a157ba98ecd6dfe3 |
| NOTA_FISCAL_ELETRONICA.htm.zip | 74e9ee1b315b4bbe2f393eb434d282e8 |
| Processo_0339688.htm | 1b99d7c6ba70f5b51d29aa7138871de3 |
| Processo_0339688.htm.zip | 9bf29a680a7ccdcf08539cc0334d3bf0 |
| Processo_0743333.htm | 07eb7252072a9a367952e11e91099aba |
| Processo_0743333.htm.zip | 676752b756d6b549ba70bfd78453df75 |
| Processo_3585524.htm | 14c345a7b0832d978b0bfc1a41936cce |
| Processo_3585524.htm.zip | 99716f3749772b55a7a2337aa9c2ceae |
| Processo_4520552.htm | 552c4f4606586020e649e608a9635283 |
| Processo_4520552.htm.zip | b3e3cc3fc712b4e3bc0513e15da49fb7 |
| Processo_5451802.htm | 71c2dd1749b8b6424ae33fc742d8b979 |
| Processo_5451802.htm.zip | 95bb9a288c45ba4192c4c206a153898f |
| Processo_5574567.htm | d1a5c070a423d13a9f9a7a6c30290b96 |
| Processo_5574567.htm.zip | e829f09c42e9866027de2ba5ff37b42b |
| Processo_5583423.htm | 0c6bcf42b7eea1c88f501e7d27bd635a |
| Processo_5583423.htm.zip | 4459af875005925cc214699ea65e433a |
| Processo_8457803.htm | a62c73c1a6ffc93300ecd3417682caaa |
| Processo_8457803.htm.zip | 4459af875005925cc214699ea65e433a |
| Processo_8538828.htm | 2b3cd62a7e1ffb67a2412045ff3175a5 |
| Processo_8538828.htm.zip | a68847e5fa17cf6500fc2cc1bb9ad606 |
| Processo_Judicial_Eletronico.130.lnk | 11f473c93a505d0be9b2bbe2261f6891 |
| Processo_Judicial_Eletronico.130.zip | eca6717f16ce755254f39c1ff9175c62 |
| Processo_Judicial_Eletronico.150.lnk | cf333b6d6f5b22f41c685d7fce1ed30e |
| Processo_Judicial_Eletronico.150.zip | d623289773b08bddf4cb05b4c2155779 |
| Processo_Judicial_Eletronico.30.lnk | cf9599ed5188bf857d325a383492230b |
| Processo_Judicial_Eletronico.30.zip | 9986df584fbc379e71c94462f680435b |
| Processo_Judicial_Eletronico.310.lnk | b6f0527fe826a1c367f9385e6097284d |
| Processo_Judicial_Eletronico.310.zip | fee203eea24f9a647a7feb7c194cd36d |
| Processo_Judicial_Eletronico.420.lnk | 6bd1f103d08fd98d16346ef53a1bec9c |
| Processo_Judicial_Eletronico.420.zip | deb93d749ae8027263432e40be98fc22 |
| Processo_Judicial_Eletronico.480.lnk | b7901d33364a4734b9c02b6083ef3f7f |
| Processo_Judicial_Eletronico.480.zip | e38239422342eb717bcaccd3dc2c3c8e |
| Processo_Judicial_Eletronico.740.lnk | 7479929ccaa6c4a7b4e3e68eeac1668f |
| Processo_Judicial_Eletronico.740.zip | 5cff755c3bd694d8927d6ceb6bee3e0b |
| Processo_Judicial_Eletronico.750.lnk | 4f82854519cd2f6bdd77dd43bd8f7605 |
| Processo_Judicial_Eletronico.750.zip | 17f2e35d0e108c0a70325450c25bd57e |
All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.
