Agent Tesla Keylogger Is Now a Top Phishing Threat

By Aaron Riley, Cofense IntelligenceTM

The Agent Tesla keylogger is an increasingly widespread piece of malware in the phishing threat landscape, targeting multiple industries and using multiple stages within its infection chain. Currently, threat actors prefer archived files or weaponized Microsoft Office productivity documents to deliver this malicious software to the endpoint. Agent Tesla is sold as a commercial subscription license and offers a 24/7 support team. With an easy to use and abundant feature set—like a document exploit builder embedded into the malware management web panel—this keylogger lends itself to all levels of threat actors.

A typical theme for these campaigns revolves around finances, orders, and shipments. The most common way for this keylogger to make it to the endpoint is by archiving the executable and attaching it to a phishing email. This delivery vector can be successful if the email security stack does not have a standard in place for allowed archival types, does not conduct archive file analysis, or determines the file to be an unknown archive type.

For the infection chain, there are numerous methods a threat actor can choose. Most notably, Agent Tesla leverages a document exploiting the Equation Editor vulnerability documented in CVE-2017-11882 as the first-stage loader. Exploiting this vulnerability allows the attached document to download and execute a binary on the victim’s endpoint once it is opened. Although a patch for this vulnerability has long been available, threat actors continue to exploit it.

A macro-laden Office document is the second most popular ‘stage one’ loader for this keylogger. This is somewhat surprising, given that the macro builder is embedded in the Agent Tesla web panel as a feature, which makes it easier to use than the CVE-2017-11882 exploit. Beyond keylogging, Agent Tesla offers features that place it closer to a Remote Access Trojan (RAT), including the capability to take screenshots or control the webcam. It adds to its resilience with the ‘File Binder’ option, which binds the Agent Tesla executable to a file selected on the endpoint so that the keylogger executes at the same time as the selected file. This keeps the keylogger up and running without any further interaction from the victim.

Unlike most RAT suites, Agent Tesla’s preferred exfiltration method for the stolen data is email. The web panel allows a threat actor to set an email address as the recipient or the sender and can SSL-encrypt the email traffic. This exfiltration technique can be blocked by denying all SMTP traffic that does not match organizational or enterprise standards. Agent Tesla, however, can also exfiltrate the stolen information via FTP or an HTTP POST. Each of these exfiltration methods can be defended against with proper firewall, content filtering, and alerting rules in place.

Figure 1: An example phishing email with Agent Tesla keylogger attached.

Agent Tesla’s recent rise to the top of the phishing threat landscape shouldn’t be a surprise, given the ease of use, options, and technical support from the creators. Network safeguards can help stop the exfiltration of data from a successful infection. Patching and updating user endpoints can combat at least one of the delivery mechanisms used within these phishing campaigns. Educating users on company standards for file extensions and Office macro use can combat the other two delivery mechanisms.

HOW COFENSE CAN HELP

89% of phishing threats delivering malware payloads analyzed by the Cofense Phishing Defense CenterTM bypassed email gateways. Condition users to be resilient to evolving phishing attacks with Cofense PhishMeTM and remove the blind spot with Cofense ReporterTM.

Quickly turn user reported emails into actionable intelligence with Cofense TriageTM. Reduce exposure time by rapidly quarantining threats with Cofense VisionTM.

Easily consume phishing-specific threat intelligence to proactively defend your organization against evolving threats with Cofense IntelligenceTM.

Thanks to our unique perspective, no one knows more about REAL phishing threats than CofenseTM. To understand them better, read the 2019 Phishing Threat & Malware Review


All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.

Emotet Malicious Phishing Campaigns Return in Force

By Alan Rainer and Max Gannon

The infamous malware family Emotet—also known as Geodo—has fully resurfaced and resumed sending phishing campaigns that trick users into clicking on links and downloading attachments that contain malicious macros. Many of the emails feature common financial themes that capitalize on an existing reply chain or contact list impersonation.

In most cases, subjects for these phishing emails are rather mundane, such as “RE: Re: Contract/Invoice Count” and “Customer Statement 09/16/2019”, with attachments that use Microsoft Office macros to install malware. Once the Emotet executable is installed, the banking Trojan TrickBot may be placed onto the victim machine, depending mainly on geography and organization. TrickBot is known to siphon information from a host and has been shown to result in Ryuk ransomware reaching the victim after some time. Current statistics show that Emotet is targeting over 66,000 unique email addresses on more than 30,000 domains. The sending accounts, whose credentials had likely been stolen, span over 1,900 unique domains and 3,400 different senders. This extensive reach makes the Emotet threat tricky to combat.

User awareness and technical safeguards such as email defense capabilities and endpoint protection solutions are vital in thwarting Emotet. Users should be increasingly wary of reply chain emails that contain unexpected documents, especially ones that ask to ‘Enable Content’ for editing or to ‘Accept the license agreement.’

Security teams should maintain a heightened awareness of Emotet trends and leverage the analysis to deny or hunt down malicious activity. Through active monitoring of the Emotet botnet and malware, Cofense IntelligenceTM continues to identify phishing threats that may impact customers and to provide security operations with the latest campaign data. In the Technical Findings section below, Cofense Intelligence has chosen a random example of the most common email and macro as seen today for analysis.

Figure 1: Original Email

Technical Findings

Emotet delivers malicious documents as either part of a reply chain or as a finance-themed (such as invoice, new document, bank transfer, and quotation) phishing email. The languages used for each email body differ widely and have been seen to include English, Italian, Polish, or German, among others. These phishing emails contain a Microsoft Word document with a .doc extension and an Office macro that downloads Emotet executables.

Historically, Emotet utilized malicious links as well, but current indications show this is not the preferred method of malware delivery. The attached Office documents with macros store payload information in embedded object data, rather than in the macro itself, which makes analysis more difficult.

While similar to a delivery mechanism discussed in a previous blog, this version of the dropper is more advanced than before. When the document is opened, it displays a lure stating that to continue to use Microsoft Word after September 20, 2019, the user must accept the license agreement and enable editing. The lure shown in Figure 2 does not appear to be significantly different from the typical Office message that asks to enable macros; however, a requirement to accept a new license agreement makes the lure seem so routine that this new trap may be more effective.

Figure 2: Macro Request

After Office macros are enabled, Emotet executables are downloaded from one of five different payload locations. When run, these executables launch a service, shown in Figure 3, that looks for other computers on the network. Emotet then downloads an updated binary and proceeds to fetch TrickBot if (currently undetermined) criteria of geographical location and organization are met.

Figure 3: Service Launched by Emotet

The macros used in this case are relatively small even with the garbage code included, totaling approximately 150 to 300 lines. Removing the garbage code reveals only 10 lines of actual code. This code extracts metadata from embedded objects in the Word document; specifically, the “caption” data of these objects as seen in Figure 4.

Figure 4: Object content

While the attached documents all have a .doc extension, they are in fact .dotm, .docx, and other document file types, which enables them to successfully hide the embedded objects as ActiveX objects rather than typical “Form” objects whose metadata can be easily accessed in an opened document.
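The extension mismatch just described can be caught at the gateway without opening the document, because Word selects the parser from the file content while filters often trust the extension. The following is an added example (not Cofense's code and not the macro): it sniffs the container format by magic bytes, compares it with what the .doc extension implies, and looks for a VBA project inside an OOXML package; the three attachments are constructed in memory.

```python
"""Added example (not Cofense's code): flag Office attachments whose .doc
extension disagrees with the container format, and report whether a ZIP-based
(OOXML) document carries a VBA project. Sample documents are built in memory."""
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy binary .doc container
ZIP_MAGIC = b"PK\x03\x04"                         # OOXML (.docx/.dotm/.docm) container

# OOXML content types that declare a macro-enabled Word document or template.
MACRO_CONTENT_TYPES = (
    "application/vnd.ms-word.document.macroEnabled.main+xml",
    "application/vnd.ms-word.template.macroEnabledTemplate.main+xml",
)
PLAIN_DOCX_TYPE = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"

# Which container each Word extension is supposed to use.
EXPECTED_CONTAINER = {"doc": "ole", "dot": "ole", "docx": "ooxml", "dotm": "ooxml", "docm": "ooxml"}


def classify_container(data: bytes) -> str:
    """Identify the container by its first bytes, ignoring the file name."""
    if data.startswith(OLE_MAGIC):
        return "ole"
    if data.startswith(ZIP_MAGIC):
        return "ooxml"
    return "unknown"


def ooxml_has_vba(data: bytes) -> bool:
    """True if the package embeds vbaProject.bin or declares a macro-enabled type."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            if any(n.lower().endswith("vbaproject.bin") for n in names):
                return True
            if "[Content_Types].xml" in names:
                ctypes = zf.read("[Content_Types].xml").decode("utf-8", "replace")
                return any(ct in ctypes for ct in MACRO_CONTENT_TYPES)
    except zipfile.BadZipFile:
        pass
    return False


def assess_attachment(filename: str, data: bytes) -> dict:
    """Return the container type, an extension-mismatch flag, and VBA presence."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    container = classify_container(data)
    expected = EXPECTED_CONTAINER.get(ext)
    mismatch = expected is not None and container != expected
    has_vba = container == "ooxml" and ooxml_has_vba(data)
    findings = []
    if mismatch:
        findings.append(f"extension .{ext} implies {expected} but container is {container}")
    if has_vba:
        findings.append("OOXML package contains a VBA project")
    return {"container": container, "extension_mismatch": mismatch,
            "has_vba": has_vba, "findings": findings}


def _build_ooxml(with_vba: bool) -> bytes:
    """Construct a minimal OOXML package (sample input, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        ctype = MACRO_CONTENT_TYPES[1] if with_vba else PLAIN_DOCX_TYPE
        zf.writestr("[Content_Types].xml",
                    f'<?xml version="1.0"?><Types><Override PartName="/word/document.xml" '
                    f'ContentType="{ctype}"/></Types>')
        zf.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


# Constructed samples: a .dotm disguised as .doc, a genuine legacy .doc, a clean .docx.
SAMPLES = {
    "invoice.doc": _build_ooxml(with_vba=True),
    "statement.doc": OLE_MAGIC + b"\x00" * 504,
    "notes.docx": _build_ooxml(with_vba=False),
}


def triage(samples=SAMPLES) -> dict:
    """Assess every sample attachment and return the results keyed by file name."""
    return {name: assess_attachment(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, result in triage().items():
        print(name, result["findings"] or ["no findings"])
```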

In each case, the result is the attempted download of an Emotet binary from a set of five payload locations using both HTTP and HTTPS. Emotet has been seen downloading TrickBot and other malware historically, with no noteworthy modifications to the present-day TrickBot sample.

 

How Cofense Can Help

Cofense Resources

Cofense PhishMeTM offers a phishing simulation, “Service Report – Emotet,” to educate users on the phishing attack described in today’s blog.


New Phishing Campaign Targets U.S. Taxpayers by Dropping Amadey Botnet

The Cofense Phishing Defense CenterTM has detected a new wave of attacks targeting US taxpayers by delivering the Amadey botnet via phishing emails. Amadey is a relatively new botnet, first noted late in Q1 of 2019. Known for its simplicity, it is available to hire for a very steep price compared to other commercially available botnets with similar functionality. Threat groups like TA505 have been known to leverage the Amadey botnet as recently as July 2019 to deliver secondary malware such as the FlawedAmmyy RAT and email stealers.

Here’s how a typical attack works:

Figure 1: Infection chain

Figure 2: Email Body

The email body purports to be from the Internal Revenue Service (IRS) and claims that the recipient is eligible for a tax refund. The recipient is presented with a “one time username and password” and urged to click the “Login Right Here” button. As seen above in Figure 1, the login button is an embedded hyperlink that redirects to hxxp://yosemitemanagement[.]com/fonts/page5/. Here the recipient is presented with an IRS login page on which to enter the one-time password.

Figure 3: Infection Page 

Once the recipient is logged into the fake IRS portal they are informed that they have “1 pending refund” and asked to download a document, print and sign, then either mail it back or upload a copy to the portal. When the recipient clicks to download the document, a zip file called “document.zip” is presented, which contains a Visual Basic script dropper.

Figure 4: Obfuscated VBS Script

The VBScript is highly obfuscated and encrypted. For more details on how this VBScript was decoded, please take a look at the Cofense™ Labs detailed write-up, which can be found here.

At a high level, once executed, the script decrypts itself at run time and drops an executable file called “ZjOexiPr.exe” in C:\Users\Byte\AppData\Local\Temp\. It then installs the executable kntd.exe in C:\ProgramData\0fa42aa593 and executes the process.

Figure 5: Persistence 

The Amadey process installs itself in C:\ProgramData\0fa42aa593 and, to maintain persistence, uses Reg.exe, a command-line tool for editing the registry. The script issues the command:

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\ProgramData\0fa42aa593

This rewrites the current user’s Startup shell folder so that it points at the malware directory; Explorer then launches the contents of that directory at every logon, without Amadey having to add a conventional Run key entry.
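The redirected Startup folder is easy to audit, because the Windows default for this value is a REG_EXPAND_SZ pointing under %USERPROFILE%, while Amadey writes a REG_SZ pointing at C:\ProgramData. The following is an added example (not Cofense's code): it parses the text that `reg query "<key>" /v Startup` prints and flags a Startup folder pointed outside the user profile; the two outputs it checks are constructed samples.

```python
"""Added example (not Cofense's code): audit the per-user Startup folder
redirection that Amadey creates with reg.exe. It parses the output of
`reg query <key> /v Startup` and flags a Startup folder pointed outside the
user profile. CLEAN_OUTPUT and INFECTED_OUTPUT are constructed samples."""
import re
import subprocess

KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"
# Windows default for this value: an expandable string under the user profile.
EXPECTED_TYPE = "REG_EXPAND_SZ"
EXPECTED_DATA = r"%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
# Locations a legitimate Startup redirection has no business pointing at.
SUSPECT_FRAGMENTS = (r"c:\programdata", r"c:\users\public",
                     r"\appdata\local\temp", r"c:\windows\temp")

# reg.exe prints "    <name>    <type>    <data>" for each value it lists.
VALUE_RE = re.compile(r"^\s*Startup\s+(REG_\w+)\s+(.*\S)\s*$",
                      re.IGNORECASE | re.MULTILINE)


def parse_startup_value(reg_query_output: str):
    """Return (type, data) for the Startup value, or None if it is absent."""
    m = VALUE_RE.search(reg_query_output)
    return (m.group(1).upper(), m.group(2)) if m else None


def audit_startup_folder(reg_query_output: str) -> dict:
    """Compare the Startup value against the Windows default and return findings."""
    parsed = parse_startup_value(reg_query_output)
    if parsed is None:
        # Value absent: Explorer falls back to the default location.
        return {"type": None, "data": None, "suspicious": False, "reasons": []}
    vtype, data = parsed
    norm = data.lower()
    reasons = []
    if vtype != EXPECTED_TYPE:
        reasons.append(f"value type is {vtype}, default is {EXPECTED_TYPE}")
    if norm != EXPECTED_DATA.lower():
        reasons.append("Startup folder differs from the default per-user path")
    if any(frag in norm for frag in SUSPECT_FRAGMENTS):
        reasons.append("Startup folder redirected to a world-writable or temp location")
    return {"type": vtype, "data": data, "suspicious": bool(reasons), "reasons": reasons}


def audit_live_host() -> dict:
    """Run reg.exe on the current Windows host and audit what it prints."""
    out = subprocess.run(["reg", "query", KEY, "/v", "Startup"],
                         capture_output=True, text=True, check=False).stdout
    return audit_startup_folder(out)


# Constructed sample: an unmodified profile.
CLEAN_OUTPUT = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
    Startup    REG_EXPAND_SZ    %USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
"""
# Constructed sample mirroring the REG ADD command quoted above.
INFECTED_OUTPUT = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
    Startup    REG_SZ    C:\ProgramData\0fa42aa593
"""

if __name__ == "__main__":
    for label, out in (("clean", CLEAN_OUTPUT), ("infected", INFECTED_OUTPUT)):
        print(label, audit_startup_folder(out))
```

audit_live_host() only makes sense on a Windows host; everywhere else, feed the function saved reg.exe output or a registry export converted to this format.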

Figure 6: C2 channels

Amadey immediately beacons out to its command and control (C2) channels, sending system diagnostic information back to the C2 server and awaiting further instructions. Amadey connects out via HTTP on port 80 to multiple C2 servers.

Figure 7: Network Traffic

If we take a closer look at the HTTP traffic we can see that Amadey sends system information back to its C2 server.

From the values given we can infer that:

ID – Unique identifier of the infected system

VS – Version of Amadey

OS – Operating system

AV – Antivirus

PC – System name

UN – Username

Additional Analysis:

Cofense Labs takes this analysis a bit deeper to deobfuscate the malware. To learn more, check out the Lab Notes on this analysis: https://cofenselabs.com/i-see-what-you-did-there/

Indicators of Compromise (IOCs):

Malware Artifacts

File  MD5 Hash Value
document.zip 7f9a3244d23baed3b67416e32eb949bd
a4-155QFYXY.vbs 79d24672fff4c771830b4c53a7079afe
kntd.exe a046030e2171ddf787f06a92941d37ca

 Network Connections

URL  IP
hxxp://yosemitemanagement[.]com/fonts/page5/ 160[.]153[.]138[.]163
hxxp://ledehaptal[.]ru/f5lkB/index[.]php 78[.]40[.]109[.]187
hxxp://nofawacat[.]com/f5lkB/index[.]php 179[.]43[.]139[.]222
hxxp://Ip[.]hoster[.]kz 192[.]4[.]58[.]78


HOW COFENSE CAN HELP

Cofense Resources

Cofense PhishMeTM offers a phishing simulation, “Tax Refund Notice –Amadey Botnet,” to educate users on the attack described in today’s blog.


Astaroth Uses Facebook and YouTube within Infection Chain

Cofense Intelligence™ has identified a phishing campaign targeting Brazilian citizens with the Astaroth Trojan in which Facebook and YouTube profiles are used in support of the infection. The complex chain of events that leads to the successful installation of the Astaroth Trojan starts with an .htm file attached to an email. There are numerous stages within this infection chain that could have been stopped with properly layered defenses on the email and network security stack. However, at each step of the infection, this campaign uses trusted sources and the end user to advance to the next stage, ultimately leading to the exfiltration of sensitive information.

This Astaroth Trojan campaign exclusively targeted Brazilians, as also reported in 2018. In one week, it was able to compromise around 8,000 machines. Astaroth leverages legitimate Microsoft Windows services to help propagate and deliver the payloads. This campaign also utilized Cloudflare workers (JavaScript execution environment) to download modules and payloads, negating network security measures. Using these resources adds to the trusted source methodology employed by this campaign to bypass the security stack.

The emails analyzed by Cofense Intelligence were in Portuguese and had three distinct themes: an invoice theme, a show ticket theme, and a civil lawsuit theme. Each of the phishing campaigns enticed the end user into downloading and opening a .htm file to start the infection chain. The email security stack would need to be able to scan the attachments for malicious links and/or downloads to stop this technique. Having proper mitigations in place alongside user education on safeguard procedures will also help negate this type of attack, as it is mainly reliant on the end user.

Technical Findings

Once opened, the .htm file downloads a .zip archive that is geo-fenced to Brazil and contains a malicious .LNK file. The .LNK file then downloads a JavaScript file from a Cloudflare workers domain, shown in Figure 1.

Figure 1: The Cloudflare workers domain used within the infection chain

The JavaScript then downloads multiple files that are used to help obfuscate and execute a sample of the Astaroth information stealer. Among the files downloaded are two .DLL files that are joined together and side-loaded into a legitimate program named ‘C:\Program Files\Internet Explorer\ExtExport.exe’. Using a legitimate program to run the two-part malicious code that was downloaded from a trusted source helps to bypass security measures such as Anti-Virus (AV), application white-listing, and URL filtering.

After ExtExport.exe is running with the malicious code side-loaded, it uses a technique known as process hollowing to execute a legitimate program within a suspended state. Process hollowing is used to inject malicious code retrieved from multiple files downloaded by the earlier JavaScript. The legitimate programs that were targeted for process hollowing were unins000.exe, svchost.exe, and userinit.exe. The program unins000.exe is most notably used within a security program on systems that allow online banking in Brazil. After the program’s process is hollowed out and replaced with malicious code, Astaroth begins to retrieve the Command and Control (C2) configuration data from outside trusted sources.

Astaroth uses YouTube and Facebook profiles to host and maintain the C2 configuration data. This C2 data is base64 encoded as well as custom encrypted, and bookended by ‘|||’ as shown in Figure 2. The data is placed within posts on Facebook or within the profile information of user accounts on YouTube. By hosting the C2 data within these trusted sources, the threat actors can bypass network security measures like content filtering. They are also able to change the content within these trusted sources dynamically, reducing the chance of their infrastructure being taken down.

Figure 2: C2 configuration data hosted on YouTube

Once the C2 information is gathered, Astaroth then proceeds to collect sensitive data on the endpoint. The data gathered includes financial information, stored passwords in the browser, email client credentials, SSH credentials, and more. The modules used to collect this data are part of the multiple files downloaded by the JavaScript discussed above. All collected information is encrypted with two layers of encryption and sent via HTTPS POST to a site from the C2 list, a majority of which are hosted on Appspot. This encrypted connection to another trusted source allows for the communication to bypass network security measures that cannot decrypt it.

Astaroth’s complex infection chain targeting Brazilian citizens shows the value of layered defense as well as end-user education. At each step, the security stack could have stopped the infection chain; however, through the use of legitimate processes and outside trusted sources, Astaroth was able to negate those defensive measures. Understanding these types of threat actor Tactics, Techniques, and Procedures (TTPs) can help fine-tune the security stack to defend against them. Technology can empower an end user to protect against this type of attack, but education will make them confident in doing so.


Appendix 

ATR ID: 28320 


hxxps://morning-cherry-481e[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqya[.]jpg[.]zip 

hxxps://morning-cherry-481e[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqyg[.]gif[.]zip 

hxxps://morning-cherry-481e[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqyb[.]jpg[.]zip 

hxxps://morning-cherry-481e[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqyxa[.]gif[.]zip 

hxxps://morning-cherry-481e[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqyc[.]jpg[.]zip 

hxxps://nameless-field-4aaf[.]ligasppk[.]workers[.]dev/?06/daffsyshqyb[.]jpg[.]zip 

hxxps://nameless-field-4aaf[.]ligasppk[.]workers[.]dev/?06/daffsyshqygx[.]gif[.]zip 

hxxps://nameless-field-4aaf[.]ligasppk[.]workers[.]dev/?06/daffsyshqyxb[.]gif[.]zip 

hxxps://nameless-field-4aaf[.]ligasppk[.]workers[.]dev/?06/daffsyshqyc[.]jpg[.]zip 

hxxps://nameless-field-4aaf[.]ligasppk[.]workers[.]dev/?06/daffsyshqydx[.]gif[.]zip 

hxxps://nameless-field-4aaf[.]ligasppk[.]workers[.]dev/?06/daffsyshqya[.]jpg[.]zip 

hxxps://nameless-field-4aaf[.]ligasppk[.]workers[.]dev/?06/daffsyshqyxa[.]gif[.]zip 

hxxps://nameless-field-4aaf[.]ligasppk[.]workers[.]dev/?06/daffsyshqydwwn[.]gif[.]zip 

hxxps://nameless-field-4aaf[.]ligasppk[.]workers[.]dev/?06/daffsyshqyg[.]gif[.]zip 

hxxps://old-limit-a6af[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqyg[.]gif[.]zip 

hxxps://old-limit-a6af[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqydx[.]gif[.]zip 

hxxps://old-limit-a6af[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqyxa[.]gif[.]zip 

hxxps://old-limit-a6af[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqyc[.]jpg[.]zip 

hxxps://old-limit-a6af[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqya[.]jpg[.]zip 

hxxps://old-limit-a6af[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqyxb[.]gif[.]zip 

hxxps://old-limit-a6af[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqyb[.]jpg[.]zip 

hxxps://old-limit-a6af[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqygx[.]gif[.]zip 

hxxps://old-limit-a6af[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqydwwn[.]gif[.]zip 

hxxps://old-surf-9b33[.]ligasppk[.]workers[.]dev/?06/daffsyshqya[.]jpg[.]zip 

hxxps://old-surf-9b33[.]ligasppk[.]workers[.]dev/?06/daffsyshqyb[.]jpg[.]zip 

hxxps://old-surf-9b33[.]ligasppk[.]workers[.]dev/?06/daffsyshqyc[.]jpg[.]zip 

hxxps://old-surf-9b33[.]ligasppk[.]workers[.]dev/?06/daffsyshqydwwn[.]gif[.]zip 

hxxps://old-surf-9b33[.]ligasppk[.]workers[.]dev/?06/daffsyshqydx[.]gif[.]zip 

hxxps://old-surf-9b33[.]ligasppk[.]workers[.]dev/?06/daffsyshqyg[.]gif[.]zip 

hxxps://old-surf-9b33[.]ligasppk[.]workers[.]dev/?06/daffsyshqygx[.]gif[.]zip 

hxxps://old-surf-9b33[.]ligasppk[.]workers[.]dev/?06/daffsyshqyxa[.]gif[.]zip 

hxxps://old-surf-9b33[.]ligasppk[.]workers[.]dev/?06/daffsyshqyxb[.]gif[.]zip 

hxxps://polished-bread-7459[.]number2one78jure[.]workers[.]dev/ 

hxxps://proud-violet-18c3[.]ligasppk[.]workers[.]dev/?06/daffsyshqyc[.]jpg[.]zip 

hxxps://proud-violet-18c3[.]ligasppk[.]workers[.]dev/?06/daffsyshqyb[.]jpg[.]zip 

hxxps://proud-violet-18c3[.]ligasppk[.]workers[.]dev/?06/daffsyshqydwwn[.]gif[.]zip 

hxxps://proud-violet-18c3[.]ligasppk[.]workers[.]dev/?06/daffsyshqygx[.]gif[.]zip 

hxxps://proud-violet-18c3[.]ligasppk[.]workers[.]dev/?06/daffsyshqyxa[.]gif[.]zip 

hxxps://proud-violet-18c3[.]ligasppk[.]workers[.]dev/?06/daffsyshqya[.]jpg[.]zip 

hxxps://proud-violet-18c3[.]ligasppk[.]workers[.]dev/?06/daffsyshqyxb[.]gif[.]zip 

hxxps://proud-violet-18c3[.]ligasppk[.]workers[.]dev/?06/daffsyshqyg[.]gif[.]zip 

hxxps://proud-violet-18c3[.]ligasppk[.]workers[.]dev/?06/daffsyshqydx[.]gif[.]zip 

hxxps://rapid-sea-58cf[.]number2one78jure[.]workers[.]dev/ 

hxxps://rough-sunset-da24[.]number2one78jure[.]workers[.]dev/ 

hxxps://royal-haze-b4bb[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqyxb[.]gif[.]zip 

hxxps://royal-haze-b4bb[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqyc[.]jpg[.]zip 

hxxps://royal-haze-b4bb[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqygx[.]gif[.]zip 

hxxps://royal-haze-b4bb[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqydx[.]gif[.]zip 

hxxps://royal-haze-b4bb[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqydwwn[.]gif[.]zip 

hxxps://royal-haze-b4bb[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqyb[.]jpg[.]zip 

hxxps://royal-haze-b4bb[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqya[.]jpg[.]zip 

hxxps://royal-haze-b4bb[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqyxa[.]gif[.]zip 

hxxps://royal-haze-b4bb[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqyg[.]gif[.]zip 

hxxps://small-glade-1d16[.]number2one78jure[.]workers[.]dev/ 

hxxps://small-tooth-1089[.]ligasppk[.]workers[.]dev/?06/daffsyshqygx[.]gif[.]zip 

hxxps://small-tooth-1089[.]ligasppk[.]workers[.]dev/?06/daffsyshqydwwn[.]gif[.]zip 

hxxps://small-tooth-1089[.]ligasppk[.]workers[.]dev/?06/daffsyshqyg[.]gif[.]zip 

hxxps://small-tooth-1089[.]ligasppk[.]workers[.]dev/?06/daffsyshqyxb[.]gif[.]zip 

hxxps://small-tooth-1089[.]ligasppk[.]workers[.]dev/?06/daffsyshqyxa[.]gif[.]zip 

hxxps://small-tooth-1089[.]ligasppk[.]workers[.]dev/?06/daffsyshqyc[.]jpg[.]zip 

hxxps://small-tooth-1089[.]ligasppk[.]workers[.]dev/?06/daffsyshqyb[.]jpg[.]zip 

hxxps://small-tooth-1089[.]ligasppk[.]workers[.]dev/?06/daffsyshqya[.]jpg[.]zip 

hxxps://small-tooth-1089[.]ligasppk[.]workers[.]dev/?06/daffsyshqydx[.]gif[.]zip 

hxxps://tight-fire-750f[.]number2one78jure[.]workers[.]dev/ 

hxxps://tight-rice-f842[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqyg[.]gif[.]zip 

hxxps://tight-rice-f842[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqyxa[.]gif[.]zip 

hxxps://tight-rice-f842[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqydx[.]gif[.]zip 

hxxps://tight-rice-f842[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqyc[.]jpg[.]zip 

hxxps://tight-rice-f842[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqygx[.]gif[.]zip 

hxxps://tight-rice-f842[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqyb[.]jpg[.]zip 

hxxps://tight-rice-f842[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqya[.]jpg[.]zip 

hxxps://tight-rice-f842[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqyxb[.]gif[.]zip 

hxxps://tight-rice-f842[.]hipertowsa2jkil7[.]workers[.]dev/?09/daffsyshqydwwn[.]gif[.]zip 

hxxps://twilight-voice-28c6[.]number2one78jure[.]workers[.]dev/ 

hxxps://wandering-tooth-730c[.]ligasppk[.]workers[.]dev/?06/daffsyshqya[.]jpg[.]zip 

hxxps://wandering-tooth-730c[.]ligasppk[.]workers[.]dev/?06/daffsyshqyxa[.]gif[.]zip 

hxxps://wandering-tooth-730c[.]ligasppk[.]workers[.]dev/?06/daffsyshqyg[.]gif[.]zip 

hxxps://wandering-tooth-730c[.]ligasppk[.]workers[.]dev/?06/daffsyshqydx[.]gif[.]zip 

hxxps://wandering-tooth-730c[.]ligasppk[.]workers[.]dev/?06/daffsyshqyxb[.]gif[.]zip 

hxxps://wandering-tooth-730c[.]ligasppk[.]workers[.]dev/?06/daffsyshqyc[.]jpg[.]zip 

hxxps://wandering-tooth-730c[.]ligasppk[.]workers[.]dev/?06/daffsyshqygx[.]gif[.]zip 

hxxps://wandering-tooth-730c[.]ligasppk[.]workers[.]dev/?06/daffsyshqyb[.]jpg[.]zip 

hxxps://wandering-tooth-730c[.]ligasppk[.]workers[.]dev/?06/daffsyshqydwwn[.]gif[.]zip 

hxxps://www[.]facebook[.]com/permalink[.]php?story_fbid=107771317241483 

hxxps://www[.]facebook[.]com/permalink[.]php?story_fbid=108724057145111 

hxxps://www[.]youtube[.]com/channel/UC_eGbnxTGKLBkncM6-xgXEQ/about 

hxxps://www[.]youtube[.]com/channel/UCRvJAUYS4X3cjswXzdizM7w/about 

hxxps://www[.]youtube[.]com/channel/UCWMRA17ykEduy3PYSLJ7qUQ/about 

 

File   MD5 Hash Value 
06  dac44bfad9f76ba6dbdc2e5753b45ace 
09  ba048536df48d7e9dd893a6a03ef2241 
Casa&Show_Convite-16478.doc.htm.zip  19260462563234466f017056f6a206a4 
Casa&Show_Convite-24434.doc.htm.zip  02b9550e9530552f0291e018248616e3 
Casa&Show_Convite-28353.doc.htm.zip  b939510a06297f7df415da4969ad370f 
Convite-16478.doc.htm  1b4ba6193c41c002ca01b79be6b4bf58 
Convite-24434.doc.htm  b958cc34580f88a85ec213710096b3f2 
Convite-28353.doc.htm  fd5a66109a47f6f8e2ddccd18dff90ac 
Convite-Especial_450.lnk  c240f95d98b9a9c7013568bf82f82200 
Convite-Especial_450.zip  a4c9f257b3e59da8b2fcf0d8cea55c5a 
Convite-Especial_500.lnk  0ef2370581573a7dd04600957e1bf5f1 
Convite-Especial_500.zip  f71b63d22f4bab20aab0c9393857f665 
Convite-Especial_600.lnk  451dcb3829434c1e2f12bf894a8f2793 
Convite-Especial_600.zip  68b9e1a6ced7762ceb77f28632f0c462 
daffsyshqy64a.dll  6ddf3a891ea9f3cc96cf04c6a06f8176 
daffsyshqy64b.dll  a8eb5f30af5632b86f61b82d32b39dca 
daffsyshqy64.dll  14ffd7f15426f44f2f6cca63c1f3074b 
daffsyshqya.jpg  57bbfb7dfbd710aaef209bff71b08a32 
daffsyshqyb.jpg  f2cf0bc2a11c62afa0fd80a3e8cd704d 
daffsyshqyc.jpg  1f2204f86817402088d4cb8337bfbccc 
daffsyshqydwwn.gif  d0b486f131c70cf18b1e51651fa3667b 
daffsyshqydx.gif  e1762709a530f79365e53339c3f5a92c 
daffsyshqyg.gif  d2fb935b6a5ca8d61f27198eea7a3ad5 
daffsyshqygx.gif  7443bbbf9b2f02c68573f2788208f9b3 
daffsyshqyxa.~  95b4897223c0220a71f8b7db8d26b96f 
daffsyshqyxb.~  a75137f66c218886d6cd44f6efa703bf 
Departamento_Fiscal.170.lnk  f47531b59187ec87dcac80383fb43a32 
Departamento_Fiscal.170.zip  8c39a5cbacf24535d83c116eb680cb08 
Departamento_Fiscal.300.lnk  9db1833a686fea058b12bb050ec71d15 
Departamento_Fiscal.300.zip  3cfdeede42ce9a35009ab8755860ce97 
Departamento_Fiscal.490.lnk  1fda7ca3dca57d1eee0007695af6c36d 
Departamento_Fiscal.490.zip  7f01a1f829a1c514fcf372a5fed4852b 
Departamento_Fiscal.580.lnk  a9939044af4b9886ed5fc570bef357d7 
Departamento_Fiscal.580.zip  c0bbbc27ed84ffb2066f4fd53f66fb8f 
Departamento_Fiscal.700.lnk  8d6379a39692ace24ec6232e333733ca 
Departamento_Fiscal.700.zip  cb67c6e585b5ed0ffa8d6a1da0f50f6d 
FISCAL_ELETRONICA.htm  356f364e63d1cb900f4210497c006592 
FISCAL_ELETRONICA.htm  be34918b1b4f68885f12cfe79d79eaed 
FISCAL_ELETRONICA.htm  1b2fbd4b8e0fc09f18e385f3e99c7c18 
FISCAL_ELETRONICA.htm  8d5ac61b30c704f18131afe16c6a931d 
FISCAL_ELETRONICA.htm  0c8c016e42cde175761ef1ccf5f49393 
l0hdOOY.js  de057b5a7518f0117a884b0393cb24f8 
mozcrt19.dll  14ffd7f15426f44f2f6cca63c1f3074b 
mozsqlite3.dll  14ffd7f15426f44f2f6cca63c1f3074b 
NOTA_FISCAL_ELETRONICA.htm.zip  e36ae691fc76dd3afdab86f120ef45f0 
NOTA_FISCAL_ELETRONICA.htm.zip  9f20b09dd004fffb3bd440f1a69ff7e2 
NOTA_FISCAL_ELETRONICA.htm.zip  bde41fa97144ef74be6ae129aa699f9f 
NOTA_FISCAL_ELETRONICA.htm.zip  2159653ee0374fa4a157ba98ecd6dfe3 
NOTA_FISCAL_ELETRONICA.htm.zip  74e9ee1b315b4bbe2f393eb434d282e8 
Processo_0339688.htm  1b99d7c6ba70f5b51d29aa7138871de3 
Processo_0339688.htm.zip  9bf29a680a7ccdcf08539cc0334d3bf0 
Processo_0743333.htm  07eb7252072a9a367952e11e91099aba 
Processo_0743333.htm.zip  676752b756d6b549ba70bfd78453df75 
Processo_3585524.htm  14c345a7b0832d978b0bfc1a41936cce 
Processo_3585524.htm.zip  99716f3749772b55a7a2337aa9c2ceae 
Processo_4520552.htm  552c4f4606586020e649e608a9635283 
Processo_4520552.htm.zip  b3e3cc3fc712b4e3bc0513e15da49fb7 
Processo_5451802.htm  71c2dd1749b8b6424ae33fc742d8b979 
Processo_5451802.htm.zip  95bb9a288c45ba4192c4c206a153898f 
Processo_5574567.htm  d1a5c070a423d13a9f9a7a6c30290b96 
Processo_5574567.htm.zip  e829f09c42e9866027de2ba5ff37b42b 
Processo_5583423.htm  0c6bcf42b7eea1c88f501e7d27bd635a 
Processo_5583423.htm.zip  4459af875005925cc214699ea65e433a 
Processo_8457803.htm  a62c73c1a6ffc93300ecd3417682caaa 
Processo_8457803.htm.zip  4459af875005925cc214699ea65e433a 
Processo_8538828.htm  2b3cd62a7e1ffb67a2412045ff3175a5 
Processo_8538828.htm.zip  a68847e5fa17cf6500fc2cc1bb9ad606 
Processo_Judicial_Eletronico.130.lnk  11f473c93a505d0be9b2bbe2261f6891 
Processo_Judicial_Eletronico.130.zip  eca6717f16ce755254f39c1ff9175c62 
Processo_Judicial_Eletronico.150.lnk  cf333b6d6f5b22f41c685d7fce1ed30e 
Processo_Judicial_Eletronico.150.zip  d623289773b08bddf4cb05b4c2155779 
Processo_Judicial_Eletronico.30.lnk  cf9599ed5188bf857d325a383492230b 
Processo_Judicial_Eletronico.30.zip  9986df584fbc379e71c94462f680435b 
Processo_Judicial_Eletronico.310.lnk  b6f0527fe826a1c367f9385e6097284d 
Processo_Judicial_Eletronico.310.zip  fee203eea24f9a647a7feb7c194cd36d 
Processo_Judicial_Eletronico.420.lnk  6bd1f103d08fd98d16346ef53a1bec9c 
Processo_Judicial_Eletronico.420.zip  deb93d749ae8027263432e40be98fc22 
Processo_Judicial_Eletronico.480.lnk  b7901d33364a4734b9c02b6083ef3f7f 
Processo_Judicial_Eletronico.480.zip  e38239422342eb717bcaccd3dc2c3c8e 
Processo_Judicial_Eletronico.740.lnk  7479929ccaa6c4a7b4e3e68eeac1668f 
Processo_Judicial_Eletronico.740.zip  5cff755c3bd694d8927d6ceb6bee3e0b 
Processo_Judicial_Eletronico.750.lnk  4f82854519cd2f6bdd77dd43bd8f7605 
Processo_Judicial_Eletronico.750.zip  17f2e35d0e108c0a70325450c25bd57e 

 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.

Advanced Phishing Campaign Delivers Quasar RAT

Cofense IntelligenceTM has uncovered an advanced campaign that uses multiple anti-analysis methods to deliver Quasar Remote Access Tool (RAT). A phishing email poses as a job seeker and uses the unsophisticated ploy of an attached resume to deliver the malware. Quasar RAT is freely available as an open-source tool on public repositories and provides a number of capabilities. The ‘.doc’ attachment that distributes Quasar RAT is the part organizations find harder to detect, because the document employs a multitude of measures to deter detection. Such methods include password protection—which is a built-in feature of Microsoft Word—and encoded macros. Along with automated tools, educating employees on new phishing trends is the best way of countering a campaign such as this.

Figure 1: Original Email

Technical Findings

The initial email used to deliver this malware, seen in Figure 1, uses a relatively common “resume” theme with an attached document. As previously mentioned, Quasar RAT is not particularly unusual or advanced compared to other toolkits. A US-CERT report states that Quasar RAT “has been observed being used maliciously by Advanced Persistent Threat (APT) actors to facilitate network exploitation”; however, Quasar is also “a publicly available, open-source RAT” and can be found on GitHub. Since the tool is easily accessible, attributing the activity to a specific threat actor is tedious at best.

The malicious attachment used by this campaign employs counter-detection measures to reach the end user. Even if the email is marked as being suspicious, the attachment may be treated as legitimate and delivered. Despite a simplistic and apparent first stage delivery, threat actors took advantage of increasingly sophisticated methods to increase the difficulty of analysis and delay detection. This delay can provide threat actors with enough time to gather information and potentially install additional, more subtle, malware before being detected or removed.

The first stage of evasion used by the document in this campaign is simple password protection. A password of “123” is not particularly inventive, but to an automated system that processes attachments separately from emails it means that the document is opened and no malicious activity is recorded, because the system has not determined either that a password is needed or what the password is. Sufficiently advanced systems should still be able to guess a password of “123”; however, this only opens the document and does not necessarily trigger malicious activity. The resulting prompt is shown in Figure 2.

Figure 2: Request to enable macros

If an analyst or automated system were then to attempt to analyze the macros using an analysis tool (such as the popular tool ‘olevba’ by Philippe Lagadec), the script would fail and potentially crash from using too much memory when it attempted to analyze the macro. This is likely an intentional effect by the threat actor in the form of more than 1200 lines of garbage code that appears to be base64 encoded. Forcing the script to attempt to decode the garbage strings causes, in all likelihood, a crash due to the magnitude of decoding required. An example of some of these garbage strings is shown in Figure 3.

Figure 3: Example of the fake encoded strings

If those strings are not decoded or the process decoding them has enough resources allocated, the resulting content still lacks the all-important payload URL. Instead, partial strings and filler text give some semblance of legitimacy. Portions of the payload URL, as well as additional information, are in fact hidden as meta-data for embedded images and objects, as shown in Figure 4.

Figure 4: Script content in the meta-data of a form object
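The memory-exhaustion trick described above is a reminder that analysis tooling has to bound the work an attacker-controlled document can make it do. The Python below is an added illustration of that defensive design, not code from the Cofense write-up and not part of olevba: it scans macro text for base64-looking runs under hard caps on the number of candidates examined, the length of any single run and the total number of characters decoded, and it reports only candidates that decode to mostly printable text. The "macro" it runs on is constructed inline (1500 junk blobs around one placeholder string); the thresholds are illustrative assumptions.

```python
import base64
import binascii
import random
import re
import string

# A run of base64 alphabet characters at least 40 chars long; shorter runs are
# rarely worth decoding and mostly produce noise.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
PRINTABLE = set(string.printable.encode())


def looks_like_text(raw: bytes, min_ratio: float = 0.9) -> bool:
    """True if at least min_ratio of the decoded bytes are printable ASCII."""
    if not raw:
        return False
    return sum(b in PRINTABLE for b in raw) / len(raw) >= min_ratio


def bounded_b64_scan(text: str, max_candidates: int = 500,
                     max_run_len: int = 64 * 1024, decode_budget: int = 1 << 20) -> dict:
    """Scan text for base64-looking runs without letting the input dictate our memory use.

    - at most max_candidates runs are examined; the rest are counted, not decoded
    - runs longer than max_run_len (or the remaining budget) are skipped outright
    - decode_budget bounds the total number of base64 characters actually decoded
    Returns decoded strings that look like text plus counters for what was skipped.
    """
    found, junk, oversized, unexamined, examined = [], 0, 0, 0, 0
    for match in B64_RUN.finditer(text):
        if examined >= max_candidates:
            unexamined += 1
            continue
        examined += 1
        run = match.group(0)
        if len(run) > max_run_len or len(run) > decode_budget:
            oversized += 1
            continue
        try:
            raw = base64.b64decode(run, validate=True)
        except (binascii.Error, ValueError):
            junk += 1
            continue
        decode_budget -= len(run)
        if looks_like_text(raw):
            found.append(raw.decode("ascii", "replace"))
        else:
            junk += 1
    return {"text": found, "junk": junk, "oversized": oversized, "unexamined": unexamined}


def build_noisy_macro(junk_count: int = 1500, seed: int = 7) -> str:
    """Constructed stand-in for a macro padded with fake encoded strings:
    junk_count base64 blobs of random bytes around one placeholder 'real' string."""
    rng = random.Random(seed)
    lines = []
    for i in range(junk_count):
        blob = base64.b64encode(rng.randbytes(rng.randint(45, 90))).decode()
        lines.append(f'x{i} = "{blob}"')
    real = base64.b64encode(b"placeholder-string-that-a-real-macro-would-hide").decode()
    lines.insert(junk_count // 2, f'y = "{real}"')
    return "\n".join(lines)
```

With the default cap of 500 candidates the placeholder string in the middle of the constructed macro is not reached and the scanner says so in `unexamined`; raising the cap finds it while the 1500 random blobs are still counted as junk rather than surfaced. The point is that the caps are explicit and reported, so an analyst knows when a document has exceeded them instead of watching the tool crash.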

Other script content bears essential information within its comments. Below, you can see evidence that this macro may originate from a template or guide. Here, some of the commentary relates to whether the operating system is Windows or Mac.

Figure 5: Commentary included in the script

Embedded comments describe the usage of a shelled application and the startup process. If the macro is successfully run, it will display a series of images claiming to be loading content while repeatedly adding a garbage string to the document contents. It will then show an error message while downloading and running a malicious executable in the background.

The last significant step the threat actors take to avoid discovery is to download a Microsoft self-extracting executable. This executable then unpacks a Quasar RAT binary that is 401MB. The technical maximum file upload size for the popular malware information sharing website, VirusTotal, is 550 MB. However, the commonly used public methods of submission, email and API, are set to 32MB maximum, with special circumstances for API submission going up to 200MB. By using an artificially large file size the threat actors make sharing information difficult while also causing problems for automated platforms that attempt to statically analyze the content.
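An inflated binary of this kind usually owes its size to a long tail of filler, so a cheap triage step is to measure how much of the file is low-entropy padding before deciding how to share or analyze it. The following Python is an added example of that check, not code from Cofense or from any analysis platform: it walks the file backwards in blocks, counts blocks whose Shannon entropy is near zero as padding, and reports the file's effective size. The sample it runs on is constructed inline (pseudo-random bytes followed by a single-byte fill) and the thresholds in `is_inflated` are illustrative assumptions.

```python
import math
import random
from collections import Counter


def block_entropy(block: bytes) -> float:
    """Shannon entropy of a block in bits per byte; a single repeated byte scores 0.0."""
    if not block:
        return 0.0
    n = len(block)
    return -sum((c / n) * math.log2(c / n) for c in Counter(block).values())


def trailing_padding(data: bytes, block_size: int = 4096, max_entropy: float = 0.5) -> int:
    """Count trailing bytes that look like filler.

    Blocks are examined from the end of the file backwards and count as padding
    while their entropy stays below max_entropy; the scan stops at the first
    block that carries real content, so only the tail is ever read.
    """
    padded, end = 0, len(data)
    while end > 0:
        start = max(0, end - block_size)
        if block_entropy(data[start:end]) > max_entropy:
            break
        padded += end - start
        end = start
    return padded


def padding_report(data: bytes, block_size: int = 4096) -> dict:
    """Summarise how much of a sample is padding and how big it 'really' is."""
    pad = trailing_padding(data, block_size)
    total = len(data)
    return {
        "total_bytes": total,
        "padding_bytes": pad,
        "effective_bytes": total - pad,
        "padding_ratio": (pad / total) if total else 0.0,
    }


def is_inflated(data: bytes, min_padding: int = 1 << 20, min_ratio: float = 0.5) -> bool:
    """Triage rule (thresholds are assumptions): flag a sample whose tail is at least
    min_padding bytes of filler making up at least min_ratio of the whole file."""
    report = padding_report(data)
    return report["padding_bytes"] >= min_padding and report["padding_ratio"] >= min_ratio


def build_sample(content_len: int = 16 * 1024, pad_len: int = 256 * 1024,
                 fill: bytes = b"\x00", seed: int = 1234) -> bytes:
    """Constructed stand-in for an inflated binary: pseudo-random 'code' followed by
    pad_len bytes of one filler byte. It is not a real executable."""
    rng = random.Random(seed)
    return b"MZ" + rng.randbytes(content_len - 2) + fill * pad_len
```

Legitimate executables also end in zero-filled regions from time to time, so the report is a triage signal that tells you what the effective size is and whether a trimmed copy would fit a sharing limit, not a verdict on its own. The entropy test catches any single-byte fill (zeros, 0x41, and so on), but padding made of repeating multi-byte junk would need a compression-ratio check instead.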

Table 1: Malware Artifacts

Filename MD5
0.doc 1d7328b01845117ca2220d8f5e725617
Period1.exe 15dbb457466567bfeaad1d5c88f4ebfe
Uni.exe e7bcec4d736a6553b4366b0273aaf6f8

Table 2: Network IOCs

IOC
hxxp://1xv4[.]com/due[.]exe
toptoptop1[.]online
toptoptop1[.]site

 

Yara Rule:

rule PM_Intel_Quasar_27476
{
    strings:
        $message_lede = "the password is " nocase
        $attachment = /[0-9]{1,3}\.doc/ nocase
        $subject = /subject:\s*attached resume/ nocase
    condition:
        all of them
}

 

HOW COFENSE CAN HELP

89% of phishing threats delivering malware payloads analyzed by the Cofense Phishing Defense CenterTM bypassed email gateways. Condition users to be resilient to evolving phishing attacks with Cofense PhishMeTM and remove the blind spot with Cofense ReporterTM.  Cofense PhishMe offers a phishing scenario, “Password-Protected Resume – Office Macro / Monero / Smoke Loader,” to help users recognize the phish described in today’s blog.

Quickly turn user reported emails into actionable intelligence with Cofense TriageTM. Reduce exposure time by rapidly quarantining threats with Cofense VisionTM.

Easily consume phishing-specific threat intelligence to proactively defend your organization against evolving threats with Cofense IntelligenceTM.

New Phishing Campaign Bypasses Microsoft ATP to Deliver Adwind to Utilities Industry

The CofenseTM Phishing Defense CenterTM has observed a new phishing campaign that spoofs a PDF attachment to deliver the notorious Adwind malware. This campaign was found explicitly in national grid utilities infrastructure. Adwind, aka JRAT or SockRat, is sold as a malware-as-a-service where users can purchase access to the software for a small subscription-based fee.

The malware boasts the following features:

  • Takes screen shots
  • Harvests credentials from Chrome, IE and Edge
  • Accesses the webcam, records video and takes photos
  • Records audio from the microphone
  • Transfers files
  • Collects general system and user information
  • Steals VPN certificates
  • Serves as a keylogger

Email Body

Fig 1. Email Body

This email comes from a hijacked account at Friary Shoes. Also note the web address for Fletcher Specs, whose domain threat actors are abusing to host the malware.

The email body is simple and to the point: “Attached is a copy of our remittance advice which you are required to sign and return.” At the top of the email is an embedded image which is meant to look like a PDF file attachment but is in fact a .jpg file with an embedded hyperlink. When victims click on the attachment, they are brought to the infection URL hxxps://fletcherspecs[.]co[.]uk/ where the initial payload is downloaded.

Fig 2. Payload 

The initial payload is in the form of a .JAR file named “Scan050819.pdf_obf.jar.” Note that the attacker has attempted to make the file appear as if it were a PDF by obfuscating the file’s true extension.

Fig 3. Running processes

Once the JAR is executed, two java.exe processes are created which load two separate .class files. JRAT then beacons out to its command and control server: hxxp://ns1648[.]ztomy[.]com

Fig 4. C2 Traffic

Adwind installs its dependencies and harvested information in C:\Users\Byte\AppData\Local\Temp\. Here we can see the two class files the java.exe process has loaded, along with registry key entries and several .dlls:

Fig 5. Additional dependencies and artifacts

The malware also attempts to circumvent analysis and avoid detection by using taskkill.exe to disable popular analysis tools and antivirus software. If we take a closer look at the registry entries file, we see that the malware looks for popular antivirus and malware analysis tools.

Fig 6. Anti-Analysis
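Adwind's use of taskkill.exe against analysis and antivirus tooling is the kind of behaviour that process-creation telemetry catches well. The Python below is an added detection example, not code from Cofense or from any product: it parses constructed process-creation records, flags taskkill.exe runs whose /IM targets are on a watchlist of security and analysis tools, and raises a lower-severity alert for any taskkill.exe spawned by java.exe, since Adwind runs inside the Java runtime. The `key=value|key=value` log format, the sample events and the watchlist are all assumptions made for the example; real Sysmon or EDR telemetry would be parsed from its own format.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Illustrative watchlist (an assumption for this example): analysis and security
# tool image names that no "remittance advice" should ever be terminating.
WATCHED_IMAGES = {
    "procmon.exe", "procexp.exe", "wireshark.exe", "x64dbg.exe",
    "fiddler.exe", "msmpeng.exe", "autoruns.exe",
}

# taskkill targets processes by image name with /IM <name>; capture each one.
TASKKILL_TARGET = re.compile(r'/im\s+"?([^\s"]+)"?', re.IGNORECASE)


@dataclass
class Alert:
    timestamp: str
    severity: str
    reason: str
    targets: list


def parse_event(line: str) -> dict:
    """Parse one constructed 'key=value|key=value' process-creation record."""
    return dict(field.split("=", 1) for field in line.strip().split("|"))


def basename(path: str) -> str:
    """Lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def check_event(event: dict) -> Optional[Alert]:
    """Flag taskkill.exe executions that target watched tools or come from a Java parent."""
    if basename(event.get("Image", "")) != "taskkill.exe":
        return None
    targets = [t.lower() for t in TASKKILL_TARGET.findall(event.get("CommandLine", ""))]
    hits = sorted(t for t in targets if t in WATCHED_IMAGES)
    parent = basename(event.get("ParentImage", ""))
    if hits:
        return Alert(event["ts"], "high", "taskkill against security/analysis tooling", hits)
    if parent == "java.exe":
        # Adwind runs inside java.exe, so a Java process spawning taskkill at all is
        # worth a look even when the target is not on the watchlist.
        return Alert(event["ts"], "medium", "taskkill spawned by java.exe", targets)
    return None


def scan_log(log: str) -> list:
    """Run check_event over every non-empty line and keep the alerts."""
    events = (parse_event(line) for line in log.splitlines() if line.strip())
    return [alert for alert in map(check_event, events) if alert]


# Constructed sample telemetry, not captured from the campaign.
SAMPLE_LOG = r"""
ts=2019-08-05T10:01:02Z|Image=C:\Windows\System32\taskkill.exe|ParentImage=C:\Program Files\Java\jre\bin\java.exe|CommandLine=taskkill /IM procmon.exe /F
ts=2019-08-05T10:01:03Z|Image=C:\Windows\System32\taskkill.exe|ParentImage=C:\Windows\explorer.exe|CommandLine=taskkill /IM notepad.exe
ts=2019-08-05T10:01:04Z|Image=C:\Windows\System32\taskkill.exe|ParentImage=C:\Program Files\Java\jre\bin\java.exe|CommandLine=taskkill /F /IM wireshark.exe /IM x64dbg.exe
ts=2019-08-05T10:01:05Z|Image=C:\Windows\System32\taskkill.exe|ParentImage=C:\Program Files\Java\jre\bin\java.exe|CommandLine=taskkill /PID 4242
ts=2019-08-05T10:01:06Z|Image=C:\Windows\System32\notepad.exe|ParentImage=C:\Windows\explorer.exe|CommandLine=notepad.exe resume.txt
"""
```

Over the constructed log the rule produces two high-severity alerts (the procmon and wireshark/x64dbg kills) and one medium alert for the `/PID` kill from java.exe, while the user killing notepad.exe from Explorer is left alone. Tuning the parent-process condition to the Java installations your environment actually has is what keeps the medium rule from firing on legitimate Java applications.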

Indicators of Compromise (IOCs):

Malicious File(s):

File Name: Scan050819.pdf_obf.jar

MD5: 6b94046ac3ade886488881521bfce90f

SHA256: b9cb86ae6a0691859a921e093b4d3349a3d8f452f5776b250b6ee938f4a8cba2

File size: 634,529 bytes (619K)


File Name: _0.116187311888071087770622558430261020.class

MD5: 781fb531354d6f291f1ccab48da6d39f

SHA256: 97d585b6aff62fb4e43e7e6a5f816dcd7a14be11a88b109a9ba9e8cd4c456eb9

File size: 247,088 bytes (241K)    


File Name: _0.40308597817769314486921725080498503.class

MD5: 781fb531354d6f291f1ccab48da6d39f

SHA256: 97d585b6aff62fb4e43e7e6a5f816dcd7a14be11a88b109a9ba9e8cd4c456eb9

File size: 247,088 bytes (241K)


File Name: gCMmWntWwp7328181049172078943.reg

MD5: 7f97f5f336944d427c03cc730c636b8f

SHA256: 9613caed306e9a267c62c56506985ef99ea2bee6e11afc185b8133dda37cbc57

File size: 27,926 bytes (27K)


File Name: Windows3382130663692717257.dll

MD5: 0b7b52302c8c5df59d960dd97e3abdaf

SHA256: a6be5be2d16a24430c795faa7ab7cc7826ed24d6d4bc74ad33da5c2ed0c793d0

File size: 46,592 bytes (45K)


File Name: sqlite-3.8.11.2-fd78b49b-d887-492e-8419-acb9dd4e311c-sqlitejdbc.dll

MD5: a4e510d903f05892d77741c5f4d95b5d

SHA256: a3fbdf4fbdf56ac6a2ebeb4c131c5682f2e2eadabc758cfe645989c311648506

File size: 695,808 bytes (679K)


File Name: Windows8838144181261500314.dll

MD5: c17b03d5a1f0dc6581344fd3d67d7be1

SHA256: 1afb6ab4b5be19d0197bcb76c3b150153955ae569cfe18b8e40b74b97ccd9c3d

File size: 39,424 bytes (38K)

 

Malicious URL(s):

hxxps://fletcherspecs[.]co[.]uk/

hxxp://ns1648[.]ztomy[.]com

 

Associated IP(s):

109[.]203[.]124[.]231

194[.]5[.]97[.]28

 

HOW COFENSE CAN HELP

89% of phishing threats delivering malware payloads analysed by the Cofense Phishing Defense Center bypassed secure email gateways. Condition users to be resilient to evolving phishing attacks with Cofense PhishMeTM. It offers a phishing simulation, “Remittance Advice – Adwind,” to educate users on the attack described in today’s blog.

Remove the blind spot with Cofense ReporterTM—give users a one-click tool to report suspicious messages, alerting security teams to potential threats.

Quickly turn user reported emails into actionable intelligence with Cofense TriageTM. Reduce exposure time by rapidly quarantining threats with Cofense VisionTM.

Easily consume phishing-specific threat intelligence to proactively defend your organisation against evolving threats with Cofense IntelligenceTM.

Thanks to our unique perspective, no one knows more about REAL phishing threats than Cofense. To understand current threats, read the 2019 Phishing Threat & Malware Review.

 


TrickBot Adds ‘Cookie Grabber’ Information Stealing Module

Cofense Intelligence™ has identified a new credential information stealing module for the TrickBot banking trojan being used to gather web browser cookie data. Previous versions of TrickBot allowed for minimal web browser data theft; however, this ability was within the main functionality of the trojan platform and not a stand-alone module as it is now. This new module, dubbed ‘Cookie Grabber,’ has an added feature that allows for further control and manipulation of the victim’s host.

TrickBot is a modular banking trojan that targets financial information within an infected host. The threat actors behind TrickBot are always re-tooling and adapting to threat mitigation controls. By moving the web browser credential harvesting feature to a standalone module, threat actors trim down their initial footprint of infection. This adaption allows for fewer detections and the ability to download specific modules for better results after the infected host has been fingerprinted.

Safeguarding against this attack requires educating users about the importance of not saving credentials in the browser. For protection against other attacks, use technology to limit the number of times this type of payload gets to end users and educate them on the impacts these executables can have.

Technical Findings

The ‘Cookie Grabber’ module is downloaded in the same fashion as the other modules used by TrickBot. This module’s stark difference is the ability to parse through web browser databases locally to extract the targeted information. The module is placed within the %APPDATA%/Roaming directory with the other downloaded modules, all of which include ‘cookiesDll64’ in the naming convention.

This information stealing module targets Firefox, Chrome, and Internet Explorer web browsers. With Internet Explorer, the module targets the text files that store browser cookie information located within the user profile directories, as shown in Figure 1 (Appendix A). Additionally, it targets Firefox and Chrome cookie information that is housed within a SQLite database on the local host. The ‘Cookie Grabber’ module appears to have pre-defined SQL queries to gather the targeted information from both Firefox and Chrome. This module also makes use of a SQLite 3 embedded engine to allow for further database manipulation from the threat actor.

Once the infection has taken hold on the victim’s machine and the modules have been downloaded, decoded, and injected into svchost.exe, the sample then attempts to exfiltrate the gathered information using two HTTP POST commands.

  • The first HTTP POST is a form-data content-type to the Command and Control (C2) server containing other credentials harvested outside of the web browsers. Appended to the C2 URL is a unique string identifier containing host fingerprint information. This POST contains two distinct sections of information, one is the harvested credentials, the other is the source of the credentials. Figure 2 (Appendix B) shows the first HTTP POST to the C2 and contains FTP credentials gathered from the legitimate application, WinSCP.
  • The second HTTP POST to the C2, shown in Figure 3 (Appendix B), has a different User-Agent string, which has changed from a legitimate value to ‘dpost.’ The dpost value comes from the name of the configuration file used and serves as an identifying marker for TrickBot’s network traffic while it exfiltrates the data. The destination port has also changed from 80 to 8082. This second HTTP POST includes the harvested web browser information, which is base64 encoded. The encoded information appears to contain the user profile name, the browser the information was harvested from, the URL, user name, password, time last used, and time created. These values are separated by a pipe (‘|’) and resemble the format below:

‘User Profile | Web Browser | URL | User Name | Password | Timestamp | Timestamp |/’

Each record collected by TrickBot and exfiltrated through the HTTP POST is separated by a forward slash (‘/’) character. In both HTTP POSTs, the C2 server was named ‘Cowboy’ and replied with an HTTP 200 OK containing a small text response of ‘/1/’. Figure 2 (Appendix B) shows the first HTTP POST to the C2, while Figure 3 (Appendix B) shows the second HTTP POST to the same C2. Notice the User-Agent value differences as well as the base64 encoded data strings within the second HTTP POST.
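For an incident responder the two useful outcomes of the description above are spotting the second POST on the wire and working out which accounts were in it. The Python below is an added example of both, not code from Cofense: it flags a request on the ‘dpost’ User-Agent or the 8082 destination port, base64-decodes the body, and splits it into records and fields using the format shown above. It splits records on the ‘|/’ terminator rather than on a bare ‘/’, because the URL field itself contains slashes. The `Request` type and the two captured-looking requests are constructed for the example, and stolen passwords are replaced by their length so the parsed output can be handled without spreading the secret.

```python
import base64
import binascii
from dataclasses import dataclass
from typing import List, Optional

FIELD_NAMES = ["profile", "browser", "url", "username", "password",
               "time_last_used", "time_created"]
RECORD_END = "|/"  # each record ends with '|/' in the format quoted above


@dataclass
class Request:
    """Minimal stand-in for a captured HTTP request (constructed for this example)."""
    dst_port: int
    headers: dict
    body: bytes


def is_dpost_exfil(req: Request) -> bool:
    """Network indicators from the write-up: the 'dpost' User-Agent and/or port 8082."""
    return req.headers.get("User-Agent", "") == "dpost" or req.dst_port == 8082


def parse_records(decoded: str) -> List[dict]:
    """Split the decoded body on the '|/' record terminator (not on a bare '/',
    which would cut through the URL field) and then into pipe-separated fields."""
    records = []
    for chunk in decoded.split(RECORD_END):
        if not chunk.strip():
            continue
        fields = [f.strip() for f in chunk.split("|")]
        if len(fields) != len(FIELD_NAMES):
            continue  # malformed or truncated record; skip rather than guess
        rec = dict(zip(FIELD_NAMES, fields))
        # Keep the fact that a password was stolen, not the secret itself.
        rec["password"] = "<redacted:%d chars>" % len(rec["password"])
        records.append(rec)
    return records


def extract_exfil(req: Request) -> Optional[List[dict]]:
    """None when the request does not match the indicators; otherwise the parsed records."""
    if not is_dpost_exfil(req):
        return None
    try:
        decoded = base64.b64decode(req.body, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return []  # matched the indicators but the body is not base64
    return parse_records(decoded)


def build_samples():
    """Two constructed requests resembling the pair described above: a form-data upload on
    port 80 with an ordinary User-Agent, and the dpost-style base64 body on port 8082."""
    stolen = (
        "user1|Chrome|https://mail.example.invalid/login|alice|hunter2|1565000000|1560000000|/"
        "user1|Firefox|https://bank.example.invalid/|bob|correcthorse|1565000100|1559000000|/"
    )
    first = Request(80, {"User-Agent": "Mozilla/5.0 (constructed)",
                         "Content-Type": "multipart/form-data; boundary=xyz"},
                    b"--xyz\r\nContent-Disposition: form-data; name=\"data\"\r\n\r\n...")
    second = Request(8082, {"User-Agent": "dpost", "Content-Type": "text/plain"},
                     base64.b64encode(stolen.encode()))
    return first, second
```

Note that the first POST is not matched: it keeps a legitimate User-Agent and port 80, which is exactly why the write-up points at the User-Agent and port change of the second one. Detection of the first request has to come from elsewhere, for example the form-data body or the fingerprint string appended to the C2 URL.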

Recommendation:

CofenseTM encourages organizations to train users to be cautious in clicking links or opening attachments that could lead to harmful malware being installed on their machine. It’s also important to encourage users to report a suspicious message even if they clicked on the link or opened the attachment as malware can still get installed in the background.

The appendices below contain figures related to this sample of TrickBot. For more information please contact Intelligence@Cofense.com.

Appendix A:

Figure 1: Locations that ‘Cookie Grabber’ searched for Internet Explorer cookies

Appendix B:

Figure 2: The First HTTP POST to the C2 containing gathered non-web browser related credentials

Figure 3: The second HTTP POST to the C2 containing the base64 encoded credential strings

HOW COFENSE CAN HELP

89% of phishing threats delivering malware payloads analyzed by the Cofense Phishing Defense CenterTM bypassed email gateways. Condition users to be resilient to evolving phishing attacks with Cofense PhishMeTM and remove the blind spot with Cofense ReporterTM.

Quickly turn user reported emails into actionable intelligence with Cofense TriageTM. Reduce exposure time by rapidly quarantining threats with Cofense VisionTM.

Consume phishing-specific threat intelligence to proactively defend your organization against evolving threats with Cofense IntelligenceTM.

Thanks to our unique perspective, no one knows more about REAL phishing threats than Cofense. Understand the evolving landscape—read the 2019 Phishing Threat & Malware Review.

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.

Cofense Labs Shares Research on Massive Sextortion Campaign

Are you one in two hundred (or so) million?  

Today, CofenseTM announced the launch of Cofense Labs. Our experts are sharing the details of some deep research into the inner workings of a large-scale sextortion campaign that to date has over 200m recipients in its sights – and you might be one of them.  

What’s Sextortion? 

You may be lucky enough to have not encountered the threatening narrative of a sextortion email. If so, the threat actor’s M.O. is typically this: 

Send an email in which they claim to have installed malware on your system and have a record of your browsing history to some websites of an adult nature, and also footage from your webcam. If you don’t pay the stated ransom in bitcoin, they will release the footage to your family, friends, and co-workers. To add credibility to their threats, they include passwords hoovered up from data breaches of old that they have found littering the web.  

Show me the money! 

During the research into this campaign, Cofense Labs identified over 200m recipients on the target list. Over 7.8m sextortion emails have been analysed and bitcoin payments have been tracked. In this single campaign, over 17,000 bitcoin wallets were identified, with 1,265 payments being made across 321 of them, with one payment = one victim. At the time of analysis, these payments were worth over $1.8m.   

We have made it possible for you to check whether your email address, or email domain, is on the list. Just visit https://cofense.com/sextortion to perform the lookup and download an infographic and educational guide regarding sextortion campaigns and how to defend against them. 

Why Cofense Labs? 

Knowing is everything, and to be able to effectively defend against the fast-evolving phishing threat landscape, you’ve got to have a deep understanding of it. Cofense Labs allows us to share the results and the output of the pioneering research that our R&D team undertakes to provide this knowledge. By sharing what we know, we can hopefully enable organizations of all sizes to collaborate and protect their most precious assets against the latest phishing threats. 

If you’re at Black Hat in Las Vegas this week, come and see us at Booth 938 in the Shoreline Business Hall. You can meet members of the Cofense Labs team, and see whether your email address or domain is on the target list. 

OTHER WAYS COFENSE CAN HELP

Reports of sextortion and other ransom scams to the Cofense Phishing Defense CenterTM are increasing. Condition users to be resilient to evolving phishing attacks with Cofense PhishMeTM and remove the blind spot with Cofense ReporterTM. 

Quickly turn user reported emails into actionable intelligence with Cofense TriageTM. Reduce exposure time by rapidly quarantining threats with Cofense VisionTM.

Attackers do their research. Every SaaS platform you use is an opportunity for attackers to exploit it. Understand what SaaS applications are configured for your domains – do YOUR research with Cofense CloudSeekerTM. 

Thanks to our unique perspective, no one knows more about REAL phishing threats than Cofense. To understand them better, read the 2019 Phishing Threat & Malware Review. 

Threat Actors Subscribe To Patches

Cofense IntelligenceTM has analyzed a relatively new malware known as Alpha Keylogger, which appears to be part of a growing trend among threat actors to use subscription-based malware that doesn’t deliver on its original promises. Part of the reason behind this trend is that threat actors are more frequently releasing malware builders that are incomplete and still under development, then charging users a subscription fee to have the builder updated with a “patch.” This practice has become increasingly common with enterprise software as well as video games, so it is not surprising to see the trend in the criminal underworld. The patching subscription model may be a burden to some enterprise environments, but its underworld equivalent is a significant boon to law enforcement and network defenders. Personnel tasked with combating nefarious software can leverage the patching and licensing mechanisms of subscription-based malware to track down distributors.  

The Reasons Behind The Model 

Much like with legitimate software, threat actors decide what malware to buy based on several factors including the reviews, price, type (such as a keylogger or a Remote Access Tool (RAT)), developer, and marketing. However, to make money in this competitive environment, malware developers need to take different approaches, such as: 

  • Sell the product for much less than similar malware. 
  • Give the product away. While this strategy may appear to be a good deal, malware developers have been known to include a back door enabling them to steal their “customer’s” stolen data.  
  • Base the new malware on a pre-existing and well-known malware, such as WSH RAT. As discussed in a previous CofenseTM report, the developers of this RAT billed it as a “new” RAT with advanced features and offered it at a starting subscription price of only $50 per month. However, in reality, WSH RAT wasn’t new at all and was a variant of the pre-existing and long-lived Houdini Worm with some minor feature improvements. 
  • Focus on spending heavily on marketing. While concentrating on marketing can be profitable, it is likely the reason that some malware perceived as the “next big threat” disappears shortly after making headlines – probably because the budget was spent mainly on marketing rather than development.  

Possibly taking a lesson from legitimate software companies and the frequent failure of the options mentioned above, more and more malware developers have started to adopt the patching subscription model. This model allows them to take the middle road, charging relatively smaller subscriptions (in the case of Alpha Keylogger, $13 per month) while claiming to deliver more and being able to delay feature release.  

The glut of available products, however, often leads malware developers to over-promise on features, for which they then must include at least a basic test or stub in their code. Expedited or rushed releases of the software lead to buggy code, in turn hurting the credibility of malware authors. For instance, Alpha Keylogger claims to have a suite of features including the ability to exfiltrate data over email, FTP, or via the API of the messaging company Telegram. In practice, customers (threat actors) can choose FTP or email, and the keylogger will still attempt to exfiltrate information via the Telegram API even when the configuration data is blank. This attempt creates a distinct and recognizable HTTPS request on infected machines; it does not successfully exfiltrate data, but it can be used to help identify this malware in network traffic. 

Why Network Defenders Like Updates 

The “bug” in Alpha Keylogger that causes extraneous network traffic could allow network defenders to look for such malformed URLs as signs of malicious activity despite the involvement of a legitimate domain. Even intentional updates on the part of malware developers can assist network defenders. An example of this is when the Geodo/Emotet botnet began distributing a new module. The nature of this deployment allowed Cofense to correctly assess and prepare for the delivery of more sophisticated phishing emails. If the changes had been made by a new family of malware rather than as part of an update that Cofense was looking for, it would have been more challenging to prepare. 
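
The point made above, that a legitimate domain is not a clean bill of health when the request to it is malformed, can be turned into a simple detection over proxy logs. The following is an added example and not code from the Cofense report. The report says only that the keylogger emits a distinct, failing HTTPS request to the Telegram API when its configuration is blank; that a blank configuration leaves the token segment of the URL path empty is this example's assumption, and the token shape it checks (‘<digits>:<secret>’) follows the public Telegram Bot API documentation. The log format and log lines are constructed. The check generalizes beyond the one case in the text: any bot API call whose token slot is empty or does not fit the documented shape is flagged, and repeat offenders per internal host are counted.

```python
"""Flag bot-API requests with an empty or malformed token path (added example).

Not code from the Cofense report. Proxy log lines are constructed.
Assumption: a blank configuration yields a path like '/bot/sendDocument';
the token shape below follows the public Telegram Bot API docs.
"""
import re
from collections import Counter
from typing import Dict, List, Optional

WATCHED_HOST = "api.telegram.org"  # legitimate domain; the signal is the broken path

# Bot API paths look like /bot<token>/<method>; capture whatever sits in the token slot.
BOT_PATH = re.compile(r"^/bot(?P<token>[^/]*)/(?P<method>[A-Za-z]+)$")
# Plausible token: numeric bot id, colon, long alphanumeric secret.
TOKEN_OK = re.compile(r"^\d+:[A-Za-z0-9_-]{30,}$")

# Constructed log format: <ts> <client> <host> "<method> <path>" <status>
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<host>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)" (?P<status>\d{3})$'
)


def classify_path(path: str) -> str:
    """'not_bot_api', 'well_formed', or 'malformed_token' (empty or bad token)."""
    m = BOT_PATH.match(path)
    if m is None:
        return "not_bot_api"
    return "well_formed" if TOKEN_OK.match(m.group("token")) else "malformed_token"


def parse_line(line: str) -> Optional[Dict[str, str]]:
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def find_suspects(lines: List[str]) -> List[Dict[str, str]]:
    """Requests to the watched host whose token slot is empty or malformed."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["host"] != WATCHED_HOST:
            continue
        if classify_path(rec["path"]) == "malformed_token":
            rec["reason"] = "bot API call with empty or malformed token"
            hits.append(rec)
    return hits


def suspect_hosts(lines: List[str]) -> Dict[str, int]:
    """Hits per internal client; a host repeating this pattern is worth a look."""
    return dict(Counter(h["src"] for h in find_suspects(lines)))


SAMPLE_LOG = [  # constructed; the 404s mirror the report's failing requests
    '2019-07-30T10:01:02Z 10.0.0.5 api.telegram.org "POST /bot/sendDocument" 404',
    '2019-07-30T10:02:00Z 10.0.0.7 api.telegram.org '
    '"POST /bot123456789:CONSTRUCTEDTOKEN_0123456789abcdef/sendMessage" 200',
    '2019-07-30T10:03:11Z 10.0.0.9 www.example.test "GET /index.html" 200',
    '2019-07-30T10:04:00Z 10.0.0.5 api.telegram.org "POST /bot/sendMessage" 404',
]

if __name__ == "__main__":
    for h in find_suspects(SAMPLE_LOG):
        print(h["ts"], h["src"], h["path"], h["reason"])
```

The well-formed request from 10.0.0.7 is left alone on purpose: blocking or alerting on the domain itself would drown the signal in legitimate bot traffic, whereas the empty token slot is specific to a misconfigured client.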

Why Law Enforcement Likes Licensing 

The bugs and hints provided via malware updates are helpful to network defenders, but the licensing system behind these updates can be even more useful to law enforcement. Many RATs store the license key of the individual that purchased the malware builder as a registry entry on infected computers. Depending on the method used to obtain this license key, the payment information may be associated with the key even if it is not directly associated with the individual who purchased the key. Subsequently, a receipt of some sort may be sent to an account that is accessed by the threat actor who bought the license key. Under the right circumstances, a license key saved as a registry entry on a victim’s computer could be linked with a receipt in a threat actor’s inbox, attributing them to the attack. Law enforcement organizations could then build a case using this link and additional information, such as the IP address used to access the inbox. 

Applicability In Enterprise Environments 

Organizations with enterprise-scale infrastructure often encounter “shadow IT” software or malware applications that can be difficult to spot and eradicate. The licensing mechanisms found in subscription-based malware—to include potential receipts in email—can be used by threat hunters to identify insider threats. Organizations impacted by malware akin to Alpha Keylogger can weed out further infections by leveraging incident response tools and YARA rules (such as the ones provided by Cofense IntelligenceTM) which inspect registry keys. Furthermore, the potential for attribution and legal action against a threat actor through license tracking provides large corporations with enhanced defensive capabilities. 

Table 1: Malware Artifacts 

Filename              MD5
Company Profile.doc   b46396f32742da9162300efc1820abb3
bukak.exe             3ceb85bcd9d123fc0d75aefade801568

Table 2: Network IOCs 

IOC 
biz[@]Bootglobal[.]com 
kamonubilel[@]gmail[.]com 
hxxp://ktkingtiger[.]com/bukak[.]exe 

HOW COFENSE CAN HELP 

Cofense Intelligence processes and analyzes millions of emails and malware samples each day, providing a view of emerging phishing and malware threats. 

The Cofense Phishing Defense CenterTM identifies active phishing attacks in enterprise environments. Learn how our dedicated experts provide actionable intelligence to stop phishing threats. 

Condition end users to be resilient to ransomware and other attacks with Cofense PhishMeTM.  It includes a variety of ransomware templates to help users recognize the threat. Empower users to report phishing emails with one click using Cofense ReporterTM. 

Quickly turn user reported emails into actionable intelligence with Cofense TriageTM. Reduce exposure time by rapidly quarantining threats with Cofense VisionTM. 

Attackers do their research. Every SaaS platform you use is an opportunity for attackers to exploit it. Understand what SaaS applications are configured for your domains—do YOUR research with Cofense CloudSeekerTM. 

Thanks to our unique perspective, no one knows more about current REAL phishing threats than Cofense. To raise your understanding, read the 2019 Phishing Threat & Malware Review. 

Ransomware: A Mid-Year Summary

By Alan Rainer

Recently, ransomware has given off the appearance of widespread destruction and rampant use. 2019 alone has seen headlines such as “Florida City Agrees to Pay Hackers $600,000” and “Baltimore City Operations Impaired by Cyber Criminals.” Yet, despite the resurgence of large-impact headlines, phishing campaigns have delivered less ransomware overall since 2016, per Cofense analytics. The decline in Ransomware-as-a-Service (RaaS) operations demonstrates an impact on threat actor ransomware activity. Attackers find that emerging protection technology, improved law enforcement tracking of cryptocurrency payments, systems patching, and costly infrastructure upkeep all pose a deterrent to broad-spectrum targeting.

Ransomware Is Down Holistically, But Targeted Infections Are Up

Threat actors find that targeted ransomware attacks against high-value victims can be accomplished with greater efficiency, enabled by other malware families such as Emotet/Geodo. These secondary malware families provide an effective attack vector that increases the success of phishing attempts and targeted ransomware campaigns. Emotet—an email-borne Trojan which actors use to install other nefarious tools—has gone offline with no activity since June 2019. If the Trojan were to resurface, we assess that threat actors could rather easily carry out more email ransomware attacks on a broader scope. Without the efficiency provided by Emotet or even a Ransomware-as-a-Service such as GandCrab (which has supposedly shut down permanently), targeted infections continue to be the more lucrative option for ransomware operators.

Recent headlines have drawn attention to exceptionally costly targeted ransomware attacks against local US governments, healthcare services, and the transportation sector. Also spurring great debate: cyber insurance companies are recommending payment of ransom and are directly contributing to those payments as part of their insurance coverage. Taking this into account—along with the hefty price tags associated with the recovery costs of cities who have not elected to pay the ransom, such as Atlanta and Baltimore—Cofense Intelligence™ assesses this could lead to an uptick in ransom payments and further embolden an increase in targeted ransomware campaigns.

Only last week, the cyber insurer of La Porte County in Indiana contributed $100,000 toward a Bitcoin ransom demand worth the equivalent of $130,000. The firm advised La Porte County to pay the threat actors, who infected local networks using the Ryuk ransomware. Similar stories have emerged across the United States. What remains to be seen is how effective recovery is following payment. Often, decryption is not as immediate or successful as ransomware operators would have their victims believe.

Will Cyber Insurance Create New Targets?

It makes sense that organizations seek indemnity to protect their financial portfolios. But while everyday scams or fraud occur in a traditional insurance setting, cyber criminals may look to specifically target insured organizations for a guaranteed return in the future. Cyber insurance companies known to pay out ransom could present a surefire target for actors.

Regardless of targeting potential, all organizations should engage in appropriate planning and preparation with defense technology and user awareness. Threat intelligence will help to ensure that your organization’s defense is as proactive as possible. Educating and enabling your users to identify and report phishing messages ensures preparedness at every line of defense. As an industry leader in phishing defense solutions, CofenseTM provides security professionals with tools and skills to combat email-borne threats, so that you can defend against even those threats that bypass your perimeter technologies and reach user inboxes. Only by stepping up our collective defense will we reduce the efficacy and proliferation of ransomware campaigns for good.

More Ways Cofense Can Help

Cofense IntelligenceTM processes and analyzes millions of emails and malware samples each day, providing a view of emerging phishing and malware threats.

The Cofense Phishing Defense CenterTM identifies active phishing attacks in enterprise environments. Learn how our dedicated experts provide actionable intelligence to stop phishing threats.

Condition end users to be resilient to ransomware and other attacks with Cofense PhishMeTM.  It includes a variety of ransomware templates to help users recognize the threat. Empower users to report phishing emails with one click using Cofense ReporterTM.

Quickly turn user reported emails into actionable intelligence with Cofense TriageTM. Reduce exposure time by rapidly quarantining threats with Cofense VisionTM.

Attackers do their research. Every SaaS platform you use is an opportunity for attackers to exploit it. Understand what SaaS applications are configured for your domains—do YOUR research with Cofense CloudSeeker.

Thanks to our unique perspective, no one knows more about current REAL phishing threats than Cofense. To raise your understanding, read the 2019 Phishing Threat & Malware Review.
