Geodo Malware Targets Patriots with Phishing Attack on Eve of American Independence Day Holiday

By Brendan Griffin and Max Gannon

A classic phishing technique is to time attacks to coincide with major holidays and other global and regional events. One example of this scenario is a phishing attack captured by Cofense Intelligence™ on July 3, 2018, that delivered the Geodo botnet malware. In this attack the threat actor appeals to recipients’ sense of patriotism around the Fourth of July holiday. The messages remind the recipient of the sacrifices of American service members as part of a narrative designed to entice victims to click on a link to view an Independence Day-themed greeting card. Clicking the link instead delivers a Microsoft Word document equipped with macro scripting designed to download and run the Geodo malware.

Figure 1 – Invitations for victims to view online greetings are more commonly associated with major holidays.

Geodo is financial crimes malware that, once running in the victim’s environment, establishes a connection to one of its many command and control locations to report the newly infected machine. Geodo is tasked with exfiltrating sensitive information from the victim’s machine and reports that information back to the threat actors via its command and control location. The malware also includes worming functionality that generates new phishing emails to propagate additional infections.

Holidays and global events always make for popular phishing lures, as threat actors are eager to take advantage of the spirited celebration (and any eagerness to check those final emails quickly to get out of the office and on the road for your neighborhood BBQ)! Users should be wary of holiday-themed emails and report any suspicious messages. Celebrate responsibly and contribute to your network defense!

Cofense Intelligence customers can access the full report and analysis of this attack as Threat ID 12171.

IOCs:

Payload delivery URLs:
hxxp://www[.]msuniversal[.]com[.]au/Greeting-Cards/
hxxp://www[.]lbbsport[.]pl/Izmqs/
hxxp://www[.]isaac[.]samjoemmy[.]com/H9TF8/
hxxp://www[.]hzwtdjd[.]com/Greeting-ECard-2018/
hxxp://www[.]huiduo021[.]com/4th-July-2018/
hxxp://www[.]electrocad[.]in/4qTumjs/
hxxp://www[.]efmj-eg[.]org/CdwOm/
hxxp://www[.]dmcmax[.]com/Wishes/
hxxp://www[.]audity[.]mx/Greeting-eCard/
hxxp://www[.]abilitymep[.]ae/mXss/

Command and control URLs:
hxxp://96[.]94[.]189[.]133:8080/
hxxp://74[.]79[.]26[.]193:990/
hxxp://24[.]173[.]127[.]246:443/
hxxp://178[.]21[.]113[.]145:4143/

IP addresses:
96[.]94[.]189[.]133
74[.]79[.]26[.]193
24[.]173[.]127[.]246
190[.]181[.]223[.]173
178[.]21[.]113[.]145
12[.]182[.]146[.]226
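As an added example (not code from the Cofense post), the following Python script shows one way a defender can put the indicator list above to work: it refangs the published IOCs, splits them into URL, hostname and IP sets, and checks web-proxy log lines against them. The key=value log format and the sample log lines are constructed for this example; the indicator values are copied from the list above. URL indicators are treated as prefixes, since the published values are directories rather than specific files.

```python
"""Match web-proxy log lines against the defanged Geodo IOCs from the post."""
import ipaddress
import re
from urllib.parse import urlsplit

# Indicators as published above, in defanged form (copied, not invented).
DEFANGED_IOCS = [
    "hxxp://www[.]msuniversal[.]com[.]au/Greeting-Cards/",
    "hxxp://www[.]lbbsport[.]pl/Izmqs/",
    "hxxp://www[.]isaac[.]samjoemmy[.]com/H9TF8/",
    "hxxp://www[.]hzwtdjd[.]com/Greeting-ECard-2018/",
    "hxxp://www[.]huiduo021[.]com/4th-July-2018/",
    "hxxp://www[.]electrocad[.]in/4qTumjs/",
    "hxxp://www[.]efmj-eg[.]org/CdwOm/",
    "hxxp://www[.]dmcmax[.]com/Wishes/",
    "hxxp://www[.]audity[.]mx/Greeting-eCard/",
    "hxxp://www[.]abilitymep[.]ae/mXss/",
    "hxxp://96[.]94[.]189[.]133:8080/",
    "hxxp://74[.]79[.]26[.]193:990/",
    "hxxp://24[.]173[.]127[.]246:443/",
    "hxxp://178[.]21[.]113[.]145:4143/",
    "96[.]94[.]189[.]133",
    "74[.]79[.]26[.]193",
    "24[.]173[.]127[.]246",
    "190[.]181[.]223[.]173",
    "178[.]21[.]113[.]145",
    "12[.]182[.]146[.]226",
]

# Constructed proxy log lines in an assumed key=value format (not real traffic).
SAMPLE_LOG = [
    "ts=2018-07-03T14:02:11Z src=10.0.0.12 dst=www.msuniversal.com.au "
    "url=http://www.msuniversal.com.au/Greeting-Cards/ status=200",
    "ts=2018-07-03T14:02:19Z src=10.0.0.12 dst=74.79.26.193 dport=990 proto=tcp",
    "ts=2018-07-03T14:05:42Z src=10.0.0.33 dst=www.example.com "
    "url=https://www.example.com/ status=200",
    "ts=2018-07-03T14:07:01Z src=10.0.0.12 dst=190.181.223.173 dport=8080 proto=tcp",
]

LOG_FIELD = re.compile(r"(\w+)=(\S+)")


def refang(ioc: str) -> str:
    """Undo the hxxp:// and [.] defanging so the value can be compared to logs."""
    return (ioc.replace("hxxps://", "https://")
               .replace("hxxp://", "http://")
               .replace("[.]", "."))


def build_indicators(iocs):
    """Split the list into URL prefixes, hostnames and IP addresses.

    An IP that appears inside a URL is also added to the IP set, so a bare
    connection to that address (no URL logged) is still caught.
    """
    urls, hosts, ips = set(), set(), set()
    for raw in iocs:
        value = refang(raw.strip())
        if "://" in value:
            urls.add(value.lower())
            host = (urlsplit(value).hostname or "").lower()
        else:
            host = value.lower()
        try:
            ips.add(str(ipaddress.ip_address(host)))
        except ValueError:
            hosts.add(host)
    return urls, hosts, ips


def match_log_line(line: str, indicators):
    """Return (kind, indicator) for the first matching indicator, else None."""
    urls, hosts, ips = indicators
    fields = dict(LOG_FIELD.findall(line))
    url = fields.get("url", "").lower()
    if url:
        for known in urls:
            if url.startswith(known):       # directory indicators are prefixes
                return ("url", known)
    for candidate in ((urlsplit(url).hostname or "") if url else "",
                      fields.get("dst", "").lower()):
        if candidate in hosts:
            return ("host", candidate)
        if candidate in ips:
            return ("ip", candidate)
    return None


def scan(lines, indicators):
    """Return a list of (line_index, kind, indicator) for every matching line."""
    hits = []
    for index, line in enumerate(lines):
        hit = match_log_line(line, indicators)
        if hit:
            hits.append((index, hit[0], hit[1]))
    return hits


if __name__ == "__main__":
    for index, kind, value in scan(SAMPLE_LOG, build_indicators(DEFANGED_IOCS)):
        print(f"line {index}: matched {kind} indicator {value}")
```

The prefix match on URLs is deliberate: Geodo delivery URLs typically serve the document from within the listed directory, so an exact-string match on the directory alone would miss the actual download request. Hostname and IP matching fall back to the `dst` field so that command and control connections logged without a URL are still flagged.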
