Threat Report

Wednesday January 16th 2019

A lot has happened over the last week, so we have a bit more to cover than usual. The malspam campaigns are getting more creative than ever and some recent news about Ryuk ransomware attribution could have a big impact on your cyber insurance coverage.

Love-Letter malspammer, “always thinking about you”

With Valentine’s Day right around the corner, the “Love Letter” malspam campaign is using email subject lines engineered to tug at users’ heartstrings and lure them into infection with GandCrab ransomware, the XMRig miner, and the Phorpiex spambot. Here are some example subject lines:

  • This is my love letter to you
  • My love letter for you
  • Wrote the fantasy about us down
  • Always thinking about you

The campaign uses ZIP attachments containing a JavaScript file that runs a PowerShell command, which downloads an executable named “krablin.exe” from “slpsrgpsrhojifdij.ru”. Once executed, the malware copies itself to “%UserProfile%\[number]\winsvcs.exe”, then downloads five further malware samples to the infected machine and executes them. Users should be cautious with any email that pretends to come from a legitimate company or asks for personal information. The following indicators of compromise were released by BleepingComputer.

Hashes

32ee086fbc82ddd0675c0293656f813493ce6d96d02e0bcbeccee4d1a6adfb20
f4d3ba58e91dc95877ba13804df6fe307ef6efcef74d3a00792387625a624cf4
035ae8f389e0a4cb58428d892123bc3e3b646e4387c641e664c5552228087285
ba23af4480611fb19fad2cd83a41bd347d183e0ef8e1c5477916bebe32955d87
99fe714a365f8e4a74687592700b27f2016a59c7527b5d4ef7cfd97e63468349
27ac0e9011294c2152d224052280f7fa434df572809a6f96f9a306f3d5c965e3
99a1e83e77850b59995cdf29b61e9f29f9c38882363027668030df0a62059645
12e3038b2ed0663cba3c6a05ac0a27b61dce694dffc27aafb4cb3f2f229ff6b8
f3c369edc2ea96465c49a14f64bdce83c0a401e0ae12e809bced8f99b977c5dc
72429571f4ca62fceb5a4fc0a17a8f8ab88c1ed01b9d657f7e9778c7939cea06
4b9d5841d38b8658466dcaf409c34c0f6d2d1f9ecb64254391a4621465daf79b
0de30f9dbe37aea5932e5df85b4f1aa5cefe28f3bffb58d4d8ae40ccd040a4a7
4c0103c745fa6e173821035c304863d751bea9c073d19070d9ebf8685da95040
06e61032bccfe0ccd51ddbab480e1eb6392bccb318639ecac0092e96b9d794ad
b8bf5b607b305139db81c48e96010a67768488b01edc8c615306ed303c545b0d
056b7eb0c06645e1f51ed77f4fa18a4bed47135108371a84f0482f141ae0d769
9ff78056e225c08ef1f1ff71f305201387f3ec766c8727361851287a74de1f45
6ad3e68e2e8c5088bc8544bc230a2e333645d3c246ace772bf61f80cd0e93002
0a27af16b991cbe0f5445022cb1d752a9144abeede6b8de0055247e6fd6c1698
d189f44528dfa3f8dba2632ae26f564a37931cb89668d31402fc7fb05ae63c1a
cf9a20874089ec7aa1a84a27f74928c71266a684e7fee4c1ac8d37aaf57d6bf2
7818e108a16f096eb71feb564ce92095c4ac1e613933630169cc16606bb5f68d
c3683096f91b00dfe248e388b4302d5471fb090ab8092c96c991a467c26f26b0

Email Addresses

deanne11@5387.com
bob01@0437.com
teddy31@8038.com
deena49@1659.com
ted93@4302.com
bradford99@2804.com
imogene99@0354.com
imelda31@1529.com
taylor74@4656.com
teddy21@8381.com

IP Addresses

198.105.244.228
136.243.13.215
217.26.53.161
92.63.197.48
74.220.215.73
78.46.77.98
138.201.162.99

Domain

slpsrgpsrhojifdij[.]ru
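One way to put the indicators above to work is a sweep of existing telemetry (mail logs, proxy logs, file inventories) for the published hashes, senders, addresses, domain and subject lines. The script below is an added example, not code from the report or from BleepingComputer; the `key=value` log format, the sample log lines and the field names (`from`, `host`, `dst_ip`, `sha256`, `subject`) are constructed for illustration, and the hash set is a subset of the list above.

```python
"""
Sweep sample telemetry for the Love Letter campaign indicators listed in this
report. Added example (not code from the report); the log format is constructed.
"""
import shlex

# Indicators copied from the report above. The hash set is a subset; the rest
# of the published list can be pasted in the same way.
HASHES = {
    "32ee086fbc82ddd0675c0293656f813493ce6d96d02e0bcbeccee4d1a6adfb20",
    "f4d3ba58e91dc95877ba13804df6fe307ef6efcef74d3a00792387625a624cf4",
    "035ae8f389e0a4cb58428d892123bc3e3b646e4387c641e664c5552228087285",
}
SENDERS = {"deanne11@5387.com", "bob01@0437.com", "teddy31@8038.com"}
IPS = {"198.105.244.228", "136.243.13.215", "217.26.53.161", "92.63.197.48"}
DOMAINS = {"Slpsrgpsrhojifdij[.]ru"}   # defanged, exactly as published
SUBJECTS = {
    "this is my love letter to you",
    "my love letter for you",
    "wrote the fantasy about us down",
    "always thinking about you",
}


def refang(indicator: str) -> str:
    """Normalize a published indicator: undo '[.]' / '(.)' defanging, lower-case it."""
    return indicator.strip().replace("[.]", ".").replace("(.)", ".").lower()


def build_iocs() -> dict:
    """Indicator sets keyed by the (constructed) log field they are compared against."""
    return {
        "sha256": {refang(h) for h in HASHES},
        "from": {refang(s) for s in SENDERS},
        "dst_ip": set(IPS),
        "host": {refang(d) for d in DOMAINS},
        "subject": set(SUBJECTS),
    }


def parse_line(line: str) -> dict:
    """Parse a 'key=value key="quoted value"' log line into a dict of lower-cased values."""
    fields = {}
    for token in shlex.split(line):
        key, _, value = token.partition("=")
        fields[key] = value.lower()
    return fields


def host_matches(host: str, domains: set) -> bool:
    """True if host equals a listed domain or is a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)


def sweep(lines, iocs=None):
    """Return (line_number, field, value) for every indicator hit in the log lines."""
    iocs = iocs or build_iocs()
    hits = []
    for n, line in enumerate(lines, 1):
        rec = parse_line(line)
        for field, value in rec.items():
            if field == "host":
                if host_matches(value, iocs["host"]):
                    hits.append((n, field, value))
            elif field in iocs and value in iocs[field]:
                hits.append((n, field, value))
    return hits


# Constructed sample telemetry (not real logs): benign lines plus lines that
# should match the report's indicators.
SAMPLE_LOGS = [
    'ts=2019-01-14T09:01:00Z type=smtp from=alice@example.com subject="Q1 budget"',
    'ts=2019-01-14T09:02:10Z type=smtp from=Deanne11@5387.com subject="Always thinking about you"',
    'ts=2019-01-14T09:02:31Z type=proxy dst_ip=93.184.216.34 host=www.example.com',
    'ts=2019-01-14T09:02:45Z type=proxy dst_ip=92.63.197.48 host=cdn.slpsrgpsrhojifdij.ru',
    'ts=2019-01-14T09:03:02Z type=file path="C:/Users/bob/8841/winsvcs.exe" '
    'sha256=32EE086FBC82DDD0675C0293656F813493CE6D96D02E0BCBECCEE4D1A6ADFB20',
]

if __name__ == "__main__":
    for hit in sweep(SAMPLE_LOGS):
        print("HIT line %d: %s=%s" % hit)
```

Hashes and domains are compared case-insensitively and the domain check also catches subdomains, so `cdn.slpsrgpsrhojifdij.ru` is flagged even though only the apex is published; subject-line matches on their own are weak signals and are best treated as context for a sender or attachment hit rather than as an alert.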

Mjag pairs up with Punisher RAT

Security firm Zscaler released a report on a variant dubbed “Mjag dropper” that uses decoy documents to deliver a Remote Access Trojan (RAT). Mjag dropper is compiled for the Microsoft .NET framework and its original binary is obfuscated using SmartAssembly. Zscaler published its findings after detecting an infection cycle involving Punisher RAT. The RAT is publicly available and can be configured with a range of features: a password-stealing module, anti-task-manager, keylogging, persistence, a spreading vector, and AV checks. The following indicators of compromise were released with these findings.

Filename

NEFTIOBAN1830369427520181030ABBIdiaLtddt30102018_pdf.exe

Hash

0a459c18e3b8bdef87a6fb7ea860acdb

Domains

Chris101.ddns[.]net
tenau[.]pw

DarkHydrus grows back new heads in on-going Middle East campaign

The DarkHydrus campaign has reemerged and is targeting entities in the Middle East. 360 Threat Intelligence Center identified that the attackers use VBA macros in the dropper and DNS tunneling for C2 communication. The malware was uploaded to VirusTotal from Oman. The domains below mimic Microsoft, Akamai and other cloud service names.

Domains

data-microsoft.services
phicdn.world
akamai.agency
sharepoint.agency
nsatc.agency
akdns.live
akamaized.live
iecvlist-microsoft.live
trafficmanager.live
0ffice365.services
azureedge.today
microsoftonline.agency
hotmai1.com
skydrive.services
asimov-win-microsoft.services
akamaiedge.live
0nedrive.agency
skydrive.agency
akamaiedge.services
edgekey.live
corewindows.agency
akadns.live
t-msedge.world
cloudfronts.services
microsoftonline.services
onecs-live.services
onedrive.agency
0ffice365.life

Hash

513813af1590bc9edeb91845b454d42bbce6a5e2d43a9b0afa7692e4e500b4c8

IP Addresses

88.221.117.88
216.58.192.174
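Because DarkHydrus tunnels its C2 over DNS, the lookalike domains above are only half the detection story: a tunnel also leaves a recognizable query pattern (many queries to one domain, nearly every one with a distinct, long, high-entropy subdomain, often TXT records). The heuristic below is an added example, not code from 360 Threat Intelligence Center or from this report; the log format, the thresholds and the sample queries (which use `akamaized.live` from the list above with constructed payload labels) are assumptions, and the two-label registered-domain split stands in for a proper public suffix list.

```python
"""
Heuristic DNS-tunneling detector over constructed query logs. Added example;
thresholds, log format and sample data are assumptions made for illustration.
"""
import math
from collections import defaultdict

# Record types commonly abused to move bulk data over DNS (assumption).
SUSPECT_QTYPES = {"TXT", "NULL", "CNAME"}


def shannon_entropy(s: str) -> float:
    """Bits per character of s; encoded payload labels score high, words score low."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_qname(qname: str):
    """Return (subdomain, registered_domain). Assumes a two-label registered
    domain; a real deployment would consult the public suffix list."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 3:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def parse_dns_line(line: str) -> dict:
    """Constructed format: 'timestamp client qname qtype', whitespace-separated."""
    ts, client, qname, qtype = line.split()
    return {"ts": ts, "client": client, "qname": qname, "qtype": qtype.upper()}


def profile_domains(lines):
    """Aggregate, per registered domain, the features a tunnel leaves behind."""
    stats = defaultdict(lambda: {
        "queries": 0, "subdomains": set(), "suspect_qtype": 0,
        "entropy_sum": 0.0, "sub_len_sum": 0,
    })
    for line in lines:
        rec = parse_dns_line(line)
        sub, dom = split_qname(rec["qname"])
        s = stats[dom]
        s["queries"] += 1
        s["subdomains"].add(sub)
        s["suspect_qtype"] += rec["qtype"] in SUSPECT_QTYPES
        s["entropy_sum"] += shannon_entropy(sub.replace(".", ""))
        s["sub_len_sum"] += len(sub)
    return stats


def flag_tunnels(lines, min_queries=5, min_unique_ratio=0.8,
                 min_entropy=3.5, min_sub_len=30):
    """Return domains whose query pattern looks like tunneling: enough queries,
    almost all carrying distinct, long, high-entropy subdomains."""
    flagged = []
    for dom, s in profile_domains(lines).items():
        q = s["queries"]
        if q < min_queries:
            continue
        unique_ratio = len(s["subdomains"]) / q
        avg_entropy = s["entropy_sum"] / q
        avg_len = s["sub_len_sum"] / q
        if (unique_ratio >= min_unique_ratio and avg_entropy >= min_entropy
                and avg_len >= min_sub_len):
            flagged.append({
                "domain": dom, "queries": q,
                "unique_ratio": round(unique_ratio, 2),
                "avg_entropy": round(avg_entropy, 2),
                "suspect_qtype": s["suspect_qtype"],
            })
    return flagged


# Constructed payload-looking labels (not real C2 traffic).
TUNNEL_SUBS = [
    "a7f3k9q2x1m4z8b6.d5h2w9c3e1r7t4y6",
    "p2j8n4v0s6g1l3u9.k7b5d3f1h9m2q4w6",
    "x3c7e9r1t5y2u8i4.o6p0a2s4d6f8g1h3",
    "m1n5b9v3c7x2z6l0.k4j8h2g6f0d4s8a2",
    "z9y7x5w3v1u8t6s4.r2q0p9o7n5m3l1k8",
    "b4d8f2h6j0l4n8p2.r6t0v4x8z2a6c0e4",
]

# Constructed sample log: ordinary traffic to example.com, then tunnel-shaped
# TXT queries to akamaized.live, one of the domains listed in the report.
SAMPLE_DNS_LOG = [
    "2019-01-14T10:00:00Z 10.0.0.5 www.example.com A",
    "2019-01-14T10:00:01Z 10.0.0.5 mail.example.com A",
    "2019-01-14T10:00:02Z 10.0.0.7 www.example.com A",
    "2019-01-14T10:00:03Z 10.0.0.7 www.example.com AAAA",
    "2019-01-14T10:00:04Z 10.0.0.9 mail.example.com MX",
    "2019-01-14T10:00:05Z 10.0.0.9 api.example.com A",
] + ["2019-01-14T10:01:%02dZ 10.0.0.5 %s.akamaized.live TXT" % (i, sub)
     for i, sub in enumerate(TUNNEL_SUBS)]

if __name__ == "__main__":
    for f in flag_tunnels(SAMPLE_DNS_LOG):
        print(f)
```

Run against the sample, only `akamaized.live` is flagged: six queries, six distinct 33-character subdomains, average entropy above 4 bits per character and every query a TXT record, while `example.com` fails on the unique-subdomain ratio and label length. Large CDNs and some security products legitimately produce unique, long subdomains, so in production the entropy and length thresholds need tuning against a baseline and a whitelist of known services.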

Ryuk moves to Russia with Grim Spider

Multiple threat intelligence teams, including CrowdStrike, report that Ryuk ransomware is most likely the creation of Russian financially motivated cybercriminals, not North Korean state-sponsored attackers. The clarification came after several news outlets attributed a Ryuk ransomware infection targeting U.S. newspaper agencies to North Korean attackers. We have previously reported on Ryuk activities and the U.S. newspaper hack.

The ransomware was created by a threat actor that CrowdStrike calls Grim Spider, who allegedly bought a version of Hermes ransomware on an underground forum and modified it into Ryuk. The confusion likely stems from reports that North Korean state-sponsored actors infected the Far Eastern International Bank (FEIB) in Taiwan with Hermes ransomware in October 2017.

Researchers believe that the North Korean attackers purchased the same Hermes ransomware kit that Grim Spider did and deployed it on the bank’s network as a distraction, in an attempt to cover their tracks, and that there is no connection between North Korean state-sponsored attackers and the Ryuk strain. Researchers also note that multiple Ryuk victims were infected with TrickBot before Ryuk was deployed on their systems, and speculate that the attackers select machines already infected with TrickBot as Ryuk targets.

Since Ryuk’s appearance in August, threat actors have earned 705.80 Bitcoin across 52 transactions, for a current value of $3,701,893.98. The following indicators of compromise were released with these findings.

Hashes

78c6042067216a5d47f4a338dd951848b122bbcbcd3e61290b2f709543448d90
795db7bdad1befdd3ad942be79715f6b0c5083d859901b81657b590c9628790f
fe909d18cf0fde089594689f9a69fbc6d57b69291a09f3b9df1e9b1fb724222b
5e2c9ec5a108af92f177cabe23451d20e592ae54bb84265d1f972fcbd4f6a409
501e925e5de6c824b5eeccb3ccc5111cf6e312258c0877634935df06b9d0f8b9
ac648d11f695cf98993fa519803fa26cd43ec32a7a8713bfa34eb618659aff77

Insurance Group declines payout for Russian attributed ransomware

Bloomberg shared its findings with ZDNet after reporting a lawsuit filed by Mondelez against Zurich Insurance Group, seeking $100M in damages after an insurance claim for the NotPetya attack was not paid out. NotPetya is a type of ransomware similar to Petya. Researchers noted that the actors spread it using the much-discussed and long-patchable EternalBlue and EternalRomance exploits of yesteryear. (Yes, these attack vectors are still being exploited today.)

Once executed, the malware reboots the system and overwrites the master boot record (MBR) with a custom loader and a ransom note demanding $300 in Bitcoin. Researchers note that NotPetya impacted businesses worldwide, including TNT, Ukrainian banks, energy companies, airports, and shipping giant Maersk. Users and organizations should enforce strong security awareness, learn to recognize phishing attacks, exercise caution before clicking links, and deploy two-factor authentication to mitigate cyber attacks. No indicators of compromise were released with this report.

Zurich chose not to cough up the money, citing that NotPetya was a “hostile or warlike action in time of peace or war,” which voided the claim. The security industry will be following this case closely, as it may set precedent on this topic. With Ryuk’s move to Russia, will Tribune’s cyber insurance policy cover fallout from a Russian cyber cold war?

Which brings up a question for you: What would your cybersecurity insurer say if your organization suffers a ransomware attack? Now is a good time to open the discussion before an incident might occur.

After several cups of perch-olated coffee and a blood sacrifice, the Perch SOC successfully reviewed the activity and IOCs listed for each threat and found zero Perch customers affected or targeted by these active threats over the last 30 days.

Paul Scott
