Today, using the same methodology I typically use, I did a Google hunt: (site:cdn.shopify.com "free-template"). This often yields some results; it used to get more live results from (site:sites.google.com), but those seem to be dead lately.
I quickly found one called "Hole in One Certificate Template Free":
hxxps://cdn[.]shopify[.]com/s/files/1/0499/5570/0887/files/hole-in-one-certificate-template-free[.]pdf?v=1602361119
I notice that a lot of these, maybe all of them, have the pdf?v=[0-9] pattern, though this may simply be normal for PDFs hosted here.
I was hoping to find some new samples; many I've found lately were leading to the same EXE and, incidentally, the same DLL and C2.
Today, however, I found a new sample. It mostly runs the same, but this time the icon hash is no longer mimicking WinWord; it is mimicking an Adobe PDF icon. It still uses padding to pump up the file size, and it still drops obfuscated PowerShell and the solarmarker.dat file. So with that, here are the most recent indicators and hunting techniques.
Domains/Redirects:
porcheddie[.]site
leholmudicatu[.]tk
noetopespeti[.]tk
xanagungeantwerra[.]tk
pubpipetekbio[.]tk
tracesnovmusi[.]tk
alunflirastu[.]tk
anewexca[.]gq
diromgfx[.]com
main_icon_dhash:b2b29696969ef66a
signature:"Ahkaawari Conisumi Jp. Ltd.                                 "
main_icon_dhash:943a8c3333001100
64e378a0aebee41c5a438694fccc6188
f5f0ddaaa5eb7bfe910fd6f6f57c2ae3
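Two cheap triage checks for the dropper described above, added here as an illustration (this is not the post's own tooling): how much of a file is a single repeated byte appended to its end, which is what size padding usually looks like, and whether the code-signing subject name carries trailing whitespace, as the signature string in the indicators does. The sample bytes, the 50% padding threshold and the signer name are constructed for the example.

```python
"""Constructed triage heuristics for a size-padded, oddly signed dropper."""
from typing import Dict, Tuple


def trailing_run(data: bytes) -> Tuple[int, int]:
    """Return (byte_value, run_length) for the run of identical bytes that
    ends the file. Real executables rarely end in a huge run of one byte;
    a pumped dropper often does."""
    if not data:
        return (0, 0)
    last = data[-1]
    run = 0
    for b in reversed(data):
        if b != last:
            break
        run += 1
    return (last, run)


def padding_ratio(data: bytes) -> float:
    """Fraction of the whole file occupied by that trailing run."""
    if not data:
        return 0.0
    return trailing_run(data)[1] / len(data)


def signer_name_padded(subject: str) -> bool:
    """True when the signer name ends in whitespace, which is unusual for a
    legitimate certificate subject and matches the padded string above."""
    return subject != subject.rstrip()


def triage(data: bytes, subject: str, ratio_threshold: float = 0.5) -> Dict[str, object]:
    """Combine both checks into a small verdict dictionary.
    ratio_threshold (assumed, not from the post): share of the file that
    must be trailing padding before we call the size 'pumped'."""
    byte, run = trailing_run(data)
    ratio = padding_ratio(data)
    return {
        "trailing_byte": byte,
        "trailing_run": run,
        "padding_ratio": round(ratio, 3),
        "padded_size": ratio >= ratio_threshold,
        "padded_signer": signer_name_padded(subject),
    }


# Constructed samples: a small varied "body" followed by a large null pad
# (pumped) or by a few alignment bytes (normal).
SAMPLE_BODY = b"MZ" + bytes(range(256)) * 4      # 1026 bytes of varied content
SAMPLE_PUMPED = SAMPLE_BODY + b"\x00" * 9000     # padding dominates the file
SAMPLE_CLEAN = SAMPLE_BODY + b"\x00" * 16        # a little padding is normal
# Constructed signer name shaped like the padded one in the indicators.
SAMPLE_SUBJECT = "Example Padded Signer Ltd.            "

if __name__ == "__main__":
    print(triage(SAMPLE_PUMPED, SAMPLE_SUBJECT))
    print(triage(SAMPLE_CLEAN, "Example Clean Signer Ltd."))
```

The padding ratio alone is only a hint (installers with large overlays exist), so the verdict keeps both signals separate rather than collapsing them into one score.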
Interesting Strings From HTM Redirect:
Soft+ware+to++unble+
eval(function(h,u,n,t,e,r)
decodeURIComponent(escape(r)
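The indicators above turned into repeatable checks, as an added example rather than anything from the post: the Shopify CDN PDF URL shape, the redirect domains, and the obfuscator strings from the HTM redirect. The URL regex generalises the one observed path to any `/s/files/<digits>/.../files/<name>.pdf?v=<digits>` layout, which is my assumption about the CDN rather than something the post states; the lure words "template" and "free" come from the observed file name. The HTML page and the benign URLs used as input are constructed.

```python
"""Constructed indicator matching for the Shopify-CDN PDF lure chain."""
import re
from typing import Dict, List, Set


def refang(text: str) -> str:
    """Undo the usual analyst defanging so indicators match live data."""
    return text.replace("[.]", ".").replace("hxxp", "http")


# Redirect domains from the write-up, stored defanged and refanged on load.
REDIRECT_DOMAINS: Set[str] = {refang(d) for d in (
    "porcheddie[.]site", "leholmudicatu[.]tk", "noetopespeti[.]tk",
    "xanagungeantwerra[.]tk", "pubpipetekbio[.]tk", "tracesnovmusi[.]tk",
    "alunflirastu[.]tk", "anewexca[.]gq", "diromgfx[.]com",
)}

# Strings the write-up pulled from the HTM redirect page.
JS_MARKERS = (
    "eval(function(h,u,n,t,e,r)",
    "decodeURIComponent(escape(r)",
    "Soft+ware+to++unble+",
)

# Assumed generalisation of the observed path: numeric segments, then
# files/<name>.pdf?v=<digits>.
LURE_URL = re.compile(
    r"https?://cdn\.shopify\.com/s/files/(?:\d+/)+files/(?P<name>[^/?\s]+\.pdf)\?v=\d+",
    re.IGNORECASE,
)
LURE_WORDS = ("template", "free")  # seen in the observed file name
HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)


def classify_url(url: str) -> str:
    """'lure-pdf' for a template-style PDF on the CDN, 'cdn-pdf' for any
    other PDF matching the CDN shape, 'other' otherwise."""
    m = LURE_URL.match(refang(url).strip())
    if not m:
        return "other"
    name = m.group("name").lower()
    return "lure-pdf" if any(w in name for w in LURE_WORDS) else "cdn-pdf"


def redirect_domains_in(text: str) -> List[str]:
    """Known redirect domains referenced anywhere in the text (HTML,
    proxy log line, analyst note), defanged or not."""
    hosts = {h.lower() for h in HOST_RE.findall(refang(text))}
    return sorted(hosts & REDIRECT_DOMAINS)


def obfuscator_markers_in(html: str) -> List[str]:
    """Which of the HTM redirect strings appear in the page body."""
    return [m for m in JS_MARKERS if m in html]


def triage_page(url: str, html: str) -> Dict[str, object]:
    """Summarise one fetched page: where it came from and what it contains."""
    url_class = classify_url(url)
    domains = redirect_domains_in(html)
    markers = obfuscator_markers_in(html)
    return {
        "url_class": url_class,
        "redirect_domains": domains,
        "obfuscator_markers": markers,
        "suspicious": url_class == "lure-pdf" or bool(domains) or bool(markers),
    }


# The lure URL from the write-up, kept defanged; refang() handles it.
SAMPLE_URL = ("hxxps://cdn[.]shopify[.]com/s/files/1/0499/5570/0887/files/"
              "hole-in-one-certificate-template-free[.]pdf?v=1602361119")
# Constructed HTM redirect: an inert stub shaped like the packer call plus
# a meta refresh to one of the listed domains.
SAMPLE_HTM = (
    "<html><body><script>\n"
    "eval(function(h,u,n,t,e,r){return decodeURIComponent(escape(r))}"
    "('Soft+ware+to++unble+',0,'',0,0,''))\n"
    "</script>\n"
    '<meta http-equiv="refresh" content="0;url=hxxp://diromgfx[.]com/landing">\n'
    "</body></html>"
)

if __name__ == "__main__":
    print(triage_page(SAMPLE_URL, SAMPLE_HTM))
```

Running the classifier over a proxy log of CDN PDF fetches separates the `lure-pdf` hits worth a look from ordinary Shopify store documents, and `redirect_domains_in` works on defanged notes as well as live HTML.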