This is just a short, quick update. It would appear that the initial vector has changed: CDN.shopify.com and Sites.Google.com no longer seem to be hosting these redirects, or the PDF files that contain the redirects.
The link for this is "hxxps://www.braveheartmarine[.]com/rent-check-bounced-letter".
Running this in my lab showed the same style of selecting "PDF" or "Doc" for download, which then led to a series of redirects to the EXE file.
I have not been very successful running these on App.Any.Run... Here is the most recent attempt:
https://app.any.run/tasks/59c03557-c61b-4f89-87df-608e7079b8af
The end result is the same: the EXE file carries a PDF icon and launches the Expert PDF installer as a decoy, while the malicious PowerShell scripts run in the background, hidden from the user.
The solarmarker.dat file is still dropped, as are the .cmd file and the encoded file that loads the .NET malware into memory.
IOCs:
Redirects:
tranorfermingcepo[.]ga
teuclinkilltingpere[.]tk
junheartportconmeicont[.]tk
dubaibaunstable[.]site
aszilmatetacon[.]tk
diromgfx[.]com
inousdyhatchpe[.]tk
repository.certum[.]pl (seen in the traffic, but this is Certum CA's public certificate repository, so hits here are more likely certificate-chain/CRL fetches for a signed binary than an attacker-controlled redirect; treat as context rather than a blocking indicator)
mispsymtcribimra[.]tk
terasatigapar[.]gq
Loaded DLL hash (MD5): 8cf6d101b7f0892358ed8033e2960d83
C2: 195.54.161[.]84
Another observed lure link: hxxps://prismic-io.s3.amazonaws[.]com/comfortjournals/2c69a883-9ae7-4508-94d1-80282b3e0fa3_rli-insurance-surety-bond[.]pdf
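As an added example (not part of the original post, and not tooling from the author), here is a small Python script that takes the defanged IOCs listed above, refangs them, and runs them over a few constructed proxy-log lines plus a constructed file-hash inventory. Redirect domains match on the host or any subdomain of it, the two lure URLs match on the full URL (the S3 lure sits on a shared amazonaws.com host, so matching its domain alone would be noisy), and the C2 matches on the raw IP. The log format and the hash-inventory tuples are assumptions made for the example; repository.certum.pl is reported separately as context because it is a legitimate CA repository host.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple
from urllib.parse import urlsplit

# IOCs copied from the post above, kept in their defanged form.
REDIRECT_DOMAINS = [
    "tranorfermingcepo[.]ga", "teuclinkilltingpere[.]tk",
    "junheartportconmeicont[.]tk", "dubaibaunstable[.]site",
    "aszilmatetacon[.]tk", "diromgfx[.]com", "inousdyhatchpe[.]tk",
    "repository.certum[.]pl", "mispsymtcribimra[.]tk", "terasatigapar[.]gq",
]
C2_IPS = ["195.54.161[.]84"]
DLL_MD5 = ["8cf6d101b7f0892358ed8033e2960d83"]
LURE_URLS = [
    "hxxps://www.braveheartmarine[.]com/rent-check-bounced-letter",
    "hxxps://prismic-io.s3.amazonaws[.]com/comfortjournals/"
    "2c69a883-9ae7-4508-94d1-80282b3e0fa3_rli-insurance-surety-bond[.]pdf",
]
# Certum CA's public certificate repository: a legitimate host that shows up
# when Windows validates a signed binary, so a hit is context, not proof.
CONTEXT_ONLY = {"repository.certum.pl"}


def refang(ioc: str) -> str:
    """Turn a defanged indicator (hxxp, [.], [:]) back into its real form."""
    ioc = ioc.strip()
    ioc = re.sub(r"^hxxp(s?)://", r"http\1://", ioc, flags=re.IGNORECASE)
    return ioc.replace("[.]", ".").replace("[:]", ":").lower()


def host_matches(host: str, domains: Set[str]) -> Optional[str]:
    """Return the IOC domain if host equals it or is a subdomain of it."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):          # host, then each parent domain
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


@dataclass
class Hit:
    line_no: int
    kind: str        # "lure", "redirect", "context" or "c2"
    indicator: str
    line: str


URL_RE = re.compile(r"(https?://\S+)", re.IGNORECASE)
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def scan_log(lines: Iterable[str]) -> List[Hit]:
    """Match each log line against the refanged IOC sets."""
    redirects = {refang(d) for d in REDIRECT_DOMAINS}
    lures = {refang(u) for u in LURE_URLS}
    c2 = {refang(ip) for ip in C2_IPS}
    hits: List[Hit] = []
    for n, line in enumerate(lines, 1):
        for url in URL_RE.findall(line):
            url = url.lower().rstrip(".,;\"')")
            if url in lures:
                hits.append(Hit(n, "lure", url, line))
                continue
            host = urlsplit(url).hostname or ""
            matched = host_matches(host, redirects)
            if matched:
                kind = "context" if matched in CONTEXT_ONLY else "redirect"
                hits.append(Hit(n, kind, matched, line))
        for ip in IP_RE.findall(line):
            if ip in c2:
                hits.append(Hit(n, "c2", ip, line))
    return hits


def check_hashes(observed: Iterable[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """observed: (path, md5hex) pairs, e.g. from an EDR file inventory."""
    known = {h.lower() for h in DLL_MD5}
    return [(path, h) for path, h in observed if h.lower() in known]


# Constructed sample proxy log (assumed format: time client method url status).
SAMPLE_PROXY_LOG = """\
2021-08-09T14:02:11Z 10.0.0.5 GET https://www.braveheartmarine.com/rent-check-bounced-letter 302
2021-08-09T14:02:12Z 10.0.0.5 GET https://cdn.tranorfermingcepo.ga/download?type=pdf 302
2021-08-09T14:02:13Z 10.0.0.5 GET http://repository.certum.pl/ 200
2021-08-09T14:02:14Z 10.0.0.5 GET https://www.google.com/ 200
2021-08-09T14:05:01Z 10.0.0.5 CONNECT 195.54.161.84:443 200
""".splitlines()

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_PROXY_LOG):
        print(f"line {hit.line_no}: {hit.kind:8} {hit.indicator}")
    # Constructed inventory; the path is an assumption for the example.
    print(check_hashes([("C:\\Users\\lab\\loaded.dll", "8CF6D101B7F0892358ED8033E2960D83")]))
```

Feeding this a real proxy or DNS export only requires that URLs and IPs appear somewhere in each line; the per-line regexes do not depend on the column layout.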