This website uses cookies. By continuing to browse this website, you accept our use of cookies and our Cookie Policy. Close

Our Blog

The persuasiveness of a remote job

Share

Tuesday, Nov 12, 2019

Advances in technology can be witnessed on different levels in our everyday life. Internet connected devices help us in virtually every aspect of the daily routine, providing tools and information on just about any subject that one can think of. Increasingly it is no longer necessary to commute to an office to fulfil a job as more companies embrace the advantages of home workers. But what if a seemingly perfect home-based job opportunity is not all that it seems?

We have recently encountered two methods attempting to scam people linked to this trend of home working. The first is an attempt at cybersquatting, and the second is a small scale botnet pushing out home-working related lures. Both scams offered remote employment opportunities, but with an ulterior motive, and either could negatively impact an organization if contractors or part-time workers are tricked into responding. We also believe Forcepoint is the first to reveal this particular botnet family – with its precursor - and provide deep technical analysis on it.

Approach One: Site Squatting

When I first got contacted by a personal friend with whom I share a common hobby, I was surprised to learn about an ongoing police investigation related to his profession. He had a small language-teaching business in Austria that he suspended years ago due to inactivity. It came to light that a new website had been created for a business in the same industry, using his name and the address of his prior activities as the contact information, and since he had no knowledge of the new site I was asked to check it for anything suspicious. The website itself was nicely designed (better than the original according to my friend!) but it had nothing to offer beside an email address and phone number where you could apply for a job. After a little digging, matching job advertisements could be found online on multiple local sites. There was no phishing attempt, no exploit kit hidden in the page, or any online payment service pointing to obvious malicious activities. Initially, there was no obvious purpose for the newly created site.

That is until a phone conversation between my friend and local authorities made it clear why was there an open police case. Apparently, somebody had applied for a job (which was a full-time remote position) but the communication with the "employer" rang a few alarm bells for the applicant. Not only was the language less than fluent, but the details of the main duties were oddly ambiguous. The employer often seemed reluctant to give straight answers. Then a rather strange request was made "I'm transferring money to your account, and I would like you to move it to another one I later provide." At this point it become evident that the purpose of the cover site was to find individuals to assist in money laundering.

Inspecting further the newly created website also revealed yet another one registered by the same fake email address using the shady Airmail.cc service. The design, profession – mobile application development this time - and email address provided was changed, while the Austrian based phone number differed only in the last two digits, making it clear that it belonged to the same perpetrators.>/p>

Thanks to CERT.at the former site was soon taken down and notification was sent out in one of their daily emails.

Figure 1 – Screen capture of one of the fake websites prior to takedown.

Approach Two: Spamming Adverts Via Botnet

Separately, but within the same timeframe, the team received an unusual payload from a Smoke Loader campaign. This sample had several unusual characteristics which made it worthy of a deeper investigation, after which, it transpired also had remote working scams at its heart.

No smoke without fire

Initially the payload looked like yet another ransomware variant, but the recorded network traffic made no sense and no ransom request could be found during analysis. It quickly turned out that there was an additional exepacker layer that was rather unusual, and the real payload beneath was a UPX compressed Delphi application that bore no resemblance to ransomware at all. What’s more, the top-level binary was signed with a perfectly valid certificate.

The botnet client

When it comes to creating malware, Delphi has been far from the top choice for cybercriminals for a while now. However, it is still popular amongst certain groups - for example those focusing on Latin American banking malware - but its glory days are long gone. Our payload showed no similarity to Latin American banking trojans, but it was still trying to establish connection to a set of remote hosts, raising curiosity to engage.

An init phase - The Loader

Upon execution the very first objective of the client is to ensure persistence, and this is done in a rather unusual way. A registry key is created under “HKCU\Software\Microsoft\Windows\CurrentVersion\Run” but rather than pointing to the executable itself, it points to a text file which is located in the %APPDATA% directory. This text file is an XML and it will be loaded by the Script Component Runtime which will eventually execute the binary through ActiveX. Note that this method holds true only for current variants. Earlier versions used the same registry key, but pointed to the executable directly.

Figure 2 – Example of an XML used for automated execution.

 

Once persistence is assured the bot attempts to reach out to an active C2 by sending a POST request to a list of servers hardcoded in the binary. For example:

“http://smart[.]cloudnetwork[.]kz/t”

 

If it cannot establish a connection with any of the C2 servers it would sleep for five seconds and retry. Upon establishing a successful connection, it would retrieve two DLLs (libeay32.dll and ssleay32.dll) which are part of the OpenSSL package and load them into memory. As these modules are widely used in multiple applications, they are stored on the C2s as is, with no further encryption.

Once everything is set the bot enters into its main execution loop. It attempts to reach out to three common email services (Google, Yahoo, Outlook) to verify whether port 25 can be accessed - as its use is often prohibited especially in corporate environments. If at least two out of the three could be reached than it considers SMTP to be available for use.

There are two similar queries sent to the C2 at about sixty second intervals. One is a status report which also contains the state of port 25, the other is for requesting commands. While response to the former is just an acknowledgment, it is a simple digit which corresponds to a mode of operation to be executed for the latter.

 

Example of a status report:

Destination:
http://smart[.]cloudnetwork[.]kz/s
Content:
[bid]3[/bid][s]0[/s][v]3[/v][hwid]78e5ccb1846aff9b384f09eb581274ca[/hwid][t]EXE[/t]
Response:
[RESULT]OK[/RESULT]

 

Example of a command request:

Destination:
http://smart[.]cloudnetwork[.]kz/c
Content:
[bid]3[/bid][v]3[/v][hwid]78e5ccb1846aff9b384f09eb581274ca[/hwid][t]EXE[/t][status]0[/status]
Response:
[mode]0[/mode]

 

Note that [bid] is the bot ID, [v] is version, [hwid] is a unique client ID, [t] is type and [s] reflects the state of port 25.

Communication

With the exception of the initial C2 ping and the OpenSSL DLL downloads, all subsequent communication with the C2 server is encrypted. For the initial content it is using a static RC4 key which is hardcoded in the loader (“lkjertsd”), then it uses Base64 encoding on top which is rather common in web-based communication. This combination of RC4 and Base64 is pretty basic, yet it is effective enough to avoid plain text scanning of commands and data travelling on the wire. The RC4 key remained constant for all versions of the botnet that we examined.

Figure 3 – Example of the encrypted communication with the C2

 

Modes of operation

Mode 0 – Idle

In this mode there are no additional actions carried out, at about sixty second intervals the bot keeps sending status and command requests to the C2 as showcased above. This is a simple keep alive operation.

Mode 9 - The Updater

Updates to the botnet client are consistently being distributed every few days. These are downloaded directly from the C2, decrypted (only RC4 this time), saved to disk and executed with the help of a runtime generated batch file. They are just the re-packaged botnet client (loader) with the same exepacker over-and-over again. Assumedly, this is intended to provide a window of time to remain undetected until the majority of scan engines are able to detect it. The use of a valid certificate is expected to prolong that window in case security products are configured to trust properly signed applications.

Example of an update query:

[mode]9[/mode][i]187[/i][f]http://smart.cloudnetwork.kz/lfd/5d7791f14743d.exe[/f]

Plugins

The more interesting modes are 1, 2 and 3. For each of these, there is an additional plugin stored on the C2. The loader would download them, decrypt the content (once again only RC4, just like for client updates) and load the modules into memory without saving them to disk. Each of these modules are also Delphi DLLs, and have an exported function called "ShowMagic" which is used by the loader for execution of the module.

Figure 4 – Example of a plugin with the ShowMagic exported function

 

Mode 3 - The Finder

When a mode 3 command is received, the module "5c76acdb8964c.txt" will be retrieved and executed. In this mode the C2 is going to provide a list of domain names possibly running an SMTP service and it is up to the newly downloaded module to validate each of them and return the result.

 

Internal reference:

"Find.dll"

 

Example of a mode 3 plugin request:

[mode]3[/mode][f]http://smart.cloudnetwork.kz/fd/5c76acdb8964c.txt[/f][ki]60[/ki]

 

Example of a mode 3 query:

[domains]redacted[|][/domains][seller_id]99[/seller_id][task_id]99999[/task_id][threads_count]63[/threads_count][mode]3[/mode]

 

Example of a mode 3 response:

[hwid]78e5ccb1846aff9b384f09eb581274ca[/hwid][good]redacted[/good][bad]redacted[/bad][seller_id]99[/seller_id][task_id]99999[/task_id]

 

Mode 2 - The Checker

Similar to the module above, mode 2 also interacts with SMTP servers; however, it is meant to verify login credentials. There are plenty of those provided by the C2. Our data analysis suggests that one possible source of the login credentials are recent data breaches. Unfortunately, there were numerous leaks in the past 12-18 months providing input for this activity. The existence of [seller_id] fields in the queries also indicate the tracking of data sources, either for internal use or to pay by quality of data. In case a working login credential was found it would often send out a test email to a Gmail mailbox (these vary all the time) with details of the working account and using a short marker (the [mark] field) in the message body.

 

Internal reference:

"CheckDLL.dll"

 

Example of a mode 2 plugin request:

[mode]2[/mode][f]http://smart.cloudnetwork.kz/fd/5c76ae7d1dff3.txt[/f][ki]60[/ki]

 

Example of a mode 2 query:

[smtp_check][m]user@redacted.com[/m][l]login[/l][pas]password[/pas][s]redacted.com[/s][p]25[/p][i]12345678[/i][/smtp_check][threads_count]30[/threads_count][mode]2[/mode][mail_to]redacted@gmail.com[/mail_to][mark]ABCD[/mark][task_id]1[/task_id][seller_id]99[/seller_id][xmailer]Mozilla Thunderbird {1|2|3|4|5|6|7|8|9}{1|2|3|4|5|6|7|8|9|||||}.{1|2|3|4|5|6|7|8|9}{1|2|3|4|5|6|7|8|9}{1|2|3|4|5|6|7|8|9}{1|2|3|4|5|6|7|8|9|||||}{1|2|3|4|5|6|7|8|9|||||}{1|2|3|4|5|6|7|8|9|||||}{1|2|3|4|5|6|7|8|9|||||}{1|2|3|4|5|6|7|8|9|||||}{1|2|3|4|5|6|7|8|9|||||}{1|2|3|4|5|6|7|8|9|||||}{1|2|3|4|5|6|7|8|9|||||}[/xmailer][from_name]Redacted Name[/from_name]

 

Example of a mode 2 response:

[hwid]78e5ccb1846aff9b384f09eb581274ca[/hwid][good]redacted[/good][bad]redacted[/bad][seller_id]99[/seller_id][task_id]9[/task_id][mark]ABCD[/mark]

 

Mode 1 - The Spammer

This is the least frequently utilized module of the three. The reason being, this is the one fulfilling the main purpose of the botnet - spamming. Usually this module won't be downloaded for a rather long time – sometimes for days. When it finally happens, a set of spam templates and an actual list of working SMTP credentials will be provided by the C2. The message body of the templates vary between text and HTML, and the format is changing frequently.

 

Internal reference:

SPamDLL.dll

 

Example of a mode 1 plugin request:

[mode]1[/mode][f]http://smart.cloudnetwork.kz/fd/5c76acdb4a262.txt[/f][ki]60[/ki]

 

Example of a spam template:

[mode]1[/mode][plain_text]1[/plain_text][send_log]1[/send_log][send_smtp_limit]100[/send_smtp_limit][send_email_limit]300[/send_email_limit][email_part_id]123[/email_part_id][threads_count]63[/threads_count][messages_from_server]100[/messages_from_server][xmailer]Mozilla Thunderbird {1|2|3|4|5|6|7|8|9}{1|2|3|4|5|6|7|8|9|||||}.{1|2|3|4|5|6|7|8|9}{1|2|3|4|5|6|7|8|9}{1|2|3|4|5|6|7|8|9}{1|2|3|4|5|6|7|8|9|||||}{1|2|3|4|5|6|7|8|9|||||}{1|2|3|4|5|6|7|8|9|||||}{1|2|3|4|5|6|7|8|9|||||}{1|2|3|4|5|6|7|8|9|||||}{1|2|3|4|5|6|7|8|9|||||}{1|2|3|4|5|6|7|8|9|||||}{1|2|3|4|5|6|7|8|9|||||}[/xmailer][text]redacted[/text][subject][fname] [lname][/subject][reply_to][fromname] <{redacted@yahoo.com}>[/reply_to][emails]email:name[|][/emails][email_rule]email:fname:lname[/email_rule][delimiter]:[/delimiter][attach_file][/attach_file][from_name]Redacted Name[|][/from_name][camp_id]999[/camp_id]

Figure 5 – Code responsible of retrieving an actual list of working SMTP accounts

 

Emails

One thing has been constant during our investigation, the botnet is only spamming out fake job advertisements, and doing that on a low scale. There are no obvious traits of traditional spam, no links, no phishing attempts, no attachments in the emails (however the templates does support the latter), the servers and accounts used for delivery are legitimate. The only suspicious parts are the use of the recipient’s name in the subject, a Yahoo email address being provided for replying, and using non-existent versions of Thunderbird for X-Mailer. All this makes it challenging to distinguish from a real job offer.

Figure 6 – Example of a spammed out email

 

Compromised SMTP accounts

The C2s are maintaining an actual list of working SMTP server names and credentials used in the spamming process. The servers are on broad scale and mainly consisting of free email providers. That is of no surprise as those are getting compromised easier compared to the usually better protected corporate accounts.

Figure 7 – Top 20 SMTP servers and number of accounts used for spamming (4k total)

 

History and evolution

The existence of the botnet could be tracked back as early as February 2018 when v1 was first surfacing. The initial version was followed by v1.1 within a few weeks, and v2 appeared in May of the same year. That version lasted for almost a year before v3 appeared in late February 2019. As of today, the current loader is dated 2nd of April 2019.

Prior to 2018 a handful of samples could be found sharing an almost identical codebase to this family with an internal name of “Silent_SMTP_Bruter”. Their functionality was very similar to v1 except that the majority of code was residing within a single executable instead of the newer plugin based approach. Traces of the samples go back to as early as January 2016. We believe they were the precursor to this family.

Note that the actual version can be easily determined from the bot ID [bid] and version [v] tags in the various C2 queries.

 

Certificates

Since the first appearance of the botnet in 2018 we are aware of at least nine different certificates which have been used for the binaries. These were usually valid for a year and most of them are now revoked. The use of valid certificates might ease the execution of the malware in case security products were configured to trust them. The main issuers were Sectigo (formerly Comodo) and DigiCert.

Figure 8 – List of certificates used on the botnet loaders

Conclusion

As remote working gained traction in recent years, attackers have followed their targets from the office to the home, potentially increasing the victims’ liability when it comes to illegal activities. When people encounter a legitimate looking job opportunity - either being dropped into their mailbox or presented on a refined website - that might catch them unguarded.

These new techniques are not much different from last decade’s famous “Nigerian Prince” emails. Instead of a direct money extortion scheme, they showcase significantly higher level of sophistication by tricking individuals into participating in money laundering - and all the potentially serious consequences along with that. To achieve their goal, cybercriminals must heavily rely on thousands of compromised SMTP accounts. Maintaining such a list is no easy job as accounts won’t be available for use for an extended period of time, once the owners or the operators become aware of the breach. Unfortunately, due to their lower security standards, some free webmail services are going to be top candidates for keeping that list populated for a while.

We advise everyone to be always vigilant when assessing anything that arrives from an unknown sender, and be protective of personal assets such as login credentials to free services. Picking strong passwords and frequently changing them can greatly help avoiding compromised accounts. If there is suspicion of fraudulent activities, feel free to contact local authorities such as ActionFraud or the FTC for further guidance.

Protection statement

Forcepoint customers are protected against this threat at the following stages of attack: 

Stage 2 (Lure) – Malicious emails associated with this attack are identified and blocked.

Stage 5 (Dropper File) – Malicious files are prevented from being downloaded.

Stage 6 (Call Home) – Attempts to contact C2 servers are blocked.

IOCs

Files (SHA1)

Payloads

095334c844b96cc98291ee21630091fab59869b7
13b2f8a680703d57cefbd9972ecb8c96a6ebcef4
237aef3654922862db02586380985db95e214ba2
47c1aead3c9d508b8f0b7eb5c0d7559396b534b0
91a489fb1b0c080c11b218427e041095ce805b16
a9a879a8f97aab992ce91fb8854317e5ee0c3ecf
d4f701de2ee7744d5e2a017939c759204cb66923
d54b763fd76f3c36a9087383340e9f8fc04e836f
fdcd6fecd71b639700b46f4f4d57b59f3011fdc2

Plugins

5042b79c99e9d095b74cc95605dab75be3b21147
856960258a9bf362e2215b642254c772bc414a00
fa2ff8ec1b57934ba0a1385a02b7d8619ea6cb77

Loaders

021b491f036264ada2f4254805e2a66d43aa92e4
0720419fc29f8ec60143c1e3266b3357b27d1bf5
0a5b4c6e5beac6a6be23a5fdb6eb02090aab3cf0
0ccc4cd460ada3155331160d29c86c241181c2a8
0df624d63602ab7f5d429d6e6231a30a5d99e745
11042ac9cbd23fde283baceb96f14c67ffb0bc00
1114964a6d91bfee7adb3579236d5238ddade9af
12340ce9342816c738fc5f537b76f575932424e7
1302c6aff65474f9b85f1c4ec8b0da5a5165e2c6
1399597b63632429f80c5045ca9f124083e1157e
15662db96eedb3b06038542643f17f71bb89b7dd
16ad5223a593b998f36650be0a98e3a6d489ff63
176b671b0ce7c606132bcc28d09c652aed420bbc
184e5df0e132e604a1b53413ed4615c94a09fe70
186a9682e555a5af92bba86a6eebda7b59fa6abd
18940fc5f7ff980f068a39742b7f3f8705c14ce4
1c2d8afbd1311a46b890e656e7b8587224a4d1ba
1cba16e2c89784eb67bf9843d431faed67800605
1d698901854a7ae8e3ea6613d519045037049f90
1ea166ea1483a33b7c6d5c21dafc33edf891a7fc
1fb6fbaeff443c9abb34fc525fab691d65721b82
25869ccb87d88b62ea4c219eca16b51a64127849
265ed798fe78a26e2685f9addefc97f4dc5104d4
28380f006b6f0656088e4b81c404f4792c08177d
296243863fbad083a75f409cf079476d90dc3377
2acfbc5850823baf4b41230dda14949b4f432814
2b73bb895b3f0f1bc8802b6cf6c637ecd7428676
2fd8ffe442c8a524881f03d7c87d43fd88c77b32
326333dea60866fa15946e3257b249ab15c13c30
32a26aa8843b14f98140f10b3820c5a9f2e9a304
34bbcce52acc730765224ca53fa670b9c0168c6b
3841bbac6c9af651d9c8a24d721091be832f7b4c
3a86787faa2237d9907bb2343aa6ff552718826e
3d6f75a43c665d06de1da11d3ca5aae3e58ddff0
3f43acdda167d20fb0b8142d2e4a15f22aa93a93
3f86a82d78d73a374faa3534cf4ace39cf6a5430
3fb88c52958a3be9f6be0d1ef58c263e3ccbb471
4137b6d3b9bbab6112f97d24e71739f42654f859
41f446c50c9ad69831d2f912085ef1a712ccf139
43239987f815270e7e5fdf030212510d39731453
442ee25cb12f85440707dbfb67af7429f57ace06
44867c9c5ba69372b7ffa847b9898866a30623bd
4aa3f038ebd48042b5ca10537c18834a8409cbe7
4c2d01b4aa3505cfef9aebe991bfc44191adeb34
4da9c8a335df90e77a94365cc023d7cb71e38154
4e1854b8b5832ec5ce4575699f43790ebfec980a
508b6e08152d84dc59f3a9b0a35b9c8b6d288e76
519cc220d911def8f48013f8537518bd920c38b2
59a7610b9c5b2975314a51a36009e30e65e9f6b3
5a1f2aacb36d2a5d7551375633da4700804fface
5b10688d7dc01fd250e8f7c53f5c15c36cce7b22
6078c0525fb37f76bb440c409fcbbec8b92bb4e6
607ef39276193e50f2915f61d94e1ddef965cefc
608efcbcb941a9dd860f798f4118c6c83db88241
71a01fcaa7f6da9859019090986991d69fd04cd0
75373c9f9e7aa74916ead19aba5a1eff48babe45
755311dc5392096830ca8c8b5cfbf52b1f9cd86c
78e6c8ba12a5d4b21a9d36313004dc251317c555
79eba5840078ea3688d7dea7a832c43b91c120fb
7c125bc3751c21ece5d2974a589edaa05a22b650
7c13d5ca0e3905c84780a2931ef789ad4e085a2d
81a7a1140a6f5c14550a3d2cc109242265c821b0
8909eba6f28d2b2f9fb010ca79a33228917bd3a2
8b1c47c3656d62f694151d15281a6288f86c2862
8bf5a547f7d09d32d655a86d06c1f00f1ec78faa
8e6208aa31cd52503f0aae7a8a5f08e34c91cea2
8eccf9acaf3f1e33cba0f3d3cc4662126b8101ae
8f10b47af4bb574d9713d8b9d6ca838084bc29ed
8f2366ed72f7f23107d8668fe906b1cf2b323ff4
90dbe3543bedefd6f2a618fab0aa2c4c59f8b312
90dd407319afcb0a5b36f06778fd8a69fb09d7f7
91456322c56d653677b5bfac6d36fb17d198a5f2
918d0ca4e6163ed59b0ffce66891ed38da17815e
91c91bd29c024e621edb17a48362665ceca30c23
92b9e385da22ef5aad9c665d30febfe453ab6e6c
968fcc89f67b4a9bc242b7c105725b4fbb0c2080
9a1ae0d90c2a7d7b148a01c5943a3e5c1a515ed1
9b6494e659b461de145fdefcb5847c83b45f38ce
9d9ec372f95e6d3722f046c713de215955d8abc4
9e02f7ba0ddd1c1db82114380fc7f96eede64349
9e758de26dcd1758ac06a36fd88c621c2045a815
a70f51177718db3d94a28556ef3cd63bb483f113
a8ddc0ec44e26c6dc93132b3e68cb9983c6cd7e9
a8f2a1e6cce8f18d46c48aff6f40fe1712fccf8c
a905ff0cf102f7ee46841a6788ba7730e110230d
ae9edcf2935d8ce83792f701da4281be0f24a80c
aec9bbdb82db6bdf7e3aa019aa0a58a25628670d
af5185b8f1956020ed23ee2ae28d9c38e7b56051
b0c159ede1f7b896a29be6acc2c6983cbae3735c
b111f3f56237097ed8ca2826ee3367d00173a2ae
b1fdc89540adcb8da9c58fe5649978eda2d98d9a
b375569d12b3423d41a4ca291d38d33639f7b39b
b9f16a75e1aa6a9af9e912f4b567270b31889ee3
bfd2290f2a7b64a893f40181f183b75f51b6c3d8
c05ac8400b20b915b3b07a74d265bc0e67bf8856
c4978802dba52ff3bce46fe68a46d77d8d0a57e5
c4dc114b6fcc7b97c5551d865fb350184db4bb02
c532e8c2e5ec4e5e396a7303971717ed146ad4ee
cac7c5eedab3f6235e668e1728e1702e6f806c88
cb2270a8fd6a8b7dea77fbfb6e41db602783b55f
cbe76c01cac56818cc2cd8462a02a2046c008063
ce8a697e051cc9820ca868f0c36bb2eae06dceaa
ce92abb9a68495abf212f9a500e1dd4dc855d409
cf27b67b92a87be462326bff91d9d864b3229952
cf67eefc8ea65a2b7dbcbf0766a0bf0b95e6eb0a
d0679970fafceea468e062f3f47826a8052ab3ca
d0e30fb1bc8f4196de4cd1c7add6fa0c77afbf8e
d3bffc21f8036c19b2dc705fa8ce438271af3aa9
d44f7f5d3d74c52281a78325b43fa5ac0b2e3552
d7cb653fe8a853761964f72c37ccad9cc1fbe1ca
d86af0a2db0cc279823c4c004834288a200c6bb5
d9688301522083b8b2fae01af4b8dbdd1880c720
da2bfa4cf98f283bcefc97da2daa6be498392680
dc48e0da9984d82363dfed6bb89544f0dadf8be2
dc91c0d01dfb65172fb2a3c902ea2c2af5a1299d
e197be2fb0764695941989e1cbb1acc360de89bc
e64a1905da7d38c898062428514c447f8b5ac58e
e69c28496a9d3b69da7ee1322abb8778abcf1e9b
ec1e641ba58a6b2a4c550c01a12da9b7c0e1e4aa
f1aa14b0638b2591a349cf79784183bae0922b45
f1ada946e94370e5f5d7f22a728b3cf6d784125b
f25d88a9cfabe4fcd84658f022729cd5ef4eaf13
f46c9364113241bfc87b050fa98e8cd95dddfe0b
f7b79e6b4dfd9bc269340cf0e189ad48d68d0d86
f9eccae19b428b39bac279db90632ff4ba9b95b0
fb13bd55d36b544f9427e1b8c55d0466754eff79
fc3c85a9ff85b6bd3d032eff2535bb4372d5a8db

 

URL

C2

http://smart[.]cloudnetwork[.]kz/
http://static[.]apiinformation[.]kz/
http://secure[.]jscontentmaker[.]kz/
http://secure[.]jsc0nten1maker[.]com/
http://static[.]apiinformationsec[.]com/
http://mel[.]cloudcontentsmak[.]com/
http://nicru[.]supermicrotransapi[.]ru/
http://tel[.]jsapisettings[.]kz/
http://js[.]securetopdevelopment[.]kz/
http://noone[.]contentmakersbyakamai[.]ru/

Plugins

http://smart[.]cloudnetwork[.]kz/fd/5c76acdb8964c.txt
http://smart[.]cloudnetwork[.]kz/fd/5c76ae7d1dff3.txt
http://smart[.]cloudnetwork[.]kz/fd/5c76acdb4a262.txt

OpenSSL

http://smart[.]cloudnetwork[.]kz/fd/libeay32.dll
http://smart[.]cloudnetwork[.]kz/fd/ssleay32.dll

About the Author

Robert Neumann

Senior Security Researcher

Robert Neumann is a Senior Security Researcher in Forcepoint X-Labs. He focuses on various short- and long-term research projects, ranging from small scale malicious campaigns through niche malware and file formats to in-depth investigations and threat actor attribution. 
 
Robert is...