Week 6 saw heavy activity from malware campaigns delivering cryptocurrency miners, banking Trojans, and ransomware.
Ransomware attacks had been on the rise over the past week, but the long weekend seems to have dampened them. The number of phishing attacks, however, rose during this period.
Trickbot – Monero
With the rise of cryptocurrency, we are observing exploit kits and banking Trojans delivering or adding cryptocurrency-mining modules. Recently, Trickbot was observed delivering a Monero miner.
Dridex
Dridex is being pushed through spam emails carrying PDF files. A link to a 7-Zip archive is embedded within the PDF; the archive contains a VBS file that infects Windows systems with Dridex.
Payload Binaries:
db05a65efdeef1787aa70c519358b403 sample1.exe
925da3a10f7dde802c8d87047b14fda6 sample2.exe
Hancitor – Zeus/Panda
Hancitor has been consistently pushing the Zeus-Panda banking Trojan through email spam.
Document Files with Macros:
b1421f67a9b12e14d3551ca71e022021 inv_748294.doc
5fb3cfffa94f1adebde4005aaa4b70fa receipt_820562.doc
6ec4f663e633d010e57d1c5201fa61be fax_387521.doc
Payload Binaries:
d6df4e333c1466ec65ab932989d15b56 ZPB-sample1.exe
76670d4790c0c3e9436b1726cde89567 ZPB-sample2.exe
da67bb25fa38d0802dd1105f3335a57 ZPB-sample.exe
Gandcrab Ransomware
Quant Loader is alternating between delivering Dridex and GandCrab ransomware. The email contains a link to Google Drive, which hosts the PDF files.
Payload:
3e44e8bae380bbaa3bb905b10ae6d256 GandCrab-ransomware-Font_update.exe
8311adf0f15e0322a3d0834410f1a06b Dridex-malware.exe
6393f064aeb0381fbfa67593f636d6b5 GandCrab-ransomware.dll
All payloads and documents triggering malicious behavior are detected and quarantined by eScan.
2 Comments
J Rafael
Greetings, friends.
I learned about you at a @dashcaracas event in Nov 2017. Could you advise me and/or provide a service to resolve an internet reconnection failure in my office network?
The other issue is: how to resolve a “storage” error on my tablet that prevents it from saving the photos it takes? Additionally, the battery drains very quickly.
In the first case it is an “IP reconfiguration” error that does not allow browsing access… a technician worked on it, but according to him the status is: the devices/users on the network are not identified by the modem (TP-Link).
Given the above, if your service is feasible, would it be possible to pay for it in cryptocurrency?
admin
Hello Rafael,
Thank you for writing to us!
We apologize for the late reply.
One of our team members will get in touch with you soon regarding the issues you have.
Have a nice day!!
Regards,
eScan Team