welcome to netwrkspider

Friday, February 8, 2019

Orcus RAT IOC Details

A new, highly sophisticated campaign delivers the Orcus RAT embedded in video files and images. The campaign mainly focuses on information stealing and .NET evasion.
The Orcus RAT is capable of stealing browser cookies and passwords, launching server stress tests (DDoS attacks), disabling the webcam activity light, recording microphone input, spoofing file extensions, logging keystrokes and more.

IOC Details:

URLs
hxxps://syswow32batch[.]su/WOW/
hxxps://salesgroup[.]top/Micro18/
hxxp://bit[.]ly/2FRI9rE
hxxps://paste[.]ee/r/bOZW3
hxxps://paste[.]ee/r/O53RV
hxxps://pomf.pyonpyon[.]moe/wmtqck.mp4
hxxps://pomf.pyonpyon[.]moe/ggesuy.jpg (different info stealer)

Downloader:
2091F8A68BE181B0149C83DCBF2CFC05

MP4 Advertisement (embedded Orcus RAT)
09751BF69D496AAA3C92DF5ED446785B (mp4)
161307CD9FA201256B0D17D9F3085E78F32D642A (embedded Orcus)

C2:
weirdly.crabdance[.]com
poulty55.chickenkiller[.]com
194.5.98[.]139:9030
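As an added example (not from the original post), the Python below refangs the Orcus indicators listed above and checks a few constructed proxy log lines against them. The shared services bit.ly and paste.ee are matched only on the full URL, so ordinary traffic to those hosts does not alert; the log format is an assumption.

```python
from urllib.parse import urlsplit

# Indicators copied from the Orcus RAT section above, in the post's defanged notation.
DEFANGED_URLS = [
    "hxxps://syswow32batch[.]su/WOW/",
    "hxxps://salesgroup[.]top/Micro18/",
    "hxxp://bit[.]ly/2FRI9rE",
    "hxxps://paste[.]ee/r/bOZW3",
    "hxxps://paste[.]ee/r/O53RV",
    "hxxps://pomf.pyonpyon[.]moe/wmtqck.mp4",
    "hxxps://pomf.pyonpyon[.]moe/ggesuy.jpg",
]
DEFANGED_C2 = ["weirdly.crabdance[.]com", "poulty55.chickenkiller[.]com", "194.5.98[.]139:9030"]
# Shared services in the list: match these on the full URL only, never on the host alone.
SHARED_HOSTS = {"bit.ly", "paste.ee"}

def refang(value: str) -> str:
    """Undo the post's defanging (hxxp -> http, [.] -> .) so values compare against real logs."""
    return value.replace("hxxp", "http").replace("[.]", ".")

def host_of(ioc: str) -> str:
    """Bare lower-case host from a URL or from a host:port C2 entry."""
    return (urlsplit(ioc).hostname if "://" in ioc else ioc.split(":")[0]).lower()

BAD_URLS = {refang(u) for u in DEFANGED_URLS}
BAD_HOSTS = ({host_of(u) for u in BAD_URLS} - SHARED_HOSTS) | {host_of(refang(c)) for c in DEFANGED_C2}

# Constructed sample proxy log (assumed format): "<ts> <src> <dst-host> <method> <url>".
SAMPLE_LOG = """\
2019-02-08T10:01:03Z 10.0.0.12 www.example.com GET https://www.example.com/index.html
2019-02-08T10:02:11Z 10.0.0.12 pomf.pyonpyon.moe GET https://pomf.pyonpyon.moe/wmtqck.mp4
2019-02-08T10:02:30Z 10.0.0.12 bit.ly GET http://bit.ly/someOtherLink
2019-02-08T10:02:45Z 10.0.0.12 194.5.98.139 CONNECT 194.5.98.139:9030
"""

def scan_log(text: str) -> list:
    """Return (timestamp, matched indicator, match type) for each line hitting the Orcus IOCs."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed line: skip rather than guess
        ts, _src, dst, _method, url = fields[:5]
        if url in BAD_URLS:
            hits.append((ts, url, "url"))
        elif dst.lower() in BAD_HOSTS:
            hits.append((ts, dst.lower(), "host"))
    return hits

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(*hit)
```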




Gandcrab 5.1/5.09 IOC details


It was only a few months ago that free decryption tools were made available for GandCrab versions 5.0 - 5.0.3. And, while these tools are yet to be made public, a new version of GandCrab has appeared. The developers of GandCrab released the new version, GandCrab v5.1, within 24 hours of the release of the decryption tools.

The latest version of the ransomware comes with a variety of distribution changes and UX updates to the GandCrab TOR sites.

Multiple attack vectors and distribution techniques

Highlighting on the attack vectors of the ransomware, the researchers said, “The primary attack vector for ransomware remains RDP ports, but GandCrab has a diverse array of distribution methods. While RDP-based ransomware attacks remain popular, automated attacks using exploit kits such as Fallout EK, Emotet, or credential stealers like Vidar have been linked to GandCrab infections as well.”


Given the wide use of these broadly available toolkits, the ransomware authors have increased the average size of GandCrab ransomware.

Hidden private chat

The ransomware’s TOR site comes with a hidden private chat that can be enabled using one of the discount codes. This allows dishonest data recovery firms to hide the final cost of the GandCrab decryption process from its customers, along with their chats with the GandCrab support.


The discount code can be requested over chat. However, it can only be activated on the systems of targeted users.
“After entering the code, the applicable discount is displayed and the USD ransom amount on the payment pages is automatically adjusted. Discounts range from 5-20% depending on the size of the ransom,” the Coveware researchers added.


The payment process for GandCrab v5.1 remains the same. Here, the affected users are required to pay the ransom in Dash rather than in Bitcoin. “The wallet address for each page is unique and is rigged to trigger an updated screen on the TOR site once the correct amount of coins hits the wallet,” the researchers explained.

In addition to chat support, the automated test decryption feature remains bug-free. Victims of an attack are able to upload a small image as proof of decryption, and the site offers the decrypted file back via download. We imagine considerable development went into making this feature robust. File restrictions ensure no files of value are decrypted for free.


GandCrab 5.1 Developers Invest in New Graphics, Sound Effects

In addition to the new distribution and infection patterns, the GandCrab developers invested some time into their UX. The GandCrab v5.1 TOR site features new crab cartoon graphics (an homage to Mr. Krabs, a SpongeBob SquarePants character). The graphics give the impression that the developers feel their ransomware is little more than a prank, rather than a serious existential attack on a business or a person's data.

IOC Details:


HASH Value (SHA-256)                                              Ransomware Name
e07f475828212386fd2d2bd4564302546989a33ae5926e176e36ba0704172c44  pycoin/jigsaw Ransomware
3ea16fdf81960c5bd56902d4ea7dd448fd07d6a6a56dd8ad8a234bad6209439c  GandCrab5.1 Downloader
711a691cb3dbc151c34dfb05c72670ce724f97aeb28375777430cc16e784b72a  GandCrab5.1 Downloader
ce8a3474f1be9d750b5a5d5447e8f66b651d215799c1b5acb261296426542659  GandCrab5.0.9
7088cc169c4727bba6e2ac418ef356c93fdeeec5a305770a567ca04839d095fa  GandCrab5.0.9



Malicious URLs
hxxp://92.63.197[.]153/m/1.exe
hxxp://www[.]pushpakcourier[.]net/js/kukul.exe
hxxp://185.189.58[.]222/bam.exe
hxxp://gandcrabmfe6mnef[.]onion