Hidden Threats Associated with Evasive Secureserver.net URLs

A Forcepoint/X-Labs analysis describes a malware campaign that uses geo-fenced, secureserver.net–hosted URLs embedded in emails to gain initial access, followed by obfuscated scripts, HTA and VBScript/JS stages, and in-memory process injection to steal credentials and exfiltrate data. The campaign targets North and South America, evades detection with environment checks, and uses C2 servers to transmit stolen information while defensive measures aim to block the URLs, droppers, and C2 activity. #SecureServerNetUrls #HTA #AutoIt #Mobsync #Rekemchiwdnas #JPMorganFISRT

Keypoints

  • The malware is distributed via weaponized geo-fenced URLs embedded in emails, primarily targeting users in North and South America.
  • An HTA file connects to malicious URLs and downloads further payloads to begin execution.
  • Obfuscated JavaScript and VBScript are used to execute malicious actions on the victim’s system.
  • The malware performs checks (antivirus, VM, OS language) to evade detection before dropping payloads.
  • Process injection is used to inject malicious code into legitimate processes like mobsync.exe.
  • The malware connects to command-and-control servers to exfiltrate sensitive information.
  • Protection measures include blocking malicious URLs and dropper files at multiple attack stages.

MITRE Techniques

  • [T1071] Initial Access – Phishing: the malware is delivered via weaponized URLs in emails.
  • [T1203] Execution – Malicious HTA file execution leading to further payload downloads.
  • [T1547] Persistence – Creating shortcuts in the Startup folder to ensure persistence.
  • [T1203] Defense Evasion – Obfuscation of scripts to evade detection; environment checks (antivirus, VM, OS) to avoid execution in sandboxed environments.
  • [T1081] Credential Access – Stealing banking credentials and other sensitive information.
  • [T1071] Command and Control – Connecting to C2 servers to exfiltrate sensitive data.

Indicators of Compromise

  • [URL Pattern] Initial URL pattern – https://d{2,3}.d{2,3}.d{2,3}.d{2,3}.host.secureserver.net (d denotes a digit: an IPv4-style dotted label placed in front of host.secureserver.net, as in the dropped URLs below)
  • [HTA files] HTA file hashes – 37768083ff57e77850667394e0d27e8717e3eb35, c76eff517bd7c5e6d1f8ede73e9d260195e42c42, 354b48288f2cc0eeefef2011e5ab38a7cb20fbf7, 70ebed2ed13a350e59faa5c254ee099e2653c61e
  • [VBS file] VBS file hashes – 8ae1dfa8e9544c0b9a6079aa18708f5fe5a82ee5, 4114fb23a7211f0721f87947e8b5b5258f5ed47a, 8655717e2a3ced90d352a7faf2586a73cefea7d8
  • [Obfuscated JScript] Obfuscated JScript hash – e156707c3ee3c40ca64f66447c5e36de3ae90eba
  • [AutoIt Script] AutoIt script hash – c1e2c1fddec0ed9676ed8ce38dbaf2006b50a31e
  • [URLs] Dropped URLs – hxxp://45.40.96[.]231/AutoIt3, hxxp://45.40.96[.]231/AutoIt3.exe, hxxp://45.40.96[.]231/jama1crt, hxxps://www.rekemchiwdnas.com/jm1, hxxps://198.148.167[.]72.host.secureserver.net/OQQst11/gV7Pus771.js, hxxps://198.148.167[.]72.host.secureserver.net/VFb51.vbs
  • [C2s] C2 domains – www.rekemchiwdnas[.]com, jpmorgan-fisrt.homelinux[.]com
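The following is an added detection example, not code from the Forcepoint post: it refangs the page's URL and domain indicators, applies the IPv4-style host.secureserver.net subdomain pattern, and runs both over a constructed proxy-log sample. The log format, the 203.0.113.45 address and the widening of octets to 1-3 digits are assumptions made here.

```python
import re
from urllib.parse import urlparse

# Defanged indicators taken from the page's IoC list (dropped URLs and C2 domains).
DEFANGED_IOCS = [
    "hxxp://45.40.96[.]231/AutoIt3.exe",
    "hxxps://www.rekemchiwdnas.com/jm1",
    "hxxps://198.148.167[.]72.host.secureserver.net/VFb51.vbs",
    "www.rekemchiwdnas[.]com",
    "jpmorgan-fisrt.homelinux[.]com",
]
# The page's initial-access pattern: an IPv4-style dotted label in front of host.secureserver.net.
# The page writes d{2,3}; allowing 1-3 digits per octet is an assumption so short octets are not missed.
SECURESERVER_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}\.host\.secureserver\.net$", re.IGNORECASE)

def refang(value: str) -> str:
    """Undo hxxp:// and [.] defanging so indicators compare against live log values."""
    return re.sub(r"^hxxp", "http", value.strip(), flags=re.IGNORECASE).replace("[.]", ".")

def hostname(url: str) -> str:
    """Lower-cased host of a URL; bare domains without a scheme are handled too."""
    return (urlparse(url if "://" in url else "//" + url).hostname or "").lower()

IOC_URLS = {refang(i) for i in DEFANGED_IOCS if "://" in i}
IOC_HOSTS = {hostname(refang(i)) for i in DEFANGED_IOCS}

def classify_url(url: str):
    """Reason to block/alert on url, or None when nothing from the page matches it."""
    host = hostname(url)
    if url in IOC_URLS:
        return "known dropper/C2 URL"
    if host in IOC_HOSTS:
        return "known malicious host"
    if SECURESERVER_RE.match(host):
        return "IPv4-style secureserver.net subdomain (initial-access URL pattern)"
    return None

# Constructed proxy-log sample: '<timestamp> <client> <url>'. 203.0.113.45 is a documentation address.
# The last line is an ordinary host.secureserver.net name and must not be flagged.
SAMPLE_LOG = """2024-05-01T10:02:11Z 10.0.0.5 https://203.0.113.45.host.secureserver.net/invoice.hta
2024-05-01T10:02:14Z 10.0.0.5 http://45.40.96.231/AutoIt3.exe
2024-05-01T10:02:20Z 10.0.0.5 https://www.rekemchiwdnas.com/jm1
2024-05-01T10:03:01Z 10.0.0.7 https://www.example.com/index.html
2024-05-01T10:03:05Z 10.0.0.7 https://img.host.secureserver.net/logo.png"""

def scan_proxy_log(log_text: str):
    """Return [(line_no, url, reason)] for every log line whose URL matches an indicator or the pattern."""
    urls = [(n, line.split()[-1]) for n, line in enumerate(log_text.splitlines(), 1)]
    return [(n, u, r) for n, u in urls if (r := classify_url(u))]
```

Running scan_proxy_log(SAMPLE_LOG) flags lines 1 to 3 and leaves the example.com and plain img.host.secureserver.net requests alone.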

Read more: https://www.forcepoint.com/blog/x-labs/malware-lurking-behind-secureserver-net-urls