An August 2024 wave of malicious email campaigns targeted a range of users with attachments and links delivering multiple payloads. The campaigns deployed malware families such as xloader, snakekeylogger, originlogger, remcos, guloader, and viplogger, often using business-themed lures like purchase orders and invoices. #xloader #snakekeylogger #originlogger #remcos #guloader #viplogger

Keypoints

  • Various malicious email campaigns were observed throughout August 2024.
  • Email payloads included attachments (rar, zip, docx, lzh, 7z) and links.
  • Malware families used included xloader, snakekeylogger, originlogger, remcos, guloader, viplogger, lummastealer, and purelogsstealer.
  • Targets varied, with some emails aimed at specific individuals or departments.
  • Campaign themes commonly involved purchase orders, invoices, and payment notifications.
  • The article maps observed behaviors to MITRE ATT&CK techniques, including credential dumping, data encryption for impact, remote file copy, and command and control.

MITRE Techniques

  • [T1003] Credential Dumping – Various malware types may attempt to extract stored credentials from the system.
  • [T1486] Data Encrypted for Impact – Some malware may encrypt user data to extort victims.
  • [T1105] Remote File Copy – Malware may download additional payloads or tools from remote servers.
  • [T1071] Command and Control – Malware communicates with external servers to receive commands or exfiltrate data.

Indicators of Compromise

  • [Domain] nffplp.com – observed as part of IOCs linked to guloader-originlogger
  • [Domain] mail.mahesh-ent.com – another IOC domain associated with originlogger
  • [IP] 88.214.59.166:7702 – host used by xloader payloads
  • [IP] 45.95.169.139:2403 – additional host used by payloads in the campaigns
  • [URL] https://api.telegram.org/bot7453999531 – Telegram-based C2 endpoint observed with snakekeylogger
  • [URL] https://mennyudosirso.shop/api – alternative C2/command channel
  • [Hash] 82ee5c8372f9bc8ac9cfac2833c19d238fa8a60fa32e6d27d9fc781d2e64dc25 – example payload/file hash
  • [Hash] cae5d52bb56e392baab2b81722461e13bcf266f7c3d1520ee3cfa911e6d2890e – additional payload/file hash
  • [File extension] rar, zip, docx, lzh, 7z – attachment types used in campaigns
  • [Domain] phoenixblowers.com – referenced domain within originlogger IOCs
  • [Domain] mail.azmaplast.com – referenced domain within originlogger IOCs

Read more: https://gist.github.com/silence-is-best/252f23cff687506a22f36b6286794b23