Fake Tsunami Alert Malware

FortiGuard Labs reported on a spam email campaign targeting people living in the North East Region of Japan. The email message contained a fake link to the Japan Meteorological Agency (JMA) which, when clicked, downloaded the Smoke Loader (November time-frame) and AZORult (after the 25th of November) Trojans.

The report mentioned that both of these Trojans are sold on Russian underground forums. The analyzed Smoke Loader samples used the same shellcode loader and final payload. Once downloaded, the Trojan attempted to retrieve additional plugin DLLs or next-stage malware. The AZORult version used was version 3.3 (first found in October 2018). Its information-stealing functionality includes harvesting browser history and data from cryptocurrency wallets, Skype, Telegram, and Steam. For additional technical details, we recommend reviewing the FortiGuard Labs report.

Indicators of Compromise

Samples

Downloaded URLs

  • http://www.jma-go.jp/jma/tsunami/tsunami_regions.scr – Malware
  • http://jma-go.jp/jma/tsunami/1.exe – Malware
  • http://thunderbolt-price.com/Art-and-Jakes/Coupon.scr – Malware
  • http://bite-me.wz.cz/1.exe – Malware

C&C URLs

  • http://jma-go.jp/js/metrology/jma.php – Malicious
  • http://www.jma-go.jp/java/java9356/index.php – Malicious
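As an added example (not code from the post or from the FortiGuard Labs report), the following Python scans proxy log lines for the download and C&C URLs listed above and for hostnames that collapse to the legitimate JMA domain once separators are stripped, which is how the jma-go.jp lure imitates it. The assumption that the real JMA site is jma.go.jp, and the sample log lines, are constructed for this example.

```python
import re
from urllib.parse import urlsplit
# Download and C&C URLs taken from the post's indicator lists.
IOC_URLS = [
    "http://www.jma-go.jp/jma/tsunami/tsunami_regions.scr",
    "http://jma-go.jp/jma/tsunami/1.exe",
    "http://thunderbolt-price.com/Art-and-Jakes/Coupon.scr",
    "http://bite-me.wz.cz/1.exe",
    "http://jma-go.jp/js/metrology/jma.php",
    "http://www.jma-go.jp/java/java9356/index.php",
]
IOC_HOSTS = {urlsplit(u).hostname.removeprefix("www.") for u in IOC_URLS}
# Legitimate site the lure imitates (assumption: JMA's real domain is jma.go.jp).
PROTECTED = {"jma.go.jp"}

def skeleton(host: str) -> str:
    """Keep only alphanumerics so 'jma-go.jp' and 'jma.go.jp' collide."""
    return re.sub(r"[^a-z0-9]", "", host.lower().removeprefix("www."))

PROTECTED_SKELETONS = {skeleton(h): h for h in PROTECTED}

def classify(url: str) -> list[str]:
    """Return the reasons a requested URL should be flagged (empty list = clean)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().removeprefix("www.")
    reasons = []
    if host in IOC_HOSTS:
        reasons.append("ioc-host")
    sk = skeleton(host)
    if host not in PROTECTED and sk in PROTECTED_SKELETONS:
        reasons.append("lookalike-of:" + PROTECTED_SKELETONS[sk])
    if parts.path.lower().endswith((".scr", ".exe")):
        reasons.append("executable-download")
    return reasons

# Constructed proxy log lines: "<timestamp> <client-ip> <method> <url>".
SAMPLE_LOG = """\
2018-11-20T09:14:02Z 10.0.0.15 GET http://www.jma.go.jp/jp/tsunami/
2018-11-20T09:15:31Z 10.0.0.15 GET http://www.jma-go.jp/jma/tsunami/tsunami_regions.scr
2018-11-20T09:16:03Z 10.0.0.15 POST http://jma-go.jp/js/metrology/jma.php
2018-11-20T09:20:44Z 10.0.0.22 GET http://example.com/index.html
"""

def scan_log(text: str) -> list[tuple[str, list[str]]]:
    """Return (url, reasons) for every log line that trips at least one rule."""
    hits = []
    for fields in (line.split() for line in text.splitlines()):
        if len(fields) >= 4 and (reasons := classify(fields[3])):
            hits.append((fields[3], reasons))
    return hits
```

The lookalike rule fires on the spoofed host even after the campaign's exact URLs rotate, while the exact-host and executable-download rules catch the listed indicators as-is.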

Other URLs


Duncan Newell

Duncan is a technology professional with over 20 years' experience of working in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.
