Fake Tsunami Alert Malware
FortiGuard Labs reported on a spam email campaign targeting people living in the North East Region of Japan. The email message contained a fake link to the Japan Meteorological Agency (JMA) which, when clicked, downloaded the Smoke Loader (November time-frame) and AZORult (after the 25th of November) Trojans.
The report mentioned that both of these Trojans are sold on Russian underground forums. The analyzed Smoke Loader samples used the same shellcode loader and final payload. Once downloaded, the Trojan attempted to obtain other plugin DLLs or next-stage malware. The AZORult version used was version 3.3 (first found in October 2018). Its information-stealing functionality includes searching through browser history, cryptocurrency wallets, Skype, Telegram, and Steam. For additional technical details, we recommend reviewing the FortiGuard Labs report.
Indicators of Compromise
Samples
Downloaded URLs
- http://www.jma-go.jp/jma/tsunami/tsunami_regions.scr – Malware
- http://jma-go.jp/jma/tsunami/1.exe – Malware
- http://thunderbolt-price.com/Art-and-Jakes/Coupon.scr – Malware
- http://bite-me.wz.cz/1.exe – Malware
C&C URLs
- http://jma-go.jp/js/metrology/jma.php – Malicious
- http://www.jma-go.jp/java/java9356/index.php – Malicious
Other URLs

Duncan is a technology professional with over 20 years of experience working in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.