Date: 05/09/2025
Severity: High
Summary
The IR team recently identified a new email campaign distributing a Remote Access Trojan (RAT) targeting organizations in Spain, Italy, and Portugal. The attackers use the serviciodecorreo email service, which is authorized for multiple domains and passes SPF checks. They also employ sophisticated evasion tactics, such as abusing file-sharing platforms, applying geolocation filters, and leveraging Ngrok for secure, obfuscated tunneling. These techniques obscure the campaign’s origin and enable the effective delivery of RATty malware.
Indicators of Compromise (IOC) List
Domains / URLs:
jw8ndw9ev.localto.net
l5ugb6qxh.localto.net
IP Addresses:
143.47.53.106
130.51.20.126
199.232.214.172
199.232.210.172
SHA-256 Hashes:
a1c2861a68b2a4d62b6fbfc7534f498cefe5f92f720466d24ae1b66ebc9f5731
d20d14792c91107f53318ff7df83b9cd98acd3c394959a74e72278682822b600
9184ff2cdd05fcaf111db23123479c845b2ece2fedccc2524b2de592f9980876
5f897fec78e2fd812eb3bc451222e64480a9d5bc97b746cc0468698a63470880
6153c80b17cb990caad1d80cac72c867d4ecfa1a84b7ab286b7373cd4168794e
469b8911fd1ae2ded8532a50e9e66b8d54820c18ccdba49d7a38850d6af54475
af8b6ac45918bc87d2a164fae888dab6e623327cba7c2409e4d0ef1dde8d1793
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Domains / URLs:
domainname like "jw8ndw9ev.localto.net" or url like "jw8ndw9ev.localto.net" or siteurl like "jw8ndw9ev.localto.net" or domainname like "l5ugb6qxh.localto.net" or url like "l5ugb6qxh.localto.net" or siteurl like "l5ugb6qxh.localto.net"
IP Addresses:
dstipaddress IN ("130.51.20.126","143.47.53.106","199.232.214.172","199.232.210.172") or srcipaddress IN ("130.51.20.126","143.47.53.106","199.232.214.172","199.232.210.172")
SHA-256 Hashes:
sha256hash IN ("9184ff2cdd05fcaf111db23123479c845b2ece2fedccc2524b2de592f9980876","5f897fec78e2fd812eb3bc451222e64480a9d5bc97b746cc0468698a63470880","a1c2861a68b2a4d62b6fbfc7534f498cefe5f92f720466d24ae1b66ebc9f5731","af8b6ac45918bc87d2a164fae888dab6e623327cba7c2409e4d0ef1dde8d1793","d20d14792c91107f53318ff7df83b9cd98acd3c394959a74e72278682822b600","6153c80b17cb990caad1d80cac72c867d4ecfa1a84b7ab286b7373cd4168794e","469b8911fd1ae2ded8532a50e9e66b8d54820c18ccdba49d7a38850d6af54475")
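For teams without the Gurucul TDIR platform, the same indicators can be applied to raw proxy, DNS and EDR logs. The following is an added example, not part of this advisory or of Gurucul's query set: a small Python matcher that extracts domains, IPv4 addresses and SHA-256 values from each log line and checks them against the advisory's IOC lists (domains are matched exactly or as a parent of a longer hostname). The log lines are constructed for illustration and the field names in them (src=, dst=, url=, sha256=) are assumptions, not a real product's format.

```python
import re
from dataclasses import dataclass
from collections import Counter

# Indicators copied from the advisory above.
IOC_DOMAINS = {"jw8ndw9ev.localto.net", "l5ugb6qxh.localto.net"}
IOC_IPS = {"143.47.53.106", "130.51.20.126", "199.232.214.172", "199.232.210.172"}
IOC_SHA256 = {
    "a1c2861a68b2a4d62b6fbfc7534f498cefe5f92f720466d24ae1b66ebc9f5731",
    "d20d14792c91107f53318ff7df83b9cd98acd3c394959a74e72278682822b600",
    "9184ff2cdd05fcaf111db23123479c845b2ece2fedccc2524b2de592f9980876",
    "5f897fec78e2fd812eb3bc451222e64480a9d5bc97b746cc0468698a63470880",
    "6153c80b17cb990caad1d80cac72c867d4ecfa1a84b7ab286b7373cd4168794e",
    "469b8911fd1ae2ded8532a50e9e66b8d54820c18ccdba49d7a38850d6af54475",
    "af8b6ac45918bc87d2a164fae888dab6e623327cba7c2409e4d0ef1dde8d1793",
}

# Loose extractors: anything that looks like a hostname, a dotted-quad, or 64 hex chars.
DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.IGNORECASE)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")


@dataclass(frozen=True)
class Hit:
    line_no: int      # 1-based line number in the scanned log
    ioc_type: str     # "domain", "ip" or "sha256"
    value: str        # the IOC that matched (lower-cased)


def _matching_domain(hostname: str):
    """Return the IOC domain that equals `hostname` or is a parent of it, else None."""
    for ioc in IOC_DOMAINS:
        if hostname == ioc or hostname.endswith("." + ioc):
            return ioc
    return None


def scan_line(line_no: int, line: str) -> list[Hit]:
    """Extract candidate indicators from one log line and keep those in the IOC sets."""
    hits = set()
    for host in DOMAIN_RE.findall(line):
        ioc = _matching_domain(host.lower())
        if ioc:
            hits.add(Hit(line_no, "domain", ioc))
    for ip in IPV4_RE.findall(line):
        if ip in IOC_IPS:
            hits.add(Hit(line_no, "ip", ip))
    for digest in SHA256_RE.findall(line):
        if digest.lower() in IOC_SHA256:
            hits.add(Hit(line_no, "sha256", digest.lower()))
    # Deterministic ordering so results are easy to diff and assert on.
    return sorted(hits, key=lambda h: (h.line_no, h.ioc_type, h.value))


def scan_log(lines) -> list[Hit]:
    """Scan an iterable of log lines; returns every IOC hit with its line number."""
    hits = []
    for n, line in enumerate(lines, start=1):
        hits.extend(scan_line(n, line))
    return hits


def summarize(hits) -> dict:
    """Count hits per indicator type, e.g. {"domain": 2, "ip": 2, "sha256": 1}."""
    return dict(Counter(h.ioc_type for h in hits))


# Constructed sample log lines (not real telemetry); field layout is an assumption.
SAMPLE_LOG = [
    "2025-05-09T10:14:02Z proxy src=10.0.0.15 dst=143.47.53.106 "
    "url=https://jw8ndw9ev.localto.net/invoice.pdf action=allow",
    r"2025-05-09T10:14:05Z edr host=WS-021 file=C:\Users\user\Downloads\invoice.bin "
    "sha256=A1C2861A68B2A4D62B6FBFC7534F498CEFE5F92F720466D24AE1B66EBC9F5731",
    "2025-05-09T10:20:11Z dns query=www.example.com answer=93.184.216.34",
    "2025-05-09T10:21:40Z proxy src=10.0.0.22 dst=199.232.210.172 "
    "url=https://l5ugb6qxh.localto.net/ action=block",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"line {hit.line_no}: {hit.ioc_type} {hit.value}")
    print(summarize(scan_log(SAMPLE_LOG)))
```

Hash comparison is case-insensitive and domain matching accepts subdomains of a listed host, so a line that reports the digest in upper case or a deeper hostname under a listed domain still raises a hit; an exact-string query like the TDIR one above would miss both.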
Reference:
https://www.fortinet.com/blog/threat-research/multilayered-email-attack-how-a-pdf-invoice-and-geofencing-led-to-rat-malware