Date: 03/12/2025
Severity: High
Summary
Email remains a common malware delivery channel, and most malicious messages are caught by spam traps and security filters. Threat actors keep adapting their techniques to get past these defenses; one such technique is renaming an attached zip archive so that it carries a different file extension. In this case the attachment was a zip archive renamed with a .7z extension. On a Windows 11 system, File Explorer extracted the malware anyway, even though the archive used a .7z extension and 7-Zip was not installed: File Explorer has shipped built-in support for .7z, .rar and other archive formats (libarchive-based) since late 2023, and it identifies the container by its content rather than its extension. The rename therefore defeats mail filters that key on the .zip extension without putting any obstacle in front of the victim. The reference below attributes this activity to Remcos RAT.
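The following is an added example, not code from the advisory or from the referenced Unit 42 material. It shows why extension-based filtering fails against this trick and how a gateway check should be written instead: a harmless zip is constructed in memory, renamed to invoice.7z (a hypothetical file name), and classified by its magic bytes. Python's zipfile, like File Explorer, opens it regardless of the name; the mismatch between the sniffed container and the claimed extension is the signal to alert on.

```python
import io
import zipfile
from typing import Optional

# Leading-byte signatures of common archive containers (well-known magic values).
ARCHIVE_MAGIC = {
    "zip": (b"PK\x03\x04", b"PK\x05\x06", b"PK\x07\x08"),  # local header / empty / spanned
    "7z": (b"7z\xbc\xaf\x27\x1c",),
    "rar": (b"Rar!\x1a\x07",),
    "gzip": (b"\x1f\x8b",),
}

# What each extension claims the container is.
EXT_TO_KIND = {".zip": "zip", ".7z": "7z", ".rar": "rar", ".gz": "gzip", ".tgz": "gzip"}


def sniff_archive(data: bytes) -> Optional[str]:
    """Identify the archive container from its leading bytes, ignoring the file name."""
    for kind, signatures in ARCHIVE_MAGIC.items():
        if any(data.startswith(sig) for sig in signatures):
            return kind
    return None


def claimed_kind(filename: str) -> Optional[str]:
    """Container type implied by the attachment's extension, or None if not an archive extension."""
    name = filename.lower()
    for ext, kind in EXT_TO_KIND.items():
        if name.endswith(ext):
            return kind
    return None


def check_attachment(filename: str, data: bytes) -> dict:
    """Verdict for one attachment: actual container, claimed container, and whether they disagree.

    zip_openable shows that content-based tooling will extract the file whatever it is called.
    """
    actual = sniff_archive(data)
    claimed = claimed_kind(filename)
    return {
        "filename": filename,
        "actual": actual,
        "claimed": claimed,
        "mismatch": actual is not None and claimed is not None and actual != claimed,
        "zip_openable": zipfile.is_zipfile(io.BytesIO(data)),
    }


def build_sample_zip() -> bytes:
    """Constructed sample: a benign zip with one text file, standing in for the malicious archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("invoice.txt", "constructed sample payload, not malware\n")
    return buf.getvalue()


if __name__ == "__main__":
    payload = build_sample_zip()
    # A filter that only blocks *.zip lets this through; the magic-byte check does not.
    for name in ("invoice.zip", "invoice.7z"):
        print(check_attachment(name, payload))
```

Run on real mail flow, the mismatch flag belongs on attachments before any extension allow/deny list is consulted, since the extension is attacker-controlled and the first bytes are not. Nested archives need the same check applied to each extracted member.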
Indicators of Compromise (IOC) List
Domains/URLs:
hftook7lmaroutsg1.duckdns.org
http://geoplugin.net/json.gp
IP Addresses:
54.38.59.202
206.123.152.51
SHA256 Hashes:
f21e796e0ea71e76542d7196593ad8337012760d9183eb5abdb78c74e4702531
f6946b226d21d0f716980980d61ef1a6ca429bed0c42c4ad51c9d813ee626469
1b0eb55bb50d0286b192accbe408826c4c2e6c59a78d52743ce4f84ac0b1d6d0
Note on the network indicators: geoplugin.net is a legitimate public geolocation service that Remcos samples query to profile the victim, so a hit on it corroborates an infection but should not be treated as a standalone alert. duckdns.org is a dynamic DNS provider; the indicator is the full hostname hftook7lmaroutsg1.duckdns.org, not the parent domain.
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Domains/URLs:
userdomainname like "http://geoplugin.net/json.gp" or url like "http://geoplugin.net/json.gp" or userdomainname like "hftook7lmaroutsg1.duckdns.org" or url like "hftook7lmaroutsg1.duckdns.org"
IP Addresses:
dstipaddress IN ("54.38.59.202","206.123.152.51") or ipaddress IN ("54.38.59.202","206.123.152.51") or publicipaddress IN ("54.38.59.202","206.123.152.51") or srcipaddress IN ("54.38.59.202","206.123.152.51")
SHA256 Hashes:
sha256hash IN ("f21e796e0ea71e76542d7196593ad8337012760d9183eb5abdb78c74e4702531","f6946b226d21d0f716980980d61ef1a6ca429bed0c42c4ad51c9d813ee626469","1b0eb55bb50d0286b192accbe408826c4c2e6c59a78d52743ce4f84ac0b1d6d0")
Reference:
https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2025-03-10-IOCs-for-Remcos-RAT-activity.txt