Date: 11/07/2024
Severity: Medium
Summary
Threat actors are using copyright infringement phishing lures to deploy infostealer malware. The attackers craft deceptive emails or messages claiming that the recipient has violated copyright laws, prompting them to click on malicious links or download attachments. Once activated, the infostealer malware steals sensitive information, such as login credentials, financial data, and personal details, which can then be used for further exploitation or sold on the dark web.
Indicators of Compromise (IOC) List
URL/Domain | declaredczxi.shop messtimetabledkolvk.shop applyzxcksdia.shop justifycanddidatewd.shop detailbaconroollyws.shop raiseboltskdlwpow.shop notoriousdcellkw.shop varianntyfeecterd.shop understanndtytonyguw.shop deprivedrinkyfaiir.shop relaxtionflouwerwi.shop strwawrunnygjwu.shop freezetdopzx.shop falseaudiencekd.shop landdumpycolorwskfw.shop conferencefreckewl.shop catchddkxozvp.shop pleasurenarrowsdla.shop considerrycurrentyws.shop arriveoxpzxo.shop horsedwollfedrwos.shop replacedoxcjzp.shop conformfucdioz.shop tribepresentaitsi.shop marathonbeedksow.shop ohfantasyproclaiwlo.shop barebrilliancedkoso.shop bindceasdiwozx.shop contemplateodszsv.shop feighminoritsjda.shop flourhishdiscovrw.shop liabiliytshareodlkv.shop parallelmercywksoffw.shop patternapplauderw.shop richardflorespoew.shop |
IP Address | 139.99.82.239 |
Hash | SHA-256 values as listed in Detection Query 3 below |
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1 | userdomainname like "declaredczxi.shop" or url like "declaredczxi.shop" or userdomainname like "messtimetabledkolvk.shop" or url like "messtimetabledkolvk.shop" or userdomainname like "applyzxcksdia.shop" or url like "applyzxcksdia.shop" or userdomainname like "justifycanddidatewd.shop" or url like "justifycanddidatewd.shop" or userdomainname like "detailbaconroollyws.shop" or url like "detailbaconroollyws.shop" or userdomainname like "raiseboltskdlwpow.shop" or url like "raiseboltskdlwpow.shop" or userdomainname like "notoriousdcellkw.shop" or url like "notoriousdcellkw.shop" or userdomainname like "varianntyfeecterd.shop" or url like "varianntyfeecterd.shop" or userdomainname like "understanndtytonyguw.shop" or url like "understanndtytonyguw.shop" or userdomainname like "deprivedrinkyfaiir.shop" or url like "deprivedrinkyfaiir.shop" or userdomainname like "relaxtionflouwerwi.shop" or url like "relaxtionflouwerwi.shop" or userdomainname like "strwawrunnygjwu.shop" or url like "strwawrunnygjwu.shop" or userdomainname like "freezetdopzx.shop" or url like "freezetdopzx.shop" or userdomainname like "falseaudiencekd.shop" or url like "falseaudiencekd.shop" or userdomainname like "landdumpycolorwskfw.shop" or url like "landdumpycolorwskfw.shop" or userdomainname like "conferencefreckewl.shop" or url like "conferencefreckewl.shop" or userdomainname like "catchddkxozvp.shop" or url like "catchddkxozvp.shop" or userdomainname like "pleasurenarrowsdla.shop" or url like "pleasurenarrowsdla.shop" or userdomainname like "considerrycurrentyws.shop" or url like "considerrycurrentyws.shop" or userdomainname like "arriveoxpzxo.shop" or url like "arriveoxpzxo.shop" or userdomainname like "horsedwollfedrwos.shop" or url like "horsedwollfedrwos.shop" or userdomainname like "replacedoxcjzp.shop" or url like "replacedoxcjzp.shop" or userdomainname like "conformfucdioz.shop" or url like "conformfucdioz.shop" or userdomainname like "tribepresentaitsi.shop" or url like "tribepresentaitsi.shop" or userdomainname like "marathonbeedksow.shop" or url like "marathonbeedksow.shop" or userdomainname like "ohfantasyproclaiwlo.shop" or url like "ohfantasyproclaiwlo.shop" or userdomainname like "barebrilliancedkoso.shop" or url like "barebrilliancedkoso.shop" or userdomainname like "bindceasdiwozx.shop" or url like "bindceasdiwozx.shop" or userdomainname like "contemplateodszsv.shop" or url like "contemplateodszsv.shop" or userdomainname like "feighminoritsjda.shop" or url like "feighminoritsjda.shop" or userdomainname like "flourhishdiscovrw.shop" or url like "flourhishdiscovrw.shop" or userdomainname like "liabiliytshareodlkv.shop" or url like "liabiliytshareodlkv.shop" or userdomainname like "parallelmercywksoffw.shop" or url like "parallelmercywksoffw.shop" or userdomainname like "patternapplauderw.shop" or url like "patternapplauderw.shop" or userdomainname like "richardflorespoew.shop" or url like "richardflorespoew.shop" |
Detection Query 2 | dstipaddress IN ("139.99.82.239") or ipaddress IN ("139.99.82.239") or publicipaddress IN ("139.99.82.239") or srcipaddress IN ("139.99.82.239") |
Detection Query 3 |
sha256hash IN ("1ccf7f8b3a9b20bb87bc18a3fcfb41948f65dfb43b2fad1440a0eaef2656f414","96f672a9fffb168fb7bf40b8acff4d827388ee2825a32e7aecdf63182cb23d8e","8d782d769de826212ae7519aae41877acf2a4f35d97067cc996b06c148cc218e","a3c6d66308eced2a2b12c96860b1097b84065730d67308f7b05db4b09b3acf05","80231f19168b5f326bd1fbcd7a093aeb0415c84e5036c7991b3eaef2f9be77a2","b9c100b9739aab1db7263c68bf55270eb65971f71e1ce38c89a3078164ff97bb","b5f1554f61873bd6777812f7d2578fc8f5c6d48d4901bdea3d07673698d306d2","33aaf3109c1c8a477cbcdd942a9b60acc236fe56ddd8d0262d7ad63d9434e12f","86bef968254fc4288b9f481878fc46b1e236cefa93a1c9374a234573ad25d051","1b80e9c51d418ce5ac3a6741e70a6a0235b43bb7548299278865f604d41d7675","213c8a51972fdd17d3f8c20a94e76123004d4e8f21a4a06d50f87d2c65379ac0","76c711c56c95009506347691c44ba9cc61ce0056e47784799f6429642c224d3a","cd217bbd68146c9c95a94f2cb810d7d87c397b1f290b7659e395ba86b4d96adb","feb8e3dcb8631b13643b95b4d84d936183742a7b333857463656a5523dfbba3d","51c1e25a546dbf2d9a17ccd1f0e95cff68ead96d4dc77c995fe3d9cb67d4ee17","ba865bacd3de8c261efd9e1a4e9ada62a417e8027a0aafe7c7eac3c69ca82ebd","df9fdb0fcefa0255fd41405f57e7950fa736eff1fd12fed63cd337b8752c3766","b096f74c64f1acf07bda1bff9f8a0a8372055cdd6573523772b6fc5f63a47c18","9ef9c88cef51ee0fb77ea9a78dbe60651603ef807ddb6c44d5bda95cc9026527","bfa188194c91e509262d0924cfd0ae70d120d50e904982d54d1d5a58de72bde4","f47589765df2ce3a5476d0b83569876c57e26f9ce2ba19227903396296f8cc22","e12ca221e597b760c912613b0bd8eff29c25f31c8b4a7687de3690fcfb66ab28","2175a1f8f798b0daf05965eb860166c65a8d227d1309cd3545dba3174fd2292f") |
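As an added illustration (not Gurucul's or Talos's code), the following Python re-implements the three detection queries above over constructed sample events, using the same field names the queries use; the domain and hash sets hold only the first few values from the IOC table, so the full list must be loaded in practice.

```python
"""Re-implementation of the three detection queries above over sample log events.
Added illustration, not Gurucul's or Talos's own code; field names are those used
in the queries and the events below are constructed sample data."""

# IOC values copied from the table above. Domain and hash sets are truncated to the
# first few entries for brevity; load the full list in practice.
IOC_DOMAINS = {"declaredczxi.shop", "messtimetabledkolvk.shop", "applyzxcksdia.shop"}
IOC_IPS = {"139.99.82.239"}
IOC_SHA256 = {"1ccf7f8b3a9b20bb87bc18a3fcfb41948f65dfb43b2fad1440a0eaef2656f414"}

DOMAIN_FIELDS = ("userdomainname", "url")                                    # Query 1
IP_FIELDS = ("dstipaddress", "ipaddress", "publicipaddress", "srcipaddress")  # Query 2
HASH_FIELD = "sha256hash"                                                    # Query 3


def match_event(event):
    """Return [(query, field, ioc), ...] for every IOC that fires on one event.

    `like "x"` in the queries is a substring test, so a subdomain or a full URL
    containing the domain fires too. `IN (...)` is an exact test, so values are
    lower-cased first: a hash logged in upper case would otherwise be missed.
    """
    hits = []
    for field in DOMAIN_FIELDS:
        value = str(event.get(field, "")).lower()
        for domain in sorted(IOC_DOMAINS):
            if domain in value:
                hits.append(("query1_domain", field, domain))
    for field in IP_FIELDS:
        value = str(event.get(field, "")).strip()
        if value in IOC_IPS:
            hits.append(("query2_ip", field, value))
    digest = str(event.get(HASH_FIELD, "")).strip().lower()
    if digest in IOC_SHA256:
        hits.append(("query3_hash", HASH_FIELD, digest))
    return hits


def scan(events):
    """Return (event, hits) for every event that triggers at least one query."""
    return [(e, h) for e in events if (h := match_event(e))]


# Constructed sample events (not real telemetry): a subdomain hit plus the listed
# IP, an upper-case hash, and a clean event.
SAMPLE_EVENTS = [
    {"url": "https://cdn.declaredczxi.shop/Update.zip", "dstipaddress": "139.99.82.239"},
    {"userdomainname": "example.com",
     "sha256hash": "1CCF7F8B3A9B20BB87BC18A3FCFB41948F65DFB43B2FAD1440A0EAEF2656F414"},
    {"userdomainname": "example.org", "srcipaddress": "10.0.0.5"},
]
```

Because `like` is a substring test, a URL that merely carries an IOC domain in its query string also fires; triage such hits by checking the parsed host before escalating.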
Reference:
https://blog.talosintelligence.com/threat-actors-use-copyright-infringement-phishing-lure-to-deploy-infostealers/