Date: 10/03/2024
Severity: High
Summary
Initial phishing attempts involved Ukrainian-language emails sent on October 1, 2024, themed around "payment orders", each carrying the same attached PDF. Three samples were found on VirusTotal: two targeted .gov.ua recipients and one was sent to a US-based university. The spoofed PDF mimicked Ukraine's PrivatBank and contained a Bitbucket link to a now-defunct repository hosting a malicious 7-Zip archive. The 7-Zip archive contained a zip file, which in turn held a password-protected RAR file together with a text file providing the password. The RAR file ultimately delivered a Windows EXE for RMS-based malware; RMS is a freely available remote desktop management tool from TektonIT.
Indicators of Compromise (IOC) List
Type | Value
IP Address | 111.90.140.34
IP Address | 65.21.245.7
SHA-256 hash | 6cbd58c4773098a46682ecefe243803a719f5aa01f9e3372665575efb2836e66
SHA-256 hash | aa5ddc58a7719415335111344d1acc9acff79feb07bc7a86ad3414b8bdd90e37
SHA-256 hash | f84e05c4ae4782ddf3f489874b66aeba2e4c4de92d1eeb2765940909e3b9d8f6
SHA-256 hash | ef773e11dc10641e01df827e5fece81272397e3eae6989f4dd3f48ec3dc3a751
SHA-256 hash | 4555d7cb750d0a60496f06aa8b5e16b333626adfc9e150e033745b3c95d8dc5e
Sender name | Щербаченко Миролюба Янівна
Sender name | Алчевська Дорофея Добромирівна
Sender name | Федун Рудана Охримівна
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1 (network telemetry, any IP field) | dstipaddress IN ("111.90.140.34","65.21.245.7") or ipaddress IN ("111.90.140.34","65.21.245.7") or publicipaddress IN ("111.90.140.34","65.21.245.7") or srcipaddress IN ("111.90.140.34","65.21.245.7")
Detection Query 2 (file hashes) | sha256hash IN ("6cbd58c4773098a46682ecefe243803a719f5aa01f9e3372665575efb2836e66","aa5ddc58a7719415335111344d1acc9acff79feb07bc7a86ad3414b8bdd90e37","f84e05c4ae4782ddf3f489874b66aeba2e4c4de92d1eeb2765940909e3b9d8f6","ef773e11dc10641e01df827e5fece81272397e3eae6989f4dd3f48ec3dc3a751","4555d7cb750d0a60496f06aa8b5e16b333626adfc9e150e033745b3c95d8dc5e")
Detection Query 3 (sender display names) | senderaddress in ("Щербаченко Миролюба Янівна", "Алчевська Дорофея Добромирівна", "Федун Рудана Охримівна")
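The same three queries, applied outside the Gurucul platform, as an added Python example that is not part of the advisory or Gurucul's own tooling. The IOC values are the ones listed above; the field names mirror the queries, and the log events it scans are constructed samples.

```python
# Added example, not from the advisory or Gurucul: applies the page's three
# detection queries to constructed log events. IOC values are from the page.

IOC_IPS = {"111.90.140.34", "65.21.245.7"}
IOC_SHA256 = {
    "6cbd58c4773098a46682ecefe243803a719f5aa01f9e3372665575efb2836e66",
    "aa5ddc58a7719415335111344d1acc9acff79feb07bc7a86ad3414b8bdd90e37",
    "f84e05c4ae4782ddf3f489874b66aeba2e4c4de92d1eeb2765940909e3b9d8f6",
    "ef773e11dc10641e01df827e5fece81272397e3eae6989f4dd3f48ec3dc3a751",
    "4555d7cb750d0a60496f06aa8b5e16b333626adfc9e150e033745b3c95d8dc5e",
}
IOC_SENDER_NAMES = {
    "Щербаченко Миролюба Янівна",
    "Алчевська Дорофея Добромирівна",
    "Федун Рудана Охримівна",
}
# Same field names as Detection Query 1 on the page.
IP_FIELDS = ("dstipaddress", "ipaddress", "publicipaddress", "srcipaddress")


def match_event(event):
    """Return the IOC hits ('queryN:field=value') for one log event."""
    hits = []
    for field in IP_FIELDS:
        value = event.get(field)
        if value in IOC_IPS:
            hits.append(f"query1:{field}={value}")
    # Hashes are normalised to lowercase: sensors emit mixed-case hex.
    digest = str(event.get("sha256hash", "")).strip().lower()
    if digest in IOC_SHA256:
        hits.append(f"query2:sha256hash={digest}")
    # Query 3 keys on the sender display name (the page's field is
    # senderaddress); collapse whitespace so padded names still match.
    sender = " ".join(str(event.get("senderaddress", "")).split())
    if sender in IOC_SENDER_NAMES:
        hits.append(f"query3:senderaddress={sender}")
    return hits


# Constructed sample events: proxy log, EDR file event, mail log, benign.
SAMPLE_EVENTS = [
    {"srcipaddress": "10.0.0.5", "dstipaddress": "65.21.245.7"},
    {"sha256hash": "6CBD58C4773098A46682ECEFE243803A719F5AA01F9E3372665575EFB2836E66"},
    {"senderaddress": "Щербаченко  Миролюба Янівна", "subject": "payment order"},
    {"srcipaddress": "10.0.0.9", "sha256hash": "0" * 64},
]


def scan(events=SAMPLE_EVENTS):
    """Map event index -> hits, keeping only events with at least one hit."""
    return {i: h for i, e in enumerate(events) if (h := match_event(e))}
```

Confirm which field in your mail telemetry carries the display name before relying on Query 3; the listed values are names, not addresses.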
Reference:
https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2024-10-01-IOCs-for-RMS-based-malware.txt