Jigsaw Security has been watching (and, of late, receiving) many malware-laden documents. Starting about two weeks ago we saw an uptick in such documents in our inboxes. Shortly afterward Cisco Talos posted a bulletin, and several organizations, including AlienVault and Cisco, began sharing information.
After researching the documents we have decided to release the list of hosts involved, along with some of the recent detections.
Here is what Cisco Talos had to say about it:
Cisco Talos discovered a new malicious campaign from the well known actor Group 74 (aka Tsar Team, Sofacy, APT28, Fancy Bear…). Ironically the decoy document is a flyer concerning the Cyber Conflict U.S. conference organized by the NATO Cooperative Cyber Defence Centre of Excellence on 7-8 November 2017 at Washington, D.C. Due to the nature of this document, we assume that this campaign targets people with an interest in cyber security. Unlike previous campaigns from this actor, the flyer does not contain an Office exploit or a 0-day, it simply contains a malicious Visual Basic for Applications (VBA) macro.
Cisco provided a list of indicators and Jigsaw Security has performed additional research. Here are the findings.
Indicators of Compromise:
The following hosts are involved in this campaign. Note that several entries are exact hostnames under shared dynamic-DNS providers (duckdns.org, ddns.net, dynu.com, net63.net), so match the full hostname rather than the provider domain, and that sinkhole.tigersecurity.pro is, as its name indicates, a sinkhole address rather than live attacker infrastructure.
200200.duckdns.org
357.duckdns.org
184.108.40.206
ahr0cdovlzkyljiymi4ymdkundkvywn0a.0.d.255.adobeproduct.com
bonjourcheck.com
carlos88.ddns.net
d6231738c34.john-pc.c.mswordupdate17.com
d6238051c34.placehol-6f699a.c.mswordupdate17.com
d6238111c34.placehol-6f699a.c.mswordupdate17.com
d6238158c34.placehol-6f699a.c.mswordupdate17.com
d6238210c34.placehol-6f699a.c.mswordupdate17.com
d6261013c34.placehol-6f699a.c.mswordupdate17.com
d6261024c34.placehol-6f699a.c.mswordupdate17.com
d6261034c34.placehol-6f699a.c.mswordupdate17.com
elaxo.org
fastfileconverter.org
faststoragefiles.org
flashcontentdelivery.net
fsportal.net
googlea.net63.net
hhcghibvywzedwa2iyvsuzzhx8.2.d.255.adobeproduct.com
ikmtrust.com
ip113.ip-91-134-203.eu
jeremizo888.ddns.net
jflynci.com
maskulan.duckdns.org
maskulan.dynu.com
microsoftupdated.com
msoffice-cdn.com
myinvestgroup.com
n.3.f.255.adobeproduct.com
n.n.c.255.adobeproduct.com
n.n.c.26055.adobeproduct.com
n.n.c.303ff7b225c14f1498a2.cdnmsnupdate.com
networkschecker.net
ns1.cdnmsnupdate.com
ns2.cdnmsnupdate.com
ns2.ntpupdateserver.com
ns3.cdnmsnupdate.com
peacefund.eu
protectingsearch.com
runssnetworks.com
sinkhole.tigersecurity.pro
vascothreatscan.org
w9umi9wrvzsvlvstvfvslbumdfdvda5tl.1.d.255.adobeproduct.com
windows.mswordupdate17.com
windows81.duckdns.org
www.adobeproduct.com
www.cdnmsnupdate.com
www.sdhjjekfp4k.com
Here are the associated SHA-256 hashes:
522fd9b35323af55113455d823571f71332e53dde988c2eb41395cf6b0c15805
c4be15f9ccfecf7a463f3b1d4a17e7b4f95de939e057662c3f97b52f7fa3c52f
e5511b22245e26a003923ba476d7c36029939b2d1936e17a9b35b396467179ae
ef027405492bc0719437eb58c3d2774cc87845f30c40040bbebbcc09a4e3dd18
efb235776851502672dba5ef45d96cc65cb9ebba1b49949393a6a85b9c822f52
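As an added example (not code from Jigsaw Security or Cisco Talos), the following Python matches the hostname and hash indicators above against DNS-log lines. It assumes three things that the page does not state: that the machine-generated labels under adobeproduct.com, mswordupdate17.com and cdnmsnupdate.com justify flagging every subdomain of those parents; that the log format is "timestamp client query-name type" (the sample lines are constructed); and that the hostname set below is only a subset of the list, to be completed from the page.

```python
"""Match hostname and SHA-256 indicators from the list above against log lines.

Added example, not Jigsaw Security's or Talos's tooling. The hostname set is
a subset of the page's list; the parent-domain rule and the log lines are
assumptions made for this example.
"""
import re
from urllib.parse import urlsplit

# Exact-match hostname indicators (subset of the list above; paste the rest in).
HOST_IOCS = frozenset(h.lower() for h in """
200200.duckdns.org
bonjourcheck.com
carlos88.ddns.net
maskulan.dynu.com
myinvestgroup.com
ns2.ntpupdateserver.com
windows.mswordupdate17.com
www.adobeproduct.com
www.cdnmsnupdate.com
""".split())

# The list carries machine-generated labels under these parents
# (d6238051c34.placehol-6f699a.c.mswordupdate17.com, n.n.c.255.adobeproduct.com, ...).
# Flagging every subdomain of them is an assumption made in this example.
SUSPECT_PARENT_DOMAINS = frozenset({
    "adobeproduct.com", "mswordupdate17.com", "cdnmsnupdate.com",
})

# Shared dynamic-DNS providers seen in the list: only the exact hostnames
# listed are indicators; another tenant of the same provider is not.
SHARED_DNS_PROVIDERS = frozenset({"duckdns.org", "ddns.net", "dynu.com", "net63.net"})

# The five SHA-256 hashes from the list above.
HASH_IOCS = frozenset({
    "522fd9b35323af55113455d823571f71332e53dde988c2eb41395cf6b0c15805",
    "c4be15f9ccfecf7a463f3b1d4a17e7b4f95de939e057662c3f97b52f7fa3c52f",
    "e5511b22245e26a003923ba476d7c36029939b2d1936e17a9b35b396467179ae",
    "ef027405492bc0719437eb58c3d2774cc87845f30c40040bbebbcc09a4e3dd18",
    "efb235776851502672dba5ef45d96cc65cb9ebba1b49949393a6a85b9c822f52",
})


def normalise_host(raw: str) -> str:
    """Reduce a URL, 'host:port' or trailing-dot DNS name to a bare lower-case hostname."""
    if "://" in raw:
        raw = urlsplit(raw.strip()).hostname or ""
    host = raw.strip().lower().rstrip(".")
    if host.count(":") == 1:  # host:port (IPv6 literals are not handled here)
        host = host.split(":", 1)[0]
    return host


def parent_domains(host: str):
    """Yield each parent of a hostname: a.b.c.com -> b.c.com, c.com, com."""
    labels = host.split(".")
    for i in range(1, len(labels)):
        yield ".".join(labels[i:])


def classify_host(raw: str) -> str:
    """Return 'ioc', 'suspect-parent', 'shared-provider' or 'clean' for one hostname."""
    host = normalise_host(raw)
    if host in HOST_IOCS:
        return "ioc"
    for parent in parent_domains(host):
        if parent in SUSPECT_PARENT_DOMAINS:
            return "suspect-parent"
        if parent in SHARED_DNS_PROVIDERS:
            return "shared-provider"
    return "clean"


def classify_hash(raw: str) -> str:
    """Return 'ioc', 'clean' or 'not-sha256' for one hash string (case-insensitive)."""
    digest = raw.strip().lower()
    if not re.fullmatch(r"[0-9a-f]{64}", digest):
        return "not-sha256"
    return "ioc" if digest in HASH_IOCS else "clean"


# Constructed DNS-log excerpt: "<timestamp> <client> <query-name> <type>".
SAMPLE_DNS_LOG = """\
2017-11-01T09:15:02Z 10.0.0.15 windows.mswordupdate17.com. A
2017-11-01T09:15:03Z 10.0.0.15 d6238051c34.placehol-6f699a.c.mswordupdate17.com. A
2017-11-01T09:16:40Z 10.0.0.22 other-tenant.duckdns.org. A
2017-11-01T09:17:05Z 10.0.0.31 www.example.com. A
"""


def scan_dns_log(text: str):
    """Return (client, hostname, verdict) for every queried name that is not clean."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        verdict = classify_host(fields[2])
        if verdict != "clean":
            hits.append((fields[1], normalise_host(fields[2]), verdict))
    return hits


if __name__ == "__main__":
    for client, host, verdict in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"{verdict:15} {client:12} {host}")
```

The three verdict levels are deliberate: an exact hostname hit is an indicator, a previously unseen label under one of the attacker parent domains is worth triage, and a different tenant of duckdns.org or ddns.net is noise unless it is one of the listed hostnames.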
Customers of Jigsaw Security can get additional information here.
In addition to this event, Jigsaw Security is aware of a similar campaign targeting security professionals and is investigating the actors. More information will be posted to the Jigsaw Security Threat Intelligence platform.