The team at Jigsaw Security is watching closely a campaign known as Capesand. It appears as though the exploit kit is in active development and we have been tracking activity associated with the threat actor. The exploits observed are not all new but newer vulnerabilities are being leveraged to gain a foothold on victims computers.
Observed Vulnerabilities
Some of the observed vulnerabilities include CVE-2019-0752 aimed at targeting Internet Explorer users and CVE-2018-4878 as well as other flash exploits. Today we observed additional flash based exploits including older ones such as CVE-2016-4117 which is pretty old. Since these exploits have a very low detection rate, we have decided to push updates to stop this utilizing our FirstWatch sensor product.
Indicators of Compromise
It should be noted that while we are providing indicators of compromise for this event, Jigsaw Security as an organization is moving away from providing indicators as they are typically outdated by the time they are published. In order to be proactive and stop threats, Jigsaw Security is focusing on our stream libraries to stop threats even when the IP address, domains and binary hashes change. In short we create one signature and it prevents the entire campaign through identification utilizing advanced techniques including DNS sinkholing to render the campaign ineffective against our customers.
In addition to the indicators provided below, we would like to give credit to Trend Micro who had identified this activity early and alerted us to the exploits being utilized.
Associated Vulnerabilities
CVE-2015-2419 CVE-2018-4878 CVE-2018-15982 CVE-2018-8174 CVE-2018-8120
CVE-2016-4117
CVE-2019-0752
Associated IP's and C2 Addresses
138[.]68[.]15[.]227 107[.]167[.]244[.]67 68[.]65[.]122[.]140 104[.]24[.]105[.]123 104[.]28[.]16[.]137 104[.]28[.]17[.]137 68[.]65[.]122[.]140 104[.]24[.]104[.]123 198[.]54[.]125[.]171
Associated Domains
blockchainblog[.]club blockchainblogger[.]club shophandbag[.]store amrins[.]com angelcreati[.]com agenziaimmobiliare[.]xyz amazonscrapper[.]com algarvesingles[.]com 1gom[.]co[.]uk alldefinition[.]com 5stardesigners[.]com africaexpofestivalgermany[.]com acemedina[.]online 2016holisms[.]com 21mainstreet[.]com accommodationinrwanda[.]com adinent[.]com amajamberecamp[.]org 1gom[.]biz amnaherb[.]com alwatikon[.]com agedcarecontent[.]com 123buyonline[.]com ajwilliamsfamily[.]com amplifyedge[.]com 5star-designers[.]co[.]uk activ[.]services about-bitcoin[.]com airbnb[.]com[.]rooms-3535790[.]town 3mstorage[.]com andreabroad[.]com algarve[.]pro activeofficeblog[.]com 641studio[.]com advantagebusinesssystemsphone[.]us 1gom[.]site 1gom[.]mobi acingenieriaconstruccion[.]cl 365one[.]online 8ballpoolhack-game[.]com 4k[.]moviesnets[.]com alhakyka[.]com algarve[.]rentals abosseyokiaonline[.]com allpaleodietrecipe[.]com alfazhouse[.]com aleorosa[.]com 69e[.]fun angelesbarberstudio[.]com 5400[.]net allblocks[.]nz angles[.]company anantpatil[.]in affordablenearme[.]com alucostar[.]ph allvideoplayer[.]net all4usa[.]info alucostar[.]website 1gom[.]club 1gom[.]me abhineos[.]com admin[.]wazaps[.]com 2dehandsbe[.]org allbestrangefinder[.]com ammu[.]dev afterschoolspecial[.]band aljannah[.]org andrewsharp[.]co 1-gom[.]net www[.]blockchainblogger[.]club albashayir[.]com 1-gom[.]com amazingparrots[.]com alreemproductions[.]com algarve-villa-rental[.]com alalia[.]co 247sportsfrenzy[.]com adakwan[.]com 1000websporno[.]com 24fit24[.]com a-new-look[.]com 11wallstreet[.]us aleahhowell[.]com 24honlinenews[.]com 7faktaunik[.]com 10hacks[.]net alessandrogualdi[.]club alvorada-mar-pedras[.]club 24x7helpandsupport[.]xyz addictioncounseling[.]rehab anantpatil[.]com 4k[.]moviestvnews[.]com airport-duty-free[.]com airfixcollector[.]co[.]uk 79-h[.]xyz absphone[.]com acneridof[.]com alvisperu[.]com 1gom-vn[.]com amalgamated[.]ai 1dongho[.]com 10betcvp[.]com 1gom[.]link altwerdenohnealtzusein[.]info
Associated Hashes
dad77b4e03da0b316a68760e47d7fa73d38b6aee78c004fbf5cb41b5a5d83ebf 30ec8a81c0ad807da7d134af02e3cec30c04998cec6c3f19cae71093d9683e55 e6b023a6f718627fcb11c45fb294032655e0558ac1f1d0a4959cfcaaf6fcdac0 0b52c5338af355699530a47683420e48c7344e779d3e815ff9943cbfdc153cf2 0e78b2994cd230e03bd79ab741dd4122400a04c2f1ff4be0af0accef4db1a933 dc2b90121765698d3e0ddc8859f505a9048e6424393c85f0040a3ba7722f1fe1 3ca0e628bc72ffdefe4ea68f73f15e502b0a06fa01b85768184deae284f3f5d0 cdacf09627672244e1a07243388166aead4a90a43fc69f31ec4c9d50549c6712 0d45c4423d5a5b714de61eb15cbd7a7166764433ff006f5f42017f482ad8606f 8515e17ea8dee56116945402a349fb8c36562d1249b63ae133c47393fc6f2689 e828060a30589fa1f88d095defafe3261893b0efe16b7f9bd324aa5775a7b1e7 4340a3d2535cc0333e96f580bd0bc50365adec68728e1a945f81db73c4567460 bc66575e0a9008aa0d54f868187c4c7e933107574054abbe9d04789048ada0f2 942085862869cb750d9606410226ab1854d7d9e4ef03bad9320e56119cea48f4 be40e365bcc92c366c97b606e262a83a076737d92f7748af3ef34634cf9c7536 86a483962ec9a15242fec7abf8fcc4ebf5c9fb9e9084f84de889e01aac8f3806 7eb2b9eea4d516f77887761117ec8cc90ad1196193c799ee73f56e3d968f9f5f 9ab6c4aa72a95f3509ac9fe4e83836b46de5bc22ea1a15d72c1ac67a3755f235 17fa2f3324d45c27a318ed51dab739c7f09b573185b76889b955ad2c9ad1d7b8 701e0b44cd59322ef6a485af1ffb69649fdf6a4f439dae813257c5264d10c9cc b124957014243c90e7ec62c0f98c03368f374d31cc7f29bbab0181ca1e751712 492c7cf209a5fb554d2d366cf5d921ffcdd0aa39a27f6fcd403f87d2dfe4b728 137922975f10cfbee119b1096a07b9234412bec6e93b875e5e14d2206a494b0c 3b1b323c00f434104badb8d26d27fecfc71d0b07d3b76be943e42044f3e9b577 5422b9f8bf3a9ac5081fb5bccaaceff8ffb0a3926e1b327a5133a53a5f699619 2a13a23c684b8e875c102d2879dc3ec3ebca1572b0785aee1a277133e6295a12 fdf900267092bc67bd7786b86c462e69f9ed52bed838809b6ba28b298be879f6 9b51278d857b45f833648f7d02bb38369839b3eb4c37f85aeb6c6665f7e0741d 77795c8a3c5a8ff8129cb4db828828c53a590f93583fcfb0b1112a4e670c97d4 319c9e15da329e8be50735eef869832c9fc9f4a5cdbe6e82e6cb9f0b3dfb0e8d 2db035a7c01ab6665f2d9de45566a176c0a3eb001b8c14f1ec13f2d0a1aff3bb 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9 7ea4492ed088100153f3590bce841ceb621ce16d2994531f9f4fa18671ba457c 9278d16ed2fdcd5dc651615b0b8adc6b55fb667a9d106a9891b861d4561d9a24 a094ce5432089bb66427491137c13d5332cae0d21684a3bfa57f3bb2a14d4638 4bce352eed116a0e8bb6edcf4ffbbbac8bdc89d8a2d1bd08c3db806bf7e54a71 b7eab220236cf2123b66057262e0ce0e9e9b5987d2b5634d225ea29ec311653a 56b97f9bcb141cc4e04ebe1320dd6dab5fac7166c6977f92783e5762d2688e10 a84d87ba845383bb85f08df7736791afae96fb7b5923b12c27d81d1b8b124685 4bb7073a502aad4b76360daf16268a145051587618478a5b3c3c78a71fc0a66e 1c461e7a50408d459872d13c0113f0fcc2a5e782ed32574f8b077970281bd4f4 e2137ddfd12fd144a817a650c845a9c16a0f3ce3c96cf6ac372041f210233677 d5a89e26beae0bc03ad18a0b0d1d3d75f87c32047879d25da11970cb5c4662a3 42ee183e5f70ac2cdd3fe795aa698647c7ee53d357496643e7fe27102ff5743d de5b34f1687c9acac92b41fd4d7ad9c5b1d482c30d21cfb858472197168102a2 b4f2b3eb93fb3821690d914952f3a7df8f74db61f828fd549c446ba7dd979b9b 5762b49744842a7ce9a1f7427d1dbce013f568128bdca76bb3beca8899e38c50 6b62a3658ad247e8f30d3e9f35da5e00ffac1ea09785bd1f0a9830f659cf01da f59c4692d342d65220dd7f74e03548087f99ca88244b971c7c1fe4fb67c5f730 4e523a5ae5b4636c75901b79fafbd3912e41dc7987414e688b09d4b436ff22b3 2c6ed5689813f40064fc8620d97aa85754551b7454568791bb75043cfe75e4f3 77d5aa68e1f9483d6bc4bbb0758b89d8d6611c068f8173bec407c830c84d50ec 4ca56ebefb58bbd61e94673955e9d656461d365cfbb2c6b21853a3289cab0797 d64f52d6e4be0178585566cef8677beabb0254b39e9d2f65690a0a4407a0d1f0 f669222a6f4c969e70797b8c47451d827276b0d68570341db43ee24c6faaaa60 2de581adf492a87ef116f6405cdf0a1daca570621a123929c8a97b0a24e4d6c3 71ba9506fe646d3c3c87ba4e24879eb5f68e9873ed8324974b818b9ef9a5a523 f9e1c2f42eb3837e2d192b3309b595996d5047c5f583e9352fa406a6ba1c5fe5 83e3a62d6a2558656606a62e7ee89f68d43b03bde763a53a5dde22dca9fd92e9 3a108f9280fd2feec6bb3d3544fb745d51f7d322eb1b1d6f6f6c477e94e1e72d 016e9a972146d4033fb0ab6deb764e3241bb0ad53bd5a451dbc3b43275cd606a 761cb6c23d787b908dec31ee245ce48d14abff9b5fbb3adba392385e96102cfc 28d4a5a35c868b70aa7fb8b609af73b25f4a4fe7ca2a98345d4eff0048b5873a 09e120c82e2e38e68a3aacbfc84373e7d9ac1506ec0053d2104b2e8cdebc18da 17040cfa9ca73e3b0e5ebe80d43a91471a0626c23f2708f0942cf80262957470 6288de662d6dd1a57e99cf8b9259eef467c461e378d431fc53243ecede155b38 a8391b08478ba333bfc7f377d5ee7b0a697b638e9987a6db614c7f192b22a384 79f2250d10ebf83352b7715c30b60cecea14c7edd94fb164afb9353f4f91b038 1f1bb98b7e4e23913ff25b50d1ffd44e6ef447053188eca255d9bd0378602625 eb1be3f00e93a7dfcca563e564ab7d7319676161b56039f4968ceddf791d110a 8e4d24eeb56d50d11338a65aef1e6a88d7ccf6ca347419963dd201f38ae6bcea 559f23832f5b115fc6169ed7f9ac75518ec58b7f5d7206e9be4afc2ecfd7152f b00cc9a4292fc5cc4ae5371ea1615ec6e49ebaf061dc4eccde84a6f96d95747c
Associated Infection Vectors
hxxp://138[.]68[.]15[.]227/njcrypt[.]exe hxxp://198[.]199[.]104[.]8/njcrypt[.]exe hxxp://www[.]blockchainblogger[.]club/njcrypt[.]exe
Additional Information: Additional information on this event is available on the Jigsaw Security Threat Intelligence platform and big data solution.