2018-03-05 - MALSPAM FROM THE BOLETO MESTRE CAMPAIGN

ASSOCIATED FILES:

NOTES:


Shown above:  Updated flowchart based on the original Unit 42 blog.


WEB TRAFFIC BLOCK LIST

Indicators are not a block list.  If you feel the need to block web traffic, I suggest the following domains and URLs:


EMAILS


Shown above:  Screenshot from the email.


EMAIL INFO:



Shown above:  The PDF attachment, and its link for the VBS file.


TRAFFIC


Shown above:  Infection traffic filtered in Wireshark.


TRAFFIC TO DOWNLOAD THE INITIAL VBS FILE FROM LINK IN THE EMAIL:

POST-INFECTION TRAFFIC AFTER RUNNING THE VBS FILE:


FILE HASHES

MALWARE ASSOCIATED WITH THIS INFECTION:


NOTES:

1) legitimate system files being used for malicious purposes or
2) script-based files that can easily change each infection.


IMAGES


Shown above:  Same type of IRC botnet traffic that we saw last year, just on a different domain now.


FINAL NOTES

Once again, here are the associated files:

Zip archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
