New OpcJacker Malware Distributed via Fake VPN Malvertising

Indicators of Compromise