Water Orthrus’s New Campaigns Delivers Rootkit and Phishing Modules

Indicators of Compromise