Figure 1. Data from the Trend Micro Smart Protection Network™ showed a spike in malware spread beginning 2019, with January 3 having the most number of detections.
Figure 2. Countries with the most number of detections for infections.
Figure 4. Malware payloads spread by this campaign.
[Read: Spam campaign abusing SettingContent-ms Found dropping same FlawedAmmyy RAT distributed by Necurs]
The sudden increase in our detection systems revealed thousands of unique SHAs in a matter of days. The IP address (which we traced to have been registered in Russia) is no longer accessible as of writing, but the payloads can still be sourced online. Interestingly, the cybercriminals change the malware included in the .EXE files, and spread different kinds of malware depending on the region and industry targeted.
Figure 5. The script downloads different malware from the IP address. As of writing, this .EXE was analyzed to download GandCrab.
Figure 6. Even when the registered IP address has been blocked, other sites source the file for the malware and send the spam emails.
[Read: Same old yet brand new: New file types emerge in malware spam attachments]
Opening malicious email or attachments can launch malware downloads, not only to access, collect and steal proprietary and system information, but to possibly enable other functions such as remote administrator controls with malicious intent. To defend against these types of threats:
- Avoid clicking on or opening emails, URL links, or attachments from suspicious or unfamiliar senders.
- Regularly back up important files. Practice the 3-2-1 system.
- Install a multi-layered protection system that can detect and block malicious emails, attachments, URLs and websites.
Trend Micro Solutions
Indicators of Compromise
92[.]63[.]197[.]48 (C&C server)
With additional insights from Raphael Centeno, Junestherry Salvador, Paul Pajares and Franklynn Uy.
Like it? Add this infographic to your site:
1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).
Image will appear the same size as you see above.