August Email Malware Campaigns

Short Summary:

This article summarizes a series of malicious email campaigns observed in August 2024. The emails delivered their payloads either as archive attachments or as links, and the campaigns used several commodity malware families, including xloader, snakekeylogger, and originlogger, to compromise recipients.

Key Points:

  • Multiple malicious email campaigns reported throughout August 2024.
  • Email payloads included attachments (e.g., rar, zip, docx) and links.
  • Various malware types were used, including xloader, snakekeylogger, and originlogger.
  • Targeted users varied, with some emails aimed at specific individuals or departments.
  • Campaigns included themes like purchase orders, invoices, and payment notifications.

MITRE ATT&CK TTPs – created by AI

  • Credential Dumping – T1003
    • Procedures: Various malware types may attempt to extract stored credentials from the system.
  • Data Encrypted for Impact – T1486
    • Procedures: Some malware may encrypt user data to extort victims.
  • Remote File Copy – T1105
    • Procedures: Malware may download additional payloads or tools from remote servers.
  • Command and Control – T1071
    • Procedures: Malware communicates with external servers to receive commands or exfiltrate data.
Campaign log (CSV):

Date,Summary,Details,Email Payload Type,Users Targeted
8/1/2024,Malicious email campaign; morning,Purchase Order; rar ->,Attachment,3
8/1/2024,Malicious email campaign; evening,SIGNED ORDER CONFIRMATION FOR; zip -> xloader continued to 8/5,Attachment,4
8/1/2024,Malicious email campaign; evening,ARRIVAL NOTICE FOR YOUR; zip -> originlogger continued to 8/5,Attachment,9
8/2/2024,Malicious email campaign; evening,Purchase Order PO0001277 – N34 PAX SUITES SO0002124; z -> xloader,Attachment,5
8/3/2024,Malicious email campaign; evening,RE: UPDATED SOA FOLLOW UP PAYMENT; rar|zip -> originlogger,Attachment,3
8/3/2024,Malicious email campaign; evening,Fw: PAYMENT NOTIFICATION; zip -> snakekeylogger,Attachment,2
8/6/2024,Malicious email campaign; morning,DHL BILL OF LANDING SHIPPING INVOICE DOCUMENTS; lzh -> originlogger,Attachment,2
8/6/2024,Malicious email campaign; evening,Re: Payment for Proforma Invoice 0000000056789007689-pdf; zip -> purelogs,Attachment,3
8/7/2024,Malicious email campaign; morning,PI-J/005 : PFI for Netazox 500 mg; rar -> snakekeylogger,Attachment,4
8/8/2024,Malicious email campaign; evening,Payment Advice – Advice Ref:[A1WBFVjTVOhi] |SOA – 2024 ? 8 ???-PL&IV-1219-23A; rar -> snakekeylogger,Attachment,4
8/9/2024,Malicious email campaign; morning,PR # 3000005991 – Quotation Required; rar -> snakekeylogger,Attachment,4
8/9/2024,Malicious email campaign; morning,???SOA – 2024 ? 8 ???-PL&IV-1219-23A; rar -> snakekeylogger,Attachment,4
8/12/2024,Malicious email campaign; evening,Invoice; docx -> xloader,Attachment,3
8/13/2024,Malicious email campaign; morning,QUOTATION REQUEST FOR VALUE-48764-FBU8; rar -> remcos,Attachment,2
8/15/2024,Malicious email campaign; morning,Document Awaits Your Review & Signature for ; link -> zip -> lummastealer,Link,7
8/16/2024,Malicious email campaign; morning,Payment; rar -> guloader continued to 8/20,Attachment,2
8/18/2024,Malicious email campaign; evening,"Request for Quotation (19 Aug,2024); rar -> snakekeylogger",Attachment,4
8/19/2024,Malicious email campaign; evening,Invoice numbers 112 and 113; rar -> snakekeylogger,Attachment,4
8/25/2024,Malicious email campaign; morning,Quotation for Blue DMU Spare Parts; 7z -> snakekeylogger,Attachment,2
8/26/2024,Malicious email campaign; evening,New Shipment – Order 103; lzh -> xloader,Attachment,2
8/27/2024,Malicious email campaign; morning,request for quotation : rfq1310; rar -> xloader,Attachment,8
8/27/2024,Malicious email campaign; evening,RE: Urgent Request for Proforma Invoice (Reminder.); rar -> guloader,Attachment,5
8/27/2024,Malicious email campaign; evening,DHL SHIPMENT NOTIFICATION; lzh -> xloader,Attachment,3
8/27/2024,Malicious email campaign; evening,Re:Fwd: Re: Purchase Order; lzh -> xloader,Attachment,4
8/28/2024,Malicious email campaign; evening,New PO – 230102; z -> xloader,Attachment,4
8/28/2024,Malicious email campaign; evening,ENQUIRY REF NO: 2024003; zip -> viplogger,Attachment,2
8/29/2024,Malicious email campaign; evening,DEBIT NOTE July 2024 // PART 2; rar -> xloader,Attachment,4
8/29/2024,Malicious email campaign; evening,PO-2024-00069; rar -> viplogger,Attachment,3

Indicators (CSV: malware family, SHA-256 of the sample, network indicator):

Malware,SHA256,Network Indicator
guloader-originlogger,82ee5c8372f9bc8ac9cfac2833c19d238fa8a60fa32e6d27d9fc781d2e64dc25,nffplp.com
guloader-snakekeylogger,cae5d52bb56e392baab2b81722461e13bcf266f7c3d1520ee3cfa911e6d2890e,https://api.telegram.org/bot7453999531
lummastealer,3d41b5711c676681001ba6e507142336b926c88aba41232514c0da8befe67bb1,https://mennyudosirso.shop/api
originlogger,08a3597e4284ae295e34dbac9193cc53d8a1aa9106e9eda71d0f4724af42ecc3,mail.unitechautomations.com
originlogger,0d045677fbab19a80b17225c90ecca8fb973f67db71e7f86df8af5c25e0ac7a6,mail.mahesh-ent.com
originlogger,15aab7af44a87536d4b928f5cc2b4888107adf5302374bd6ebf912620251d502,cp8nl.hyperhost.ua
originlogger,31ed160a5d6da518efe41113124db5c203316a965ccce18cca9e0ead7bac96f6,mail.mahesh-ent.com
originlogger,3f084903c5b689b3d88e36e524bd3fcbda689a2b6d2446b8b10fbd97b145db7a,phoenixblowers.com
originlogger,468fdf7f7ac681b8ad34959240f8a8dfebaaddcbd2a0915a762ee086f23fd4eb,ftp://cash4cars.nz
originlogger,567d0908ac95f5cffcc257768220ed029f66dec64ebe65cdd1dbf01d33e9f3e0,cp8nl.hyperhost.ua
originlogger,5dd25e32ca50fdacf6b304cfebd5d222141b9a13d9120c3a61342ff4588c85f0,mail.mahesh-ent.com
originlogger,621a363a147f420089dabc6f28709f6882f0c4bf1247aba30f8a8e88f75225d1,mail.azmaplast.com
originlogger,6659e8c041d7b2bf5ca0756ea730d0f8cfb7a81da170c1e4c4210df200b0dee2,phoenixblowers.com
originlogger,6d4a4773e58d272f90abdde88661ce929741814276e20ea43384114f6e6cbbe9,mail.showpiece.trillennium.biz
originlogger,7a43feca0b94dac643e10cc217a4dd5d519399791611fb9629aa186ba277ab00,phoenixblowers.com
originlogger,7bc7edf2f2fafaa8457fb596cbbcdedafd23544d75e739e777b73790965df6bb,mail.azmaplast.com
originlogger,7ff50e2ac12ad29d4b4d13feb4464a768a11b2081167ee6010062ec98c106b28,phoenixblowers.com
originlogger,87044fd80bd4cb7069021fa48e337e1ffc5d6f192932645045536ffccab8c4db,mail.mahesh-ent.com
originlogger,8cc7f9ea751b48b63f76db2a3cff30f22a341aaff8ec2d44d1d4d5ce41b0a21a,mail.wassadadvogados.com.br
originlogger,96d2a9befbbed1913469d5e03f50cbbd700311f7cb8d87dc28d325be258cf35b,mail.mahesh-ent.com
originlogger,a76d6e19ac59db6afea91b625c29f06f25316ccb74e1b7bdd59c68cb0aefac34,mail.azmaplast.com
originlogger,c8bc2a9c8544716a04976357e3e6f338ae0c788bb0986912f07524ba36b6b3ee,mail.azmaplast.com
originlogger,cd0ad4d29a0d644a39002797c2942a4ea94cdbffbf0e8eeff45649b2875a53fd,ftp://ftp.fosna.net
originlogger,d54abd6ac9348ed05c33f77ae723cb262bd89fcce7d4d449f16b31ed01f401f4,mail.thelamalab.com
originlogger,d640346d2d3a0a345d2186701a0a619eba72c1f7dee74f5ae7833ee4b66776d8,ftp://ftp.fosna.net
originlogger,e4d1908e539f5c7bcc6960d7616c88db9a0382e76186f28026e4f659b1ae058d,mail.mahesh-ent.com
originlogger,f1f0bec966133d4ded3564bb3202346d671bd38b843375e542055b31a7b01acc,mail.controlfire.com.mx
originlogger,f9898f9bbef6d022dd0ce4343009f8d8ec465322ec384723e565a7ff0db259e7,mail.mahesh-ent.com
purelogsstealer,f6dc4037a3d8dd7578e952a0c714814046c92cbcad459f3efc93db909c32a489,88.214.59.166:7702
remcos,3b97b5da457f961783873c0c1f09924e4e1b16931811a9118a6185290103b918,45.95.169.139:2403
remcos,643392c6e6e08f0b36bebb32b6c14a32185db723dabbb36b910dd65025522b3a,178.23.190.118:52499
remcos,ffcfe6a6032cdcef4790afe356d82939369b5e49ba72719b3e592a4de7fd9890,whitelend-ind.com:30901
snakekeylogger,13f0a05e86fdf85e8891b494574421ff3da0be5e7a71e48f7e32f6c9f35eb2f7,us2.smtp.mailhostbox.com
snakekeylogger,21531c1129b59b72fb5edb736ae88b8037b8f3ff09aa5632e3191b607efb6e03,us2.smtp.mailhostbox.com
snakekeylogger,328a09676b78f9b7b5686511b491f3d16dd6e58783a051e45fa49377eb8b8e81,https://api.telegram.org/bot7356382775
snakekeylogger,3a9871ede5f830a6a8f55061045d4f4697632abec7cb138cd94c6bf831066f69,https://api.telegram.org/bot7303457820
snakekeylogger,4152197ecd541c3b62d3ada6ff29bf7bb90edf2e57f96f27980f802513420897,https://api.telegram.org/
snakekeylogger,5d691afca26ebbdcf9bc73673667580f07a47cd63b5061831ad1a8fb5eccd1d0,https://api.telegram.org/bot7356382775
snakekeylogger,60aa6a070f260883351f22982529cf5ae022d11621b6fdb0655eb7cc0b8fe917,https://api.telegram.org/bot7303457820
snakekeylogger,7d50338fe1feeb6944bfd552e44f266d764dafc089b853a6ee24f67ef322c124,us2.smtp.mailhostbox.com
snakekeylogger,8e10e309a71f3819d28b56e936d4ee3d3f8302de39ebebb0cec97166e941b8a7,difeba.com
snakekeylogger,921ec74f64c67534a59a595ab238dd0274100bb5f66ba0597984fe289b120886,us2.smtp.mailhostbox.com
snakekeylogger,b8d723a1c3a3fd42eebbf246571cf7704bc34001cf1a7599b0e2838957537140,mail.ghostfilesuccess.com.ng
snakekeylogger,d9863b7b710599bc2b308a0b78970da8c42ee5bc6d3dcda05c2de52a88125726,us2.smtp.mailhostbox.com
snakekeylogger,e5797ef4bea22b1d24a9147c48726e9960ffa1b5866e04c11de117531483fe9d,us2.smtp.mailhostbox.com
snakekeylogger,e71b1065a4b1b0fc1174cecf0963797fd2cb8a0dc4d0b5e7166ecc8722071bee,us2.smtp.mailhostbox.com
snakekeylogger,ec828ec2fbfe987cf12c1556a14e1eb0e1d84e66d5392011d95860ce2783789d,bisttro.shop
snakekeylogger,fa3abba5968db877ff3aa4341799f3ae6b88f874373e973ec7d4ed04446ef78a,https://api.telegram.org/bot2135869667
viplogger,08b172741a85d073da0d29b5291a588030a4d145a7db4458e3647fc5dd591acd,us2.smtp.mailhostbox.com
viplogger,7f8b4ff72b5a59f4c7bc7ce3d38bb959fe5773e98a9996b92bdc901e56a49ce3,mail.bellstone.in
xloader,156f46b40abc916927a1b178418b0dc9d96ae445ddd88a3ddda75d6329d6363c,www.u9games.xyz/5p8u
xloader,1587c4fd9dae065e7798d27b9b5a482a92b53386cea1a362ac903bfe0d0b68dd,www.u9games.xyz/5p8u
xloader,24442a381dd7b787104241b7e26d1377053a607ea042fe1a3dedbe608f25c4b6,www.teandone.buzz/byzj
xloader,339faca706c98cf8713cd3b56122442461c3810ab69988b1ef1ecd2275e33b41,www.jiyitf.top/rua4
xloader,4ca5781d934fdeadbc12e6be77fc48ff210818354bb4d10dc2978115c3a56b48,www.bahrainproperty.net/cqz9
xloader,5d11fdb4cd576bd6d6785cc8fb787a36777347d69861c465797fb8b9875577f2,www.psychicseraphina.info/8ez3
xloader,6139902e3873552385dfc103fe1db9ba336bbce8d3db180cbfb588352c055776,www.izen.group/kg2d
xloader,6664b2f256e822c8576d023fb1e11714d47b00c26ead3e1e7049d71367bf48d8,www.jiyitf.top/rua4
xloader,8485bf03cc8dcae3bbd2a1a7abfb54a91a6590e8f4da85c834c58c9debd4c07c,ursociotheory.xyz/bi05
xloader,8ac8568934d1a0ab9a9923449bf11c0d44d97abca0bcabd60b94348642f046ac,boinga.xyz/oi12
xloader,8bb2d8c3017d5c13c41ae3a6793a1eec65b313bef854ec4130d2e33ee43502f8,www.rajveena.online/wptv
xloader,9a3e01c0866b7052796e2baf554cf507efcd0f773a68ab5dfa78be73e5f25f69,www.ordient.net/kd3b
xloader,9b5230cce5bbf44aa307fc0be0a6f17cb2c3a4c60368abbe1a1fb420c29f131c,www.kej-sii.cloud
xloader,a5edb017a2c0bf9834ff392e81d47ed90dade6e41c0549a8b3e9522e76d2c8c2,www.u9games.xyz/5p8u/
xloader,adb39641974266e1efaceacdf7ef0eb7508dfaea9e385cd3725d80e7543ee694,www.jobworklanka.online/c85h
xloader,bac08253e102c87b2ccdf9f495fd934418ab784ec88951fbf30ee47475f266e4,www.gloryastore.site/6oc5/
xloader,cc73d75eff5c3d7a4a1e40777695f259593403492dda902ab4486c8dd9c8398f,www.u9games.xyz/5p8u
xloader,d289da91e981e0e9e025cfa0d3dd4eaac6e0c1bf19724f90808e8e3521b1dbe4,www.gloryastore.site/6oc5
xloader,db87b7e683d92aa8d013663c6bc6ba116023af2cb7f9ec6c2ad88694235f2b12,www.hotelswithpools.org/w88n
xloader,e32676eddc6b5971701a8fb044715f8becc13e0285d23dea5f5f005c4ccac2a4,www.mondoor.life/q6ss
xloader,e801fc69d4d730346c6ec81d9c9ab0bfc8471a345faf8cce76737115dccd87dc,lytracker.xyz/bi05
xloader,fbe048c713eda8c6d74504c440ecba4507760aed537fbba6171a4566b6452455,www.care-for-baby-1107.xyz/ixvk/
xloader,fe985b1cc581849d8bf8a73c1e09c2ff6ef636ba836deff5d045723456333f0e,www.teandone.buzz/byzj
xworm,49d0a1bc300d325c3fa9bbfa24300b83ac6b9557980a4e1229fc96abdccdafbb,wiz.bounceme.net:6000

Email addresses:

aaronlog@tycoelectronics.top
apama@controlfire.com.mx
backoffice@phoenixblowers.com
billing@thelamalab.com
bin@ghostfilesuccess.com.ng
design@unitechautomations.com
info@azmaplast.com
info@mahesh-ent.com
jocelyne.bourbie@mam-hmmel.com
logbox@cash4cars.nz
majicboyyy@wassadadvogados.com.br
sarthiever@fosna.net
sendqpostal@bisttro.shop
teresa@difeba.com
wethem@aklaneah-sa.com
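The indicator list above mixes several indicator shapes (bare SMTP hosts, ftp:// URLs, ip:port pairs, host/path pairs, and Telegram Bot API URLs that carry a bot token), and the campaign log shows the archive extensions the attachments used. As an added example, not part of the original gist, the following Python script ingests a handful of rows copied from the indicator list and the attachment extensions from the campaign log, validates the SHA-256 values, classifies each network indicator, and derives separate blocklists for hashes, hosts, and Telegram bot paths. The split matters because api.telegram.org cannot sensibly be blocked as a host; the bot path is the useful indicator there. Function names and the classification labels are this example's own choices.

```python
import csv
import ipaddress
import re
from collections import defaultdict
from io import StringIO
from urllib.parse import urlparse

# Six rows copied from the page's indicator list, one per indicator shape.
SAMPLE_IOCS = """\
guloader-snakekeylogger, cae5d52bb56e392baab2b81722461e13bcf266f7c3d1520ee3cfa911e6d2890e, https://api.telegram.org/bot7453999531
originlogger, 468fdf7f7ac681b8ad34959240f8a8dfebaaddcbd2a0915a762ee086f23fd4eb, ftp://cash4cars.nz
purelogsstealer, f6dc4037a3d8dd7578e952a0c714814046c92cbcad459f3efc93db909c32a489, 88.214.59.166:7702
snakekeylogger, 13f0a05e86fdf85e8891b494574421ff3da0be5e7a71e48f7e32f6c9f35eb2f7, us2.smtp.mailhostbox.com
xloader, 156f46b40abc916927a1b178418b0dc9d96ae445ddd88a3ddda75d6329d6363c, www.u9games.xyz/5p8u
xworm, 49d0a1bc300d325c3fa9bbfa24300b83ac6b9557980a4e1229fc96abdccdafbb, wiz.bounceme.net:6000
"""

# Attachment extensions taken from the campaign log's "Details" column.
ATTACHMENT_EXTS = {"rar", "zip", "lzh", "7z", "z", "docx"}

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
TELEGRAM_BOT_RE = re.compile(r"^https?://api\.telegram\.org/bot(\d+)")


def classify(indicator: str) -> dict:
    """Break one network indicator into kind/host/port/path."""
    m = TELEGRAM_BOT_RE.match(indicator)
    if m:  # exfil over the Telegram Bot API: the bot path is the indicator, not the host
        return {"kind": "telegram_bot", "host": "api.telegram.org", "port": 443, "path": "/bot" + m.group(1)}
    if "://" in indicator:  # ftp:// and https:// entries
        u = urlparse(indicator)
        return {"kind": u.scheme + "_url", "host": u.hostname, "port": u.port, "path": u.path or ""}
    # bare host[:port][/path] entries (SMTP relays, C2 ip:port, xloader host/path)
    hostport, _, path = indicator.partition("/")
    host, _, port = hostport.partition(":")
    port_i = int(port) if port.isdigit() else None
    try:
        ipaddress.ip_address(host)
        kind = "ip_port" if port_i else "ip"
    except ValueError:
        kind = "host_path" if path else ("host_port" if port_i else "host")
    return {"kind": kind, "host": host, "port": port_i, "path": "/" + path if path else ""}


def parse_iocs(text: str) -> list:
    """Parse 'family, sha256, indicator' CSV rows; reject malformed hashes."""
    rows = []
    for rec in csv.reader(StringIO(text), skipinitialspace=True):
        if len(rec) != 3:
            continue  # blank or garbled line: skip rather than drop the whole feed
        family, sha256, indicator = (f.strip() for f in rec)
        if not SHA256_RE.match(sha256):
            raise ValueError(f"malformed sha256 for {family}: {sha256!r}")
        rows.append({"family": family, "sha256": sha256, **classify(indicator)})
    return rows


def build_blocklists(rows: list) -> dict:
    """Derive hash, host and Telegram-bot-path blocklists, plus hosts per family."""
    by_family = defaultdict(set)
    for r in rows:
        by_family[r["family"]].add(r["host"])
    return {
        "sha256": {r["sha256"] for r in rows},
        "hosts": {r["host"] for r in rows if r["host"] != "api.telegram.org"},
        "telegram_bot_paths": {r["path"] for r in rows if r["kind"] == "telegram_bot"},
        "by_family": dict(by_family),
    }


def risky_attachment(filename: str) -> bool:
    """True if the attachment uses one of the extensions seen in the campaign log."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext in ATTACHMENT_EXTS


if __name__ == "__main__":
    lists = build_blocklists(parse_iocs(SAMPLE_IOCS))
    for name, values in lists.items():
        print(name, values)
    print("PO-2024-00069.rar ->", risky_attachment("PO-2024-00069.rar"))
```

The host list is what goes to a DNS or proxy blocklist; the bot paths belong in a proxy or TLS-inspection rule that matches the URL path, since blocking api.telegram.org outright would affect legitimate users. The SMTP relay hosts (for example us2.smtp.mailhostbox.com) are shared infrastructure too, so treat those entries as hunting leads rather than hard blocks.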

Source: https://gist.github.com/silence-is-best/252f23cff687506a22f36b6286794b23