Tuesday, November 13, 2018

HookAds->FalloutEK pushes Nocturnal Stealer, And new GlobeImposter


@malware_traffic posted about a new GlobeImposter sample, and Bleeping Computer published an article on it as well.
https://www.bleepingcomputer.com/news/security/hookads-malvertising-installing-malware-via-the-fallout-exploit-kit/

We also encountered the new GlobeImposter through the HookAds campaign -> Fallout Exploit Kit chain in Japan.

https://app.any.run/tasks/7bbfdafe-4fee-4f26-8c3b-01d975868c02

Nocturnal Stealer


The first-stage malware is a loader.
The following points closely match Nocturnal Stealer:

  • It creates these files (the "infomation.txt" spelling is the malware's own):
    • C:\ProgramData\BEJ9QK4EIV6EK30NDC91\files\passwords.txt
    • C:\ProgramData\BEJ9QK4EIV6EK30NDC91\files\infomation.txt
  • Contents of infomation.txt
These match the information described in Proofpoint's blog post on Nocturnal Stealer.

Other items it gathers:

GlobeImposter

Nocturnal Stealer downloaded the next-stage payload.
This GlobeImposter is almost the same as the variant seen before.
The extension appended to encrypted files changed to ".pptx".



Ransom Note [READ_ME.txt]



Payment Page
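The two indicator sets above (the stealer's staging directory under C:\ProgramData and the ransomware's READ_ME.txt note next to ".pptx" files) are easy to hunt for on a host or in a file listing. The following triage helper is an added example and not code from the original post or from the malware authors. It assumes the 20-character directory name (BEJ9QK4EIV6EK30NDC91 in this sample) is a random uppercase alphanumeric token, and it distinguishes encrypted files from genuine PowerPoint files by checking for the OOXML zip magic "PK\x03\x04", which a real .pptx always starts with. The file listing is constructed sample input.

```python
"""Triage helper for the Nocturnal Stealer / GlobeImposter indicators in this post.
Added example, not the post's own code. Assumptions are marked in comments."""
import re
from pathlib import PureWindowsPath

# Nocturnal Stealer staging directory seen in the sample:
# C:\ProgramData\BEJ9QK4EIV6EK30NDC91\files\{passwords.txt,infomation.txt}
# Assumption: the middle component is a random 20-char uppercase alphanumeric token.
NOCTURNAL_DIR_RE = re.compile(r"^[A-Z0-9]{20}$")
NOCTURNAL_FILES = {"passwords.txt", "infomation.txt"}  # "infomation" is the malware's spelling

RANSOM_NOTE = "READ_ME.txt"       # GlobeImposter note name from the post
ENCRYPTED_EXT = ".pptx"           # extension this variant appends
ZIP_MAGIC = b"PK\x03\x04"         # a genuine Office .pptx is an OOXML zip container


def nocturnal_staging_dirs(paths):
    """Return ProgramData\<token>\files directories holding both stealer output files."""
    found = {}
    for p in paths:
        parts = PureWindowsPath(p).parts
        # expect exactly: C:\ , ProgramData , <token> , files , <name>
        if len(parts) != 5:
            continue
        drive, root, token, sub, name = parts
        if root.lower() != "programdata" or sub.lower() != "files":
            continue
        if NOCTURNAL_DIR_RE.match(token) and name.lower() in NOCTURNAL_FILES:
            found.setdefault(str(PureWindowsPath(p).parent), set()).add(name.lower())
    # require both files so a lone passwords.txt does not trigger
    return sorted(d for d, names in found.items() if names == NOCTURNAL_FILES)


def globeimposter_suspects(files):
    """files: mapping path -> first bytes of the file.
    Return {directory: [names]} for directories that contain READ_ME.txt and at
    least one .pptx that is NOT a zip container (i.e. encrypted, not a real deck)."""
    note_dirs = set()
    fake_pptx = {}
    for path, head in files.items():
        wp = PureWindowsPath(path)
        if wp.name == RANSOM_NOTE:
            note_dirs.add(str(wp.parent))
        elif wp.suffix.lower() == ENCRYPTED_EXT and not head.startswith(ZIP_MAGIC):
            fake_pptx.setdefault(str(wp.parent), []).append(wp.name)
    return {d: sorted(n) for d, n in fake_pptx.items() if d in note_dirs}


# Constructed sample listing (path -> first bytes); not from the real infection.
SAMPLE = {
    r"C:\ProgramData\BEJ9QK4EIV6EK30NDC91\files\passwords.txt": b"site|user|pass",
    r"C:\ProgramData\BEJ9QK4EIV6EK30NDC91\files\infomation.txt": b"OS: Windows",
    r"C:\ProgramData\Microsoft\files\passwords.txt": b"benign",          # token mismatch
    r"C:\Users\victim\Documents\READ_ME.txt": b"Your files are encrypted",
    r"C:\Users\victim\Documents\report.docx.pptx": b"\x8f\x12\xa0\x55",  # encrypted
    r"C:\Users\victim\Documents\slides.pptx": b"PK\x03\x04\x14\x00",     # real deck
    r"C:\Users\victim\Pictures\photo.jpg.pptx": b"\x00\x11\x22\x33",     # no note here
}

if __name__ == "__main__":
    print("Nocturnal staging dirs:", nocturnal_staging_dirs(SAMPLE))
    print("GlobeImposter suspects:", globeimposter_suspects(SAMPLE))
```

Requiring both output files, and both the note and a non-zip ".pptx" in the same directory, keeps the false-positive rate low: a user's real PowerPoint decks pass the magic check, and a stray passwords.txt under a vendor directory is ignored.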

Conclusion

  • Fallout EK pushes Nocturnal Stealer.
  • The information collected by Nocturnal Stealer has changed.
  • Nocturnal Stealer downloads the new GlobeImposter.
  • The encrypted file extension, the ransom note wording, and the payment page have changed.
