The email gz attachment contains an exe. This, if opened, triggers the malware infection. Stolen data is exfiltrated via Telegram.
URLhaus, a global network of 265 cyber security experts, took down nearly 100,000 malware sites over the last ten months. It’s a project by the Swiss non-profit organization Abuse.ch
A global network of cyber security experts has, over the last ten months, taken down nearly 100,000 URLs that were used to distribute malware. This has been reported by Abuse.ch, a Swiss non-profit organization that helps internet service providers and network operators protect their infrastructure from malicious code. These efforts were part of the URLhaus project, launched in March 2018. Its goal is to collect and share URLs that are being used to distribute malware, so that infosec researchers and providers can take action to blacklist or take them down. 265 security researchers located all over the world have identified and submitted on average 300 malware sites to URLhaus each day, helping others to protect their networks and users from cybercrime and other malicious campaigns. Nevertheless, URLhaus on average counts between 4,000 and 5,000 active malware distribution sites every day.
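The workflow the article describes is collect, share, then block: a reporter submits a URL, the feed records when it was added and when it was last seen online, and an operator turns the feed into a blocklist. The following is an added example (not code from the article or from the URLhaus project) that does the defender's half of that on a constructed CSV export. The column layout, the hostnames and the proxy log lines are all assumptions made for the example; it computes how long each URL stayed online, builds a hostname blocklist from the entries that are still online, and flags matching proxy log lines.

```python
"""Turn a URLhaus-style CSV export into a hostname blocklist and check proxy logs against it.

Assumed feed layout (an assumption for this example, not taken from the article):
one row per reported URL with the columns
id, dateadded, url, url_status, last_online, threat, tags, urlhaus_link, reporter.
All rows, hostnames and log lines below are constructed sample data.
"""
import csv
import io
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample export; '#' lines mimic the comment header such feeds carry.
SAMPLE_FEED = """\
# URLhaus-style export (constructed sample, not real data)
# id,dateadded,url,url_status,last_online,threat,tags,urlhaus_link,reporter
"1","2019-01-10 08:00:00","http://malware-host.example/doc.php","online","2019-01-18 18:24:00","malware_download","emotet,heodo","https://urlhaus.example/url/1/","reporter_a"
"2","2019-01-05 12:00:00","http://cdn.example.net/file/inv.exe","offline","2019-01-06 12:00:00","malware_download","gozi","https://urlhaus.example/url/2/","reporter_b"
"3","2019-01-15 00:00:00","https://bad.example.org/x/update.doc","online","2019-01-16 00:00:00","malware_download","emotet","https://urlhaus.example/url/3/","reporter_a"
"""

# Constructed proxy log lines: timestamp, client, method, URL, status, bytes.
SAMPLE_PROXY_LOG = [
    "2019-01-18 10:02:11 10.0.0.5 GET http://malware-host.example/doc.php 200 41233",
    "2019-01-18 10:02:15 10.0.0.7 GET https://www.example.com/index.html 200 5120",
    "2019-01-18 10:03:40 10.0.0.9 GET http://cdn.example.net/file/inv.exe 404 312",
]

TIME_FMT = "%Y-%m-%d %H:%M:%S"
FIELDS = ["id", "dateadded", "url", "url_status", "last_online",
          "threat", "tags", "urlhaus_link", "reporter"]


def parse_feed(text):
    """Return the feed as a list of dict rows, skipping '#' comment lines."""
    body = "\n".join(line for line in text.splitlines() if not line.startswith("#"))
    return list(csv.DictReader(io.StringIO(body), fieldnames=FIELDS))


def active_duration(row):
    """Time between first report and last observation online, as a timedelta."""
    added = datetime.strptime(row["dateadded"], TIME_FMT)
    last = datetime.strptime(row["last_online"], TIME_FMT)
    return last - added


def mean_active_days(rows):
    """Average observed lifetime of the feed's URLs, in days (0.0 for an empty feed)."""
    if not rows:
        return 0.0
    total = sum((active_duration(r) for r in rows), timedelta())
    return total / len(rows) / timedelta(days=1)


def build_blocklist(rows, only_online=True):
    """Set of hostnames to block; entries already marked offline are dropped by default."""
    hosts = set()
    for r in rows:
        if only_online and r["url_status"] != "online":
            continue
        host = urlparse(r["url"]).hostname
        if host:
            hosts.add(host.lower())
    return hosts


def flag_log_lines(log_lines, blocklist):
    """Return the proxy log lines whose requested URL points at a blocklisted host."""
    hits = []
    for line in log_lines:
        for token in line.split():
            if token.startswith(("http://", "https://")):
                host = urlparse(token).hostname
                if host and host.lower() in blocklist:
                    hits.append(line)
                break  # only the first URL field of a line is the request target
    return hits


if __name__ == "__main__":
    rows = parse_feed(SAMPLE_FEED)
    print(f"mean lifetime: {mean_active_days(rows):.2f} days")
    blocklist = build_blocklist(rows)
    print("blocklist:", sorted(blocklist))
    for hit in flag_log_lines(SAMPLE_PROXY_LOG, blocklist):
        print("BLOCKED:", hit)
```

Dropping offline entries keeps the blocklist small, but an operator who wants to catch late retrievals of an already cleaned-up site can pass `only_online=False`; the trade-off is more false positives on shared hosting, which is why a real deployment should block on the full URL where the proxy allows it rather than on the hostname alone.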
Malware distribution sites stay active for more than a week on average, but on the three top Chinese networks for more than a month. The most hosted malicious code is Emotet (aka Heodo), spread through malspam campaigns
According to Abuse.ch, malware distribution sites stay active for more than a week on average (8 days, 10 hours, 24 minutes). But the three top Chinese hosting networks have an average abuse desk reaction time of more than a month. On the details of the malicious code, the cyber security experts explain that a vast number of the sites tracked by URLhaus are related to Emotet (aka Heodo). It spreads through spam that hits users' inboxes almost every day. These malspam campaigns usually contain a malicious Office document with macros. Once the victim opens the document and enables them, it automatically downloads and executes Emotet from a compromised website. To bypass spam filters, these cybercrime campaigns sometimes point to a compromised website that hosts the malicious Office document, instead of attaching it to the email directly.
The top ten malware families hosted on these sites are: Emotet, Gozi, GandCrab, Breitschopp, Dridex, Dorv, Slimware, Loki, AgentTesla and Formbook
The weight that Emotet has in the current threat landscape also becomes clearer when looking at the malware families identified in the payloads URLhaus received from the tracked malware distribution sites. Across the 380,000 samples collected over the past 10 months, Emotet/Heodo is the top one. It’s followed by Gozi, the GandCrab ransomware, the Breitschopp adware, Dridex, Dorv, Slimware, Loki, AgentTesla and Formbook.
Photo Credits: Abuse.ch