A new malware downloader named "WhiteShadow", which abuses Microsoft SQL queries to drop malicious payloads on infected devices, has emerged on the cyber threat landscape. WhiteShadow spreads via malspam campaigns that deliver messages with malicious Microsoft Word and Excel documents attached, or containing a URL. These documents are embedded with malicious Visual Basic macros bundled with the downloader; when the macros are enabled, they establish a connection through the Microsoft OLE DB Provider for SQL Server (SQLOLEDB) to an attacker-controlled MS SQL server. WhiteShadow then downloads and installs the final malicious payloads. The following malicious payloads are dropped on victim systems from the attacker-controlled MS SQL servers by the WhiteShadow downloader:
· Crimson – This is the most frequently delivered payload.
· Nanocore
· njRAT
· AgentTesla
· AZORult
· Formbook
· Orion Logger
· Remcos
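The delivery chain above (an Office macro loading the SQLOLEDB provider and connecting to an attacker-controlled MS SQL server) is visible in endpoint telemetry. The following is an added detection example, not code from the original advisory: it runs two rules over Sysmon-style events (image load, EID 7; network connection, EID 3), flagging Word or Excel loading sqloledb.dll or connecting to the MS SQL default port TCP/1433. The event field names follow Sysmon's schema; the sample events are constructed.

```python
"""Detection for the WhiteShadow delivery chain: an Office process (Word/Excel
macro) loading the SQLOLEDB provider and opening a connection to an MS SQL
server. Input: Sysmon-style events as dicts (constructed samples below)."""

OFFICE_IMAGES = {"winword.exe", "excel.exe"}
MSSQL_PORT = 1433               # default MS SQL Server listener port
SQLOLEDB_DLL = "sqloledb.dll"   # Microsoft OLE DB Provider for SQL Server


def _basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect_whiteshadow(events):
    """Return one alert tuple per suspicious event.
    R1: Office process loads sqloledb.dll (Sysmon EID 7).
    R2: Office process opens a TCP connection to port 1433 (Sysmon EID 3)."""
    alerts = []
    for ev in events:
        image = _basename(ev.get("Image", ""))
        if image not in OFFICE_IMAGES:
            continue  # only Office hosts are of interest here
        eid = ev.get("EventID")
        if eid == 7 and _basename(ev.get("ImageLoaded", "")) == SQLOLEDB_DLL:
            alerts.append(("R1-sqloledb-load", image, ev["ImageLoaded"]))
        elif (eid == 3 and ev.get("Protocol", "tcp") == "tcp"
              and int(ev.get("DestinationPort", 0)) == MSSQL_PORT):
            dest = ev.get("DestinationHostname") or ev.get("DestinationIp")
            alerts.append(("R2-mssql-connect", image, dest))
    return alerts


WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
SSMS = r"C:\Program Files (x86)\Microsoft SQL Server Management Studio 18\Common7\IDE\Ssms.exe"

# Constructed sample events (not real telemetry; hostnames/IPs are placeholders).
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": WORD, "ImageLoaded": r"C:\Windows\System32\sqloledb.dll"},
    {"EventID": 3, "Image": WORD, "Protocol": "tcp", "DestinationIp": "203.0.113.10",
     "DestinationHostname": "example.mssql.invalid", "DestinationPort": 1433},
    # Benign: Word fetching a template over HTTPS.
    {"EventID": 3, "Image": WORD, "Protocol": "tcp", "DestinationIp": "203.0.113.20",
     "DestinationPort": 443},
    # Benign: SQL Server Management Studio talking to an internal SQL server.
    {"EventID": 3, "Image": SSMS, "Protocol": "tcp", "DestinationIp": "10.0.0.5",
     "DestinationPort": 1433},
]

if __name__ == "__main__":
    for alert in detect_whiteshadow(SAMPLE_EVENTS):
        print(alert)
```

Administrative tooling that legitimately uses SQLOLEDB is not matched because the rules are scoped to Office host processes; tune OFFICE_IMAGES to the macro-capable applications deployed in your environment.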
IOC:
Domains:
IPs:
Recommendations:
- Monitor connection attempts towards the listed domains/IPs. The list may include compromised domains/IP resources as well. Blocking the domains/IPs is solely the recipient's responsibility, after diligently verifying them, without impacting operations.
- Deploy web and email filters on the network. Configure these devices to scan for known bad domains, sources, and addresses, and block these before messages are received and downloaded. Scan all emails, attachments, and downloads both on the host and at the mail gateway with a reputable antivirus solution.
- Enforce application whitelisting on all endpoint workstations. This will prevent droppers or unauthorized software from gaining execution on endpoints.
- Restrict execution of PowerShell/WScript in the enterprise environment. Ensure installation and use of the latest version (currently v5.0) of PowerShell, with enhanced logging (script block logging and transcription) enabled. Send the associated logs to a centralized log repository for monitoring and analysis.
- Maintain up-to-date antivirus signatures and engines.
- Keep operating system patches up-to-date.
- Use the Loki or IOCFinder tool to scan workstations [https://github.com/Neo23x0/Loki]