WhiteShadow Downloader Exploits Microsoft SQL To Spread Malware TLP:Amber

Another malware downloader, named "WhiteShadow", that abuses Microsoft SQL queries to drop malicious payloads on infected devices has emerged on the cyber threat landscape. WhiteShadow spreads via malspam campaigns that deliver emails with malicious Microsoft Word and Excel documents attached, or containing a URL. These documents are embedded with malicious Visual Basic macros bundled with the downloader which, when enabled, establish a connection through the Microsoft OLE DB Provider for SQL Server (SQLOLEDB). WhiteShadow then downloads and installs the final malicious payloads. The following malicious payloads are dropped on victim systems from the attacker-controlled MS SQL servers by the WhiteShadow downloader:

  • Crimson – This is the most delivered payload.
  • Nanocore
  • njRAT
  • AgentTesla
  • AZORult
  • Formbook
  • Orion Logger
  • Remcos

IOC:

Domains:


IPs:


Recommendations:

  • Monitor connection attempts towards the listed domains / IPs. The list may include compromised domains / IP resources as well. Blocking the domains / IPs is solely the recipient's responsibility, after diligently verifying them without impacting operations.
  • Deploy web and email filters on the network. Configure these devices to scan for known bad domains, sources, and addresses, and block these before messages are received and downloaded. Scan all emails, attachments, and downloads both on the host and at the mail gateway with a reputable antivirus solution.
  • Enforce application whitelisting on all endpoint workstations. This will prevent droppers or unauthorized software from gaining execution on endpoints.
  • Restrict execution of PowerShell / WScript in the enterprise environment. Ensure installation and use of the latest version (currently v5.0) of PowerShell, with enhanced logging (script block logging and transcription) enabled. Send the associated logs to a centralized log repository for monitoring and analysis.
  • Maintain up-to-date antivirus signatures and engines.
  • Keep operating system patches up-to-date.
  • Use the Loki or IOCFinder tool to scan workstations [https://github.com/Neo23x0/Loki]
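The following detection logic is an added example, not part of the advisory: it runs the "monitor connection attempts" recommendation over Sysmon-style network-connection records and additionally flags the downloader's SQLOLEDB stage, i.e. a Word or Excel process opening a SQL Server session. It assumes Sysmon Event ID 3 field names, the default SQL Server port 1433, and a placeholder watchlist that you would fill with the advisory's domains / IPs; the sample events are constructed.

```python
# Constructed watchlist (placeholders): fill it with the advisory's domains/IPs.
# Defanged "[.]" entries are normalised by refang() below.
WATCHLIST = {"c2.example[.]invalid", "203.0.113[.]99"}
OFFICE_IMAGES = {"winword.exe", "excel.exe"}
MSSQL_PORT = 1433  # assumption: default SQL Server TCP port used by SQLOLEDB

def refang(indicator: str) -> str:
    """Undo the common '[.]' defanging so indicators compare cleanly."""
    return indicator.replace("[.]", ".").lower()

def classify(event: dict, watchlist=WATCHLIST) -> list:
    """Reasons a Sysmon Event ID 3 (network connection) record is suspicious;
    an empty list means benign. Keys use Sysmon's field names."""
    indicators = {refang(i) for i in watchlist}
    image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    dst_ip = event.get("DestinationIp", "")
    dst_host = event.get("DestinationHostname", "").lower()
    port = int(event.get("DestinationPort", 0))
    reasons = []
    # 1. Any process reaching a listed indicator (the "monitor" recommendation).
    if dst_ip in indicators or dst_host in indicators:
        reasons.append("destination on IOC watchlist")
    # 2. Word/Excel opening a SQL Server session: a document macro has no
    #    business doing this; it matches the SQLOLEDB download stage above.
    if image in OFFICE_IMAGES and port == MSSQL_PORT:
        reasons.append(f"{image} connected to TCP/{MSSQL_PORT} (MS SQL)")
    return reasons

def scan(events, watchlist=WATCHLIST) -> list:
    """Return [(event, reasons)] for every suspicious record, in log order."""
    hits = []
    for event in events:
        reasons = classify(event, watchlist)
        if reasons:
            hits.append((event, reasons))
    return hits

# Constructed sample telemetry (not real events): Word -> SQL port, a service
# reaching a watchlisted IP, and an ordinary browser session.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "DestinationIp": "198.51.100.7", "DestinationHostname": "", "DestinationPort": "1433"},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "DestinationIp": "203.0.113.99", "DestinationHostname": "", "DestinationPort": "443"},
    {"Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationIp": "93.184.216.34", "DestinationHostname": "example.com", "DestinationPort": "443"},
]

for _event, _reasons in scan(SAMPLE_EVENTS):
    print(_event["Image"].rsplit("\\", 1)[-1], "->", "; ".join(_reasons))
```

The Office-to-1433 rule fires regardless of destination, so it still catches a new attacker server that is not yet on the watchlist.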