Cybersecurity researchers have uncovered a sophisticated malspam campaign that targets users by email and phone. Attackers are abusing two legitimate tools, the AnyDesk remote-access software and Microsoft Teams, to gain unauthorized access to victims’ computers, highlighting how cybercriminal tactics continue to evolve.
All about the Malspam Campaign
The campaign starts with an “email bomb” that floods the victim’s inbox with junk mail and masks the malicious activity. Attackers then use Microsoft Teams to call the victim, pose as a legitimate representative, and persuade them to install AnyDesk. Once AnyDesk is installed, the attacker gains full remote control of the victim’s computer.
Once remote access is established, attackers deploy malicious payloads to steal sensitive data, including login credentials, financial details, and personal documents.
The remote control also allows for additional malware installation, increasing the risk of prolonged system compromise and data exploitation. This campaign highlights the urgent need for increased vigilance from users and organizations.
Cybersecurity experts advise caution with unsolicited emails and phone calls, particularly those asking for software installations or remote access tools.
Organizations should enforce strong security measures, train employees to recognize phishing attempts, and use multi-factor authentication to protect platforms like Microsoft Teams. Staying informed and adopting proactive security practices are essential for defending against these advanced threats.
Indicators of Compromise
Network Based Indicators (NBIs)
| Domain/IPv4 Address | Notes |
|---|---|
| spamicrosoft[.]com | Used to make external Microsoft Teams calls after email bombing users. |
| 37.221.126[.]202 | C2 address used by the threat actor to connect via AnyDesk. |
| 91.196.70[.]160 | SOCKS proxy server. |
| halagifts[.]com | SystemBC C2 domain. |
| 217.15.175[.]191 | SystemBC C2 IP address. |
| preservedmoment[.]com | Cobalt Strike domain. |
| 45.155.249[.]97 | Cobalt Strike C2 IP address. |
| 77.238.224[.]56 | C2 address. |
| 77.238.229[.]63 | C2 address. |
| 77.238.250[.]123 | C2 address. |
| 77.238.245[.]233 | C2 address. |
| 91.142.74[.]28 | C2 address. |
| 191.142.74[.]28 | C2 address. |
| 195.2.70[.]38 | C2 address. |
| falseaudiencekd[.]shop | Lumma C2 domain. |
| feighminoritsjda[.]shop | Lumma C2 domain. |
| justifycanddidatewd[.]shop | Lumma C2 domain. |
| marathonbeedksow[.]shop | Lumma C2 domain. |
| pleasurenarrowsdla[.]shop | Lumma C2 domain. |
| raiseboltskdlwpow[.]shop | Lumma C2 domain. |
| richardflorespoew[.]shop | Lumma C2 domain. |
| strwawrunnygjwu[.]shop | Lumma C2 domain. |
Host Based Indicators (HBIs)
| File | SHA256 | Notes |
|---|---|---|
| AntiSpam.exe | ed062c189419bca7d8c816bcdb1a150c7ca7dd1ad6e30e1f46fae0c10ab062ef | Credential harvester, version 1. |
| AntiSpam.exe | d512bf205fb9d1c429a7f11f3b720c74680ea88b62dda83372be8f0de1073a08 | Credential harvester, version 2. |
| AntiSpam.exe | dc5c9310a2e6297caa4304002cdfb6fbf7d6384ddbd58574f77a411f936fab0b | Credential harvester, version 3. |
| update1.exe | 24b6ddd3028c28d0a13da0354333d19cbc8fd12d4351f083c8cb3a93ec3ae793 | Original filename: YandexDiskSetup.exe. |
| update4.exe | 9c1e0c8c5b9b9fe9d0aa533fb7d9d1b57db98fd70c4f66a26a3ed9e06ac132a7 | Original filename: APEXScan.exe. SOCKS proxy. |
| update6.exe | ac22ab152ed2e4e7b4cd1fc3025b58cbcd8d3d3ae3dbc447223dd4eabb17c45c | Used to attempt exploitation of CVE-2022-26923 for privilege escalation. |
| update7.exe | ab1f101f6cd7c0cffc65df720b92bc8272f82a1e13f207dff21caaff7675029f | Original filename: KLDW.exe. SystemBC malware. |
| update8.exe | 9ED2B4D88B263F5078003EF35654ED5C205AC2F2C0E9225D4CDB4C24A5EA9AF2 | Original filename: YandexDiskSetup.exe. SystemBC malware. |
| update2.dll | ab3daec39332ddeeba64a2f1916e6336a36ffcc751554954511121bd699b0caa | Original filename: atiumdag.dll. |
| update5.dll | 7d96ec8b72015515c4e0b5a1ae6c799801cf7b86861ade0298a372c7ced5fd93 | Original filename: Log.dll. SOCKS proxy. |
| update7.ps1 | 9dc809b2e5fbf38fa01530609ca7b608e2e61bd713145f84cf22c68809aec372 | SOCKS proxy script. |
| AntiSpam.exe | fb4fa180a0eee68c06c85e1e755f423a64aa92a3ec6cf76912606ac253973506 | Not analyzed in this blog; likely credential harvester. |
| AntiSpam.exe | fcf59559731574c845e42cd414359067e73fca108878af3ace99df779d48cbc3 | Not analyzed in this blog; likely credential harvester. |
| update5.dll | 949faad2c2401eb854b9c32a6bb6e514ad075e5cbe96154c172f5f6628af43ed | Not analyzed in this blog; likely SOCKS proxy. |
| update2.dll | b92cf617a952f0dd2c011d30d8532d895c0cfbfd9556f7595f5b220e99d14d64 | Not analyzed in this blog; likely Golang HTTP beacon. |
| APEXScan.exe | cff5c6694d8925a12ce13a85e969bd468e28313af2fb46797bdcf77092012732 | Not analyzed in this blog; likely SOCKS proxy. |
| unnamed | cb03b206d63be966ddffa7a2115ea99f9fec50d351dce03dff1240bb073b5b50 | Not analyzed in this blog; likely the same BOF contained within update6.exe. |
| update1.exe | ccaa8c8b39cb4a4de4944200936bcd4796367c16421a89e6a7d5476ae2da78cd | Not analyzed in this blog; likely Golang HTTP beacon. |
| update4.exe | 1ade6a15ebcbe8cb9bda1e232d7e4111b808fd4128e0d5db15bfafafc3ec7b8e | Not analyzed in this blog; likely SOCKS proxy. |
| lu2.exe | ce1f44a677d9b7d1d62373175f5583d9e8c04e16ebd94656e21aa296e00e93d7 | Original filename: swi_config.exe. Packed copy of Lumma Stealer. |
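The indicators above are published defanged (`[.]` in place of `.`), and the hashes are not consistently cased, so they cannot be pasted straight into a log search. The following is an added example, not code from the original post or from the researchers who published these indicators: it takes a subset of the domains, IP addresses and SHA256 hashes from the two tables, refangs them, and matches them against a few constructed DNS, proxy and process-creation log lines. The log format, field names and timestamps are assumptions made for the example; only the indicator values come from the page.

```python
import re

# Network indicators copied (defanged) from the table above; the tag is a
# short form of the note the page gives for each one. Subset only.
NETWORK_IOCS = {
    "spamicrosoft[.]com": "Teams-call domain",
    "37.221.126[.]202": "AnyDesk C2",
    "91.196.70[.]160": "SOCKS proxy",
    "halagifts[.]com": "SystemBC C2",
    "217.15.175[.]191": "SystemBC C2",
    "preservedmoment[.]com": "Cobalt Strike C2",
    "45.155.249[.]97": "Cobalt Strike C2",
    "falseaudiencekd[.]shop": "Lumma C2",
}

# SHA256 indicators copied from the host-based table; normalised to lowercase
# on load so the mixed-case update8.exe hash matches like the others.
HASH_IOCS = {h.lower(): tag for h, tag in [
    ("ed062c189419bca7d8c816bcdb1a150c7ca7dd1ad6e30e1f46fae0c10ab062ef", "AntiSpam.exe credential harvester v1"),
    ("ac22ab152ed2e4e7b4cd1fc3025b58cbcd8d3d3ae3dbc447223dd4eabb17c45c", "update6.exe CVE-2022-26923 attempt"),
    ("9ED2B4D88B263F5078003EF35654ED5C205AC2F2C0E9225D4CDB4C24A5EA9AF2", "update8.exe SystemBC"),
    ("ce1f44a677d9b7d1d62373175f5583d9e8c04e16ebd94656e21aa296e00e93d7", "lu2.exe Lumma Stealer"),
]}


def refang(indicator: str) -> str:
    """Turn the published defanged form back into a matchable value."""
    return indicator.replace("[.]", ".")


# Refanged lookup table, keyed on the form that actually appears in logs.
REFANGED = {refang(k): v for k, v in NETWORK_IOCS.items()}

# Hostnames and dotted IPs are split out as whole tokens so that a domain
# is only matched exactly, never as a substring of a longer hostname.
TOKEN_RE = re.compile(r"[A-Za-z0-9.\-]+")
HASH_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")


def scan_line(line: str) -> list[tuple[str, str]]:
    """Return (indicator, tag) pairs for every IoC found in one log line."""
    hits = []
    for tok in TOKEN_RE.findall(line):
        tok = tok.lower().rstrip(".")  # tolerate trailing-dot FQDNs
        if tok in REFANGED:
            hits.append((tok, REFANGED[tok]))
    for h in HASH_RE.findall(line):
        h = h.lower()
        if h in HASH_IOCS:
            hits.append((h, HASH_IOCS[h]))
    return hits


def scan_logs(lines: list[str]) -> list[dict]:
    """Scan a batch of lines and report each hit with its 1-based line number."""
    findings = []
    for n, line in enumerate(lines, 1):
        for ioc, tag in scan_line(line):
            findings.append({"line": n, "indicator": ioc, "tag": tag})
    return findings


# Constructed sample log lines (not real telemetry). The last one deliberately
# contains a hostname that merely starts with an indicator, which must not match.
SAMPLE_LOGS = [
    "2024-01-01T10:00:00Z dns query client=10.0.0.5 qname=spamicrosoft.com type=A",
    "2024-01-01T10:05:12Z proxy CONNECT 37.221.126.202:443 user=jdoe",
    "2024-01-01T10:06:00Z dns query client=10.0.0.5 qname=update.example.org type=A",
    "2024-01-01T10:09:30Z sysmon ProcessCreate Image=C:\\Users\\jdoe\\AppData\\Local\\Temp\\update6.exe "
    "Hashes=SHA256=AC22AB152ED2E4E7B4CD1FC3025B58CBCD8D3D3AE3DBC447223DD4EABB17C45C",
    "2024-01-01T10:10:00Z dns query client=10.0.0.7 qname=halagifts.com.internal type=A",
]

if __name__ == "__main__":
    for f in scan_logs(SAMPLE_LOGS):
        print(f"line {f['line']}: {f['indicator']} ({f['tag']})")
```

Running the block reports hits on lines 1, 2 and 4 only: the Teams-call domain, the AnyDesk C2 address, and the update6.exe hash despite its uppercase form in the process log. Line 5 stays quiet because `halagifts.com.internal` is a different hostname, which is the reason the matcher compares whole tokens rather than searching for substrings.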