Take note of the URL of my “personal” TOR page used during analysis:

At the end of the URL, “7gzc” appears to be somewhat random to the naked eye. However, by executing the malware a second time, I was given a “number” very close to this, only a few letters off. With the closeness of the numbers, this tells me the numbers are not random, but are actually incrementing. In querying the attackers' infrastructure, infected hosts start at “000q”, as no entries exist prior to that. With the lack of entries such as “0001” and “000q” existing (contains all letters of the alphabet), this tells me the attackers are using the following base 36 number scheme:

Using this, we can calculate and convert how many hosts have potentially been infected. Keep in mind this number will include researchers, malware analysts, sandboxes, and infected users, and a few non-existent numbers scattered in between. Assuming half of these are sandboxes and researchers, half of 348,637 is still a very large number.

Once infected, users are instructed to pay 500 USD in Bitcoins to unlock their files. (Figure 7)

A text representation of the wallets is here (for your research):

The 1L7 bitcoin address currently contains 3.96 bitcoins. The 19y bitcoin address currently has a balance of 2.46 bitcoins. Both of these wallets have transferred funds to bitcoin wallet 18dwCxqqmya2ckWjCgTYReYyRL6dZF6pzL, and this looks to be one of the main wallets held by the attackers. Currently, this address has received 88.58 bitcoins, giving a potential of 95 bitcoins belonging to the attackers, or roughly $62,000 USD which may have been paid to the attackers to unlock files.

1. Be on the lookout for zip files that contain executable or screen saver files.
2. Be wary of any zip file being downloaded.
3. Search / remove emails containing the subjects discussed
4. User awareness – While some will debate this topic, we had 10 users who reported this email, and that’s $5,000 we don’t have to pay

Let’s see how the attackers have changed their tactics after our first report… or rather how they haven’t changed. Today, we received a third set of emails with a similar Dropbox link. This time, the email is disguised as a voicemail notification (Figure 15). Please note that the phone number and mailbox number listed can change (we’ve received multiple iterations with varying phone and mailbox numbers today).

Dropshare optionally creates an HTML landing page for each of your uploads. If you want to enable this feature, open the Preferences and select the Landing page tab. Select "Create landing pages for uploaded files" if you want Dropshare to create a landing page for your uploads. In case you want to disable the landing page for a single upload, press and hold the option key (⌥) while dragging a file to Dropshare.

You can either use the default landing page design, or create your very own design with HTML, CSS and JavaScript. Select the "Custom" design to enable your own landing page design, and edit the HTML for your design. Within the HTML, you can use HTML, CSS, JavaScript and other web technologies to create your individual landing page design.

Additionally, the following variables are provided and will be automatically replaced:

Variable name
Will be replaced with preview image (if possible, e.g. for screenshots)
Apple Uniform Type Identifier (Read more)
Absolute URL to preview file, required e.g.