Mitiga Advisory

Jan 18, 2021

On 13 January, a malicious .docx file was uploaded to VirusTotal. The attacker who created the malicious file used several of Mitiga’s publicly available branding elements, including logo, fonts and colors, to lend credibility to the document.


It should be stressed that:  (i) Mitiga’s network and cloud environment were not breached; (ii) the malicious document is unrelated to any activity conducted by Mitiga (e.g. red team exercises); and (iii) the file was created by a threat actor, most likely for use as part of phishing or malware spreading campaigns.


During preliminary research conducted by our team we discovered the following:

  1. In addition to Mitiga’s branding elements, the .docx file contained a job description for “Raytheon Technologies”.
  2. The .docx file contained downloadable content from a malicious URL address that is no longer active.
  3. The URL address is connected to a wider campaign whose Command-and-Control (C2) uses domains abusing other well-known brands, including Dropbox, Microsoft, Adobe and Imgur.
  4. The C2 infrastructure is connected to an older campaign dating back as early as 2019. The older campaign appears to have focused on targets in Republika Srpska of Bosnia and Herzegovina.
  5. The campaign’s indicators of compromise (IOCs) are:
    1. .docx file (Sha256): ea69141d912626d60d57b68a38281347cde100eec728aa649efc6d6769948125
    2. IP addresses: 185.205.210.24, 193.37.213.252, 185.203.118.2
    3. Domains: dropbox-online[.]com, imgur-online[.]com, imguronline[.]com, adobe-view[.]com, adobe-documents[.]com, microsoft[.]update-store[.]com, share-download[.]com, safe-redirect[.]pw, elvacometpro[.]co
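The indicators above are only useful once they are matched against your own telemetry. The following script is an added example and is not part of Mitiga’s advisory or tooling: it refangs the published domains, checks a file’s SHA-256 against the listed hash, and scans web-proxy log lines for the listed IPs and domains (including subdomains of them). The proxy log lines are constructed for illustration and are not real traffic; the log format (timestamp, client, method, URL, status) is an assumption you would adapt to your own logs.

```python
import hashlib
import re

# IoCs as published in the advisory (domains are defanged with [.] there).
# The third IP is printed with commas in the advisory; separators normalised here.
IOC_SHA256 = {"ea69141d912626d60d57b68a38281347cde100eec728aa649efc6d6769948125"}
IOC_IPS = {"185.205.210.24", "193.37.213.252", "185.203.118.2"}
IOC_DOMAINS_DEFANGED = [
    "dropbox-online[.]com", "imgur-online[.]com", "imguronline[.]com",
    "adobe-view[.]com", "adobe-documents[.]com", "microsoft[.]update-store[.]com",
    "share-download[.]com", "safe-redirect[.]pw", "elvacometpro[.]co",
]


def refang(domain):
    """Turn a defanged indicator like dropbox-online[.]com into a matchable hostname."""
    return domain.replace("[.]", ".").lower()


IOC_DOMAINS = {refang(d) for d in IOC_DOMAINS_DEFANGED}


def host_matches(hostname):
    """Return the matching IoC domain if hostname is that domain or a subdomain of it,
    otherwise None. The leading-dot check avoids matching e.g. notdropbox-online.com."""
    h = hostname.lower().rstrip(".")
    for d in IOC_DOMAINS:
        if h == d or h.endswith("." + d):
            return d
    return None


# Constructed sample proxy log (not real traffic): timestamp client method url status
SAMPLE_PROXY_LOG = """\
2021-01-13T09:12:01Z 10.0.0.5 GET http://dropbox-online.com/files/jd.docx 200
2021-01-13T09:12:03Z 10.0.0.5 GET https://www.dropbox.com/s/abc/real.pdf 200
2021-01-13T09:13:44Z 10.0.0.9 GET http://185.205.210.24/update.php 404
2021-01-13T09:14:10Z 10.0.0.7 GET https://cdn.imguronline.com/i/logo.png 200
2021-01-13T09:15:00Z 10.0.0.7 GET https://imgur.com/gallery/xyz 200
"""

# Extract the host part of a URL: scheme://host[:port]/...
URL_HOST_RE = re.compile(r"^[a-z]+://([^/:\s]+)")


def scan_proxy_log(text):
    """Return (line_number, indicator) for each line whose URL host is a listed IP,
    a listed domain, or a subdomain of a listed domain."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed line; skip rather than crash
        m = URL_HOST_RE.match(parts[3].lower())
        if not m:
            continue
        host = m.group(1)
        if host in IOC_IPS:
            hits.append((n, host))
        else:
            matched = host_matches(host)
            if matched:
                hits.append((n, matched))
    return hits


def file_is_known_sample(data):
    """True if the SHA-256 of the raw file bytes equals the advisory's hash."""
    return hashlib.sha256(data).hexdigest() in IOC_SHA256


if __name__ == "__main__":
    for n, indicator in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"line {n}: matched indicator {indicator}")
    print("benign bytes match hash:", file_is_known_sample(b"not the sample"))
```

Run against real proxy or DNS logs by replacing `SAMPLE_PROXY_LOG` with the file contents; matching on the registered domain and its subdomains (rather than exact strings) catches variants such as a CDN-style hostname under one of the listed domains, while the leading-dot check keeps unrelated look-alike domains from producing false positives.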


Recommendations

We will update this post as new information becomes available.

Copyright © 2020 Mitiga, Ltd. All rights reserved