polonus, February 10, 2020, 11:45pm (#5)
polonus, February 11, 2020, 4:58pm (#6)
polonus, February 13, 2020, 4:22pm (#7)
Only one engine detects this address: https://www.virustotal.com/gui/url/16b54dada7849723b29282a497821b358a62d9d4c424d725659a270148540ab0/detection
Lampion malware abuse on amazonaws dot com: https://urlhaus.abuse.ch/url/313860/
More on this payload: https://urlhaus.abuse.ch/browse.php?search=3881c4bacf37f5a37b21f6dca7f12d7c8eb91e094dc17f1a9306d015006d48be
Netcraft threat rating 7 (red) out of 10: https://sitereport.netcraft.com/?url=https://vrau-x.s3.us-east-2.amazonaws.com
Temp. redirect: https://www.shodan.io/host/52.219.84.168
Read on Lampion malcode: https://securityaffairs.co/wordpress/95731/malware/lampion-malware-targets-portugal.html
The file “FacturaNovembro-4492154-2019-10_8.vbs” is the first stage of the Lampion’s infection chain. This is a Visual Basic Script (VBScript) file that is acting as a dropper and downloader. It downloads the next stage from the compromised server available on the Internet on an AWS S3 bucket. Quoted info source = Security Affairs' Pierluigi Paganini.
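The post above describes a VBScript first stage that pulls its next stage from an AWS S3 bucket, and the thread shares the resulting hosts in defanged form ("amazonaws dot com"). As an added example, not part of the original post or of any Lampion analysis, the script below does the corresponding triage step on the defender's side: it extracts URLs from a script file, flags any whose host is an S3 endpoint, and prints them defanged so they can be shared safely. The embedded VBScript text and the bucket name in it are constructed placeholders, not the real sample or host from the thread.

```python
import re
from urllib.parse import urlparse

# Constructed sample: a downloader-style VBScript stub with a placeholder S3 URL.
# This is NOT the real first-stage file from the thread; the bucket host is invented.
SAMPLE_VBS = r'''
Dim stage2
stage2 = "https://example-bucket.s3.us-east-2.amazonaws.com/payload.zip"
' benign reference in a comment: https://www.example.org/docs
MsgBox "Factura"
'''

# Matches http/https URLs up to the first whitespace, quote or angle bracket.
URL_RE = re.compile(r'https?://[^\s"\'<>]+', re.IGNORECASE)


def extract_urls(text):
    """Return the distinct URLs found in a script body, sorted for stable output."""
    return sorted({m.group(0) for m in URL_RE.finditer(text)})


def is_s3_host(host):
    """True for S3 endpoints: <bucket>.s3.<region>.amazonaws.com, <bucket>.s3.amazonaws.com,
    or path-style s3.<region>.amazonaws.com. Other AWS hosts (EC2, ELB) are not flagged."""
    h = host.lower()
    if not h.endswith('.amazonaws.com'):
        return False
    return any(label == 's3' or label.startswith('s3-') for label in h.split('.'))


def defang(url):
    """Rewrite a URL so it cannot be clicked by accident: hxxp scheme, [.] in the host."""
    p = urlparse(url)
    scheme = p.scheme.replace('http', 'hxxp')
    host = p.netloc.replace('.', '[.]')
    rest = url[len(p.scheme) + 3 + len(p.netloc):]  # path, query, fragment as written
    return f"{scheme}://{host}{rest}"


def triage(text):
    """Extract every URL from the script text and annotate it for IoC sharing."""
    findings = []
    for url in extract_urls(text):
        host = urlparse(url).netloc
        findings.append({
            'url': url,
            'host': host,
            's3': is_s3_host(host),
            'defanged': defang(url),
        })
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_VBS):
        tag = 'S3 bucket' if f['s3'] else 'other'
        print(f"[{tag}] {f['defanged']}")
```

Running it on a real .vbs file means reading the file into `triage()` instead of `SAMPLE_VBS`; the S3 check is a heuristic on the host name only, so a flagged URL is a lead to look up on URLhaus or VirusTotal, as the posts above do, not a verdict by itself.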
polonus, February 16, 2020, 10:12pm (#8)
polonus, February 25, 2020, 6:11pm (#9)
polonus, February 26, 2020, 10:21pm (#10)
Blocked as a PHISH by MBAM Browser Guard extension: -shell-storm.org
Website blocked due to phishing
Website blocked: -shell-storm.org
Malwarebytes Browser Guard blocked this website because it may contain malware activity.
We strongly recommend you do not continue.
Also consider the detections at VT with 6 detected URLs: https://www.virustotal.com/gui/ip-address/178.79.135.109/relations
pol