Threats Feed | MuddyWater | Last Updated: 02/10/2024 | Author: Certfa Radar | Publish Date: 30/11/2023

Phishing Campaign Targets Albanian Government with Microsoft Exchange Vulnerability

  • Actor Motivations: Espionage, Exfiltration
  • Attack Vectors: Vulnerability Exploitation, Malware, Spear Phishing
  • Attack Complexity: Medium
  • Threat Risk: Low Impact/High Probability

Threat Overview

A phishing campaign delivering malware to Albanian governmental entities was discovered. The lure is an archive named "kurs trajnimi.zip." The malware uses "ScreenConnectWindowsClient.exe" for command-and-control (C2) operations and exploits CVE-2023-36778, a Microsoft Exchange Server vulnerability. Static analysis revealed screen-capture, anti-analysis, and system-discovery techniques. The malicious program requires Administrator or SuperUser privileges to execute, which indicates an intent to evade detection and to reach higher-level system resources.

Detected Targets

Type    | Description                       | Confidence
Sector  | Government Agencies and Services  | Verified
Region  | Albania                           | Verified

Extracted IOCs

  • fp2e7a.wpc.2be4.phicdn[.]net
  • fp2e7a.wpc.phicdn[.]net
  • instance-s1t9su-relay.screenconnect[.]com
  • server-nix94cc63a0-relay.screenconnect[.]com
  • 31313c859e23c86b348948df8bf8ed45
  • 6086601a8560a2037f5091d8632d0509
  • ee8deccb67551d1ae4d2a0a11072d129
  • 058a250ca155bfe571ca51cce218727d2ea873bf
  • 04a6ba13d7f014c6650a05c55f7fef2d465903ab900bc37a2a28f4bf08a658c0
  • 083eb9b90e04e39514c50e296593c3652f05cf3fe3ba41cb7adeed82930e4ddf
  • 0c24251ea5d08874813ddd046d4b8d45cd1a45830f4d948401123df5bb372ad9
  • 62b405f32a43da0c8e8ed14a58ec7b9b4422b154bfd4aed4f9be5de0bc6eb5e8
  • 7863a1d2d90b2b739663843f977876640a10760896e74f15655fbbefa444ccc2
  • 87c640d3184c17d3b446a72d5f13d643a774b4ecc7afbedfd4e8da7795ea8077
  • affb342d2dce754b4ddbeeb4ed344806fda531d68346df12629b7bd8c0fa753c
  • bcaa3d8dcba6ba08bf20077eadd0b31f58a1334b7b9c629e475694c4eeafd924
  • bf61fdbdc3db66c762cca24d0e06a533063b1912dbd6a83807457bd37e65befd
  • d53c71db8d714a194ca40720a007557b354056ed0d88110b293b4469944b4bd6
  • ea38cff329692f6b4c8ade15970b742a9a8bb62a44f59227c510cb2882fa436f
  • f8c648e09fb42f145b581ed80b2a0c88e9f18041efd03ad3187a6229f17a14b8
  • 147[.]28.129.152
  • 192[.]229.221.95
  • 224[.]0.0.252
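The list above is defanged (`[.]` in place of `.`), mixes MD5, SHA-1, SHA-256, domain and IP indicators, and includes 224.0.0.252, which is the LLMNR multicast address and will appear on any Windows network. The script below is an added example, not Certfa Radar's own tooling: it refangs and classifies a representative subset of the page's indicators, then matches them against a few constructed proxy, DNS, firewall and EDR log lines (the log lines, host names and timestamps are made up for the example). The `NOISY` set is an assumption introduced here so that the multicast hit is reported but flagged as low-confidence rather than treated as a confirmed C2 contact.

```python
import re
from collections import defaultdict

# Indicators copied verbatim (defanged) from the Extracted IOCs list on this page;
# a representative subset is used so the example stays short.
RAW_IOCS = [
    "fp2e7a.wpc.2be4.phicdn[.]net",
    "fp2e7a.wpc.phicdn[.]net",
    "instance-s1t9su-relay.screenconnect[.]com",
    "server-nix94cc63a0-relay.screenconnect[.]com",
    "31313c859e23c86b348948df8bf8ed45",
    "058a250ca155bfe571ca51cce218727d2ea873bf",
    "04a6ba13d7f014c6650a05c55f7fef2d465903ab900bc37a2a28f4bf08a658c0",
    "147[.]28.129.152",
    "192[.]229.221.95",
    "224[.]0.0.252",
]

# Assumption for this example: indicators that fire on benign traffic get flagged as noisy.
# 224.0.0.252 is the LLMNR multicast address and is seen on every Windows LAN.
NOISY = {"224.0.0.252"}

# Constructed sample log lines (not real telemetry) covering each indicator type.
SAMPLE_LOGS = [
    "2023-11-28T09:14:02Z proxy src=10.0.8.21 dst=instance-s1t9su-relay.screenconnect.com:443 action=allow",
    "2023-11-28T09:14:05Z edr host=WS-031 proc=ScreenConnectWindowsClient.exe "
    "sha256=04a6ba13d7f014c6650a05c55f7fef2d465903ab900bc37a2a28f4bf08a658c0",
    "2023-11-28T09:14:07Z dns query=fp2e7a.wpc.phicdn.net type=A",
    "2023-11-28T09:14:09Z fw src=10.0.8.21 dst=224.0.0.252:5355 proto=udp",
    "2023-11-28T09:15:00Z proxy src=10.0.8.22 dst=www.example.com:443 action=allow",
]


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into its literal form."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


def classify(ioc: str) -> str:
    """Classify a refanged, lowercase indicator by its shape."""
    if re.fullmatch(r"[0-9a-f]{32}", ioc):
        return "md5"
    if re.fullmatch(r"[0-9a-f]{40}", ioc):
        return "sha1"
    if re.fullmatch(r"[0-9a-f]{64}", ioc):
        return "sha256"
    if re.fullmatch(r"(\d{1,3}\.){3}\d{1,3}", ioc):
        return "ip"
    return "domain"


def load_iocs(raw):
    """Refang, normalise and bucket indicators by type."""
    table = defaultdict(set)
    for item in raw:
        value = refang(item).strip().lower()
        table[classify(value)].add(value)
    return table


# Tokens of host, hash or IP shape; ':' and '=' delimit, so 'dst=host:443' yields 'host'.
TOKEN = re.compile(r"[0-9a-z][0-9a-z.\-]*")


def scan(lines, iocs):
    """Return one hit per (line, indicator) where a log token equals a known IOC."""
    flat = {value: kind for kind, values in iocs.items() for value in values}
    hits = []
    for number, line in enumerate(lines, 1):
        for token in TOKEN.findall(line.lower()):
            if token in flat:
                hits.append({"line": number, "type": flat[token],
                             "ioc": token, "noisy": token in NOISY})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS, load_iocs(RAW_IOCS)):
        flag = " (noisy, low confidence)" if hit["noisy"] else ""
        print(f"line {hit['line']}: {hit['type']} {hit['ioc']}{flag}")
```

Exact-token matching is deliberate: substring matching would make the short MD5 values collide with SHA-256 prefixes and make `phicdn.net` match unrelated CDN hosts. When operationalising a feed like this, weight hash and relay-domain hits above the IP hits, and drop multicast addresses from blocking rules entirely.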

Tip: 23 IOCs related to this threat have been found (3 IP, 4 domain, 0 URL, 0 email, 16 file hash).