Introduction
The Donot group, tracked as APT-Q-38 within QiAnXin, is believed to be backed by the government of a South Asian country. It mainly conducts cyber-espionage against government agencies, defense and military departments, and prominent figures in the business sector. Its targets include China, Pakistan, Sri Lanka and other South Asian countries.
During routine threat hunting, the RedDrip Team of QiAnXin Threat Intelligence Center found that Donot has kept up a high operational tempo since the end of last year, and that this has continued into this year. At the end of January this year we also captured attack samples [1] from the group that used documents about the Kashmir region as bait.
After reviewing the recent Donot samples we captured, we found that the group's main attack chain keeps its usual shape, but the attackers are also trying different ways of implanting malicious code and changing the code details of their components. This article therefore gives a brief summary of Donot's recent attack techniques.
Donot often uses document macros to execute shellcode that downloads a follow-on DLL component, and that DLL in turn downloads further components such as a plugin manager and plugins. In the Kashmir-themed samples the attackers instead delivered the downloader DLL directly inside a self-extracting RAR archive. In some campaigns the group also uses EXE components, dropped from compressed packages by macro documents, to download the follow-on components.
DLL Component Implantation Methods
Macro Documents
Some of the file information for the macro document samples used by Donot is shown in the following table.
MD5 | Size | File Name | VT Upload Time | File Creation Time
---|---|---|---|---
06adbb4ba31a52cc5c9258bf6d99812c | 144384 bytes | REQUIREMENT LIST OF SPARES.xls | 2022-11-30 12:04:38 UTC | 2021-08-09 13:30:37 UTC
d98e2d7c8e91a9d8e87abe744f6d43f9 | 602624 bytes | Monthly Action Plan.xls | 2022-12-22 10:42:28 UTC | 2021-08-09 13:30:37 UTC
c839d8a01c97407526b3407022823c8a | 603136 bytes | | 2023-01-24 05:10:11 UTC | 2021-08-09 13:30:37 UTC
1c4fb7c41e7928bfb74784d910522771 | 91781 bytes | PMDU Report 8-2-23.doc | 2023-02-13 08:59:03 UTC | 2021-03-30 12:06:00 UTC
e1d235c95a7c06b1203048972cf179fa | 69296 bytes | Cyber Security Instructions.doc | 2023-02-28 05:22:09 UTC | 2021-03-30 12:06:00 UTC
6de75b200652eefa4a6a3bb84da7f798 | 603136 bytes | TRAINING NOMINATION.xls | 2023-03-02 04:09:53 UTC | 2021-08-09 13:30:37 UTC
0ec8911f9764ea7b254ea19cd171535e | 87870 bytes | | 2023-03-03 10:01:33 UTC | 2021-03-30 12:06:00 UTC
From the table, all the .xls documents share one creation time and all the .doc documents share another, which suggests that these samples were generated from the same two original documents.
(1) VBA
Take the sample above (MD5: d98e2d7c8e91a9d8e87abe744f6d43f9) as an example.
The VBA code obfuscates variable and function names with mixed-case names built only from the letters i, j and l. It calls NtAllocateVirtualMemory to allocate memory, decodes the encoded shellcode with WideCharToMultiByte according to the character encoding used in the document, and then executes the shellcode by passing its address to EnumUILanguages as the enumeration callback. Which shellcode is executed depends on the system architecture.
(2) Shellcode
In the 64-bit version, the shellcode decrypts itself by inverting each byte (bitwise NOT) and then XORing it.
APIs are resolved by hash, and the hash is XORed with 0xBAADC0D3 during resolution.
URLDownloadToCacheFileA from urlmon.dll is called to download the payload from the following URL:
http://orangevisitorss.buzz/QcM8y7FsH12BUbxY/XNJxFhZdMSJzq1tRyF47ZXLIdqNGRqiHQQHL6DJIjl2IoxUA.png
The downloaded payload is read into memory like an ordinary file and decrypted with the same NOT-then-XOR operation; the first byte of the decrypted data is then checked as a sanity test. If the check passes, the decrypted data is executed.
The second-stage shellcode obtained this way first decrypts itself by XORing its bytes, then resolves the APIs it needs. It calls Wow64DisableWow64FsRedirection to disable file system redirection and GetLocalTime to read the system time; if the current date is later than a hard-coded date, the shellcode exits. As shown in the figure below, the hard-coded value is 0x7E70214, which decomposes into 0x07E7-0x02-0x14, i.e. 2023-02-20, so this stage stops working after that date.
It then checks, one by one, whether each of the antivirus driver files below exists in C:\Windows\System32\drivers. If a driver is present, a flag variable for that product is set according to whether the current date is later than a built-in date specific to that product: 1 if the current date is not later than it, 2 otherwise.
Antivirus driver file | Vendor
---|---
gzflt.sys | Bitdefender
klif.sys | Kaspersky
ehdrv.sys | ESET
aswsp.sys | Avast
bsfs.sys | Quick Heal
360AvFlt.sys | 360
If no antivirus software is found, URLDownloadToFileA downloads the follow-on payload and saves it as Unincored.dll in the current user's temp directory ("%tmp%\Unincored.dll"). The URL is:
http://orangevisitorss.buzz/QcM8y7FsH12BUbxY/XNJxFhZdMSJzq1tRyF47ZXLIdqNGRqiHQQHL6DJIjl2IoxUA.mp4
The shellcode then opens the downloaded file and overwrites its first 4 bytes with 4D 5A 90 00 to repair the PE header, which is stored damaged on the server so that the file does not look like an executable in transit. It loads the DLL with LoadLibraryA, resolves the export tripoliro with GetProcAddress, and calls it.
If antivirus software is present and the corresponding flag is 2, the shellcode terminates itself by executing int3 or another instruction that raises an interrupt or exception. If the flag is 1, the behaviour depends on the product: for some, execution continues exactly as in the no-antivirus case; for others, the shellcode loads bcrypt.dll and copies the follow-on shellcode into the memory mapped for bcrypt.dll, executing it from there.
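The stage transitions above (NOT-then-XOR decryption with a first-byte check, the packed expiry date, and the 4-byte MZ header repair) are small transforms an analyst has to redo by hand when pulling the payloads apart. The helper below is an added example written for this article, not code from the Donot samples. The single-byte XOR key, the expected first byte 0x55 and the PE blob it operates on are assumptions constructed for the demo; the post names the scheme but not the key, so recover the real key from the decryption loop of the sample you are looking at.

```python
# Added analyst helper for the stage-1/stage-2 transforms described above.
# Example code for this article, not Donot's own code.
# ASSUMPTION: the XOR key 0x5A is hypothetical; take the real one from the sample.
import struct
from datetime import date
from typing import Optional, Tuple

ASSUMED_XOR_KEY = 0x5A           # hypothetical; replace with the sample's key
MZ_FIX = b"\x4d\x5a\x90\x00"     # bytes the loader writes over offset 0 of the .mp4


def decode_packed_date(value: int) -> date:
    """Unpack the expiry constant: year in the high 16 bits, then one byte each
    for month and day. 0x07E70214 -> 2023-02-20."""
    return date(value >> 16, (value >> 8) & 0xFF, value & 0xFF)


def is_expired(packed: int, today: date) -> bool:
    """Mirror the stage-2 check: the shellcode exits when today is later than
    the hard-coded date."""
    return today > decode_packed_date(packed)


def not_xor_decrypt(buf: bytes, key: int = ASSUMED_XOR_KEY) -> bytes:
    """Byte inverse, then XOR with the key (the 64-bit stage-1 scheme).
    Since ~b == b ^ 0xFF, this is equivalent to a single XOR with key ^ 0xFF."""
    return bytes(((~b) & 0xFF) ^ key for b in buf)


def not_xor_encrypt(buf: bytes, key: int = ASSUMED_XOR_KEY) -> bytes:
    """Inverse of not_xor_decrypt; used here only to build test input."""
    return bytes((~(b ^ key)) & 0xFF for b in buf)


def recover_stage2(blob: bytes, expected_first_byte: int,
                   key: int = ASSUMED_XOR_KEY) -> Optional[bytes]:
    """Decrypt a downloaded .png/.ico blob and apply the loader's first-byte
    check. None means the check failed (wrong key or wrong file)."""
    if not blob:
        return None
    plain = not_xor_decrypt(blob, key)
    return plain if plain[0] == expected_first_byte else None


def fix_pe_header(blob: bytes) -> bytes:
    """Overwrite the first 4 bytes with 4D 5A 90 00, as the shellcode does
    before LoadLibraryA, so ordinary PE tools can parse the dropped DLL."""
    if len(blob) < 4:
        raise ValueError("blob too short to be a PE file")
    return MZ_FIX + blob[4:]


def looks_like_pe(blob: bytes) -> bool:
    """Cheap sanity check: MZ signature and e_lfanew pointing at 'PE\\0\\0'."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def build_constructed_samples() -> Tuple[bytes, bytes]:
    """CONSTRUCTED test data, not from a real sample: a minimal PE stub with its
    first 4 bytes zeroed the way the dropped .mp4 is, and a fake stage-2 blob
    whose first plaintext byte is 0x55 (push rbp)."""
    hdr = bytearray(0x40)
    hdr[:4] = MZ_FIX
    struct.pack_into("<I", hdr, 0x3C, 0x40)      # e_lfanew -> right after the header
    pe = bytes(hdr) + b"PE\x00\x00"
    damaged_pe = b"\x00\x00\x00\x00" + pe[4:]
    fake_stage2 = not_xor_encrypt(b"\x55\x48\x89\xe5" + b"\x90" * 12)
    return damaged_pe, fake_stage2


if __name__ == "__main__":
    damaged, enc = build_constructed_samples()
    print("expiry date:", decode_packed_date(0x07E70214))
    print("PE parses after header fix:", looks_like_pe(fix_pe_header(damaged)))
    print("stage-2 recovered:", recover_stage2(enc, 0x55) is not None)
```

The first-byte check is the same one the shellcode performs, so a wrong key shows up as a None result rather than as garbage handed to the next step; run the recovered buffer through a disassembler before trusting it further.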
The 32-bit version of the shellcode launched by the macro is essentially the same as the 64-bit version, but it uses different URLs for the follow-on shellcode and DLL payloads.
Follow-on payload type | URL
---|---
Shellcode | http://orangevisitorss.buzz/QcM8y7FsH12BUbxY/XNJxFhZdMSJzq1tRyF47ZXLIdqNGRqiHQQHL6DJIjl2IoxUA.ico
DLL | http://orangevisitorss.buzz/QcM8y7FsH12BUbxY/XNJxFhZdMSJzq1tRyF47ZXLIdqNGRqiHQQHL6DJIjl2IoxUA.mp3
The SFX File
The basic information of the SFX file is as follows:
Item | Value
---|---
File name | Kashmir Solidarity Day Material .exe
MD5 | 4eaa63dd65fc699260306c743b46303b
File type | WinRAR SFX
File size | 1684242 bytes
The self-extracting archive is disguised with a folder icon. When run, it extracts its contents to the temp directory, executes the export function of the DLL component through rundll32.exe, and opens the folder "Kashmir" containing the decoy PDF document packed in the archive.
DLL component analysis
The DLL components used by the Donot group mostly follow the classic three-step chain of downloader, plugin manager and plugin, but there are also cases where the first DLL implanted is itself a plugin downloader.
The Three Steps of DLL
Take the DLL component chain implanted by the SFX sample as the example.
(1) Downloader
The downloader DLL's information is as follows:
Item | Value
---|---
File name | dn2272iosUp.dll
MD5 | 07a3c19bc67c5f44c888ce75d4147ecf
File type | PE32 DLL
File size | 296960 bytes
Compilation time | 2023-01-10 14:16:06 UTC
The downloader DLL generally has two exports: one registers a scheduled task that launches the other export; the other reports collected host information to the C2 server, then downloads and executes the plugin-manager DLL.
The SFX file calls the export StTskloipy of dn2272iosUp.dll. This function writes the AES-encrypted path of the current DLL into "C:\Users\[user]\AppData\Local\windin.txt". If the DLL is not already in the current user's temp directory, it copies itself there. It then creates a scheduled task through the COM interface that calls the other export, SDtuiopnhukm.
Besides calling the COM interface directly, Donot has also set scheduled tasks in other downloader DLLs by dropping and running a .bat file. The dropped .bat runs the schtasks command and deletes itself when done.
The other export of dn2272iosUp.dll, SDtuiopnhukm, first creates the mutex "olgui1Pigg" to ensure only one instance runs, then creates the directory "C:\Users\[user]\AppData\Local\Nsget". It collects the list of software installed on the machine from the registry.
It obtains the current user name, the computer name and a CPU identifier (read with the cpuid instruction) and combines the three into a victim ID. The victim ID is concatenated with the collected software list and the terminator "|||S4"; the resulting string is AES-encrypted and Base64-encoded, and the result is sent as the "batac" parameter of a POST request to the following URL:
https://briefdeal.buzz/Treolekomana/recopereta
If the C2 server responds, the downloader requests the follow-on component WingMndre.dll: the victim ID and the component name are concatenated, encrypted and sent as the "data" parameter of a POST request to the following URL:
https://briefdeal.buzz/Likorecasta/mikachar
If the download succeeds, WingMndre.dll is saved to the Nsget directory created earlier, the windin.txt dropped by StTskloipy is deleted, and a scheduled task is registered that calls the export "StConectert" of WingMndre.dll. Because this task has the same name ("OneDriveUpdaton") as the one created to launch SDtuiopnhukm, the original task's action is effectively replaced.
A file Uwn.txt is dropped in the Nsget directory; its content is the AES-encrypted victim ID. Finally, the following command, with the DLL's path substituted for %s, is run through CreateProcessW to delete the current DLL from disk:
cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "%s"
(2) Plugin Manager
The follow-on component WingMndre.dll works as a plugin manager; its basic information is as follows.
Item | Value
---|---
File name | WingMndre.dll
MD5 | d7e123fe7fb8a5f56ec9d89f7787340d
File type | PE32 DLL
File size | 343040 bytes
Compilation time | 2023-01-24 06:42:57 UTC
Function sub_100112D0, called by the export StConectert, is essentially a while loop. At the start of each iteration it sends the victim ID to the C2 server as a beacon. The victim ID is read from Uwn.txt in the Nsget directory and regenerated if the file does not exist. Notably, the AES key and IV the plugin manager uses to decrypt Uwn.txt are the same ones the downloader used, while a different key and IV pair encrypts the victim ID in the beacon itself. The beacon URL is:
https://repidyard.buzz/Romexicarto/terokanama
If a response is received from the C2 server, processing continues; otherwise the loop sleeps for 30 seconds and starts the next iteration.
The response is split on "|", and each part describes one operation on one plugin component (the plugin manager itself included). A captured response is shown below:
CKyLongD.dll>287744>0>Kystub>0|SSrtuioUpd.dll>270848>7>Stbingo>0|FoThreeDut.dll>363520>0>StNgtop>0|RRRvso.dll>164872>0>wavervs>0|WingMndre.dll>343040>40>StConectert|
The format is similar to that of Donot's earlier activity [2], but this time the response is not written to disk and is instead processed directly in memory. Each "|"-separated part is parsed and handed to sub_1000FCA0 for further processing. The fields within a part are separated by ">", and the meanings of the first four are as follows:
Field | Meaning | Description
---|---|---
1 | Component name | |
2 | Component size | Verified after the component is downloaded |
3 | Command code | The operation to perform on the component |
4 | Export function | The export called when the component is run |
Downloaded plugin components are saved in "C:\Users\[user]\AppData\Local\Nsget\Updates". The URL for downloading follow-on components is:
https://repidyard.buzz/xoexapolicreate/ertyprmekabiops
The command code is converted from a string to an integer with stoi and then dispatched as follows.
Command code | Function | Description
---|---|---
0 | Disable | Change a variable related to the plugin, wait for its running state to change, then unload the plugin DLL. |
7 | Start | Check whether the plugin exists in the Updates directory; if not, download it from the C2 server. Then load the plugin DLL and call the specified export. |
-5 (0xFFFFFFFB) | Delete | Perform the disable operation, then delete the DLL file from the Updates directory. |
-3 (0xFFFFFFFD) | Update | Perform the delete operation, then the start operation (the plugin is re-downloaded from the C2 server during start because it no longer exists). |
41 (0x29) | Update the plugin manager | Save the new plugin manager to the Updates directory, drop alex.bat, perform the update through scheduled tasks, and set the loop exit flag. |
Others | None | |
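The task format and the command-code table above are enough to write a parser and a dry-run dispatcher, which is useful both for decoding captured C2 responses and for reasoning about what a given response would make an infected host do. The block below is an added example for this article, not the plugin manager's code: the download is stood in for by a caller-supplied fetch() callable and the Updates directory by a dict, so nothing touches disk or network. Note that the captured response carries code 40 for WingMndre.dll, which the table maps to "none", so the dry run leaves the manager untouched; the sizes returned by the fake fetch are constructed to match the advertised sizes.

```python
# Added example: parser and dry-run dispatcher for the plugin-manager task
# format described above. Written for this article, not Donot's code.
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set

# Command codes from the table above; anything else is a no-op.
DISABLE, START, DELETE, UPDATE, UPDATE_MANAGER = 0, 7, -5, -3, 41


def stoi(s: str) -> int:
    """Model C++ std::stoi: optional whitespace and sign, then digits, stop at
    the first non-digit, raise when there are no digits. "-5" parses to -5,
    which is what 0xFFFFFFFB in a 32-bit register compares as."""
    m = re.match(r"\s*[+-]?\d+", s)
    if not m:
        raise ValueError(f"stoi: no conversion for {s!r}")
    return int(m.group())


@dataclass
class PluginTask:
    name: str             # field 1: component name
    size: int             # field 2: expected size, checked after download
    code: int             # field 3: command code
    export: str           # field 4: export called when the component runs
    extra: Optional[str]  # field 5 where present; meaning not given in the article


def parse_response(msg: str) -> List[PluginTask]:
    """Split on '|' into per-plugin parts, then on '>' into fields."""
    tasks = []
    for part in msg.split("|"):
        if not part:
            continue  # trailing separator
        f = part.split(">")
        if len(f) < 4:
            raise ValueError(f"malformed task: {part!r}")
        tasks.append(PluginTask(f[0], int(f[1]), stoi(f[2]), f[3],
                                f[4] if len(f) > 4 else None))
    return tasks


@dataclass
class ManagerState:
    updates: Dict[str, bytes] = field(default_factory=dict)  # stands in for Nsget\Updates
    loaded: Set[str] = field(default_factory=set)            # plugins currently loaded
    exit_flag: bool = False
    log: List[str] = field(default_factory=list)


def _disable(st: ManagerState, t: PluginTask) -> None:
    if t.name in st.loaded:
        st.loaded.discard(t.name)
        st.log.append(f"unload {t.name}")


def _fetch_checked(st: ManagerState, t: PluginTask, fetch: Callable[[str], bytes]) -> bool:
    """Download and apply the size check the manager performs."""
    blob = fetch(t.name)
    if len(blob) != t.size:
        st.log.append(f"reject {t.name}: got {len(blob)} bytes, expected {t.size}")
        return False
    st.updates[t.name] = blob
    st.log.append(f"download {t.name}")
    return True


def _start(st: ManagerState, t: PluginTask, fetch: Callable[[str], bytes]) -> None:
    if t.name not in st.updates and not _fetch_checked(st, t, fetch):
        return
    st.loaded.add(t.name)
    st.log.append(f"call {t.name}!{t.export}")


def _delete(st: ManagerState, t: PluginTask) -> None:
    _disable(st, t)
    if st.updates.pop(t.name, None) is not None:
        st.log.append(f"delete {t.name}")


def dispatch(msg: str, st: ManagerState, fetch: Callable[[str], bytes]) -> List[str]:
    for t in parse_response(msg):
        if t.code == DISABLE:
            _disable(st, t)
        elif t.code == START:
            _start(st, t, fetch)
        elif t.code == DELETE:
            _delete(st, t)
        elif t.code == UPDATE:
            _delete(st, t)
            _start(st, t, fetch)  # re-downloaded because it no longer exists
        elif t.code == UPDATE_MANAGER:
            if _fetch_checked(st, t, fetch):
                st.log.append(f"stage new manager {t.name} via alex.bat")
                st.exit_flag = True  # old manager leaves the loop and self-deletes
        else:
            st.log.append(f"ignore {t.name} code {t.code}")
    return st.log


# The response captured in the article. The fake fetch below is CONSTRUCTED to
# return a blob of exactly the advertised size for each name.
CAPTURED = ("CKyLongD.dll>287744>0>Kystub>0|SSrtuioUpd.dll>270848>7>Stbingo>0|"
            "FoThreeDut.dll>363520>0>StNgtop>0|RRRvso.dll>164872>0>wavervs>0|"
            "WingMndre.dll>343040>40>StConectert|")


def demo(msg: str = CAPTURED) -> ManagerState:
    sizes = {t.name: t.size for t in parse_response(msg)}
    st = ManagerState()
    dispatch(msg, st, fetch=lambda name: b"\x00" * sizes[name])
    return st
```

Against the captured response the dry run downloads and starts SSrtuioUpd.dll only: the three code-0 entries refer to plugins that are not loaded, and the final entry's code 40 is not in the table.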
When the plugin manager is updated, alex.bat is also dropped in the Updates directory with the content below. It copies the new plugin manager to the parent directory of Updates (Nsget), deletes the original file, and deletes the scheduled task named "Windows".
Copy C:\Users\[user]\AppData\Local\Nsget\Updates\[plugin name] C:\Users\[user]\AppData\Local\Nsget
del "C:\Users\[user]\AppData\Local\Nsget\Updates\[plugin name]"
schtasks /delete /tn Windows /f
Next, a scheduled task named "Windows" is registered to run the dropped alex.bat.
Then another scheduled task, "WindowsMainHawk", is registered to call the export StConectert of the new plugin manager.
After the old plugin manager leaves the while loop it deletes itself in the same way as the downloader DLL: function sub_1000A960 calls CreateProcessA with the following formatted command.
cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "%s"
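The execution chain described in this section leaves three recurring process-creation artifacts: rundll32 running an export from one of the staging directories, schtasks creating or deleting one of the observed task names, and the ping-then-del self-deletion command (the ping is a delay so the DLL is no longer mapped when Del runs). The block below is an added hunting example for this article, not code from the samples; the command lines it scans are constructed to resemble the behaviour described above, and the user name, task trigger options and event identifiers are made up.

```python
# Added example, not taken from the article's samples: hunting rules for the
# execution-chain artifacts described above, run over CONSTRUCTED
# process-creation command lines.
import re
from typing import List, Tuple

# Staging directories named in the article (user-specific prefix left open);
# Temp is included because the downloader copies itself there.
STAGING = r"(\\AppData\\Local\\(Nsget|Logo|Temp)\\|\\ProgramData\\Winstom\\Dnt\\)"
# Scheduled-task names observed in the article.
TASKS = r"(OneDriveUpdaton|WindowsMainHawk|Windows)"

RULES = {
    # cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "<path>"
    "ping_delay_self_delete": re.compile(
        r"ping\s+\S+\s+-n\s+\d+\s+-w\s+\d+\s*>\s*nul\s*&\s*del\s+/f\s+/q\s+", re.I),
    # rundll32 <staging dir>\<name>.dll,<export>   (how the SFX and the tasks run exports)
    "rundll32_export_from_staging": re.compile(
        r"rundll32(\.exe)?\s+\"?[^\"]*" + STAGING + r"[^\"\s,]+\.dll\"?\s*,\s*\w+", re.I),
    # schtasks /create or /delete naming one of the campaign's task names
    "schtasks_known_task_name": re.compile(
        r"schtasks(\.exe)?\s+/(create|delete)\b.*\s/tn\s+\"?" + TASKS + r"\"?(\s|$)", re.I),
}


def scan(events: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """events: (event id, process command line). Returns (rule, event id) hits,
    one per matching rule, so one command line can trip several rules."""
    hits = []
    for eid, cmd in events:
        for rule, pat in RULES.items():
            if pat.search(cmd):
                hits.append((rule, eid))
    return hits


# CONSTRUCTED sample events modelled on the chain in the article. e5 and e6 are
# benign look-alikes that must not match.
SAMPLE_EVENTS = [
    ("e1", r'rundll32.exe "C:\Users\alice\AppData\Local\Temp\dn2272iosUp.dll",StTskloipy'),
    ("e2", r'schtasks /create /sc minute /mo 5 /tn OneDriveUpdaton '
           r'/tr "rundll32 C:\Users\alice\AppData\Local\Temp\dn2272iosUp.dll,SDtuiopnhukm" /f'),
    ("e3", r'cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q '
           r'"C:\Users\alice\AppData\Local\Temp\dn2272iosUp.dll"'),
    ("e4", r'schtasks /delete /tn Windows /f'),
    ("e5", r'ping 8.8.8.8 -n 4'),
    ("e6", r'rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL'),
]

if __name__ == "__main__":
    for rule, eid in scan(SAMPLE_EVENTS):
        print(f"{eid}: {rule}")
```

The task name "Windows" on its own is a weak indicator, which is why the rule keys on the schtasks verb and the name together; in practice, correlate these hits by parent process and by the Nsget and Updates paths rather than alerting on any single rule.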
(3) Plugin
We captured a plugin named SSrtuioUpd.dll via WingMndre.dll; its basic information is as follows.
Item | Value
---|---
File name | SSrtuioUpd.dll
MD5 | 20c581284cccadd8b6193c2e1c84a900
File type | PE32 DLL
File size | 270848 bytes
Compilation time | 2023-01-23 14:04:33 UTC
This plugin takes screenshots and uploads them. The main logic is in function sub_10006D10, whose main code is shown below.
The screenshot is taken by simulating a press of the Print Screen key. The captured image is saved in the created directory "C:\Users\[user]\AppData\Local\Nsget\srt" under a generated GUID as its file name: it is first written to disk as a .jpg, then encrypted into a file of the same name with the .upr extension, after which the original .jpg is deleted.
The .upr files in the srt directory are then uploaded to the C2 server at the following URL:
https://salcomp.buzz/Terolekaremos/romeosata
Lightweight Plugin Downloader
While pivoting on related samples, we found a simpler plugin-downloader DLL component, implanted by macro documents and shellcode. The sample information is as follows.
MD5 | File type | Compilation time
---|---|---
5e464d04b35a83d28c4e26c06eec28f5 | PE32 DLL | 2022-11-22 13:39:46 UTC
9946df6c429b83009535dca8d1a5d321 | PE64 DLL | 2022-11-22 13:43:00 UTC
The two samples are functionally identical, so the 32-bit version is used as the example. The export Rfvgyrty copies the sample to the created directory "C:\Users\[user]\AppData\Local\Logo" under the name difg02rf.dll, and creates a scheduled task that calls the copied DLL's other export, rgbrgbbgr.
The export rgbrgbbgr checks in turn whether the three plugins Kyingert.dll, tr2201dcv.dll and SSrtfgad.dll exist in the plugin directory "C:\ProgramData\Winstom\Dnt". Any that are missing are downloaded from the C2 server, and each plugin's St export is then called to start it. The plugins are fetched from:
https://grapehister.buzz/DoPstRgh512nexcvv.php
The three plugins do the following:
Name | Function
---|---
Kyingert.dll | Record keystrokes and upload them
tr2201dcv.dll | Collect information about files with specific extensions (.doc, .xls, .ppt, .pdf, .rtf, etc.) in the current user's Desktop, Documents and Downloads directories and send it back
SSrtfgad.dll | Take screenshots and upload them
All three plugins send their data back to the same URL:
https://orangeholister.buzz/kolexretriya78ertdcxmega895200.php
Process of EXE Component Attack
Donot also uses an EXE component as the downloader for follow-on components. The related samples that appeared recently are listed below.
MD5 | File name | VT upload time
---|---|---
171c011571f94ea2f5c928bdf5d560dc | OUTSTANDING PAYMENTS.xls | 2023-01-19 11:30:41 UTC
79cff3bc3cbe51e1b3fecd131b949930 | New SOPs Consular Services.xls | 2023-02-10 09:26:12 UTC
dcac3a03c0c58b90cd4cbcc814d12847 | Visit Details.xls | 2023-02-24 09:26:00 UTC
VBA
The VBA code in Macro Document 1 (MD5: 171c011571f94ea2f5c928bdf5d560dc) is padded with a large number of comments. Once tidied up, it can be seen that the sample first drops pkhfg.bat, which creates three scheduled tasks in preparation for running the follow-on components.
It then calls the gtru_fdtr function to drop the dfer.cab file.
Next it drops tbreah.bat, which extracts the downloader component dfer.exe from dfer.cab. This .bat file is run by the "fghru" scheduled task created above and deletes that task when done.
The VBA code in Macro Documents 2 and 3 is similar, so Macro Document 2 (MD5: 79cff3bc3cbe51e1b3fecd131b949930) is used as the example. Unlike the sample above, the macro is triggered on "BeforeClose" rather than on "Open".
Scheduled tasks are created directly through the Schedule.Service COM interface instead of by dropping .bat files.
After dropping the archive djkd.zip, the code unzips it directly and renames the extracted file to mnvc.exe, the name already set in the scheduled task. We suspect the changed extension is meant to keep antivirus software from scanning the extracted file as an executable.
EXE Downloader
The three EXE components dropped by the macro documents share essentially the same simple code: download two follow-on components from the C2 server, with a global variable (initial value 1) controlling the order in which they are fetched. The second file is a .bat saved at the path that the VBA code above pointed its scheduled tasks at. The main code is shown below.
The EXE components dropped by the macro documents above are summarised as follows.
Item | Value
---|---
Macro file MD5 | 171c011571f94ea2f5c928bdf5d560dc
Downloader MD5 | a84d7a5b8831d7494ee20b939e37e56f
Download URL 1 | https://blogs.firelive.pics/pooireoairoeeae/yuytetyur3544uyraif (saved as C:\Users\Public\Music\aco)
Download URL 2 | https://blogs.firelive.pics/yureyuryquyey/dskjrhekjjkdhjrae (saved as C:\Users\Public\Music\aco.bat)
Item | Value
---|---
Macro file MD5 | 79cff3bc3cbe51e1b3fecd131b949930
Downloader MD5 | 3b730afd4ed953a9031a3facf111a64e
Download URL 1 | https://records.libutires.info/loproiaoroaspdrjro/reoriaweoprdpoi (saved as C:\Users\Public\Videos\nota)
Download URL 2 | https://records.libutires.info/yryerewuaoirjljrq/bcalkrhwejkarje (saved as C:\Users\Public\Videos\nota.bat)
Item | Value
---|---
Macro file MD5 | dcac3a03c0c58b90cd4cbcc814d12847
Downloader MD5 | cf646416025a84c5ef25b99dc999da9d
Download URL 1 | https://forum.winidowtech.info/jkdegqgegcqegog/hfogrcgegdhpgdgeq (saved as C:\Users\Public\Videos\nota)
Download URL 2 | https://forum.winidowtech.info/jilmvldfhqohcqhog/ntbahoghbhcghqo (saved as C:\Users\Public\Videos\nota.bat)
Unfortunately, we did not obtain the follow-on samples from these attacks. The EXE-component activity is consistent with the Donot activity disclosed by other security vendors [3]. Donot has been implanting malware by dropping compressed packages from macro documents since last year, and has used EXE components in that chain since at least September 2022.
String Encryption
Donot frequently encrypts critical strings in its PE components with a variety of schemes. Besides simple addition or subtraction of a fixed value and the single 01 transformation, we found that recent DLL components often use a double 01 transformation and a custom multi-layer scheme to hide critical strings, and sometimes two schemes are used for different strings within the same component.
01 Transformation
In this scheme each byte of the string is converted to its binary representation, so the string is stored in the sample as a string of '0' and '1' characters. Applied once, this is the single 01 transformation. In Donot samples from the end of 2022 the double 01 transformation appeared: the 01 string produced by the first round is transformed the same way again, so each character of the original string ends up represented by a 64-character 01 string.
Customized Multi-layer Encryption
In samples using this scheme, restoring a string means Base64-decoding the stored data and AES-decrypting it, then processing the result in this order: (1) subtract 1 from every byte, (2) swap every pair of adjacent bytes, (3) reverse the string.
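Both schemes above are easy to get subtly wrong when writing a string extractor (the order of the three post-AES steps in particular), so the block below implements each as an encode/decode pair and checks them by round trip. It is an added example for this article, not code from the samples. The AES layer is taken as a caller-supplied callable because its key, IV and mode are sample-specific; the _fake_aes stand-in and the treatment of an odd trailing byte in the swap step are assumptions made for the demo.

```python
# Added example (not Donot's code): the 01 transformations and the custom
# multi-layer string scheme described above, as encode/decode pairs.
import base64
from typing import Callable, Tuple


def to01(data: bytes) -> str:
    """Single 01 transformation: each byte becomes its 8-character binary form."""
    return "".join(f"{b:08b}" for b in data)


def from01(bits: str) -> bytes:
    """Reverse of to01; rejects anything that is not a multiple of 8 '0'/'1' chars."""
    if len(bits) % 8 or set(bits) - {"0", "1"}:
        raise ValueError("not a 01 string")
    return bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8))


def double01(data: bytes) -> str:
    """Double 01 transformation: run to01 again over the ASCII '0'/'1' bytes of
    the first pass, so every original byte costs 64 characters."""
    return to01(to01(data).encode("ascii"))


def undouble01(bits: str) -> bytes:
    return from01(from01(bits).decode("ascii"))


def _swap_pairs(data: bytes) -> bytes:
    """Swap every two adjacent bytes. An odd trailing byte stays in place
    (ASSUMPTION: the article does not say how odd lengths are handled)."""
    out = bytearray(data)
    for i in range(0, len(out) - 1, 2):
        out[i], out[i + 1] = out[i + 1], out[i]
    return bytes(out)


def multilayer_finish(aes_plain: bytes) -> bytes:
    """The three steps applied after Base64 decode and AES decrypt:
    subtract 1 per byte, swap adjacent bytes, reverse."""
    step1 = bytes((b - 1) & 0xFF for b in aes_plain)
    return _swap_pairs(step1)[::-1]


def multilayer_prepare(plain: bytes) -> bytes:
    """Inverse of multilayer_finish, i.e. what a builder does before AES."""
    return bytes((b + 1) & 0xFF for b in _swap_pairs(plain[::-1]))


def restore_string(blob_b64: str, aes_decrypt: Callable[[bytes], bytes]) -> str:
    """Full restore path: Base64 -> AES (caller-supplied) -> finish steps."""
    return multilayer_finish(aes_decrypt(base64.b64decode(blob_b64))).decode("utf-8")


def hide_string(s: str, aes_encrypt: Callable[[bytes], bytes]) -> str:
    return base64.b64encode(aes_encrypt(multilayer_prepare(s.encode("utf-8")))).decode()


def _fake_aes(buf: bytes) -> bytes:
    """CONSTRUCTED stand-in for the AES layer so the demo runs offline; replace
    with a real AES decrypt using the key and IV recovered from the sample."""
    return bytes(b ^ 0xA5 for b in buf)


def demo() -> Tuple[str, str]:
    s = "briefdeal.buzz"
    hidden = hide_string(s, _fake_aes)
    return hidden, restore_string(hidden, _fake_aes)
```

With a real AES routine plugged in, restore_string is the function to run over every Base64 blob the decryption wrapper in a sample is called with; to01/from01 and double01/undouble01 cover the 01 variants, where the 64-characters-per-byte ratio is the quickest way to tell the double form from the single one.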
Summary
Overall, the Donot group's techniques are fairly fixed, and a common tactic in its attack chain is to link the sequential components with scheduled tasks. The group is, however, expanding its attack process with more varied ways of implanting components and with a wider range of component types.
Although no related attacks affecting domestic users have been reported, QiAnXin's RedDrip Team reminds users not to open links of unknown origin shared on social media, not to open unknown email attachments, not to run unknown files with sensational titles, and not to install apps from unofficial sources. Back up important files regularly and keep software patched.
If an app of unknown origin must be installed, it can first be analysed on QiAnXin Threat Intelligence Center's deep analysis platform (https://sandbox.ti.qianxin.com/sandbox/page), which supports a wide range of file formats for the Windows and Android platforms.
All QiAnXin products that use threat intelligence from QiAnXin Threat Intelligence Center, including TIP, Tianqing, the Tianyan Advanced Threat Detection System, QiAnXin NGSOC and QiAnXin Situational Awareness, already detect these attacks precisely.
IOCs
MD5
(Macro files)
06adbb4ba31a52cc5c9258bf6d99812c
d98e2d7c8e91a9d8e87abe744f6d43f9
c839d8a01c97407526b3407022823c8a
1c4fb7c41e7928bfb74784d910522771
e1d235c95a7c06b1203048972cf179fa
6de75b200652eefa4a6a3bb84da7f798
0ec8911f9764ea7b254ea19cd171535e
171c011571f94ea2f5c928bdf5d560dc
79cff3bc3cbe51e1b3fecd131b949930
dcac3a03c0c58b90cd4cbcc814d12847
(DLL)
e46cd1c4b32355cad39b41ef3b66b659
c231254ced08ca556bf35e587469628f
5557b32672ee9ad6be20395d447a3e52
3feb4de4375dcc3ffb4144e2fc61dd94
4c0dadc4b6938dcc9ca8951d34cb2a09
d30631ba67a28a6e4ab0c4e9584e26c2
2abc60fa1e042612e723360ccd8220c6
3c6ad03f0ab284350d8b0d3d4cf22196
07a3c19bc67c5f44c888ce75d4147ecf
d7e123fe7fb8a5f56ec9d89f7787340d
20c581284cccadd8b6193c2e1c84a900
5e464d04b35a83d28c4e26c06eec28f5
9946df6c429b83009535dca8d1a5d321
ee24afbe471b5e63b06a759fa0eba0cc
7750cac1cab5e6fd9e5cadecbc3c51f6
0844b582c202dca08083d04d10bdf36e
(SFX)
4eaa63dd65fc699260306c743b46303b
(EXE)
a84d7a5b8831d7494ee20b939e37e56f
3b730afd4ed953a9031a3facf111a64e
cf646416025a84c5ef25b99dc999da9d
C2
one.localsurfer.buzz
orangevisitorss.buzz
morphylogz.buzz
crezdlack.buzz
crushter.info
monitoriing.buzz
m.seasurfer.buzz
bloggerboy.buzz
sky.ydnmovers.buzz
itygreyhound.buzz
balancelogs.buzz
mayosasa.buzz
goldliney.buzz
briefdeal.buzz
repidyard.buzz
salcomp.buzz
grapehister.buzz
orangeholister.buzz
blogs.firelive.pics
records.libutires.info
forum.winidowtech.info
URL
hxxp://one.localsurfer.buzz/jl60UwJBkaWEkCSS/MU3gLGSnHhfDHRnwhlILSB27KZaK2doaq8s9V5M2RIgpeaD8[.ico|.png|.mp3|.mp4]
hxxp://orangevisitorss.buzz/QcM8y7FsH12BUbxY/XNJxFhZdMSJzq1tRyF47ZXLIdqNGRqiHQQHL6DJIjl2IoxUA[.ico|.png|.mp3|.mp4]
hxxp://morphylogz.buzz/Ik3EIidq3fc2GGig/aFwrDmHIiBWh62kZPVb4bmV0waydPv0WtgqM0QTte5iAFzF0[.ico|.png|.mp3|.mp4]
hxxp://crezdlack.buzz/icsJOzJVtdTcGPB3/PT0w3akYLzLtd5AGs3PVEjMKJ1aO5xtfGvWbFmc4ubgXBvJO[.ico|.png|.mp3|.mp4]
hxxp://crushter.info/m4k1doWVqrvvbjsc/AOg9AQ2SVeHsiL61tkS53q02NnMToZuOb8s5yUe8jEcBxAs0[.ico|.png|.mp3|.mp4]
hxxp://monitoriing.buzz/3fHYKahOXhkVV3Uj/dqyWpAfXBcyQkTkzoamk25hn3cbTbeuhImfJO08uTOFCkhIa[.ico|.png|.mp3|.mp4]
hxxp://m.seasurfer.buzz/33lhGEeiVe57s8gY/nmEVLghL0B5dMtBiZMAgeIVniuP4bVFETWfsZqQ2jZ1bMJYd[.ico|.png|.mp3|.mp4]
hxxps://bloggerboy.buzz/zapterserty512wer/plekobakarester
hxxps://bloggerboy.buzz/zapterserty512wer/xcvderioneytr
hxxps://sky.ydnmovers.buzz/Kolpt523ytcserstrew/torel
hxxps://sky.ydnmovers.buzz/Kolpt523ytcserstrew/meoko/P/sa
hxxps://itygreyhound.buzz/Kolpt523ytcserstrew/torel
hxxps://itygreyhound.buzz/Kolpt523ytcserstrew/meoko/P/sa
hxxps://balancelogs.buzz/Kolpt523ytcserstrew/torel
hxxps://balancelogs.buzz/Kolpt523ytcserstrew/meoko/P/sa
hxxps://mayosasa.buzz/Testoresisty/kolimekatares
hxxps://mayosasa.buzz/Testoresisty/bekolopexar
hxxps://goldliney.buzz/Lomiapekaso/texadikkomanapel
hxxps://goldliney.buzz/Lomiapekaso/ertopikana
hxxps://briefdeal.buzz/Treolekomana/recopereta
hxxps://briefdeal.buzz/Likorecasta/mikachar
hxxps://repidyard.buzz/Romexicarto/terokanama
hxxps://repidyard.buzz/xoexapolicreate/ertyprmekabiops
hxxps://salcomp.buzz/Terolekaremos/romeosata
hxxps://grapehister.buzz/DoPstRgh512nexcvv.php
hxxps://orangeholister.buzz/kolexretriya78ertdcxmega895200.php
hxxps://blogs.firelive.pics/pooireoairoeeae/yuytetyur3544uyraif
hxxps://blogs.firelive.pics/yureyuryquyey/dskjrhekjjkdhjrae
hxxps://records.libutires.info/loproiaoroaspdrjro/reoriaweoprdpoi
hxxps://records.libutires.info/yryerewuaoirjljrq/bcalkrhwejkarje
hxxps://forum.winidowtech.info/jkdegqgegcqegog/hfogrcgegdhpgdgeq
hxxps://forum.winidowtech.info/jilmvldfhqohcqhog/ntbahoghbhcghqo
Reference Links
[1] https://twitter.com/RedDrip7/status/1619267505650036738
[2] https://ti.qianxin.com/blog/articles/Donot-uses-Google-Drive-to-distribute-malware/
[3] https://mp.weixin.qq.com/s/rslBGQgTL_jZD73AJqI05Q