21 July 2021

2CMV21-00203-01 CSIRT alerts on phishing campaigns carrying malware and shares IoC for monitoring and blocking

Summary

The Computer Security Incident Response Team (Government CSIRT) shares a set of Indicators of Compromise (IoC) obtained from the analysis of multiple phishing campaigns whose attachments contain malware. These campaigns are circulating in the national cyberspace and pose a risk to information systems as well as to users in general.

The Government CSIRT recommends that administrators and users block the hashes published in this report and keep the remaining Indicators of Compromise under permanent monitoring.

Note

Please consider the indicators of compromise as a whole, not in isolation.

Hash IoC

SHA-256 hashes of the attachments found in the emails:

No. SHA-256 hash Malware type
1 85bf932b3b1d6dfdd4a88990127d3506f66dc1291fa219e899e45d5b7e301984 HTML/Fisher.295!tr
2 f2d084daef2879143ef4fbb13b95ceaa502a6a10ddbbb6f8f5aa240e7975493d HTML/Fisher.295!tr
3 07dd4ee1df8e68ee3db8f40d229a67f7c2bc6c84f7771811b874eaef52f52308 HTML/Fisher.295!tr
4 3ae1e49f9ed22a71e3cbe361ddf8069ea4bb0cd97f007f3ece0371bdcd8f3a8a HTML/Fisher.295!tr
5 54d72f13cbc428b63bf447f27d311d47dca8b3ea66db6ea40a97a3c1efe7b553 HTML/Fisher.295!tr
6 40973413af67edf20103934ded7d79f027b4c03ae1feef37cf4cce125a71836a HTML/Fisher.295!tr
7 046acc091e1295057af4873d1270eba61b09be7ad145827b1757f4042b753d81 HTML/Fisher.295!tr
8 8fb73c6a027c5e515ac227d7f069dfeff04c94073a83e81eb69253c8c75cf0d0 HTML/Fisher.295!tr
9 c01dedbc746a16a56712536bf571c32f93a2931a6fa107a6b59c01cf0dbf8546 HTML/Fisher.295!tr
10 40f6bb24a2a8429d407b46580685a3b7d0283c18d1315b1e0f3e44381c8794e5 HTML/Fisher.295!tr
11 0ddc217fad3c587462e43829f94a5aec4e4079ddf6ab088423129615accff04e HTML/Fisher.295!tr
12 e9f631f88fa84f86a467b734ca186a3f6c0a00c65c072a7b3d62501b53ca424d HTML/Fisher.295!tr
13 c76acd788320030e85aaa925870a770217352f34a86b9de625f00db6d14298ee HTML/Fisher.295!tr
14 17f87a0422c08443f627bfba6ebd143c0c62c0cf70431cecdd040f619946c57e HTML/Fisher.295!tr
15 0af2fe0136bea931e762112d811f9aabbdf733afa2f4aea816bfc66af2974ded HTML/Fisher.295!tr
16 305e0fb98c52c99b7e5541a0ef2ab832b047dd6281c8dfadd284a8004afabc16 HTML/Fisher.295!tr
17 027686cab112ebd16edb28f71379b69d310636d671b90b41a5dca7004b992b77 HTML/Fisher.295!tr
18 f847ea36df2d40d1700ef099b244afb05c960e11c44e22cfc12b44b22bf993df HTML/Fisher.295!tr
19 8fd8fb4df74fa886589a6e13e08769e70c0d576171369a767ba78a69b8b26634 HTML/Fisher.295!tr
20 111238fb60b05d919e550d0ab4e95e2dc2e8e75ecd233a7c73be9678aa396805 HTML/Fisher.295!tr
21 332eda8c68cec9356a1ed39e53cc79e8ac8467053628002b3c5d6a7fec1812f9 HTML/Fisher.295!tr
22 7a7c7295a28e8866f20255156cec71b1f32908924c1b39fe35b3eb93a39a23be HTML/Fisher.295!tr
23 10eb56cf79b33e82d8300cbe0b5e71072410028f14d0c7c721947b58bb8054a3 HTML/Fisher.295!tr
24 6c35a6510a269c3a8b44cb58ed84a23b421cc6eaa739ca0fdc8838c8d18240e9 HTML/Fisher.295!tr
25 2ebba28b582188214a3acf2860feae608e773a4a12e1ff0b761d4811d50c1bdd HTML/Fisher.295!tr
26 608681de369640df3ebceeb3401feb364b97909273c93af0424230e881e0cfb1 HTML/Fisher.295!tr
27 24ec6085094a95a0edba39ffb97dd51b875eed029bad9251889ba5af22d76d99 HTML/Fisher.295!tr
28 7ef68c356fd0a898a11f94dd46da3f24e82a4de30b08d49254d9ef15e8efa37b HTML/Fisher.295!tr
29 9a25bf4863a58000431b48d9e342e31cf2766a2de4ac38c2169773a4b89d1998 HTML/Fisher.295!tr
30 10ca4aa8fdbd2f71339c90a26fc148368ae7fa950aa52dce1dfa2fdadc76b133 HTML/Fisher.295!tr
31 e253c023459dce97c95ca9c63446633eafbca1dd83c762c5cb4c3d24986eba3f HTML/Fisher.295!tr
32 d0e193d278f6605cd4a032035216b7223e92ea3ac8bf3efa8ac17e5a5b001cbb HTML/Fisher.295!tr
33 fdfd6757c110bf486c550c212a4bf1aa9869235b9f5a690c29a70ae51112466c HTML/Fisher.295!tr
34 684756755a0fc568b7034d87ed9ecd32ea36e2eb8fc164f0c3cc52476968d717 HTML/Fisher.295!tr
35 dbbec7a08ef6286e974cb910f493e1255e8bb25d001762bef9aa3ecd18249cd1 HTML/Fisher.295!tr
36 f534c9ec6fcb77fe9dea3e354b2140dbb2227808294803228bf962799094ff84 HTML/Fisher.295!tr
37 c76483aecab8ee54042e55e37da2a93c900082c8235e40f5b480b000a15f9b60 HTML/Fisher.295!tr
38 8191a837bda3274522c8dc26a56d2fcdf1ed7973267d191606ea787253127ea1 HTML/Fisher.295!tr
39 2fcefd048932aaaa187e94eee172a866ae24328a936590713eabf1145c50befa HTML/Fisher.295!tr
40 95318a67672f8aeed29449cdb7b2ac8fc8376ad220a3dcfb0dbafca9c9b7106e HTML/Fisher.295!tr
41 baf481f753c8d140374c7fab2d4c8eff4b11041f152fc3c2dd02aab7427fe2e5 HTML/Fisher.295!tr
42 7d449af0446e44e8aaf70bb6a72e53997de835c29957ac1c81d9b493a65ce1b1 HTML/Fisher.295!tr
43 e7c3aa587409d80ff83af0e03783264464e261072660956dc0520a8d5d778e48 HTML/Fisher.295!tr
44 6ad401f8f4e3d398aa71edfb2f70ccf46b05264039487ce89e87a5c88261e137 HTML/Fisher.295!tr
45 35d68f509bf318ae37607c8ec3e6761b3ee8393b0a5d7c19e74c0fcd4c8ce099 HTML/Fisher.295!tr
46 5fe8e07025b43b9d033f39db2a7270e1d08818347b6fcd3116bb08e02d529552 HTML/Fisher.295!tr
47 49142234dad2247b501caaa3733bf35adc75e5c4d88eca66902135c624eeefcd HTML/Fisher.295!tr
48 2c39f0e9c19ed13e35cc2b8a45816b08809fb9b352fbb41fa7d5e71587b65d0b HTML/Fisher.295!tr
49 c2cdb4b408859f1071b0689321a90c11d18319e1c074a5dfc578fe766fdc0cb4 HTML/Fisher.295!tr
50 f9c5c7ecb93e07b2c3cf0d70ef954271b9c1638d49aeabdd8957442935614f29 HTML/Fisher.295!tr
51 ecd13939c43d1ab838198696196b5090c6128b2ad9f2ff96d2b85081e68ae697 HTML/Fisher.295!tr
52 3a49559073969cfff64fa093e2090a2e92fb5a345122d018260390a33fd6d6ad HTML/Fisher.295!tr
53 708a91b1746b7d240defefa2c5c3e46aec524d802089bac20558eb359f190d09 HTML/Fisher.295!tr
54 c0a2c9590ddec8b91a2d5f41016bf3bc49071b61a308605ea966b31c7acda1b5 HTML/Fisher.295!tr
55 401e27db43fb18ee0badd90ebfedff42bd721f0f82b78aeb427d0d6227f10dba HTML/Fisher.295!tr
56 0a7a628f83780df70e68d932a0de5f97ab34e9f622dc686b7e3386c86a1a0a51 HTML/Fisher.295!tr
57 8a03904b6fc1fbb8559a42bdd4df2fdc78c98d7e767cf0b0f7870c2ce7f9a6a0 HTML/Fisher.295!tr
58 faa617b50c35b31ecbdeb2904ef52138d3829f3cea06488cef4313a629d24d75 HTML/Fisher.295!tr
59 5fde1e91d2d79179e9349ed2e037af30cf808636bf446fbcf16a7ee8c17e8214 HTML/Fisher.295!tr
60 c6bf627c961f219ad2a2bdb2024bd6c498fcbad0d6252ad0d4719eaf4fc44995 HTML/Fisher.295!tr
61 41b8563391eeb3c26f39ab9484a694dc332ef95990e9f680721271ad513166c2 HTML/Fisher.295!tr
62 742d411e53be4a81a450648d104415a8441c78ccd6127a2902ba3c589f6ea953 HTML/Fisher.295!tr
63 4cfaa3d19bea873b693b3f939af328d4577c5234c8a9342d9c7cd96f70d7ab94 HTML/Fisher.295!tr
64 441f7c39078e978334d200e765e21626a792d7d9adeb283431daf0ba7dab1dfe HTML/Fisher.295!tr
65 264f08f041d0d6d265425189bfd853351bf5445bd72d4eda2383d475b857a4b3 HTML/Fisher.295!tr
66 0c7c9e7ad2e0b4abacfef83623316ad978a97a3db192e263a6976f30ac8286a8 HTML/Fisher.295!tr
67 577122608f35d15f6993191ef795bdf80ab3ffa6d2540f3bccf0bbeeaac7570d HTML/Fisher.295!tr
68 73d30b360b8f72a5e45e48d92b353d703db9e6caf2fea17ba940553f430ea1a1 HTML/Fisher.295!tr
69 fd7bb3f9d20db4a16d0c12e4c330d8bb6c23883c33fa13f0505ce2eab3f665cf HTML/Fisher.295!tr
70 8c1e5736331e9c875ea1ae532dcd58bd40eb80819ef2f3a2d5080bb723ed5f4c HTML/Fisher.295!tr
71 4bd248fe22ac9d611889b6e6c8a9d093832f69f17100db06b069c1e69bc1c271 HTML/Fisher.295!tr
72 f34221c5b56c76435638a0ce9354fce51b27f27eea773b3f6e7781770dd99767 HTML/Fisher.295!tr
73 034199c0abf2d787c9778a08591dda826ec9a887f4337b372b217d153133ddab HTML/Fisher.295!tr
74 8be0bfabd0131293651ec5acfde25ef78773dd3ba4eb898b4cc0cc836512e7d3 HTML/Fisher.295!tr
75 b79bcbe51e73fd483469b7b63e19d3a1971d6a9c05b77a7dc7b45dc068f77be5 HTML/Fisher.295!tr
76 498c6a657325b8306cdd5ca5b61edcdd2074dc69ac7c3d53eb4a5848a8a23cf3 HTML/Fisher.295!tr
77 8f7e3a87c2fe8ddbbf84b011f49e3a243b33637761c82eaeb3495bb1164908fe HTML/Fisher.295!tr
78 5ce36ce85184945d5f30a8d9081105723297c0650aa929e9e53801414bb68fea HTML/GenericKDZ.1174!tr
79 4eb8af783f0a5ee33275f4f875fe69408c61b5ca77df8a399c70d682afef06a2 HTML/GenericKDZ.1174!tr
80 90c8ae15aec66d5c11ad5cc0bfc0e80deec11b2a04f0ab2bff3182de5300fe2e HTML/GenericKDZ.1174!tr
81 3e187fbe81b364327180fc1ca695ad251c09f918b1a147d1ea28104bf6f4cbe9 HTML/Phish.397C!tr
82 08ebcff7243587fccd12c49ea2f2933be00bdc6546cc6c5fd0239aa4bf815342 HTML/Phish.BF41!tr
83 41e48d3cadcccaccc4ad6260384779b11d8c0bd63c18ee7ae12de6dafd53213d HTML/Phish.BF41!tr
84 692cb027c375a5309c7bd30e7cef0204c60eacfafd35889e59c530636f8ade70 Malicious_Behavior.SB
85 8b6152f4163a83ba3eef961d44115feb19e8f916c887af6b85fe9541c1f97fd7 Malicious_Behavior.SB
86 461a101eda112b3565d7f8ee961a2a066bc059333b7f85715872634cc1f081ac Malicious_Behavior.SB
87 bc25a7d43fc1da6677d62e5f9573b259f8b4ec6ab32f5aed8102d57948517bae Malicious_Behavior.SB
88 439b1755be21ad2c8eefd63531e8bbbacdc7b1c07057d83dd9066358b4402661 Malware_Generic.P0
89 9b34ded1cfa18860eed4e7f6fa5043db044fa0eb6a81eb911a408304b05aefa7 MSIL/Kryptik.ABRY!tr
90 afcba9ee59b8d6972e414ffd93556389ee378a4139453acf70be522e91a69c95 MSIL/Kryptik.DLO!tr
91 8e026969ac083cb90e1ece1b2a13353eb9facd2c5cfde7d73ae0c52bf828f88a W32/Malicious_Behavior.SBX
92 2b4219e8a06702279e71778d097bcd122766a44d07827c5834768ac9463c7b65 W32/Taskun!tr
93 f9930198476d841f38ec234cfbc8ea3796efb4bafd157fe6f51330cf940290b4 W32/Taskun.ABVW!tr

File name IoC

Names of the files carrying malware:

No. Malware file name
1 CMA-CGM Online Receipt.html
2 Quotation.html
3 Order30062021.HTML
4 MCP Nicosia Vessel Particulars.rar
5 OUR LADY’S DETAILS.rar
6 EVER GIVEN Pre Arrival form and Cargo Manifest.zip
7 FI-210798010003.r09
8 Zawawi.doc
9 Invoice # 406496.doc
10 BL invoice.doc
11 Invoice (20002003).doc
12 0987YHJBVTYU-PO.zip
13 40056763-order_ 8_07_2021.doc
14 Amended Order.doc
15 PO #30039482.doc
16 orden de compra# 310000668.gz
17 PO-158202101.zip
18 orden de compra# 310000668.lzh
19 Shipping Documents BL +CI.gz
20 299388384949111.LzH
21 Payment Advice Note from 08.07.2021 to 308720.zip
22 HSBC PAYMENT ADVICE.r00
23 MV SEAFARER.rar
24 Documentos de envio originales.zip
25 izvozni cenovnik 2021 BIH 15.7.2021.doc
26 Unit of Volume.doc
27 45543CN-8_21.exe
28 RFQ- 07-023 Quo7-877253.rar
29 Proforma Invoice 01 VIAZ 1820.zip
30 TRANSFER VOUCHER.zip
31 dhl BL 204103842 Docs.zip
32 aceptacionpermitrodeexclusion20210711_22431305 (2).pdf
33 descargos_a_sumario_N°1935_.docx
34 ESPECIFICACIONES TECNICAS SANITARIAS POSTA PEDREGOSO.doc
35 3-2494.pdf
36 cvm-91408814.pdf
37 CERTIFICADO AVALUO FISCAL.pdf
38 Citacion_Ordinaria_N°_42_julio _2021.pdf
39 Tabla Consejo Julio 2021.pdf
40 Acta_N°_41_del_23_de_Junio..pdf
41 INFORME AVANCE 3 MIGUEL CARTES.pdf
42 ACUSEDERECIBO_AQ001T0005481.pdf
43 182813-BoletaElectronica.pdf

SMTP server IoC

IP addresses of the sending SMTP servers. Bear in mind that addresses belonging to well-known cloud services may appear here, since this section records where the malicious emails were sent from.

No. IP Autonomous system label
1 45.7.230.78 OPENCLOUDSpA
2 141.226.3.28 RIPENetworkCoordinationCentre
3 184.176.134.58 CoxCommunicationsInc.
4 162.245.182.137 ReedsburgUtilityCommission
5 181.58.189.228 TelmexColombiaS.A.
6 174.115.233.87 RogersCommunicationsCanadaInc.
7 166.157.4.235 ServiceProviderCorporation
8 54.160.161.235 AmazonTechnologiesInc.
9 190.4.213.174 TELEFONICAMOVILDECHILES.A.
10 120.158.130.252 TelstraCorporation
11 51.210.20.90 SystemLtdBDM
12 178.32.76.155 GrossAlan
13 136.144.41.79 RIPENetworkCoordinationCentre
14 136.144.41.208 RIPENetworkCoordinationCentre
15 37.0.11.104 ServerionBV
16 37.0.11.253 ServerionBV
17 2.56.59.91 ServerionBV
18 103.115.67.133 MIXTELECOMLLC
19 118.42.185.245 KoreaTelecom
20 103.24.0.199 HongKongRedToneTelecomunicationsLimited
21 77.76.155.50 INTERCITY
22 95.225.50.112 TelecomItaliaS.p.A.
23 80.35.82.110 ReddeserviciosIP
24 103.82.27.232 PhongThuymediajointstockcompany
25 103.139.44.229 TrungHieuServicesTradingInvestmentCompanyLimited
26 103.28.70.171 TransferredtotheARINregionon2016-06-20T22:38:28Z.
27 103.28.70.138 TransferredtotheARINregionon2016-06-20T22:38:28Z.
28 108.62.118.59 LeasewebUSA Inc.
29 68.42.145.159 ComcastCableCommunications LLC
30 138.197.147.173 DigitalOcean LLC
31 151.84.151.179 Wind Tre S.p.A.
32 43.129.181.214 Tencent Building, Kejizhongyi Avenue
33 217.155.205.10 Zen Internet Ltd
34 177.200.80.201 SOBRALNET SERVICOS E TELECOMUNICACOES LTDA – ME
35 87.240.208.54 POST Luxembourg
36 43.133.33.18 Tencent Building, Kejizhongyi Avenue
37 43.132.149.219 Tencent Building, Kejizhongyi Avenue
38 43.133.33.102 Tencent Building, Kejizhongyi Avenue
39 179.192.99.253 Telemar Norte Leste S.A.
40 51.195.227.148 OVH SAS
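The report separates two actions: block on the published hashes, and monitor the remaining indicators (file names and sending SMTP addresses, where the note above warns that legitimate cloud providers will show up). The Python script below is an added illustration of that block/monitor split and is not part of the CSIRT report. The IoC values it embeds are a small subset copied from the tables in this report; the mail headers, host names in the reserved .invalid domain and the attachment bytes are constructed samples.

```python
import hashlib
import re
from typing import Dict, List, Optional, Tuple

# Subset of the IoCs published in this report (values copied from the tables above).
# A production deployment would load every row of the report, not this excerpt.
IOC_HASHES: Dict[str, str] = {
    "85bf932b3b1d6dfdd4a88990127d3506f66dc1291fa219e899e45d5b7e301984": "HTML/Fisher.295!tr",
    "5ce36ce85184945d5f30a8d9081105723297c0650aa929e9e53801414bb68fea": "HTML/GenericKDZ.1174!tr",
    "9b34ded1cfa18860eed4e7f6fa5043db044fa0eb6a81eb911a408304b05aefa7": "MSIL/Kryptik.ABRY!tr",
    "2b4219e8a06702279e71778d097bcd122766a44d07827c5834768ac9463c7b65": "W32/Taskun!tr",
}
IOC_FILENAMES = {name.casefold() for name in (
    "CMA-CGM Online Receipt.html",
    "Quotation.html",
    "Invoice # 406496.doc",
    "45543CN-8_21.exe",
)}
IOC_SMTP_IPS: Dict[str, str] = {
    "45.7.230.78": "OPENCLOUDSpA",
    "54.160.161.235": "AmazonTechnologiesInc.",
    "138.197.147.173": "DigitalOcean LLC",
    "51.195.227.148": "OVH SAS",
}

# Matches the bracketed IPv4 literal that MTAs write into Received: headers.
IPV4_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed sample message (host names use the reserved .invalid TLD; no real mail).
SAMPLE_HEADERS = [
    "Received: from mail.sender.invalid (mail.sender.invalid [45.7.230.78]) by mx.example.invalid",
    "Received: from relay.example.invalid (relay.example.invalid [192.0.2.10]) by mx.example.invalid",
    "Subject: Quotation",
]
SAMPLE_ATTACHMENTS = [("Quotation.html", b"<html><body>constructed sample</body></html>")]


def sha256_hex(data: bytes) -> str:
    """SHA-256 of an attachment body as lowercase hex, the form used in the report."""
    return hashlib.sha256(data).hexdigest()


def classify_attachment(filename: str, sha256: str) -> Optional[Tuple[str, str]]:
    """Return ("hash", malware_type), ("filename", name) or None.

    The report recommends blocking on the hash; a file-name-only hit is a
    monitoring signal, since names are easily reused by benign mail as well."""
    digest = sha256.strip().lower()
    if digest in IOC_HASHES:
        return ("hash", IOC_HASHES[digest])
    if filename.casefold() in IOC_FILENAMES:
        return ("filename", filename)
    return None


def scan_received_headers(header_lines: List[str]) -> List[Tuple[str, str]]:
    """Return (ip, AS label) for every Received: hop listed among the SMTP IoCs.

    Hits are a monitoring signal rather than a block decision: the report notes
    that well-known cloud providers appear because the list records where the
    malicious mail was sent from, not necessarily attacker-owned hosts."""
    hits: List[Tuple[str, str]] = []
    for line in header_lines:
        if not line.startswith("Received:"):
            continue
        match = IPV4_IN_BRACKETS.search(line)
        if match and match.group(1) in IOC_SMTP_IPS:
            hits.append((match.group(1), IOC_SMTP_IPS[match.group(1)]))
    return hits


def triage_message(header_lines: List[str], attachments: List[Tuple[str, bytes]]) -> Dict[str, list]:
    """Split findings into 'block' (hash hits) and 'monitor' (file-name and IP hits)."""
    verdict: Dict[str, list] = {"block": [], "monitor": []}
    for name, body in attachments:
        finding = classify_attachment(name, sha256_hex(body))
        if finding is None:
            continue
        bucket = verdict["block"] if finding[0] == "hash" else verdict["monitor"]
        bucket.append(finding)
    for ip, label in scan_received_headers(header_lines):
        verdict["monitor"].append(("smtp_ip", f"{ip} ({label})"))
    return verdict


if __name__ == "__main__":
    print(triage_message(SAMPLE_HEADERS, SAMPLE_ATTACHMENTS))
```

For the constructed sample the attachment body does not hash to any published value, so it lands in the monitor bucket through its file name alone, and the first Received: hop lands there through the SMTP list; nothing is blocked. Feeding a real attachment whose SHA-256 is in the report moves it to the block bucket, which is the only automatic action the report recommends.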

Recommendations

  • Do not open emails or messages of doubtful origin.
  • Distrust links and attachments in messages or emails.
  • Keep your platforms up to date (Office, Windows, Adobe Acrobat, Oracle Java and others).
  • Be skeptical of unbelievable offers, promotions or prizes offered on the internet.
  • Pay attention to the details of messages and social media posts.
  • Evaluate preventively blocking the indicators of compromise.
  • Keep all technology and threat detection platforms up to date.
  • Review the security controls of your anti-spam and sandboxing solutions.
  • Run permanent user awareness activities on this type of threat.
  • Verify that the websites you visit are the official ones.

The official report published by the CSIRT of the Government of Chile is available at the following link: 2CMV21-00203-01.