
New Storm Valentine’s Day Campaign

While we saw the Valentine’s Day campaign start in January, it has since morphed. This time it uses the following approaches (some old, some new):

  • raw IP addresses in the spam lures
  • the filename is now “valentine.exe”, using a redirect and a clickable link
  • much simpler HTML websites
  • subjects include “Blind Love”, “Just You” and other warm fuzzy subjects
  • rapidly changing MD5 hashes
  • poor AV detection

The dropped files are the peer list (an INI file) and a driver; here is the filename scheme this time:

C:\WINDOWS\system32\diperto.ini
C:\WINDOWS\system32\diperto7701-7a5c.sys

It will use this to create and start a service:

Create Service - Name: (diperto7701-7a5c) Display Name: (diperto7701-7a5c) File Name: (C:\WINDOWS\system32\diperto7701-7a5c.sys) Control: () Start Type: (SERVICE_AUTO_START)
Start Service - Name: (diperto7701-7a5c) Display Name: () File Name: () Control: () Start Type: ()
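As an added detection example (written here, not code from the original post or from Arbor), the following parses sandbox service-event lines in the format shown above and flags the diperto driver service. It assumes the log format is exactly the "Create Service - Name: (...) ... Start Type: (...)" layout above, and it generalizes the one observed name "diperto7701-7a5c" to the assumed pattern "diperto" followed by four hex digits, a dash and four more hex digits; the third sample line (Print Spooler) is a constructed benign control.

```python
import re

# Constructed sample log: the first two lines mirror the post's events, the
# third is a benign control line (constructed) that must not be flagged.
SAMPLE_LOG = """\
Create Service - Name: (diperto7701-7a5c) Display Name: (diperto7701-7a5c) File Name: (C:\\WINDOWS\\system32\\diperto7701-7a5c.sys) Control: () Start Type: (SERVICE_AUTO_START)
Start Service - Name: (diperto7701-7a5c) Display Name: () File Name: () Control: () Start Type: ()
Create Service - Name: (Spooler) Display Name: (Print Spooler) File Name: (C:\\WINDOWS\\system32\\spoolsv.exe) Control: () Start Type: (SERVICE_AUTO_START)
"""

# One regex for the log layout shown in the post; every field sits in parentheses.
LINE_RE = re.compile(
    r"^(?P<action>Create Service|Start Service) - "
    r"Name: \((?P<name>[^)]*)\) "
    r"Display Name: \((?P<display>[^)]*)\) "
    r"File Name: \((?P<file>[^)]*)\) "
    r"Control: \((?P<control>[^)]*)\) "
    r"Start Type: \((?P<start>[^)]*)\)$"
)

# Assumed naming scheme, generalized from the single sample "diperto7701-7a5c":
# "diperto" + 4 hex digits + "-" + 4 hex digits, with the driver in system32.
DIPERTO_NAME_RE = re.compile(r"^diperto[0-9a-f]{4}-[0-9a-f]{4}$", re.IGNORECASE)
DIPERTO_DRIVER_RE = re.compile(
    r"\\system32\\diperto[0-9a-f]{4}-[0-9a-f]{4}\.sys$", re.IGNORECASE
)


def parse_line(line):
    """Return the event fields as a dict, or None if the line is not a service event."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def is_storm_service(event):
    """True when the event matches the diperto driver-service pattern.

    A Create Service event must carry the diperto name, a matching .sys path
    under system32 and SERVICE_AUTO_START; a Start Service event only carries
    the name, so it is matched on the name alone.
    """
    if not DIPERTO_NAME_RE.match(event["name"]):
        return False
    if event["action"] == "Create Service":
        return (
            bool(DIPERTO_DRIVER_RE.search(event["file"]))
            and event["start"] == "SERVICE_AUTO_START"
        )
    return True


def scan(log_text):
    """Return (action, service name, file name) for every flagged event."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and is_storm_service(ev):
            hits.append((ev["action"], ev["name"], ev["file"]))
    return hits


if __name__ == "__main__":
    for action, name, path in scan(SAMPLE_LOG):
        print(f"{action}: {name} {path}".rstrip())
```

Running the block against the constructed sample flags the Create and Start events for diperto7701-7a5c and ignores the spooler line; because the hashes change rapidly, matching on the service naming scheme and the auto-start driver in system32 is more durable than matching on the MD5.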

And all the same good old Stormy stuff. Poor AV detection (via VirusTotal), but humans can spot this a mile away.