← Back to Pulse Feed
PULSE DETAIL
PULSE NAME
Opening a Can of Whoop Ads: Detecting and Disrupting a Malvertising Campaign Distributing Backdoors
Mandiant disclosed a new investigation on a recently discovered infrastructure operated by the distribution threat cluster UNC2975. that leveraged malicious advertisements to trick users into visiting fake “unclaimed funds'' themed websites. In this UNC2975 campaign, the malicious websites delivered PAPERDROP and PAPERTEAR downloader malware that eventually led to DANABOT and DARKGATE backdoor malware.
MITRE ATT&CK & Malware Families
ATT&CK TECHNIQUES
MALWARE FAMILIES
paperdrop
DanaBot
papertear
DarkGate
Indicators of Compromise (33)
| TYPE | INDICATOR | DESCRIPTION | CREATED | |
|---|---|---|---|---|
| domain | positivereview.cloud | — | 2023-12-15 | |
| domain | claimunclaimed.org | — | 2023-12-15 | |
| domain | capitalfinders.org | — | 2023-12-15 | |
| hostname | www.treasurydept.org | — | 2023-12-15 | |
| hostname | plano.soulcarelife.org | — | 2023-12-15 | |
| domain | whatup.cloud | — | 2023-12-15 | |
| domain | lewru.top | — | 2023-12-15 | |
| hostname | www.myunclaimedcash.org | — | 2023-12-15 | |
| hostname | www.claimprocessing.org | — | 2023-12-15 | |
| hostname | arlington.barracudas.sbs | — | 2023-12-15 | |
| domain | dreamteamup.shop | — | 2023-12-15 | |
| domain | treasurydept.org | — | 2023-12-15 | |
| hostname | durham.soulcarelife.org | — | 2023-12-15 | |
| domain | freelookup.org | — | 2023-12-15 | |
| domain | infocatalog.pics | — | 2023-12-15 | |
| hostname | mesa.halibut.sbs | — | 2023-12-15 | |
| domain | bikeontop.shop | — | 2023-12-15 | |
| hostname | pittsburgh.soulcarelife.org | — | 2023-12-15 | |
| domain | lugbara.top | — | 2023-12-15 | |
| domain | gfind.org | — | 2023-12-15 | |
| domain | wscript.shell | — | 2023-12-15 | |
| domain | thebesttime.buzz | — | 2023-12-15 | |
| domain | pe.is | — | 2023-12-15 | |
| hostname | www.assetfinder.org | — | 2023-12-15 | |
| domain | adodb.stream | — | 2023-12-15 | |
| FileHash-MD5 | 650b0b12b21e9664d5c771d78738cf9f | — | 2023-12-15 | |
| FileHash-MD5 | 862a42a91b5734062d47c37fdd80c633 | — | 2023-12-15 | |
| FileHash-MD5 | 9120c82b0920b9db39894107b5494ccd | — | 2023-12-15 | |
| FileHash-MD5 | 7544f5bb88ad481f720a9d9f94d95b30 | — | 2023-12-15 | |
| FileHash-MD5 | 2c16eafd0023ea5cb8e9537da442047e | — | 2023-12-15 | |
| FileHash-MD5 | 9f9c5a1269667171e1ac328f7f7f6cb3 | — | 2023-12-15 | |
| FileHash-SHA256 | 446c6c43616c6c28227573657233322e646c6c222c20226c726573756c74222c | — | 2023-12-15 | |
| FileHash-SHA256 | cf013183c0024b75d28b420403c28bd08bc28bc82b4dd48b5ddc3b8ba4000000 | — | 2023-12-15 |