The analysis of a malicious email revealed a possible raising interest of the TA505 cybercrime gang in system integrator companies.
During a normal monitoring activity, one of the detection tools hits a suspicious email coming from the validtree.com domain. The domain was protected by a Panama company to hide its real registrant and this condition rang a warning bell on the suspected email so that it required a manual analysis in order to investigate its attachment. Digging into this malicious artifact opened up to a possible raising interest of the infamous TA505 in System Integrator Companies (companies in which have been found that threat).
During the past few weeks suspicious emails coming from the validtree.com domain was detected: they were addressing System Integration Companies. The domain validtree.com is registered through namecheap.com on 2017-12-07T15:55:27Z but recently renewed on 2019-10-16T05:35:18Z. The registrant is protected by a Panama company named WhoisGuard which hides the original registrant name. Currently the domain points to 220.127.116.11 which is an IP address assigned to LeaseWeb a VPS hosting provider located in Netherland, Europe. Attached to the email a suspicious word document was waiting to be opened from the victim.
Hash7ebd1d6fa8c21b0d0c015475ab8c7225f949c13a33d0a39b8c069072a4281392ThreatMacro DropperBrief DescriptionDocument DropperSsdeep384:nFZ5ZtDGGkLmTUrioRPATRn633Dmej0SnJzbmiVywP0jKk:n1oqwT2J633DVgiVy25By opening the word document the victim displays the following text (Image1). The document tempts the victim in enabling the macro functionality in order to re-encode the document with readable charsets by translating the current encoding charset to the local readable one.