![Redsn0w 9.15 b3](https://loka.nahovitsyn.com/125.jpg)
![photominer worm photominer worm](https://news-cdn.softpedia.com/images/news2/photominer-worm-spreads-via-vulnerable-ftp-servers-mines-for-crypto-currency-505212-4.png)
Of note, the callbacks were to PHP scripts that included /dad5/ in the URLs. The malware establishes persistence and sends HTTP requests to the command and control domain mailsinfonet. Upon execution, KASPERAGENT drops the payload and a decoy document that displays Arabic names and ID numbers.
Photominer worm download#
The threat actors used shortened URLs in spear phishing messages and fake news websites to direct targets to download KASPERAGENT. It is called KASPERAGENT based on PDB strings identified in the malware such as “ c:UsersUSADocumentsVisual Studio 2008ProjectsNew folder (2)kasperReleasekasper.pdb.” The malware was discovered by Palo Alto Networks Unit 42 and ClearSky Cyber Security, and publicized in April 2017 in the Targeted Attacks in the Middle East Using KASPERAGENT and MICROPSIA blog. KASPERAGENT is Microsoft Windows malware used in efforts targeting users in the United States, Israel, Palestinian Territories, and Egypt since July 2015. Some of the indicators in the following post were published on AlienVault OTX on 6/13. Associated indicators and screenshots of the decoy documents are all available here in the ThreatConnect platform. In this blog post we will detail our analysis of the malware and associated indicators, look closely at the decoy files, and leverage available information to make an educated guess on the possible intended target. Although we do not know who is behind the campaign, the decoy documents’ content focuses on timely political issues in Gaza and the IP address hosting the campaign’s command and control node hosts several other domains with Gaza registrants.
![photominer worm photominer worm](https://www.guardicore.com/wp-content/uploads/2016/06/drawing-e1465891322649.png)
The samples date from April – May 2017, coinciding with the run up to the May 2017 Palestinian Authority elections. ThreatConnect has identified a KASPERAGENT malware campaign leveraging decoy Palestinian Authority documents. KASPERAGENT Malware Campaign resurfaces in the run up to May Palestinian Authority Elections
![Redsn0w 9.15 b3](https://loka.nahovitsyn.com/125.jpg)