{
	"id": "2107c822-1f3f-482a-a8f5-cc0f3192e788",
	"created_at": "2026-04-06T01:30:13.081589Z",
	"updated_at": "2026-04-10T13:11:52.055794Z",
	"deleted_at": null,
	"sha1_hash": "efb6d9697e94e2542556e2bc67b687d8b94e8333",
	"title": "How to expose a potential cybercriminal due to misconfigurations – CYBER GEEKS",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1051425,
	"plain_text": "How to expose a potential cybercriminal due to misconfigurations – CYBER GEEKS\r\nPublished: 2022-06-30 · Archived: 2026-04-06 01:14:05 UTC\r\nSummary\r\nWe’ve investigated a new phishing campaign spreading malicious documents that exploit the CVE-2017-0199 and CVE-2017-11882 vulnerabilities. The purpose of this campaign is to deploy the Lokibot stealer on the infected machines. In our investigation we found misconfigurations on the malicious domains that allowed us to identify a hostname which was a name server for two scam domains registered in Brazil. We believe that the owner of these domains might be involved in the malicious campaign.\r\nTechnical analysis\r\nWe begin the analysis with a document that impersonates the Romanian ANAF (National Agency for Fiscal Administration) called “Factura fiscala ANAF270622.xlsx” (SHA256: 098335ca421ca8501fd243714fd02457ebbaa40dd6f91cf1ab61a58c415a27a0). The document was downloaded from https://app.any.run/tasks/e5624c90-9c9c-4f35-a80a-3beed6370c35/.\r\nThe malicious document is an xlsx file that contains a blurred image which seems to be an invoice, as highlighted below:\r\nhttps://cybergeeks.tech/how-to-expose-a-potential-cybercriminal-due-to-misconfigurations/\r\nPage 1 of 6\r\nFigure 1\r\nThe file is an encrypted Excel document with a common password (“VelvetSweatshop”), as shown below:\r\nFigure 2\r\nFigure 3\r\nUsing oledump it’s possible to determine that there is an embedded OLE object in the document:\r\nFigure 4\r\nThe document tries to exploit a vulnerability found in Microsoft Office and WordPad that is described in CVE-2017-0199. If successful, the malware would download a file found at http[:]//itssotiny.com/fYYbO (returns 404 at this time). However, according to VirusTotal, the link redirected to http[:]//192.3.239.42/document/77.doc (still active). Figure 5 reveals that there are two documents hosted in the same location:\r\nFigure 5\r\nThe 77.doc file is an obfuscated RTF file, which exploits another Microsoft Office vulnerability, CVE-2017-11882:\r\nFigure 6\r\nThe rtfdump.py script is utilized to list groups and the structure of the RTF file:\r\nFigure 7\r\nThe Microsoft Equation Editor process that can be identified in the sandbox analysis is a strong indicator that the vulnerability is indeed CVE-2017-11882, which is a vulnerability in Microsoft Equation Editor (https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/17-year-old-ms-office-flaw-cve-2017-11882-actively-exploited-in-the-wild).\r\nThe final stage consists of downloading the Lokibot stealer from http[:]//192.3.239.42/77/vbc.exe (https://www.virustotal.com/gui/file/d243ac3d475a2e3dad62640525d3b4f102bb8140cc844363d61e95ea5fc4f8fb/detection).\r\nDue to the attacker’s mistake, phpinfo.php can be accessed by anybody and reveals crucial information about the potential attacker. As we can see in figure 8, the hostname is “WIN-2NF07F1AQLT” and it runs on a Windows Server 2016 machine:\r\nFigure 8\r\nWe have expanded the attacker’s infrastructure via OSINT. The following files/IP addresses could be identified:\r\nhttp[:]//192.3.239.42/receipt/88.doc\r\nhttp[:]//192.3.239.42/receipt/99.doc\r\nhttp[:]//192.227.129.26/document/receipt.doc\r\nhttp[:]//192.3.239.42/office/100.doc\r\nhttp[:]//192.3.239.42/office/110.doc\r\n192.227.168.194, 107.175.218.40, 104.168.32.21, 104.168.32.14\r\nAs we can see in figure 9, the hostname is the same for a different domain:\r\nFigure 9\r\nWe have identified another hostname for an older campaign – “WIN-3JS0MA784YQ”:\r\nFigure 10\r\nWe’ve performed an OSINT investigation and found that the “WIN-2NF07F1AQLT” hostname appears as a name server for two domains registered in Brazil: Webcamer.com[.]br and Citydesconto.com[.]br. According to website.informer.com, these 2 domains were registered by an individual “Noe Yvert Etoua Evina” with the noeyvert@gmail.com email address:\r\nFigure 11\r\nThese two domains seem to be scam domains. An individual with the same name appears in multiple judicial processes on jusbrasil.com.br.\r\nIndicators of Compromise\r\nSHA256: 098335ca421ca8501fd243714fd02457ebbaa40dd6f91cf1ab61a58c415a27a0\r\nSHA256: d243ac3d475a2e3dad62640525d3b4f102bb8140cc844363d61e95ea5fc4f8fb\r\nIP addresses:\r\n192.3.239.42\r\n192.227.129.26\r\n192.227.168.194\r\n107.175.218.40\r\n104.168.32.21\r\n104.168.32.14\r\n103.207.39.127\r\nSource: https://cybergeeks.tech/how-to-expose-a-potential-cybercriminal-due-to-misconfigurations/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://cybergeeks.tech/how-to-expose-a-potential-cybercriminal-due-to-misconfigurations/"
	],
	"report_names": [
		"how-to-expose-a-potential-cybercriminal-due-to-misconfigurations"
	],
	"threat_actors": [
		{
			"id": "b740943a-da51-4133-855b-df29822531ea",
			"created_at": "2022-10-25T15:50:23.604126Z",
			"updated_at": "2026-04-10T02:00:05.259593Z",
			"deleted_at": null,
			"main_name": "Equation",
			"aliases": [
				"Equation"
			],
			"source_name": "MITRE:Equation",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775439013,
	"ts_updated_at": 1775826712,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/efb6d9697e94e2542556e2bc67b687d8b94e8333.pdf",
		"text": "https://archive.orkl.eu/efb6d9697e94e2542556e2bc67b687d8b94e8333.txt",
		"img": "https://archive.orkl.eu/efb6d9697e94e2542556e2bc67b687d8b94e8333.jpg"
	}
}