DMOSK
DMOSK is malware that targets companies in Italy. DMOSK was analyzed by Italian malware researchers, who determined that its targets are located in Europe, and in Italy in particular. PC security researchers know which companies were infected by DMOSK, and law enforcement is working on tracking down the criminals responsible. One worrying aspect of DMOSK is that there are reasons to believe DMOSK attacks will increase substantially in the future, which makes it important for computer users to protect their machines with a reliable, up-to-date security program and to take other precautions.
How DMOSK is Distributed
The initial stage of the DMOSK attack is a link to a file on an online drive. The page behind the link runs a script that downloads a ZIP archive containing a malicious JavaScript file from a remote server. This link can reach the victim in many ways, the most common being corrupted advertising or email tactics. Once the malicious script runs, it downloads and installs an additional file, an SCR file (a Windows screensaver file, which is an ordinary executable). This leads to the next link in the infection chain, which may connect to a compromised URL to download further content onto the victim's computer. Multi-step infection chains of this kind are not uncommon and seem to be a way for criminals to make it harder for PC security researchers to trace what is going on. The final stage of the DMOSK attack is carried out directly in the affected device's memory, which limits what a file-based scan alone will find.
DMOSK Uses a Very Common Way to Attack Computers
It seems that the final stage of DMOSK collects the victims' email and login credentials. This data is collected from the affected computer's Web browser and network communications and sent to a Command and Control server, both on Tor hidden services on the Dark Web and on ordinary domains (both listed below). The DMOSK attack only targets a specific geographical region, and the main portion of the attack targets computers located in Italy. DMOSK also seems to deliberately avoid certain computer security providers and institutions. Nearly seven thousand email addresses may have been compromised by the DMOSK attack, since there is evidence that those recipients clicked on the link that launches the initial stage of the attack. The bulk of DMOSK attacks occurred in the first week of June 2018. Companies in Italy, the primary target of the DMOSK attack, should therefore take precautions to ensure that their data and devices are safe.
The following URLs have been associated with different portions of the DMOSK attack:
URLs associated with the initial stages of the attack:
https:// drive[.]carlsongracieanaheim[.]com/doc.php
https:// drive[.]carlsongracieanaheim[.]com/doc1.php
https:// drive[.]carlsongracieanaheim[.]com/x/gate.php
https:// drive[.]carlsongracieanaheim[.]com/1/gate.php
Command and Control servers on the TOR network:
https:// 4fsq3wnmms6xqybt[.]onion/wpapi
https:// em2eddryi6ptkcnh[.]onion/wpapi
https:// nap7zb4gtnzwmxsv[.]onion/wpapi
https:// t7yz3cihrrzalznq[.]onion/wpapi
Command and Control servers:
https:// loop.evama[.]at/wpapi
https:// torafy[.]cn/wpapi
https:// u55.evama[.]at/wpapi
https:// yraco[.]cn/wpapi
https:// inc.robatop[.]at/wpapi
https:// poi.robatop[.]at/wpapi
https:// arh.mobipot[.]at/wpapi
https:// bbb.mobipot[.]at/wpapi
https:// takhak[.]at/wpapi
https:// kerions[.]at/wpapi
https:// j11.evama[.]at/wpapi
https:// clocktop[.]at/wpapi
https:// harent[.]cn/wpapi
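To put the indicators above to use, here is an added example (not part of the original article) that refangs the listed URLs and matches them against proxy-log lines. The log format and the log lines themselves are constructed for the demo and are not from any real incident. Host matching is exact rather than substring-based, so a look-alike such as evama.at.example.org does not hit. Because every listed C2 URL shares the /wpapi path, a request to that path on a host not in the list is also reported, but only as a weaker "review" finding rather than a confirmed match.

```python
# Added example, not from the original article: match the DMOSK indicators against proxy-log lines.
import re
from urllib.parse import urlparse

# Indicators as the article lists them, in defanged form.
DMOSK_IOCS = """
https:// drive[.]carlsongracieanaheim[.]com/doc.php
https:// drive[.]carlsongracieanaheim[.]com/doc1.php
https:// drive[.]carlsongracieanaheim[.]com/x/gate.php
https:// drive[.]carlsongracieanaheim[.]com/1/gate.php
https:// 4fsq3wnmms6xqybt[.]onion/wpapi
https:// em2eddryi6ptkcnh[.]onion/wpapi
https:// nap7zb4gtnzwmxsv[.]onion/wpapi
https:// t7yz3cihrrzalznq[.]onion/wpapi
https:// loop.evama[.]at/wpapi
https:// torafy[.]cn/wpapi
https:// u55.evama[.]at/wpapi
https:// yraco[.]cn/wpapi
https:// inc.robatop[.]at/wpapi
https:// poi.robatop[.]at/wpapi
https:// arh.mobipot[.]at/wpapi
https:// bbb.mobipot[.]at/wpapi
https:// takhak[.]at/wpapi
https:// kerions[.]at/wpapi
https:// j11.evama[.]at/wpapi
https:// clocktop[.]at/wpapi
https:// harent[.]cn/wpapi
"""

# Constructed log lines for the demo (timestamp client method url status);
# the format is assumed and the traffic is not from any real incident.
SAMPLE_LOG = """
2018-06-04T09:12:41Z 10.1.4.22 GET https://www.example.com/index.html 200
2018-06-04T09:13:02Z 10.1.4.22 GET https://drive.carlsongracieanaheim.com/doc.php 200
2018-06-04T09:13:05Z 10.1.4.22 GET https://drive.carlsongracieanaheim.com/payload.zip 200
2018-06-04T09:15:30Z 10.1.4.22 POST https://u55.evama.at/wpapi 200
2018-06-04T09:16:10Z 10.1.4.23 POST https://cdn.some-other-host.example/wpapi 404
2018-06-04T09:17:00Z 10.1.4.24 GET https://evama.at.example.org/ 200
"""

C2_PATH = "/wpapi"  # shared by every C2 URL in the list; a weak indicator on its own
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def refang(ioc):
    """Turn a defanged URL ('https:// x[.]y', 'hxxps://x[.y', 'x.[y') into a parseable one."""
    s = ioc.strip()
    s = re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)
    s = re.sub(r"^(https?:)//\s+", r"\1//", s)       # drop the space after the scheme
    return re.sub(r"[\[(]?\.[\]\[)]?", ".", s)        # [.] and the sloppier [. / .[ forms


def load_iocs(text):
    """Return (set of hosts, set of (host, path) pairs) from defanged URL lines."""
    hosts, urls = set(), set()
    for line in text.splitlines():
        if not line.strip():
            continue
        u = urlparse(refang(line))
        if u.hostname:
            hosts.add(u.hostname)          # urlparse lower-cases the host
            urls.add((u.hostname, u.path))
    return hosts, urls


def classify(url, hosts, urls):
    """Exact host match, not substring: 'evama.at.example.org' must not hit 'evama.at'."""
    u = urlparse(url)
    if not u.hostname:
        return None
    if (u.hostname, u.path) in urls:
        return "match: listed DMOSK URL"
    if u.hostname in hosts:
        return "match: DMOSK infrastructure host, unlisted path"
    if u.path == C2_PATH:
        return "review: /wpapi C2 path on a host not in the list"
    return None


def scan_log(text, hosts, urls):
    """Return (timestamp, client, url, verdict) for every log line that classifies."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, client, _method, url, _status = m.groups()
        verdict = classify(url, hosts, urls)
        if verdict:
            hits.append((ts, client, url, verdict))
    return hits


if __name__ == "__main__":
    hosts, urls = load_iocs(DMOSK_IOCS)
    for hit in scan_log(SAMPLE_LOG, hosts, urls):
        print(*hit)
```

On the sample data the scan reports the doc.php download, a second download from the same staging host with an unlisted path, the u55.evama.at check-in, and the /wpapi request to an unknown host for review; the look-alike host is correctly ignored. Real proxies often log only CONNECT lines for HTTPS, in which case only the host-level matches are available.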
How to Prevent a DMOSK Attack
If your computer or network has been affected by DMOSK, use a strong, fully up-to-date security program to remove all traces of DMOSK from the targeted computer. Since the main purpose of DMOSK seems to be to collect email login credentials, PC security researchers advise computer users who suspect they were affected to check that their email accounts have not been compromised or used to send suspicious emails or other possibly unsafe content. Affected users should review their email settings for changes they did not make, such as new forwarding rules or filters, and change their passwords and other login information, doing so from a device that is known to be clean, since credentials entered on a still-infected machine can be captured again.