2021-09-14 Griffon IOCs

THREAT IDENTIFICATION:  GRIFFON (aka Harpy)

SUBJECTS OBSERVED
Bill for mobile service
Bill for subscribing Premium
Obligations of vaccination companies
Premium subscription

SENDERS OBSERVED
forge@server.medecineconcours.com
fubaydullaev@host2.eskiz.uz
iqrabash@fastserver.aryhost.com
isuzups@cpanel.gemzo.net
jobs@cc1.okimotocorp.com
mikksoft@de.servnet.com.pk
mipsmedi@mip.mipsmedia1.com
naaspanama@server.kmservers.com
ngz@nashmir.qubit-software.com.my
qubitsoftwarecom@server.iconbag.my
standardcropcare@corporate.vip5.noc401.com
streichersquickp@vps17646.inmotionhosting.com
tmrss@codezinfotech.com
umgnet@server.mdmedicine.com
www@vmi543358.contaboserver.net

IMPERSONATED SENDERS
bill@t-mobile.com
bill@tinder.com
HealthResources&ServicesAdministration@gulab.pk
Tinder@jobs.okimotocorp.com
us-noreply@t-mobile.com
us.company-policy@hrsa.gov

GRIFFON ZIP FILE HASH
Employees list 09.2021.zip
802dc9f2905991dee611ab6afb098afd

Bill 09.13.2021.zip
89b76cb2372ab40df840c8f1a347ed7e

GRIFFON JAVASCRIPT FILE HASH PAYLOAD
current list of employees who were included to the vaccine schedule.txt.js
f1680aa55c88220bcf83e24d89628cc9

Tinder Bill #12340098709..13.2021  - To view successfully open on Windows.txt.js
f1680aa55c88220bcf83e24d89628cc9

GRIFFON C2
https://civilizationidium.com/

ADDITIONAL C2 URLS
https://civilizationidium.com/info/add?type=name
https://civilizationidium.com/info/delete?type=name
https://civilizationidium.com/new/hide?type=name
https://civilizationidium.com/new/new?type=name
https://civilizationidium.com/new/renew?type=name
https://civilizationidium.com/new/show?type=name

SUPPORTING EVIDENCE
https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-1/
https://www.virustotal.com/gui/file/4e6914d95dc81000b1eaa82fc3d2162dd681ff4521c6f79204d65a0884906ea8
https://www.virustotal.com/gui/file/caa7667bfdbcb04ceb9d81df93fe805dfe4ac8a04b9dd3eaab7b5f7c87c4fc9c