Attack Writeup: Phishing & Malware Distribution via Fake Razer Sponsorship Offer

April 2, 2025

Date: December 18, 2024
Target: Narek Kirakosyan, Armenian journalist
Threat Level: High (Level 1)
Reported by: CyberHUB-AM

Summary:

On December 18, 2024, a sophisticated phishing attack targeted Narek Kirakosyan, a well-known Armenian journalist. The attackers impersonated Razer Inc., a reputable gaming hardware company, to distribute malware through a fake sponsorship offer.

Attack Details:

  • Phishing Email: The attackers sent an email from [email protected], a domain impersonating the legitimate razer.com domain. The email body contained a detailed sponsorship offer, including links to supposed collaboration examples and a media kit.
  • Malicious Links: The email included a shortened URL (https://bit.ly/RazerPromoKit) leading to a Dropbox-hosted malicious archive.
  • Malware: The archive contained two malicious files:
      • msimg32.dll (SHA256: 693cc086089277f083b680ed822d988c2ea80483bd40caff202adccaa736bce4)
      • Razer – Contract and payment terms for partners on YouTube URL version.exe (SHA256: 08c7fb6067acc8ac207d28ab616c9ea5bc0d394956455d6a3eecb73f8010f7a2)

Indicators of Compromise (IOCs):

  • Email Source: [email protected]
  • Email Destination: [email protected]
  • Fake Domain: razer-us.com (Registered on December 12, 2024)
  • Mail Server IP: 198.54.127.77
  • Hosting Server IP: 198.54.118.220
  • Malicious File Names:
      • msimg32.dll
      • Razer – Contract and payment terms for partners on YouTube URL version.exe
  • File Hashes:
      • msimg32.dll (MD5: 0d61f3fe33123d0fdc20a7db2c969c4f)
      • Razer – Contract and payment terms for partners on YouTube URL version.exe (MD5: 4864a55cff27f686023456a22371e790)
  • VirusTotal Analysis Links:
      • msimg32.dll
      • Razer – Contract and payment terms for partners on YouTube URL version.exe

Analysis:

The attackers leveraged social engineering techniques to craft a convincing phishing email, exploiting the journalist’s interest in potential sponsorship deals. The use of a fake domain closely resembling the legitimate Razer domain added credibility to the attack. The inclusion of malicious files disguised as legitimate documents aimed to compromise the target’s system upon download and execution.

Recommendations:

  • Email Security: Implement advanced email filtering and phishing detection mechanisms.
  • User Awareness: Conduct regular training sessions on recognizing phishing attempts and verifying the authenticity of emails.
  • Network Security: Monitor network traffic for suspicious activity and block access to known malicious domains and IP addresses.
  • Endpoint Protection: Ensure robust antivirus and anti-malware solutions are in place to detect and mitigate threats.
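The recommendations above are easier to act on with the report's indicators in machine-readable form. The following script is an added example and is not part of the CyberHUB-AM writeup: it loads the domain, IP, URL and hash indicators listed in this report and sweeps mail-gateway, proxy and endpoint records for them, and it also flags any sender domain that carries the Razer brand name without being razer.com or one of its subdomains, which is the lookalike pattern the analysis describes. The key=value log format, the sample lines and the hostnames are constructed for the example; the local part of the phishing sender address is constructed as well, because the report obfuscates the addresses.

```python
import re

# Indicators taken from the CyberHUB-AM report above
LEGITIMATE_DOMAIN = "razer.com"
KNOWN_BAD_DOMAINS = {"razer-us.com"}
KNOWN_BAD_IPS = {"198.54.127.77", "198.54.118.220"}
KNOWN_BAD_SHA256 = {
    "693cc086089277f083b680ed822d988c2ea80483bd40caff202adccaa736bce4",  # msimg32.dll
    "08c7fb6067acc8ac207d28ab616c9ea5bc0d394956455d6a3eecb73f8010f7a2",  # Razer – Contract ... .exe
}
KNOWN_BAD_MD5 = {
    "0d61f3fe33123d0fdc20a7db2c969c4f",  # msimg32.dll
    "4864a55cff27f686023456a22371e790",  # Razer – Contract ... .exe
}
KNOWN_BAD_URLS = {"https://bit.ly/RazerPromoKit"}

# Constructed sample records in a simple key=value format (not real logs).
SAMPLE_LOGS = [
    # mail gateway: the phishing message (local part constructed; the report redacts it)
    'ts=2024-12-18T10:02:11Z type=mail from=partners@razer-us.com to=journalist@example.org src_ip=198.54.127.77 subject="Sponsorship offer"',
    # mail gateway: benign message from the real vendor domain
    'ts=2024-12-18T10:05:42Z type=mail from=news@razer.com to=journalist@example.org src_ip=203.0.113.10 subject="Product update"',
    # web proxy: the shortened link from the email was visited
    'ts=2024-12-18T10:09:03Z type=proxy user=journalist url=https://bit.ly/RazerPromoKit dst_ip=203.0.113.55',
    # endpoint: the DLL from the archive written to disk
    'ts=2024-12-18T10:15:27Z type=file host=WS-01 path="C:\\Users\\j\\Downloads\\msimg32.dll" sha256=693cc086089277f083b680ed822d988c2ea80483bd40caff202adccaa736bce4',
    # endpoint: unrelated benign file
    'ts=2024-12-18T10:16:00Z type=file host=WS-01 path="C:\\Users\\j\\Downloads\\notes.txt" sha256=0000000000000000000000000000000000000000000000000000000000000000',
]

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Parse one key=value log line (values may be double-quoted) into a dict."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def is_lookalike(domain, brand="razer"):
    """True if the domain carries the brand name but is neither the legitimate
    domain nor one of its subdomains (e.g. razer-us.com, razer.com.example.net)."""
    d = domain.lower().rstrip(".")
    if d == LEGITIMATE_DOMAIN or d.endswith("." + LEGITIMATE_DOMAIN):
        return False
    return brand in d


def match_iocs(record):
    """Return the reasons a parsed record matches the report's indicators."""
    hits = []
    sender = record.get("from", "")
    if "@" in sender:
        domain = sender.rsplit("@", 1)[1].lower()
        if domain in KNOWN_BAD_DOMAINS:
            hits.append(f"sender domain {domain} is listed as a phishing domain")
        elif is_lookalike(domain):
            hits.append(f"sender domain {domain} resembles {LEGITIMATE_DOMAIN}")
    for key in ("src_ip", "dst_ip"):
        if record.get(key) in KNOWN_BAD_IPS:
            hits.append(f"{key} {record[key]} is a listed attacker IP")
    if record.get("url") in KNOWN_BAD_URLS:
        hits.append(f"url {record['url']} is the listed malicious link")
    if record.get("sha256", "").lower() in KNOWN_BAD_SHA256:
        hits.append(f"sha256 {record['sha256'][:12]}... is a listed malicious file")
    if record.get("md5", "").lower() in KNOWN_BAD_MD5:
        hits.append(f"md5 {record['md5']} is a listed malicious file")
    return hits


def scan(lines):
    """Scan raw log lines; return (line_number, hits) for each line that matched."""
    findings = []
    for n, line in enumerate(lines, 1):
        hits = match_iocs(parse_record(line))
        if hits:
            findings.append((n, hits))
    return findings


if __name__ == "__main__":
    for n, hits in scan(SAMPLE_LOGS):
        print(f"line {n}:")
        for h in hits:
            print(f"  - {h}")
```

Run against the constructed sample, the phishing message is flagged twice (listed sender domain and listed mail-server IP), the proxy record once (the shortened URL) and the dropped DLL once (its SHA256), while the genuine razer.com message and the unrelated file produce no hits. The lookalike check deliberately matches only on the brand string, so it will also surface brand-bearing domains that are not yet on any blocklist; treat those as leads for review rather than automatic blocks.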