One Article Review

Source CISCO Talos
Identifier 6625062
Publication date 2022-08-30 08:00:09 (viewed: 2022-08-30 13:06:08)
Title ModernLoader delivers multiple stealers, cryptominers and RATs
Text By Vanja Svajcer. Cisco Talos recently observed three separate, but related, campaigns between March and June 2022 delivering a variety of threats, including the ModernLoader bot, the RedLine information stealer and cryptocurrency-mining malware, to victims. The actors use PowerShell, .NET assemblies, and HTA and VBS files to spread across a targeted network, eventually dropping other pieces of malware, such as the SystemBC trojan and DCRAT, to enable various stages of their operations. The attackers' use of a variety of off-the-shelf tools makes it difficult to attribute this activity to a specific adversary.

The final payload appears to be ModernLoader, which acts as a remote access trojan (RAT) by collecting system information and deploying various modules. In the earlier campaigns from March, we also observed the attackers delivering the cryptocurrency-mining malware XMRig. The March campaigns appeared to target Eastern European users, as the constructor utility we analyzed had predefined script templates written in Bulgarian, Polish, Hungarian and Russian.

The actors are attempting to compromise vulnerable web applications to serve malware and deliver threats via files masquerading as fake Amazon gift cards.

Technical details

Initial findings

In June 2022, Cisco Talos identified an unusual command line execution in our telemetry. The decoded base64 command is below:

(Figure: Initial finding: A command executed on the system.)

The 31.41.244[.]231 IP is a Russian IP and hosts several other URLs with similar naming conventions.

Autostart command

Following the discovery of the initial command, we identified two other command lines. They are a result of an autorun-registered executable and the execution of a scheduled task.
Sent Yes
Tags Malware Tool Threat
Stories Yahoo


The article does not seem to have been picked up after its publication.


The article does not seem to be a repeat of a previous one.