Full Report
Threat actors have been observed distributing malicious payloads such as cryptocurrency miner and clipper malware via SourceForge, a popular software hosting service, under the guise of cracked versions of legitimate applications like Microsoft Office. "One such project, officepackage, on the main website sourceforge.net, appears harmless enough, containing Microsoft Office add-ins copied from a
Analysis Summary
# Tool/Technique: ClipBanker (Clipper Malware)
## Overview
ClipBanker is a type of malware primarily focused on stealing cryptocurrency by monitoring the clipboard for cryptocurrency wallet addresses and replacing them with the attacker's address.
## Technical Details
- Type: Malware family
- Platform: Windows (inferred from execution context)
- Capabilities: Clipboard monitoring, cryptocurrency theft, unauthorized execution, C2 communication.
- First Seen: Not specified, but actively reported in the context of September 2024 campaigns.
## MITRE ATT&CK Mapping
This malware is part of a broader infection chain, but its core function maps primarily to:
- **TA0009 - Collection**
- T1115 - Clipboard Data
- **TA0010 - Exfiltration**
- T1041 - Exfiltration Over C2 Channel (via netcat/encrypted connection)
## Functionality
### Core Capabilities
- Deploying malicious payloads (miner and clipper).
- Establishing encrypted C2 communication using a dropped `netcat` executable (`ShellExperienceHost.exe`).
### Advanced Features
- Functioning as part of a multi-stage infection chain initiated via social engineering (fake software distribution).
- Operating alongside a cryptocurrency miner.
## Indicators of Compromise
- File Hashes: N/A (No specific hashes provided in the text)
- File Names: Payloads are dropped via an MSI installer that unpacks content from `installer.zip`, which contains a RAR archive holding the final payloads.
- Registry Keys: N/A
- Network Indicators: Encrypted connection established via the dropped `netcat` binary (`ShellExperienceHost.exe`) to a remote server.
- Behavioral Indicators: Replacing recognized cryptocurrency wallet strings in the system clipboard.
## Associated Threat Actors
The specific actors are not named, but they are utilizing SourceForge as a distribution platform targeting Russian-speaking users searching for cracked software.
## Detection Methods
- Signature-based detection: Signatures for the specific ClipBanker binary.
- Behavioral detection: Detection of clipboard monitoring activity targeting wallet formats, and unauthorized execution of PowerShell scripts downloaded from external sources (GitHub).
- YARA rules: Potential rule development focusing on the dropper components (`confvk` batch file, PowerShell scripts).
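A clipboard canary check for the behavioral detection above, added here as an example and not taken from the source report: it places constructed, wallet-shaped strings on the clipboard, waits, and reads them back, so any resident clipper that rewrites them reveals itself. The canary values and the delay are assumptions.

```powershell
# Added example (not from the source report): clipboard canary for clipper detection.
# A clipper swaps wallet-looking strings it recognises; putting a known value on the
# clipboard and reading it back exposes the swap. Canaries below are constructed
# placeholders, not real wallet addresses.
function Test-ClipboardCanary {
    param(
        [string[]]$Canaries = @(
            'bc1qexamplecanary0000000000000000000000000',   # constructed, BTC-like shape
            '0x0000000000000000000000000000000000000000'    # constructed, ETH-like shape
        ),
        [int]$DelaySeconds = 3                               # assumed reaction window
    )
    $saved = Get-Clipboard -Raw                              # preserve the user's clipboard
    $results = foreach ($c in $Canaries) {
        Set-Clipboard -Value $c
        Start-Sleep -Seconds $DelaySeconds                   # give a resident clipper time to react
        $observed = Get-Clipboard -Raw
        [pscustomobject]@{
            Canary   = $c
            Observed = $observed
            Tampered = ($observed -ne $c)                    # $true means something rewrote it
        }
    }
    if ($saved) { Set-Clipboard -Value $saved }              # restore original content
    return $results
}

Test-ClipboardCanary | Format-Table -AutoSize
```

A clipper that validates address checksums may ignore a malformed canary, so for production use substitute syntactically valid addresses you control.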
## Mitigation Strategies
- Strict enforcement of application whitelisting.
- User education regarding downloading software from unofficial sources, especially from software repositories like SourceForge that can host malicious activity.
- Monitoring for unusual outbound network connections initiated by downloaded files (e.g., executables using netcat or unexpected PowerShell execution).
## Related Tools/Techniques
- Associated with a cryptocurrency miner payload deployed in the same campaign.
***
# Tool/Technique: TookPS (Malware Downloader)
## Overview
TookPS is a malware downloader used by threat actors to establish remote access to infected hosts, often being distributed via fraudulent websites impersonating legitimate AI chatbots (like DeepSeek).
## Technical Details
- Type: Malware Downloader
- Platform: Windows (inferred)
- Capabilities: Downloading and executing subsequent-stage PowerShell scripts, granting remote access via SSH, dropping TeviRat.
- First Seen: Mentioned in the context of recent activity (post-September 2024).
## MITRE ATT&CK Mapping
- **TA0005 - Defense Evasion**
- T1027 - Obfuscated Files or Information (via PowerShell execution)
- **TA0002 - Execution**
- T1059.001 - Command and Scripting Interpreter: PowerShell
- **TA0010 - Exfiltration**
- T1041 - Exfiltration Over C2 Channel (via SSH access)
## Functionality
### Core Capabilities
- Distributing via malvertising and deceptive websites.
- Downloading and executing PowerShell scripts post-infection.
- Establishing SSH remote access for persistence and control.
- Deploying the TeviRat Trojan.
### Advanced Features
- Infection chain involves redirecting users through sponsored Google search results to fraudulent sites.
## Indicators of Compromise
- File Hashes: N/A
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: Connecting to hosts via SSH protocol.
- Behavioral Indicators: Execution of PowerShell scripts downloaded from external sources following initial compromise.
## Associated Threat Actors
Threat actors using fraudulent sites impersonating DeepSeek AI, distributing via malvertising.
## Detection Methods
- Detection of connections using the SSH protocol originating from unexpected processes.
- Behavioral monitoring for known PowerShell download cradles or remote execution patterns associated with TookPS scripts.
- Network filtering for known fraudulent domains used in distribution (e.g., `deepseek-ai-soft[.]com`, defanged).
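A host-side check serving both the ClipBanker guidance on outbound connections from downloaded files (the dropped `netcat` masquerading as `ShellExperienceHost.exe`) and the TookPS guidance on SSH from unexpected processes, added here as an example and not taken from the source report. The trusted directory roots, the SSH client allowlist and the process names are assumptions; the genuine `ShellExperienceHost.exe` living under `%SystemRoot%\SystemApps` is a known Windows layout detail.

```powershell
# Added example (not from the source report): flag established outbound TCP connections
# owned by processes running from outside the Windows/Program Files trees, a
# ShellExperienceHost.exe that is not the genuine one under SystemApps, and SSH (22)
# sessions from clients not on an assumed allowlist.
$trustedRoots = @(@($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') + '\' })
$sshAllowlist = @('ssh.exe', 'putty.exe')        # assumed legitimate SSH clients
$procCache = @{}

Get-NetTCPConnection -State Established |
  Where-Object { $_.RemoteAddress -notmatch '^(127\.|::1$|0\.0\.0\.0$)' } |
  ForEach-Object {
    $conn = $_
    if (-not $procCache.ContainsKey($conn.OwningProcess)) {
        $procCache[$conn.OwningProcess] = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
    }
    $p = $procCache[$conn.OwningProcess]
    if (-not $p) { return }
    $path = $p.Path                               # $null for protected processes without elevation
    $reasons = @()
    if ($path -and -not ($trustedRoots | Where-Object { $path.StartsWith($_, 'OrdinalIgnoreCase') })) {
        $reasons += 'ImageOutsideTrustedRoots'
    }
    # the dropped netcat is named ShellExperienceHost.exe; the real one lives under SystemApps
    if ($p.ProcessName -ieq 'ShellExperienceHost' -and $path -and
        $path -notlike "$env:SystemRoot\SystemApps\*") {
        $reasons += 'ShellExperienceHostOutsideSystemApps'
    }
    if ($conn.RemotePort -eq 22 -and ($p.ProcessName + '.exe') -notin $sshAllowlist) {
        $reasons += 'SshFromUnexpectedProcess'
    }
    if ($reasons) {
        [pscustomobject]@{
            PID     = $p.Id
            Process = $p.ProcessName
            Path    = $path
            Remote  = "$($conn.RemoteAddress):$($conn.RemotePort)"
            Reasons = ($reasons -join ',')
        }
    }
  } | Format-Table -AutoSize
```

Run elevated so that image paths of all processes are visible; entries with an empty Path column were not readable at the current privilege level.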
## Mitigation Strategies
- Implementing strong ad-blocking and filtering for sponsored search results when seeking specialized software.
- Utilizing EDR solutions capable of monitoring SSH connection initiation attempts.
- Restricting PowerShell usage where possible.
## Related Tools/Techniques
- TeviRat (Trojan dropped by TookPS).
***
# Tool/Technique: TeviRat (Trojan)
## Overview
TeviRat is a Trojan delivered by the TookPS downloader, designed to provide threat actors with backdoor functionality and remote access to the infected system.
## Technical Details
- Type: Trojan/Backdoor
- Platform: Windows (inferred)
- Capabilities: Remote Access, system control.
- First Seen: Mentioned in recent analysis alongside TookPS.
## MITRE ATT&CK Mapping
- **TA0002 - Execution**
- T1059.001 - Command and Scripting Interpreter: PowerShell (indirectly, via TookPS staging)
- **TA0011 - Command and Control**
- T1071.001 - Application Layer Protocol: Web Protocols (likely for C2)
## Functionality
### Core Capabilities
- Establishing persistent remote access.
### Advanced Features
- N/A (Details are scarce, primarily defined by its role as the final payload of the TookPS chain).
## Indicators of Compromise
- File Hashes: N/A
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: Likely communicates via standard C2 protocols following establishment.
- Behavioral Indicators: Presence of the TeviRat binary on the system post-TookPS execution.
## Associated Threat Actors
Threat actors distributing TookPS via malvertising campaigns.
## Detection Methods
- Signature-based detection for the TeviRat executable.
- Monitoring for anomalous remote access sessions being initiated.
## Mitigation Strategies
- Patching and updating underlying operating systems and applications to prevent initial infection vectors.
- Monitoring for unauthorized remote access protocols.
## Related Tools/Techniques
- TookPS (Delivers TeviRat).
***
# Tool/Technique: ThunderShell (SMOKEDHAM)
## Overview
ThunderShell, also known as SMOKEDHAM, is a publicly available, PowerShell-based Remote Access Tool (RAT) primarily designed for red teaming and penetration testing, though it is frequently misused by threat actors.
## Technical Details
- Type: Post-Exploitation Framework / RAT
- Platform: Windows (PowerShell execution)
- Capabilities: Establishing a C2 environment, executing arbitrary commands via a PowerShell agent.
- First Seen: Publicly available, but noted in a recent compromise involving RVTools malvertising.
## MITRE ATT&CK Mapping
- **TA0011 - Command and Control**
- T1071 - Application Layer Protocol
- **TA0002 - Execution**
- T1059.001 - Command and Scripting Interpreter: PowerShell
## Functionality
### Core Capabilities
- Providing a command-and-control (C2) environment for operators.
- Executing remote commands via a PowerShell agent on compromised hosts.
### Advanced Features
- Leveraged through DLL sideloading techniques in related campaigns (though the source report focuses on its delivery via an adulterated RVTools installer).
## Indicators of Compromise
- File Hashes: N/A
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: Communication with an attacker-controlled C2 server via web protocols.
- Behavioral Indicators: Execution of a PowerShell agent designed for C2 interaction.
## Associated Threat Actors
Threat actors leveraging malvertising (specifically targeting RVTools users) to deploy this framework.
## Detection Methods
- Detecting PowerShell scripts executing commands via encoded flags or from suspicious locations.
- Network monitoring for connections to known ThunderShell C2 infrastructure.
## Mitigation Strategies
- Restricting non-essential PowerShell execution through execution policies and application control.
- Deploying application control solutions that prevent execution of known penetration testing tools in unauthorized contexts.
## Related Tools/Techniques
- Used in conjunction with adulterated copies of legitimate tools like RVTools distributed via malvertising.
***
# Technique: DLL Sideloading Used for TeamViewer Tampering
## Overview
A specific technique observed where attackers modify the behavior of legitimate remote access software (TeamViewer) by placing a malicious library in the same directory as the application. The legitimate executable then loads the rogue DLL instead of the intended one, which lets the attacker hide the remote access mechanism behind trusted software.
## Technical Details
- Type: Technique
- Platform: Windows
- Capabilities: Hiding covert remote access, hijacking legitimate application functionality.
- First Seen: N/A
## MITRE ATT&CK Mapping
- **TA0005 - Defense Evasion**
- T1574.001 - DLL Search Order Hijacking
- **TA0011 - Command and Control**
- T1090 - Proxy (The compromised TeamViewer acts as a proxy for C2)
## Functionality
### Core Capabilities
- Modifying the default behavior and settings of TeamViewer.
- Establishing covert remote access for attackers.
### Advanced Features
- Hiding the malicious presence and remote control activity from the legitimate user interface of TeamViewer.
## Indicators of Compromise
- File Hashes: N/A
- File Names: Presence of a malicious DLL alongside the legitimate TeamViewer executable files.
- Registry Keys: Modifications to TeamViewer settings to maintain persistence or covert communication.
- Network Indicators: Outbound traffic associated with the modified TeamViewer process connecting to attacker-controlled infrastructure.
- Behavioral Indicators: TeamViewer executable loading an unrecognized or unsigned malicious DLL from its installation directory.
## Associated Threat Actors
Threat actors aiming to gain complete access by blending malicious code with trusted software.
## Detection Methods
- File integrity monitoring (FIM) on critical application directories (e.g., TeamViewer installation paths).
- Analyzing loaded modules for known malicious DLLs or unsigned libraries loading into signed executables.
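A loaded-module check for the detection method above, added here as an example and not taken from the source report: it walks the modules of a running TeamViewer process and flags DLLs loaded from the application's own directory that lack a valid Authenticode signature or that share a name with a DLL in System32 (the layout a search-order hijack relies on). The process name `TeamViewer` is an assumption.

```powershell
# Added example (not from the source report): inspect modules loaded by a running
# TeamViewer process and flag DLLs from its install directory that are unsigned or
# that shadow a same-named DLL in System32. Process name is an assumption.
function Get-SuspiciousSideloadedModule {
    param([string]$ProcessName = 'TeamViewer')
    $system32 = Join-Path $env:SystemRoot 'System32'
    foreach ($p in (Get-Process -Name $ProcessName -ErrorAction SilentlyContinue)) {
        try { $exe = $p.MainModule.FileName; $modules = $p.Modules }
        catch { continue }                        # access denied or bitness mismatch
        $exeDir = (Split-Path -Parent $exe).TrimEnd('\') + '\'
        foreach ($m in $modules) {
            $path = $m.FileName
            if ($path -ieq $exe) { continue }                               # skip the EXE itself
            if (-not $path.StartsWith($exeDir, 'OrdinalIgnoreCase')) { continue }  # only app-dir DLLs
            $reasons = @()
            $sig = Get-AuthenticodeSignature -FilePath $path
            if ($sig.Status -ne 'Valid') { $reasons += "Signature=$($sig.Status)" }
            # a DLL in the app directory named like a System32 DLL is the classic
            # search-order hijack placement; legitimate bundled runtimes also match,
            # so weigh this together with the signature result
            if (Test-Path (Join-Path $system32 $m.ModuleName)) { $reasons += 'ShadowsSystem32Dll' }
            if ($reasons) {
                [pscustomobject]@{
                    PID     = $p.Id
                    Module  = $path
                    Signer  = $sig.SignerCertificate.Subject
                    Reasons = ($reasons -join ';')
                }
            }
        }
    }
}

Get-SuspiciousSideloadedModule | Format-Table -AutoSize
```

Run from a session whose bitness matches the target process and with sufficient privilege, otherwise the module list is not readable and the process is silently skipped.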
## Mitigation Strategies
- Using digitally signed and verified versions of remote access software.
- Implementing strong execution policies to prevent loading of libraries from non-standard paths.
## Related Tools/Techniques
- TeamViewer (Legitimate software being hijacked).