Full Report
Clustering and IoC update
Analysis Summary
# Tool/Technique: Amadey Loader, Smoke Loader, Redline, Lumma, MarsStealer, Stealc (Used with 1337team Limited Infrastructure)
## Overview
This summary details infrastructure overlaps identified during an investigation into infostealer incidents, revealing connections between the Amadey and Smoke loaders and several prominent infostealer malware families (Redline, Lumma, MarsStealer, Stealc) utilizing infrastructure hosted primarily within AS51381 (1337team Limited), as well as clusters in Korea and Mexico.
## Technical Details
- Type: Malware Families & Infrastructure Clustering
- Platform: Unknown/Implied Windows (Common target for infostealers)
- Capabilities: Distribution and Command and Control (C2) for various infostealers.
- First Seen: Not explicitly stated, but the analysis updates recent infrastructure trends (Jan 2025 context).
## MITRE ATT&CK Mapping
The analysis primarily focuses on the infrastructure supporting malware execution and persistence rather than specific endpoint techniques, but related TTPs include:
- **TA0011 - Command and Control**
  - T1071 - Application Layer Protocol
  - T1071.001 - Web Protocols
- **TA0002 - Execution** (via usage of loaders like Amadey/Smoke)
  - T1204 - User Execution (likely initial vector for infostealers)
## Functionality
### Core Capabilities
- **Infrastructure Hosting:** Use of Autonomous System AS51381 (1337team Limited) for deploying C2 and distribution points for multiple malware families.
- **Malware Association:** Confirmed association of infrastructure with the Amadey Loader, Smoke Loader, Redline Stealer, Lumma Stealer, MarsStealer, and Stealc.
- **Clustering:** Investigation identified related infrastructure groupings based on IP pivot points, leading to specific geographic clusters (Korean Cluster, Mexico Cluster).
### Advanced Features
- **Pivoting via File Hashes:** Successful use of a specific malicious file hash (`00173630900838da2ccce0ae7fb54f7d8b3138434f63d056c636e0aec4f8e37b` for file `cajubae`) to pivot across different ASNs.
- **Service Correlation:** Use of common services (SSH/Port 22 and HTTP/Port 80) running on compromised hosts within a specific ASN to define hunting queries.
- **Fast Flux Indication:** Mention of the domain `niksplus[.]ru` resolving across many IPs, suggesting fast flux activity, enabling infrastructure resilience.
## Indicators of Compromise
*Note: Indicators are listed as presented in the article. Network indicators are defanged.*
- File Hashes: SHA256: `00173630900838da2ccce0ae7fb54f7d8b3138434f63d056c636e0aec4f8e37b` (associated with file "cajubae")
- File Names: "cajubae"
- Registry Keys: N/A
- Network Indicators:
  - Initial Pivot IP: `185.215.113[.]16`
  - Domain: `niksplus[.]ru`
  - **Korean Cluster IPs:** `220.125.3[.]190`, `123.212.43[.]225`, `119.204.11[.]2`, `58.151.148[.]90`, `218.152.239[.]116`, `125.7.253[.]10`, `211.202.224[.]10`, `175.119.10[.]231`, `119.194.160[.]37`, `211.171.233[.]129`, `211.181.24[.]133`, `211.171.233[.]126`, `218.152.239[.]123`, `123.140.161[.]243`, `210.180.252[.]110`, `211.181.24[.]132`, `211.168.53[.]110`, `211.119.84[.]111`, `210.182.29[.]70`, `210.108.43[.]192`, `211.104.254[.]139`, `211.59.14[.]90`, `211.119.84[.]112`
  - **Mexico Cluster IPs:** See full list in the article context (too extensive for standardized display).
- Associated ASNs: AS51381 (1337team Limited), Korean AS3786, Korean AS4766.
- Behavioral Indicators: Hosts running SSH and HTTP services used for malware infrastructure hosting. Recent DNS resolutions on newly identified malicious domains.
## Associated Threat Actors
The analysis does not explicitly name a single Threat Actor group but implies that an actor (or actors) associated with various infostealers is managing infrastructure across AS51381, and potentially actors geographically focused in Korea and Mexico based on clustering.
## Detection Methods
- **Signature-based detection:** Not detailed in the article, but the listed SHA256 hash can be used for file-based matching.
- **Behavioral detection:** Identifying hosts running SSH (Port 22) and HTTP (Port 80) associated with AS51381, or internal hosts communicating with the listed IPs/domains (including subdomains of `niksplus[.]ru`).
- **YARA rules:** Not available in the context provided.
- **Infrastructure Monitoring:** Utilizing ASN data (AS51381) and certificate fingerprints (via Validin) for mapping clusters.
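The behavioral detection and fast-flux points above can be turned into a small log-matching routine. The following is an added example, not code from the article or from any of the tools it describes: it refangs a subset of the indicators listed in this summary, scans constructed proxy log lines for traffic to those IPs (recording the destination port, since the article correlates on 22 and 80) or to the listed domain and its subdomains, and flags any queried domain whose DNS answers span many distinct IPs, which is the fast-flux pattern the article notes for `niksplus[.]ru`. The `key=value` log format, the internal source addresses, the resolution IPs (RFC 5737 documentation ranges) and the threshold of five distinct answers are all assumptions made for the example.

```python
import re
from collections import defaultdict

# Indicators copied (defanged) from the summary above; the Korean cluster is a subset.
DEFANGED_IPS = [
    "185.215.113[.]16",                                      # initial pivot IP
    "220.125.3[.]190", "123.212.43[.]225", "119.204.11[.]2",  # Korean cluster
    "211.171.233[.]129", "211.181.24[.]133",
]
DEFANGED_DOMAINS = ["niksplus[.]ru"]  # suspected fast-flux domain


def refang(ioc):
    """Turn a defanged indicator back into a matchable value."""
    return ioc.replace("[.]", ".")


IOC_IPS = {refang(i) for i in DEFANGED_IPS}
IOC_DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_kv(line):
    """Parse 'key=value' fields; this log layout is an assumption of the example."""
    return dict(KV_RE.findall(line))


def domain_matches(host):
    """Return the listed domain that `host` equals or is a subdomain of, else None."""
    host = host.lower().rstrip(".")
    for d in IOC_DOMAINS:
        if host == d or host.endswith("." + d):
            return d
    return None


def match_proxy_logs(lines):
    """Return (src, indicator, reason) for every line touching a listed IP or domain."""
    hits = []
    for line in lines:
        f = parse_kv(line)
        if f.get("dst") in IOC_IPS:
            hits.append((f["src"], f["dst"], "ip:%s" % f.get("port", "?")))
        else:
            d = domain_matches(f.get("host", ""))
            if d:
                hits.append((f["src"], f["host"], "domain:%s" % d))
    return hits


def fast_flux_candidates(dns_lines, min_distinct=5):
    """Domains whose answers in the window cover >= min_distinct distinct IPs."""
    answers = defaultdict(set)
    for line in dns_lines:
        f = parse_kv(line)
        if "query" in f and "answer" in f:
            answers[f["query"].lower()].add(f["answer"])
    return {d: sorted(ips) for d, ips in answers.items() if len(ips) >= min_distinct}


# Constructed sample logs (not from the article); internal hosts are 10.0.0.x.
PROXY_LOGS = [
    "2025-01-14T10:01:02Z src=10.0.0.5 dst=185.215.113.16 host=- port=80",
    "2025-01-14T10:01:09Z src=10.0.0.7 dst=93.184.216.34 host=example.com port=443",
    "2025-01-14T10:02:11Z src=10.0.0.5 dst=192.0.2.50 host=cdn.niksplus.ru port=80",
    "2025-01-14T10:03:40Z src=10.0.0.9 dst=211.171.233.129 host=- port=22",
]
DNS_LOGS = [
    "2025-01-14T09:00:00Z query=niksplus.ru answer=192.0.2.10",
    "2025-01-14T09:10:00Z query=niksplus.ru answer=192.0.2.11",
    "2025-01-14T09:20:00Z query=niksplus.ru answer=198.51.100.20",
    "2025-01-14T09:30:00Z query=niksplus.ru answer=198.51.100.21",
    "2025-01-14T09:40:00Z query=niksplus.ru answer=203.0.113.30",
    "2025-01-14T09:50:00Z query=niksplus.ru answer=203.0.113.31",
    "2025-01-14T09:55:00Z query=niksplus.ru answer=192.0.2.10",   # repeat, not distinct
    "2025-01-14T09:05:00Z query=example.com answer=93.184.216.34",
    "2025-01-14T09:35:00Z query=example.com answer=93.184.216.34",
]

if __name__ == "__main__":
    for src, ind, why in match_proxy_logs(PROXY_LOGS):
        print("ALERT %s -> %s (%s)" % (src, ind, why))
    for dom, ips in fast_flux_candidates(DNS_LOGS).items():
        print("FAST-FLUX? %s resolved to %d distinct IPs" % (dom, len(ips)))
```

Matching on subdomains matters because a fast-flux domain is typically fronted by rotating hostnames; matching only the exact apex would miss them. The distinct-answer threshold should be tuned against your own resolver logs, since large CDNs also rotate answers and will otherwise appear in the candidate list.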
## Mitigation Strategies
- **Network Segmentation/Filtering:** Blocking direct K/A traffic to external IP ranges identified in the Korean and Mexico clusters if no legitimate business need exists.
- **ASN Monitoring:** Increased monitoring or blocking of outbound/inbound traffic associated with AS51381, AS3786, and AS4766 if anomalous behavior is detected.
- **Domain Filtering:** Blocking or scrutinizing traffic related to `niksplus[.]ru` due to suspected fast flux usage.
- **Endpoint Hardening:** Implementing controls against the known infostealers (Redline, Lumma, etc.) which rely on user execution vectors.
## Related Tools/Techniques
- Amadey Loader
- Smoke Loader
- Redline Stealer
- Lumma Stealer
- MarsStealer
- Stealc
- Fast Flux (via domain `niksplus[.]ru`)