Full Report
This is a weekly threat intelligence report review from RST Cloud. This week, we analysed 49 threat intelligence reports and compiled a concise summary of each report, along with the relevant metadata that was gathered. You can find below a short summary of 10 reports, related threats, tools, threat actors, a link to the source, and a number of extracted indicators of compromise (IoCs) from the original reports. More granular information, including TTPs, on all reports is available via RST Report Hub.

Title: Sneaky 2FA: exposing a new AiTM Phishing-as-a-Service
Link: https://blog.sekoia.io/sneaky-2fa-exposing-a-new-aitm-phishing-as-a-service
Summary: In December 2024, a new Adversary-in-the-Middle phishing kit called "Sneaky 2FA" targeting Microsoft 365 accounts was identified during threat hunting activities, with evidence of its existence dating back to October 2024. The kit, offered as Phishing-as-a-Service by the cybercrime group "Sneaky Log," includes advanced evasion techniques such as autograb functionality, anti-debugger mechanisms, and IP filtering, making it particularly adept at bypassing detection. The analysis revealed the kit's operational structure, including a Telegram bot used for distribution and support, and identified multiple domains associated with its phishing campaigns, showcasing the ongoing sophistication of phishing and Business Email Compromise threats.
Threats: sneaky_2fa_tool aitm_technique sneaky_log wikikit_tool tycoon_2fa dadsec_tool bec_technique mamba_2fa_tool evilginx_tool greatness_tool

Title: Lazarus APT: Techniques for Hunting Contagious Interview
Link: https://www.validin.com/blog/inoculating_contagious_interview_with_validin
Summary: The Lazarus APT, a North Korean threat actor group, has launched a campaign named "Contagious Interview," targeting job seekers through social engineering. This campaign, which became known in December 2024 thanks to security researcher @tayvano_, involves enticing individuals with fake job offers and deceiving them into executing malicious code during online interviews under the pretense of enabling camera access. Using platforms like LinkedIn and Telegram, the operators manipulate victims into installing backdoor malware.
Threats: lazarus_group contagious_interview_campaign clickfix_technique bluenoroff_group andariel_group kimsuky_group beavertail invisibleferret civetq lumma_stealer

Title: MintsLoader: StealC and BOINC Delivery
Link: https://www.esentire.com/blog/mintsloader-stealc-and-boinc-delivery
Summary: In early January 2025, a campaign utilizing MintsLoader was identified, targeting organizations in the Electricity, Oil & Gas sectors in the U.S. and Europe. MintsLoader, a PowerShell-based malware loader, is distributed through spam emails featuring links to Kongtuke/ClickFix pages or JScript files. The campaign deploys second-stage payloads such as Stealc, an information stealer that targets sensitive data from various applications and uses evasion techniques such as XOR encryption and hardware ID generation to avoid detection and static analysis. The campaign's complex infection process and its ability to maintain stealth pose significant risks to the targeted organizations' data confidentiality and integrity.
Threats: mintsloader stealc boinc_tool warmcookie clickfix_technique amsi_bypass_technique plymouth_actor arkei_stealer

Title: Double-Tap Campaign: Russia-nexus APT possibly related to APT28 conducts cyber espionage on Central Asia and Kazakhstan diplomatic relations
Link: https://blog.sekoia.io/double-tap-campaign-russia-nexus-apt-possibly-related-to-apt28-conducts-cyber-espionage-on-central-asia-and-kazakhstan-diplomatic-relations
Summary: The report outlines a cyber espionage campaign by the intrusion set UAC-0063, which targets Central Asia, particularly Kazakhstan, and is believed to be linked to Russian interests in the region. Discovered by CERT-UA in April 2023, UAC-0063 uses weaponized Office documents to collect strategic intelligence affecting diplomatic and economic relationships in Central Asia, Ukraine, and Eastern Europe. The campaign employs malicious macros and backdoor malware, including HATVIBE and CHERRYSPY, and is characterized by its focus on sectors such as government, NGOs, and academia, with the goal of maintaining Russian influence as Kazakhstan strengthens ties with Western powers.
Threats: double_tap_campaign fancy_bear_group ghostwriter_group spear-phishing_technique hatvibe cherryspy zebrocy lolbin_technique

Title: Botnets Never Die: An Analysis of the Large Scale Botnet AIRASHI
Link: https://blog.xlab.qianxin.com/large-scale-botnet-airashi
Summary: In August 2024, the cyber-attacker group known as AISURU launched a multi-wave attack targeting gamers on Steam and Perfect World servers across 13 regions, using a botnet that demonstrated significant resilience. After a brief pause in September, AISURU resumed activities in October with the release of AIRASHI, which showed new advancements, including exploitation of a 0-day vulnerability in Cambium Networks' cnPilot, robust command and control (CNC) infrastructure with nearly 60 resolution IPs, and the capacity for DDoS attacks ranging from 1 to 3 Tbps. AIRASHI employs multiple techniques for propagation and communication, leveraging n-day vulnerabilities, weak Telnet passwords, and advanced encryption methods.
Threats: airashi aisuru kitty_socks5_tool fodcha meow_group go_proxisdk_tool

Title: From Royal to BlackSuit. How a Ransomware Rebrand Reshaped Them
Link: https://redsense.com/publications/royal-blacksuit-how-ransomware-rebrand-reshaped-them
Summary: BlackSuit, a notable Russian-speaking ransomware group previously operating under the names Conti-2 and Quantum, underwent significant changes leading up to May 2023, marked by a rebranding from Royal to BlackSuit amid internal conflicts. As documented by cybersecurity research firm RedSense, the group's transformation included the adoption of both novel and off-the-shelf malware tools, as well as a new Command and Control (C2) framework. BlackSuit's operations, distinguished by a shift to encryption-centric strategies from their prior focus on data exfiltration, reveal an intent to recreate a sophisticated infrastructure similar to the Emotet-TrickBot-Ryuk kill chain, using advanced tooling for system compromise and data theft.
Threats: blacksuit_ransomware aresloader lumma_stealer royal_ransomware ryuk conti quantum_locker blackcat lockbit mount_locker dagon_locker akira_ransomware emotet anubis bazarbackdoor supply_chain_technique proxynotshell_vuln clop blackseo_technique trickbot qakbot cobalt_strike gazavat zeon luna_moth_group blackbasta karakurt_group revil trick3 phantom_dev_group heavens_gate_technique redline_stealer zenpak sefnit artemis waledac mimikatz_tool netscan_tool pchunter_tool steal-it_campaign rubeus_tool minodo carbanak_group nemesisproject gmer_tool powertool_tool

Title: F.A.C.C.T. has discovered new attacks by pro-Ukrainian cyber spies Sticky Werewolf
Link: https://habr.com/ru/companies/f_a_c_c_t/news/873762
Summary: The APT group Sticky Werewolf, identified as a pro-Ukrainian cyber espionage entity, attempted to target Russian research and production enterprises using phishing emails that falsely claimed to be from the Russian Ministry of Industry and Trade. These emails contained malicious attachments designed to deploy the Ozone RAT remote access trojan upon execution. The phishing attempts were carefully crafted, using fake documents and pretexts related to the defense industry. The group's previous activities have included attacks on various sectors in Russia and neighboring countries, showing an ongoing pattern of targeted espionage against the military-industrial complex.
Threats: sticky_werewolf_group darktrack_rat glorysprout ozone meta_stealer redline_stealer

Title: PEAKLIGHT: Illuminating the Shadows. TRAC Labs Analysis
Link: https://medium.com/trac-labs/peaklight-illuminating-the-shadows-02a1bb44885c
Summary: PEAKLIGHT is a PowerShell-based downloader identified by Mandiant that installs malware-as-a-service infostealers through the exploitation of a Microsoft Shortcut File (LNK). The initial attack vector connects to a content delivery network (CDN) hosting a JavaScript dropper that launches a PowerShell script, with linked payloads including LummaC2, HijackLoader, and CryptBot; the loader is also known as Emmenhtal. Mandiant's analysis highlights the use of legitimate tools like PowerShell and AutoIt for obfuscation, memory-only execution, and bypassing security controls, showing how attackers disguise their operations and deploy malicious payloads. The campaign also involves an AutoIt executable and various obfuscated scripts, resulting in the delivery of threats such as DarkGate.
Threats: emmenhtal lumma_stealer hijackloader cryptbot_stealer hideandseek darkgate

Title: IoT Botnet Linked to Large-scale DDoS Attacks Since the End of 2024.
Link: https://www.trendmicro.com/en_us/research/25/a/iot-botnet-linked-to-ddos-attacks.html
Summary: Since the end of 2024, large-scale DDoS attacks have been observed, primarily targeting companies in Japan and globally, driven by an IoT botnet composed of Mirai and Bashlite malware variants. The botnet exploits vulnerabilities and weak credentials in IoT devices, predominantly infecting wireless routers and IP cameras, with attack vectors varying by target geography and industry sector. A global threat intelligence effort identified 348 infected devices, mainly located in India and South Africa, from which the botnet executed multiple DDoS attack methods on commands from its command-and-control servers, leading to significant operational disruption across various industries.
Threats: mirai bashlite synflood_technique tcpsynflood_technique tcpackflood_technique ackflood_technique udpflood_technique

Title: Gootloader inside out
Link: https://news.sophos.com/en-us/2025/01/16/gootloader-inside-out
Summary: The Gootloader malware family employs SEO-driven tactics to infect users via compromised WordPress sites, manipulating Google search results to present malicious content. Documented through the efforts of security researchers and the insights of SEO expert Marv Ahlstrom, Gootloader uses code running on infected servers to orchestrate a multi-stage infection process, including dynamically generated fake message boards that entice victims to download malware. Initial attacks exploit vulnerabilities in plugins like Hello Dolly, enabling backdoor installations and stealthy operations, while ongoing analyses have revealed its methods of restricting visitor access and evading detection through continuous updates and obfuscation.
Threats: gootkit seo_poisoning_technique

This article was generated with the assistance of an artificial intelligence language model, ChatGPT.
Analysis Summary
# Tool/Technique: Sneaky 2FA
## Overview
Sneaky 2FA is a newly identified Adversary-in-the-Middle (AiTM) Phishing-as-a-Service kit specifically designed to compromise Microsoft 365 accounts. It features advanced evasion techniques to bypass security measures.
## Technical Details
- Type: Tool (Phishing Kit/Framework)
- Platform: Web-based (targeting user credentials and MFA tokens)
- Capabilities: Adversary-in-the-Middle (AiTM) proxying, credential harvesting, Two-Factor Authentication (2FA) interception, autograbbing, anti-debugging, and IP filtering.
- First Seen: Evidence dating back to October 2024; identified in December 2024.
## MITRE ATT&CK Mapping
(Note: Since this is a phishing kit primarily facilitating initial compromise, the core techniques involve social engineering and credential access.)
- **TA0001 - Initial Access**
  - T1566 - Phishing
    - T1566.001 - Spearphishing Attachment (less likely, but a possible delivery vector)
    - T1566.002 - Spearphishing Link (primary vector via the kit URL)
- **TA0007 - Credential Access**
  - T1555 - Credentials from Password Stores (if tokens are stored post-compromise)
## Functionality
### Core Capabilities
- Adversary-in-the-Middle (AiTM) functionality to proxy legitimate login sessions, allowing the capture of both usernames/passwords and subsequent Multi-Factor Authentication (MFA) codes or tokens in real-time.
- Phishing-as-a-Service model offered by the group "Sneaky Log."
### Advanced Features
- **Autograbbing Functionality:** Likely automated collection of session cookies, tokens, or captured credentials once a victim successfully logs in.
- **Anti-Debugging Mechanisms:** Techniques employed to detect and foil automated analysis by security researchers or sandboxes.
- **IP Filtering:** Capability to restrict access to the phishing pages or tailor campaigns based on the source IP address, likely to avoid detection engines or specific geographic areas.
## Indicators of Compromise
- File Hashes:
  - SHA256: `5d91563b6acd54468ae282083cf9ee3d2c9b2daa45a8de9cb661c2195b9f6cbf`
  - SHA256: `8c4e78b1bc0a0923fccc0cd2d7ca06023b6ab15af079e6b19d7d5d2fddc5488d`
- File Names: [Not explicitly detailed in context]
- Registry Keys: [Not explicitly detailed in context]
- Network Indicators:
  - Domains: `sneakylog[.]store`, `w3ll[.]store`, `africanagrirnarket[.]com`
  - IPs: `185[.]125[.]100[.]81`, `101[.]99[.]92[.]124`
- Behavioral Indicators: Real-time forwarding of authentication requests and MFA prompts to the attacker-controlled infrastructure.
## Associated Threat Actors
- Sneaky Log (The cybercrime group offering the service)
## Detection Methods
- Signature-based detection: File hashes listed above can immediately detect the presence of the kit files.
- Behavioral detection: Monitoring web server logs for requests being proxied to known AiTM URLs, or for suspicious session cookie relay activity bypassing standard authentication flows.
- YARA rules: Could be developed based on unique strings or code structure within the kit files, particularly looking for functions related to anti-debugging or proxy forwarding logic.
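The signature and behavioural checks above, carried into code as an added example (not code from the RST Cloud review or from the Sekoia report): one function matches interactive sign-ins against the two IPs quoted from the report, the other flags a session that completed MFA from one network and was reused from a different ASN or country within minutes, which is the shape a relayed session cookie leaves in sign-in telemetry. The sign-in record schema, its field names and the sample events are constructed assumptions, not a real identity provider's log format.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class SignIn:
    """One sign-in event. Constructed, simplified schema (assumption); not a
    real identity provider's log format."""
    ts: datetime         # time of the event
    user: str            # account that authenticated
    session_id: str      # session / refresh-token identifier reused after MFA
    ip: str              # client IP as seen by the identity provider
    asn: int             # autonomous system number of that IP
    country: str         # geolocation of that IP
    mfa_satisfied: bool  # True if MFA was completed in this event
    auth_kind: str       # "interactive" (password + MFA) or "token" (cookie/token reuse)


# IPs named as Sneaky 2FA infrastructure in the Sekoia report summary above.
KNOWN_AITM_IPS = {"185.125.100.81", "101.99.92.124"}


def match_known_infrastructure(events, known_ips=KNOWN_AITM_IPS):
    """Signature-style check: interactive sign-ins arriving from known AiTM hosts.

    In an AiTM flow the identity provider sees the victim's password and MFA
    arrive from the reverse proxy, so a successful interactive sign-in from a
    listed IP is a strong indicator on its own.
    """
    return [e for e in events if e.auth_kind == "interactive" and e.ip in known_ips]


def find_session_replays(events, window=timedelta(minutes=30)):
    """Behavioural check: one session used from two networks shortly after MFA.

    Returns (anchor, replay) pairs. The anchor is the first interactive sign-in
    that satisfied MFA for a session; a replay is a later non-interactive use of
    the same session, inside `window`, from a different ASN or country.
    """
    by_session = {}
    for ev in sorted(events, key=lambda e: e.ts):
        by_session.setdefault(ev.session_id, []).append(ev)

    findings = []
    for sess in by_session.values():
        anchor = next((e for e in sess if e.auth_kind == "interactive" and e.mfa_satisfied), None)
        if anchor is None:
            continue
        for ev in sess:
            if ev.auth_kind != "token" or ev.ts < anchor.ts or ev.ts - anchor.ts > window:
                continue
            if ev.asn != anchor.asn or ev.country != anchor.country:
                findings.append((anchor, ev))
    return findings


T0 = datetime(2025, 1, 20, 9, 0, 0)
SAMPLE_EVENTS = [  # constructed sample telemetry, not from any real tenant
    # benign: MFA sign-in, then token use from the same network
    SignIn(T0, "alice@example.com", "S-1", "203.0.113.10", 64500, "DE", True, "interactive"),
    SignIn(T0 + timedelta(minutes=5), "alice@example.com", "S-1", "203.0.113.10", 64500, "DE", False, "token"),
    # suspicious: MFA completed via one network, session reused two minutes later from another ASN and country
    SignIn(T0 + timedelta(minutes=10), "bob@example.com", "S-2", "198.51.100.7", 64496, "DE", True, "interactive"),
    SignIn(T0 + timedelta(minutes=12), "bob@example.com", "S-2", "192.0.2.44", 64497, "NL", False, "token"),
    # outside the window: a travelling user the replay check deliberately leaves to other rules
    SignIn(T0 + timedelta(hours=20), "bob@example.com", "S-2", "192.0.2.99", 64498, "FR", False, "token"),
    # interactive sign-in from an IP the report attributes to the kit
    SignIn(T0 + timedelta(minutes=15), "carol@example.com", "S-3", "185.125.100.81", 64499, "US", True, "interactive"),
]


def run_demo(events=SAMPLE_EVENTS):
    """Run both checks and return human-readable alert strings."""
    alerts = []
    for e in match_known_infrastructure(events):
        alerts.append(f"known AiTM infrastructure: {e.user} signed in from {e.ip} at {e.ts:%H:%M}")
    for anchor, replay in find_session_replays(events):
        alerts.append(
            f"possible session replay: {anchor.user} completed MFA from {anchor.ip} ({anchor.country}) "
            f"at {anchor.ts:%H:%M}; session {anchor.session_id} reused from {replay.ip} "
            f"({replay.country}) at {replay.ts:%H:%M}"
        )
    return alerts


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

The ASN/country comparison is a coarse proxy for "different network"; in production, enrich with device identity and the user's baseline locations to keep travelling users out of the alert queue.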
## Mitigation Strategies
- **Prevention measures:** Implement robust phishing training for users, emphasizing scrutiny of URLs related to Microsoft 365 login pages.
- **Hardening recommendations:** Enforce phishing-resistant MFA methods (e.g., FIDO2/WebAuthn security keys) that are immune to AiTM token theft. Configure strict network egress filtering and use security headers to limit cross-site requests on internal applications.
## Related Tools/Techniques
- AiTM Phishing Kits (e.g., EvilProxy, Modlishka, Muraena)