This is a weekly threat intelligence report review from RST Cloud. This week, we analysed 53 threat intelligence reports and compiled a summary of each, along with the pertinent metadata extracted from them. Below you will find a short summary of 10 reports, the related threats, tools and threat actors, a link to the source, and the indicators of compromise (IoCs) extracted from the original reports. More granular information, including TTPs, on all reports is available via RST Report Hub.

Title: Crypters And Tools. Part 2: Different Paws — Same Tangle
Link: https://global.ptsecurity.com/analytics/pt-esc-threat-intelligence/crypters-and-tools-part-2-different-paws-same-tangle
Summary: The analysis of the cyber threat groups TA558, Blind Eagle, and Aggah reveals their unique operational tactics and toolsets, particularly their use of a crypter known as Crypters And Tools, which has led to some confusion regarding their association. While Aggah is known for aggressive phishing campaigns and malware deployment, including RevengeRAT and Agent Tesla, TA558 displays distinct naming conventions and attack strategies that differentiate it from Aggah, despite occasional overlaps. Key actors linked to these groups, including bukky101 and ABBAS, have engaged in substantial phishing activity targeting various industries, highlighting the importance of precise attribution in understanding these groups' evolving tactics within the cybercriminal ecosystem.
Threats: remcos_rat asyncrat quasar_rat njrat sbit_rat limerat agent_tesla xworm_rat loki_bot formbook revenge_rat avemaria_rat nanocore_rat rhadamanthys azorult swaetrat screenconnect_tool darktrack_rat meta_stealer meduza lumma_stealer ta558_group 3losh aggaa_campaign blindeagle_group sticky_werewolf_group uac-0050_group phantomcontrol_campaign roma225_campaign meme_4chan_campaign bukky101_actor deadpoolstart2025s_actor abbas_actor syscore_actor negrocock_actor kareemhacker_actor headmaster ande_loader steganography_technique manatools_tool mana_tool 0bj3ctivity_stealer rtf_template_inject_technique hirricate_actor
Indicators of compromise:
-------------------------
ip: 149[.]56[.]200[.]165, 179[.]15[.]149[.]222, 191[.]88[.]255[.]30, 181[.]134[.]151[.]81, 181[.]131[.]216[.]73, 181[.]52[.]105[.]166, 192[.]210[.]150[.]33, 107[.]172[.]148[.]248, 104[.]168[.]7[.]36, 149[.]28[.]237[.]172, 172[.]234[.]217[.]133, 62[.]60[.]226[.]64, 192[.]154[.]226[.]47, 198[.]50[.]177[.]251, 37[.]49[.]228[.]234, 185[.]38[.]142[.]224, 181[.]71[.]217[.]114, 179[.]14[.]11[.]213, 191[.]93[.]113[.]10, 152[.]201[.]184[.]91
domain: minhacasaminhavidacdt[.]blogspot[.]com, internetexplorer200[.]blogspot[.]com, cdtmaster[.]com[.]br, systenfailued[.]ddns[.]com[.]br, systen32[.]ddns[.]net, office365update[.]duckdns[.]org, cdtoriginal[.]ddns[.]net, mondayyyyvbsgreeceee[.]duckdns[.]org, wednesdayyyyyyfile[.]duckdns[.]org, fridayyyyvert[.]3utilities[.]com, masterman1[.]serveirc[.]com, masterman2[.]serverc[.]com, mastermana3[.]serveirc[.]com, mastermana4[.]serveirc[.]com, mastermana5[.]servirc[.]com, warzonecdt[.]duckdns[.]org, ccnewcdt[.]duckdns[.]org, backuphotelall[.]blogspot[.]com, hotelbackuppowaug[.]blogspot[.]com, manablack[.]duckdns[.]org, cpamay2024[.]duckdns[.]org, cpanewminemay24[.]duckdns[.]org, detail-booking[.]com[.]br, boydjackson[.]org, nitrosoftwares[.]com, thursdayyyyyyfileeeev[.]duckdns[.]org
url: http://104[.]168[.]7[.]38/xampp/knct/nicefeelingwithbestgoodthinksfor[.]txt, http://104[.]168[.]7[.]38/xampp/knct/Lightgreatloversonhereforlovingpeoplesalot[.]hta, http://216[.]9[.]224[.]185/33/eco/goodthingsforbestfeaturesgivenmegoodthingsforbest_______________goodthingsforbestfeaturesgivenme_____________goodthingsforbestfeaturesgivenme[.]doc, https://bitbucket[.]org/!api/2[.]0/snippets/nikkerkhan/5qkMXX/c193c8cd66ad1405f4a0ebc7293d71d0f287eb98/files/all[.]txt, https://backuphotelall[.]blogspot[.]com/atom[.]xml, https://otherbusinesssep23[.]blogspot[.]com/atom[.]xml, https://backupalllogsmay23[.]blogspot[.]com/atom[.]xml, https://hotelbackuppowaug[.]blogspot[.]com/atom[.]xml, https://otherbizzunus[.]blogspot[.]com/atom[.]xml, http://91[.]92[.]254[.]29/Users_API/ABBAS/file_odpxh4oq[.]2bf[.]txtn, http://192[.]3[.]216[.]148/uh[.]ee[.]uh[.]ee[.]uhuheee[.]doc, http://192[.]3[.]216[.]148/datingloverstartingAgain[.]vbs, http://51[.]81[.]235[.]253/66166/hd/hd[.]d[.]d[.]d[.]dddd[.]doC, http://51[.]81[.]235[.]253/66166/catcallingfemalecattogiveflowersgreat[.]gif, http://94[.]156[.]65[.]247/Users_API/negrocock/file_mq5uppna[.]ldt[.]txt, http://198[.]46[.]178[.]144/morningfiledatinglover[.]vbs, http://198[.]46[.]178[.]144/eveningfiledatinglover[.]vbs, http://91[.]92[.]254[.]14/Users_API/Just1ne/file_1hsfgryb[.]he3[.]txt, http://91[.]92[.]254[.]14/Users_API/gavrels/file_ycm2xqby[.]heg[.]txty, https://91[.]92[.]254[.]29/Users_API/Ws/file_wuey5ekz[.]pcq[.]txt, http://94[.]156[.]65[.]247/Users_API/HURRICANE/file_lfhsdrdp[.]5db[.]txt
hash:
- md5=11117203c6f2c96f6b78fd19bc27e49c
- md5=c90688783f910b2b4165e2263012e19b
- sha256=5a8794fa12ff401f9f7212e497d5d877010f493e3bb028abd54cb12f60fc550f
- sha256=5fe3f4e4ab026fbcd0b595c7b35eb3b3997cae0fc8b92728b0bd556a3ec3c092
- sha256=937fcba2f15c795a209032a36a921fe9f53ea7a47e7295573cd1c0ebb8d9d241
- sha256=3a7d034a793a0f03dc9930446aebf326320140584eeb171909962ec7123f9e5e
email: jkbest22@gmail[.]com

Title: New Rust Botnet “RustoBot” is Routed via Routers
Link: https://www.fortinet.com/blog/threat-research/new-rust-botnet-rustobot-is-routed-via-routers
Summary: FortiGuard Labs has discovered a new botnet named "RustoBot," which specifically targets TOTOLINK devices and is notable for being developed in Rust. The botnet exploits vulnerabilities in the cstecgi.cgi script, particularly the command injection flaws in setUpgradeFW (CVE-2022-26210) and pingCheck (CVE-2022-26187). It also exhibits a coordinated exploitation pattern across affected DrayTek devices in various countries. "RustoBot" can target multiple architectures but primarily focuses on the mpsl architecture in TOTOLINK devices; it uses downloader scripts for distribution and retrieves system API function offsets for its malicious activities. Its primary functions are resolving the command-and-control server's domain and launching distributed denial-of-service attacks over multiple protocols, while masking its traffic through DNS-over-HTTPS.
Threats: rustobot udpflood_technique
Indicators of compromise:
-------------------------
ip: 5[.]255[.]125[.]150
domain: dvrhelper[.]anondns[.]net, techsupport[.]anondns[.]net, rustbot[.]anondns[.]net, miraisucks[.]anondns[.]net
url: http://66[.]63[.]187[.]69/mpsl, http://66[.]63[.]187[.]69/w[.]sh, http://66[.]63[.]187[.]69/wget[.]sh, http://66[.]63[.]187[.]69/t, http://66[.]63[.]187[.]69/tftp[.]sh, http://66[.]63[.]187[.]69/arm5, http://66[.]63[.]187[.]69/arm6, http://66[.]63[.]187[.]69/arm7, http://66[.]63[.]187[.]69/mips, http://66[.]63[.]187[.]69/x86
hash:
- sha256=76a487a46cfeb94eb5a6290ceffabb923c35befe71a1a3b7b7d67341a40bc454
- sha256=75d031e8faaf3aa0e9cafd5ef0fd7de1a2a80aaa245a9e92bae6433a17f48385
- sha256=fbdd5cba193a5e097cd12694efe14a15eb0fc059623f82da6c0bf99cbcfa22f8
- sha256=0dde88e9e5a0670e19c3b3e864de1b6319aaf92989739602e55b494b09873fbe
- sha256=15c9d7a63fa419305d7f2710b63f71cc38178973c0ccf6d437ce8b6feeca4ee1
- sha256=427399864232c6c099f183704b23bff241c7e0de642e9eec66cc56890e8a6304
- sha256=4f0ba25183ecb79a0721037a0ff9452fa8c19448f82943deca01b36555f2cc99
- sha256=c0abb19b3a72bd2785e8b567e82300423da672a463eefdeda6dd60872ff0e072
- sha256=dae8dae748be54ba0d5785ab27b1fdf42b7e66c48ab19177d4981bcc032cfb1c
- sha256=9f098920613bd0390d6485936256a67ae310b633124cfbf503936904e69a81bf
- sha256=e547306d6dee4b5b2b6ce3e989b9713a5c21ebe3fefa0f5c1a1ea37cec37e20f
- sha256=b910e77ee686d7d6769fab8cb8f9b17a4609c4e164bb4ed80d9717d9ddad364f
- sha256=44a526f20c592fd95b4f7d61974c6f87701e33776b68a5d0b44ccd2fa3f48c5d
- sha256=efb0153047b08aa1876e1e4e97a082f6cb05af75479e1e9069b77d98473a11f4
- sha256=9a9b5bdeb1f23736ceffba623c8950d627a791a0b40c4d44ae2f80e02a43955d
- sha256=5dc90cbb0f69f283ccf52a2a79b3dfe94ee8b3474cf6474cfcbe9f66f245a55d
- sha256=b68e2d852ad157fc01da34e11aa24a5ab30845b706d7827b8119a3e648ce2cf1
- sha256=9e660ce74e1bdb0a75293758200b03efd5f807e7896665addb684e0ffb53afd2
- sha256=ec9e77f1185f644462305184cf8afcf5d12c7eb524a2d3f4090a658a198c20ce
- sha256=114b460012412411363c9a3ab0246e48a584ce86fc6c0b7855495ec531dd05a1
- sha256=1697fd5230f7f09a7b43fee1a1693013ed98beeb7a182cd3f0393d93dd1b7576
email:

Title: Sock(et) Puppet: How RansomHub Affiliates Pull the Strings
Link: https://www.esentire.com/blog/socket-puppet-how-ransomhub-affiliates-pull-the-strings
Summary: In early March 2025, a cyberattack utilizing SocGholish malware, also known as FakeUpdates, was discovered targeting victims through a compromised WordPress site that prompted them to update Microsoft Edge. Once the victim downloaded the malicious file, the malware executed a series of reconnaissance activities to collect system information, including domain names and user credentials, which were sent to a command and control server. The malware eventually deployed a Python-based backdoor associated with the RansomHub ransomware group, designed for further exploitation and lateral movement within affected systems, demonstrating a complex attack approach that combined social engineering with advanced functionality for system infiltration.
Threats: ransomhub socgholish_loader lolbin_technique
Indicators of compromise:
-------------------------
ip: 38[.]146[.]28[.]93, 92[.]118[.]112[.]208, 173[.]44[.]141[.]226, 45[.]82[.]85[.]50, 92[.]118[.]112[.]143, 38[.]180[.]195[.]187, 185[.]219[.]220[.]175, 193[.]203[.]49[.]90, 88[.]119[.]175[.]65, 104[.]238[.]61[.]144, 38[.]180[.]81[.]153, 185[.]33[.]86[.]15, 185[.]174[.]101[.]69, 162[.]252[.]173[.]12, 185[.]174[.]101[.]240
domain: butterflywonderland[.]com, exclusive[.]nobogoods[.]com
url: https://exclusive[.]nobogoods[.]com/updateStatus, https://exclusive[.]nobogoods[.]com/profileLayout
hash:
- sha256=2686a616aa9caf1e6ecf38b1787d709fb5c2f02e8c9af237dec8d367ebcad62c
- sha256=fd20d62cd81de423bbf8a91df82b39f0368ee3eaebf191803559ad6e4ac0e4e7
- sha256=0f0db5079a9fbd760bb24ee979e2e808b2dc089c17033310838474a53a267f04
email:

Title: Operation SyncHole: Lazarus APT goes back to the well
Link: https://securelist.com/operation-synchole-watering-hole-attacks-by-lazarus/116326/
Summary: The Lazarus group has launched a targeted attack campaign named "Operation SyncHole" against multiple sectors in South Korea, exploiting vulnerabilities in locally-developed software since November 2024. The attack combines watering hole tactics with exploits, including the use of the ThreatNeedle backdoor disguised under legitimate processes, and has impacted at least six organizations in the IT, finance, telecommunications, and semiconductor industries. Notably, the attackers utilized various malware strains, such as SIGNBT and COPPERHEDGE, which leverage encryption for secure communications and are adaptable to evade detection, reflecting a sophisticated understanding of the local software landscape and of existing vulnerabilities within South Korea's cyber infrastructure.
Threats: operation_synchole_campaign lazarus_group watering_hole_technique threatneedle agamemnon wagent signbt copperhedge andariel_group lpeclient goldgoblin_campaign credential_dumping_technique volgmer dream_job_campaign mistpen cookieplus supply_chain_technique bookcodes_campaign cometer zenpak
Indicators of compromise:
-------------------------
ip:
domain: www[.]smartmanagerex[.]com, smartmanagerex[.]com
url: https://thek-portal[.]com/eng/career/index[.]asp, https://builsf[.]com/inc/left[.]php, https://www[.]rsdf[.]kr/wp-content/uploads/2024/01/index[.]php, http://www[.]shcpump[.]com/admin/form/skin/formBasic/style[.]php, https://htns[.]com/eng/skin/member/basic/skin[.]php, https://kadsm[.]org/skin/board/basic/write_comment_skin[.]php, http://bluekostec[.]com/eng/community/write[.]asp, http://dream[.]bluit[.]gethompy[.]com/mobile/skin/board/gallery/index[.]skin[.]php
hash:
- md5=f1bcb4c5aa35220757d09fc5feea193b
- md5=dc0e17879d66ea9409cdf679bfea388c
- md5=2d47ef0089010d9b699cd1bbbc66f10a
email:

Title: Contagious Interview (DPRK) Launches a New Campaign Creating Three Front Companies to Deliver a Trio of Malware: BeaverTail, InvisibleFerret, and OtterCookie
Link: https://www.silentpush.com/blog/contagious-interview-front-companies/
Summary: Researchers from Silent Push have uncovered that three cryptocurrency consulting companies (BlockNovas LLC, Angeloper Agency, and SoftGlide LLC) are actually fronts for the North Korean APT group Contagious Interview, part of the Lazarus group. This operation employs advanced social engineering tactics to target job seekers in the cryptocurrency field, using "interview malware lures" to distribute various malware strains, including BeaverTail, InvisibleFerret, and OtterCookie, through job offer scams and AI-generated fake profiles. The malware is designed to enable remote access and information theft, specifically targeting cryptocurrency assets; it operates across multiple platforms and uses a command and control domain, lianxinxiao.com, as part of an infrastructure that includes obfuscation techniques to evade detection and maintain control post-infection.
Threats: contagious_interview_campaign beavertail invisibleferret ottercookie blocknovas_campaign famous_chollima_group lazarus_group residential_proxy_technique atlas_lion_group frostyferret clickfix_technique powershell_shell_tool anydesk_tool
Indicators of compromise:
-------------------------
ip: 37[.]211[.]126[.]117, 167[.]88[.]39[.]141, 136[.]143[.]190[.]199, 86[.]104[.]74[.]169, 37[.]221[.]126[.]117, 155[.]94[.]255[.]2, 174[.]128[.]251[.]99, 194[.]33[.]45[.]162, 198[.]255[.]45[.]131, 199[.]115[.]99[.]34, 204[.]188[.]233[.]66, 208[.]115[.]228[.]234, 209[.]127[.]117[.]234, 23[.]106[.]161[.]1, 23[.]106[.]169[.]120, 38[.]170[.]181[.]10, 38[.]32[.]68[.]195, 45[.]86[.]208[.]162, 66[.]118[.]255[.]35, 70[.]32[.]3[.]15, 70[.]39[.]103[.]3, 70[.]39[.]70[.]194, 77[.]247[.]126[.]189, 91[.]239[.]130[.]102, 95[.]164[.]33[.]66
domain: blocknovas[.]com, angeloper[.]com, softglide[.]co, lianxinxiao[.]com, cryptojobslist[.]com, cryptotask[.]org, getonbrd[.]com, freelancer[.]com, intch[.]org, jobatus[.]pt, thirdwork[.]xyz, main_empoqo[.]py, mail[.]blocknovas[.]com, bookings[.]blocknovas[.]com, gitlab[.]blocknovas[.]com, chat[.]blocknovas[.]com, apply[.]blocknovas[.]com, angeloperonline[.]online, mail[.]blocknovas[.]com:4200, phemex[.]com, oasispromarkets[.]com, godex[.]io, nobleblocks[.]com, futureexchange[.]io, flip[.]gg, arabiancamels[.]io, nftkeepers[.]io, kaisa[.]io, smartwhales[.]ai, hunt-crypto[.]com, oliveandchain[.]com, henrykdiamonds[.]com, yourbijouxbox[.]com, allpurposecreams[.]com, gitlab[.]blocknova[.]com, easydriver[.]cloud, apply-blocknovas[.]site, apply-blockvas[.]site, lianxinxioa[.]com, camdriversupport[.]com, api[.]drive-release[.]cloud, api[.]camdriversupport[.]com, lianxinxiao[.]com:5000, mail[.]blocknova[.]com, wonthegame[.]site, xn--12c5eglc5bd7i[.]site, insomnianwin[.]site, lasvegas[.]site, server[.]attisscmo[.]com, attisscmo[.]com, kryptoneer[.]com, suillama[.]com, bigrocks918[.]com, mehmetdemir[.]angeloper[.]com, calendly[.]com, angerloperonline[.]online, crypto[.]jobs, teachme[.]to, drive-release[.]cloud
url: https://www[.]virustotal[.]com/gui/domain/lianxinxiao[.]com/relations, https://www[.]bizapedia[.]com/nm/blocknovas-llc[.]html, https://medium[.]com/blocknovas, https://web[.]archive[.]org/web/20250404212159/https://www[.]blocknovas[.]com/about-us, https://dev[.]to/topninja/i-hacked-web3-wallet-15e4, https://gitlab[.]blocknovas[.]com/super/nyx1[.]2upgrade-test-public, https://easydriver[.]cloud/nvidia-nx[.]update/$- l, https://easydriver[.]cloud/nvidia-mac[.]update/$- l, https://easydriver[.]cloud/nvidia-rc[.]update/$- l, https://api[.]camdriversupport[.]com/nvidiawin[.]update, https://easydriver[.]cloud/nvidiawin[.]update, https://github[.]com/bigrocks918, https://github[.]com/xorostar/blocknovas-llc-currency-converter-task, https://github[.]com/mirzamudassir/blocknovas-nyx-public, https://github[.]com/search?q=path%3Abackend%2Fservices%2F+content%3Aeval%28decodeURIComponent%28%27&type=code, https://www[.]preemptive[.]com/online-javascript-obfuscator, https://github[.]com/Collaborate3562/ncipher-backend/blob/main/backend/config/key[.]js, https://github[.]com/Asrtothunder01/bitcoin/blob/main/backend/services/PaymentServices[.]js, https://attisscmo[.]com/static/js/main[.]3d770319[.]js, https://web[.]archive[.]org/web/20241217214532/http://www[.]kryptoneer[.]com, https://linkedin[.]com/in/mehmet-demir-godev, https://www[.]linkedin[.]com/company/angeloper-agency, https://github[.]com/bigrocks918/hugo_portf_meh/commit/11b80699fbecea8df32df74b2dcd8046bda669bc, https://github[.]com/bigrocks918/hugo_portf_meh/commit/be2ad1272fd48889f6bad1ef93c326ab3cde11d8, https://github[.]com/bigrocks918/softglide-landing/commits/main, https://github[.]com/search?q=user%3Abigrocks918, https://dev[.]to/mehmetdemir, https://huggingface[.]co/state-spaces/mamba-2[.]8b/discussions/5, https://huggingface[.]co/bigrocks918, https://www[.]guru[.]com/freelancers/mehet-demir-full-stack-developer, https://www[.]guru[.]com/freelancers/mehet-demir-full-stack-developer/reviews, https://www[.]guru[.]com/pro/employerhistory[.]aspx?compid=1379332, https://github[.]com/hades255?tab=overview&from=2025-01-01&to=2025-01-31, https://www[.]linkedin[.]com/posts/gabriel-lima-b0668a2b2_im-happy-to-share-this-instanavigation-project-activity-7295888089867018243-iDXT, https://github[.]com/hades255, https://github[.]com/orgs/Blocknovas/followers, https://github[.]com/orgs/SoftGlide-LLC/followers, https://github[.]com/lopezluis00, https://github[.]com/thegoodearth918, https://github[.]com/thegoodearth918/create-aviation/js/bigrocks[.]js, https://crypto[.]jobs/companies/blocknovas-llc-1, https://iam-gabriel[.]vercel[.]app
hash:
email: contact@blocknovas[.]com, kisikbo5[.]werer@gmail[.]com, ramon[.]tech@blocknovas[.]com, designedcuratedamy58@gmail[.]com, daisukeoikitsugu@gmail[.]com, rockstar96954@gmail[.]com, hundredup2023@gmail[.]com, phoenixfire471@gmail[.]com, awesomium430@gmail[.]com, master2819@gmail[.]com, rodriguezjamesdaniel0807@gmail[.]com, satoshiyama14@gmail[.]com, richardkdavis45@gmail[.]com, thedron101@gmail[.]com, fairdev610@gmail[.]com, trevorgreer9312@gmail[.]com, bigrocks89@outlook[.]com, tsumin[.]work@gmail[.]com, gabriel[.]dev9725@gmail[.]com

Title: HANNIBAL Stealer: A Rebranded Threat Born from Sharp and TX Lineage
Link: https://www.cyfirma.com/research/hannibal-stealer-a-rebranded-threat-born-from-sharp-and-tx-lineage/
Summary: Hannibal Stealer is an advanced information-stealing malware variant, rebranded from earlier families such as Sharp and TX, that runs on the .NET Framework and specifically targets Chromium- and Gecko-based browsers to extract sensitive data while bypassing certain security measures. Discovered through its marketing on platforms like BreachForums, it captures a wide array of credentials from cryptocurrency wallets, FTP clients, and various applications, and adds features such as system profiling and clipboard hijacking. The malware employs geofencing to avoid execution in specific regions and includes a structured command and control panel for streamlined management and exfiltration of stolen data, reflecting a sophisticated operational framework within the evolving cyber threat landscape.
Threats: hannibal_stealer process_injection_technique dll_sideloading_technique credential_dumping_technique credential_harvesting_technique sharp_stealer
Indicators of compromise:
-------------------------
ip:
domain: www[.]hannibal[.]dev
url: http://45[.]61[.]151[.]60/login, http://45[.]61[.]141[.]160:8001/login
hash:
- sha256=f69330c83662ef3dd691f730cc05d9c4439666ef363531417901a86e7c4d31c8, md5=d18961f7777d329e17cfb824926d9e12
- sha256=251d313029b900f1060b5aef7914cc258f937b7b4de9aa6c83b1d6c02b36863e
email:

Title: Triada strikes back
Link: https://securelist.com/triada-trojan-modules-analysis/116380/
Summary: The Triada Trojan has evolved significantly, using advanced techniques to maintain persistent control over Android devices by embedding malicious code into firmware through vulnerabilities in older systems. It employs a multi-stage loader in system apps to compromise critical processes, allowing it to inject its components undetected into newly launched applications and modify their functionality to conduct various malicious activities, such as intercepting messages, stealing login credentials, and altering cryptocurrency transactions. Discovered through Kaspersky's telemetry, the Trojan is distributed via counterfeit devices and has spread widely across several countries, leading to substantial financial gains for the attackers, with over $264,000 reportedly accrued through these operations.
Threats: triada_trojan dwphon xhook_tool vo1d supply_chain_technique
Indicators of compromise:
-------------------------
ip: 8[.]218[.]194[.]192, 120[.]79[.]89[.]98
domain: g[.]sxim[.]me, 68u91[.]66foh90o[.]com, w0g25[.]66foh90o[.]com, is5jg[.]3zweuj[.]com, xjl5a[.]unkdj[.]xyz, lvqtcqd[.]pngkcal[.]com, xcbm4[.]0pk05[.]com, lptkw[.]s4xx6[.]com, ad1x7[.]mea5ms[.]com, v58pq[.]mpvflv[.]com, bincdi[.]birxpk[.]com, 773i8h[.]k6zix6[.]com, ya27fw[.]k6zix6[.]com, mp2y3[.]sm20j[.]xyz, ompe2[.]7u6h8[.]xyz, app-file[.]b-cdn[.]net
url: https://raw[.]githubusercontent[.]com/adrdotocet/ott/main/api[.]json, https://raw[.]githubusercontent[.]com/adrdotocet2/ott/main/api[.]json, https://app-file[.]b-cdn[.]net/poctest/pc2215202501061400[.]zip, http://ompe2[.]7u6h8[.]xyz/tgzip/44a08dc22b45b9418ed427fd24c192c6[.]zip, https://mp2y3[.]sm20j[.]xyz/tgzip/44a08dc22b45b9418ed427fd24c192c6[.]zip, http://ompe2[.]7u6h8[.]xyz/tgzip/tgnetuser/online/37fd87f46e95f431b1977d8c5741d2d5[.]zip, https://mp2y3[.]sm20j[.]xyz/tgzip/tgnetuser/online/37fd87f46e95f431b1977d8c5741d2d5[.]zip, https://stas[.]a691[.]com
hash:
- md5=b8a745bdc0e083ffc88a524c7f465140
- md5=fce117a9d7c8c73e5f56bda7437bdb28
- md5=8f0e5f86046faed1d06bca7d3e48c0b8
- md5=3f887477091e67c6aaca15bce622f485
- md5=98ece45e75f93c5089411972f9655b97
- md5=d5bc1298e436424086cb52508fb104b1
- md5=dc731e55a552caed84d04627e96906d5
- md5=1d582e2517905b853ec9ebfe77759d15
- md5=b87706f7fcb21f3a4dfdd2865b2fa733
- md5=993eb2f8bf8b5c01b30e3044c3bc10a3
- md5=b187551675a234c3584db4aab2cc83a9
- md5=554f0de0bddf30589482315fe336ea72
- md5=195e0f334beb34c471352179d422c42f
- md5=2ac5414f627f8df2e902fc34a73faf44
- md5=3dc21967e6fab9518275960933c90d04
- md5=a4f16015204db28f5654bb64775d75ad
- md5=04e485833e53aceb259198d1fcba7eaf
- md5=952cc6accc50b75a08bb429fb838bff7
- md5=308e35fb48d98d9e466e4dfd1ba6ee73
- md5=f468a29f836d2bba7a2b1a638c5bebf0
- md5=72cbbc58776ddc44abaa557325440bfb
- md5=fb937b1b15fd56c9d8e5bb6b90e0e24a
- md5=2ac4d8e1077dce6f4d2ba9875b987ca7
- md5=7b8905af721158731d24d0d06e6cb27e
- md5=9dd92503bd21d12ff0f2b9740fb6e529
- md5=89c3475be8dba92f4ee7de0d981603c1
- md5=01dff60fbf8cdf98980150eb15617e41
- md5=18fef4b6e229fc01c8b9921bb0353bb0
- md5=21be50a028a505b1d23955abfd2bdb3e
- md5=43adb868af3812b8f0c47e38fb93746a
- md5=511443977de2d07c3ee0cee3edae8dc8
- md5=716f0896b22c2fdcb0e3ee56b7c5212f
- md5=83dbc4b95f9ae8a83811163b301fe8c7
- md5=a7127978fac175c9a14cd8d894192f78
- md5=a9a106b9df360ec9d28f5dfaf4b1f0b5
- md5=c30c309e175905ffcbd17adb55009240
- md5=c4efe3733710d251cb041a916a46bc44
- md5=e9029811df1dd8acacfe69450b033804
- md5=e961cb0c7d317ace2ff6159efe30276a
- md5=11aa55cd3556afa80412e512acfbd01d
- md5=2e98c16d949022e42956aaa9af908187
email:

Title: Earth Kurma APT Campaign Targets Southeast Asian Government, Telecom Sectors
Link: https://www.trendmicro.com/en_us/research/25/d/earth-kurma-apt-campaign.html
Summary: The APT group Earth Kurma has been conducting cyberespionage against government and telecommunications sectors in Southeast Asia since November 2020, focusing on the Philippines, Vietnam, Thailand, and Malaysia. The group uses sophisticated tactics, including custom malware and rootkits, to exfiltrate data and maintain unauthorized access to internal networks. Key tools associated with Earth Kurma include TESDAT, a loader for executing payloads; SIMPOBOXSPY, for data exfiltration through cloud services; and the rootkits KRNRAT and MORIYA, for persistence and traffic interception. The group employs advanced techniques for lateral movement within networks and uses keyloggers for credential theft, indicating a high level of adaptability and evolution in its operations, despite exhibiting similarities to other threat groups.
Threats: earth_kurma_group simpoboxspy_tool krnrat moriya tunnelsnake_campaign toddycat_group nbtscan_tool ladon_tool frpc_tool wmihacker_tool kmlog_tool dunloader cobalt_strike lolbin_technique downtown odriz_tool
Indicators of compromise:
-------------------------
ip: 103[.]238[.]214[.]88, 149[.]28[.]147[.]63, 166[.]88[.]194[.]53, 185[.]239[.]225[.]106, 38[.]147[.]191[.]103, 38[.]60[.]199[.]225, 45[.]77[.]250[.]21
domain: www[.]dfsg3gfsga[.]space, www[.]igtsadlb2ra[.]pw, www[.]ihyvcs5t[.]pw, www[.]vidsec[.]cc
url:
hash:
- sha256=004adec667373bdf6146e05b9a1c6e0c63941afd38e30c2461eaecb707352466
- sha256=0a50587785bf821d224885cbfc65c5fd251b3e43cda90c3f49435bb3323d2a8b
- sha256=10898b74b612b1e95826521c5ccf36f7a238f5d181993c3c78c2098fcfdc1f3f
- sha256=131bacdddd51f0d5d869b63912606719cd8f7a8f5b5f4237cbdb5c2e22e2cba2
- sha256=1ab42121bb45028a17a3438b65a3634adb7d673a4e1291efeabf227a4e016cfb
- sha256=1c350d09c1cd545d54c38cd03aba3fd4eb0e8d97a3ba6c3744cc33ed92cb9a48
- sha256=1e48967e24d4ae2ac2697ef09c0f2702285825831bd516cb3be8859496fd296f
- sha256=1f3f384e29eab247ec99d97dfe6a4b67110888e4ad313b75fa9d0beceef87e93
- sha256=1f5f6cc1cbf578412ea5279dbdb432eda251309695513a74de66063ab02789f1
- sha256=2c9b8e4852181d51ff72dc6dec78bef014db8af83d30c05c3e9c5eb060278730
- sha256=2e87615142170a7510e26f94790bfb81df4d499a9f530d0bd8fe0fb1575b17f8
- sha256=34366323262346e10d8780bad9d30c6d4d747e4ec543243be76f33b7c028ea36
- sha256=37a397a2482b37d19d58588c0a897a08111b74d122c21542f1bf852ae83e1db0
- sha256=383aa73fe72caf268ce0874ebbcd13fc4c9e1e5c6200cdd66862de7257942cea
- sha256=398234b692a80a424939e98a2d96a705ce3fd9d61950420b5f2af45890abc48e
- sha256=4198b4ec5bb0c72112e9cf835686c33b9a97037acfb7727e494046a73106e938
- sha256=45e1138f2b8e822cbd4573cb53104b402ae26dcddb42c70534cf024a8bc6db66
- sha256=49ab6e2b5e378c74d196aecac4e84c969c800051167c1e33d204531fabd17990
- sha256=4ae186ee19d0d3e246dc37ac722a27d5297d2577de59b8583c97897480290bc1
- sha256=54e14b7742801970c578fad2ec2a193334ca8a17b60ee18dd6ec0fbfc8ce900b
- sha256=612a5fcb7620deef45a021140b6c06ab9c0473dce5b7e4a54960e330a00c90f3
- sha256=6190b13df521306bfa7ee973b864ba304ee0971865a66afbe0b4661c986099f4
- sha256=66edb72f6f7c8cad23c6659a81fa023f57c1a86c7d7b7022f1453b177f2b3670
- sha256=6bbbb227d679ea00f0663c2e261d5649417d08285f9acc1fd80e806ddea08403
- sha256=6ef3a27fdca386fe093c12146cd854d9ae6b42ca637950ca46bfd364ceab5b53
- sha256=73afc6af6fdfcaf9832aa2975489271bad7c8ea58679f1a2ddd8f60b44cc4a13
- sha256=75cc8474abb1d9a06cd8086fede98958653d013fb7ff89bbc32458b022a8fc94
- sha256=823a0862d10f41524362ba8e8976ddfd4524c74075bd7f3beffa794afb54f196
- sha256=8414136128f73fa7e29032df7b8115bc89832c57e2602d81de1e520cc2d7958d
- sha256=85e78a1b0a78e5d921c89241aaadd505d66dc4df29ca7d8a81098f42487ba350
- sha256=876c822f333e812041af24ae80935a830ca5016f9aaf2e8319ebb6cab1f9d7d0
- sha256=8c703148567cb66fe27bc07d18de58aa36aa84a49f1ce7545e9ec56378857d3d
- sha256=8ca1ffbd3cd22b9bead766ebd2a0f7b2d195b03d533bacf0cb8e1b1887af5636
- sha256=8e6583cca6dd4a78bdc0387c7f30334ab038e5c77848f708fe578e60dd8d9e00
- sha256=96b407856889c920a49f921d925118a130b904e99f9fe43a87342c680ffb9f27
- sha256=a359a06fbc6b5cf5adf7f53c35145b28f3c8a70f6998631090021825aea08e22
- sha256=aa925a5a8a7d5b36a66431f4968bd1003d1bbb6cb3ff6d03d9e3e0143c48382b
- sha256=aef3407310de48e13575c3d98b660ab7ddafb7efe3f4909682907ac286062392
- sha256=b26e8e0be066ee0b86f8fb2b0a703717ebbf34c8a33ef9a6f8f164ad012f1746
- sha256=c0326a0cd6137514ee14b6ac3be7461e8cf6c6adec74d087fd30cb06b91ecda2
- sha256=c6f73268eba553c7991f876a166440f5b4d519dea6b13bc90583fde1e89e81ed
- sha256=d3d2355b1ffb3f6f4ba493000e135dfd1b28156672e17f0b34dfc90cc3add352
- sha256=e143c15eaa0b3faccc93ce3693960323dbaa683ac9ce30382e876690278dfefa
- sha256=ec9220cf8208a3105022b47861d4e200672846ef484c1ea481c5cfd617cb18dc
- sha256=f3916c414db0f660d488c9d3aaa8355f3eb036ca27a9c606fe7e5e1a9bd42b38
- sha256=f52d9355b9efb6a1fcb32b890c5c373274df21ce38050d49416f469be95dc783
- sha256=f9892636093266a01ed6f0486c00189d2eeb532a3086660490f4efeb6d026487
email:

Title: SideCopy APT organization uses open source remote control to attack — sample analysis record
Link: https://www.ctfiot.com/242917.html
Summary: The report details a sophisticated attack that begins with a malicious email containing a link to download a zip archive. The archive contains an LNK file disguised as a PDF; opening it executes a remote malicious HTA script that orchestrates two payloads, the second of which is activated only if the first fails to execute, a tactic designed to evade detection. The initial payload, "suport.exe," is saved to a specific directory and executed through a PowerShell script that incorporates decryption mechanisms, using both a Caesar cipher and AES encryption for payload management. Ultimately, the final Trojan, "DevApp.exe," communicates with a command and control server and exhibits code similarities to an open-source project, indicating potential repurposing by the attackers. This layered approach reflects evolving tactics among threat actors, complicating detection and enhancing operational effectiveness.
Threats: sidecopy_campaign xenorat
Indicators of compromise:
-------------------------
ip: 79[.]141[.]161[.]58:1256
domain: modspaceinterior[.]com
url: https://modspaceinterior[.]com/wp-content/upgrade/01
hash:
- md5=7637cbfa99110fe8e1074e7aad66710e
- md5=32a44a8f7b722b078b647e82cb9e85cf
email:

Title: MS-SQL server target attack case installing Ammyy Admin
Link: https://asec.ahnlab.com/ko/87590/
Summary: Recent attacks on MS-SQL servers have showcased the abuse of remote control tools like AnyDesk and Ammyy Admin, which function similarly to backdoors and Remote Access Trojans (RATs). These attacks succeed against inadequately secured servers: attackers scan for them and compromise them by installing malicious code that leverages weak authentication credentials. Specific methods observed include the use of GOTOHTTP for initial access and tools like Ammyy Admin (notably version V3.10) to gain system control through the "Settings3.bin" configuration file, which contains the information needed for remote access. Attackers have also used PetitPotato to manipulate the Remote Desktop Protocol (RDP) service and add new user accounts, and they frequently rely on brute force and dictionary attacks against poorly configured accounts.
Threats: ammyyadmin_tool anydesk_tool todesk_tool teamviewer_tool gotohttp_tool netstat_tool petitpotato_tool ammyyrat porttranc_tool
Indicators of compromise:
-------------------------
ip:
domain:
url: http://110[.]45[.]186[.]8/aa_v3_protected[.]exe, http://110[.]45[.]186[.]8/mscorsvw[.]log, http://1[.]220[.]228[.]82/mscorsvw1[.]log, http://1[.]220[.]228[.]82/settings3[.]bin, http://110[.]45[.]186[.]8/p[.]log, http://1[.]220[.]228[.]82/aa_v3_protected[.]exe, http://1[.]220[.]228[.]82/c[.]exe, http://1[.]220[.]228[.]82/mscorsvw[.]log, http://1[.]220[.]228[.]82/p[.]log
hash:
- md5=1c9c3b4a2753ecab833621701e1b492c
- md5=55f4a1393e2edafea92d7ebab09c92d6
- md5=753f5e2fc5bdbc9b2175913d3b883580
- md5=b3b9eb83af47770dbb8e86f95afe9634
email:

This article was generated with the assistance of an artificial intelligence language model, ChatGPT.
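The IoC blocks in this digest are defanged ("[.]" in place of "."), which is how they should stay on the page, but they need refanging and basic validation before they go into a blocklist or SIEM watchlist. The Python parser below is an added example written for this review, not RST Cloud's own tooling. It assumes only the layout visible above (a "Title:" line starting each report, then "Link:", "Summary:", "Threats:" and an "Indicators of compromise:" block with ip/domain/url/hash/email fields, hash entries written as "- md5=..." / "- sha256=..." lines, occasionally with two digests on one line) and runs on a constructed sample assembled from values in the RustoBot and Hannibal Stealer entries. It also accepts the common "hxxp" defanging, which this page does not use.

```python
"""Parse the RST Cloud weekly digest format and refang its IoCs.

Added example, not RST Cloud code. Assumes the digest layout visible on the
page: "Title:", "Link:", "Threats:" lines, then an indicators block whose
fields are "ip:", "domain:", "url:", "hash:" and "email:"; hash entries are
"- md5=<hex>" / "- sha256=<hex>" lines, sometimes with both on one line.
"""
import ipaddress
import re

# Constructed sample in the page's format (values taken from the digest's
# RustoBot entry, plus one compound hash line copied from the Hannibal entry).
SAMPLE = """Title: New Rust Botnet "RustoBot" is Routed via Routers
Link: https://www.fortinet.com/blog/threat-research/new-rust-botnet-rustobot-is-routed-via-routers
Summary: FortiGuard Labs has discovered a new botnet named "RustoBot".
Threats: rustobot udpflood_technique
Indicators of compromise:
-------------------------
ip: 5[.]255[.]125[.]150
domain: dvrhelper[.]anondns[.]net, rustbot[.]anondns[.]net
url: http://66[.]63[.]187[.]69/mpsl, http://66[.]63[.]187[.]69/w[.]sh
hash:
- sha256=76a487a46cfeb94eb5a6290ceffabb923c35befe71a1a3b7b7d67341a40bc454
- sha256=f69330c83662ef3dd691f730cc05d9c4439666ef363531417901a86e7c4d31c8, md5=d18961f7777d329e17cfb824926d9e12
email:
"""

IOC_FIELDS = ("ip", "domain", "url", "hash", "email")
HASH_LENGTHS = {"md5": 32, "sha1": 40, "sha256": 64}
HEX_RE = re.compile(r"^[0-9a-f]+$")


def refang(value: str) -> str:
    """Undo the defanging used in the digest ("[.]" for "."), plus the common
    "hxxp" scheme variant that this page does not use."""
    value = value.replace("[.]", ".").replace("[:]", ":")
    return re.sub(r"^hxxp", "http", value, flags=re.IGNORECASE)


def valid_ip(value: str) -> bool:
    """Accept IPv4/IPv6 literals; an IPv4 value may carry a ":port" suffix
    (the digest lists 79[.]141[.]161[.]58:1256 in that form)."""
    host = value.rsplit(":", 1)[0] if value.count(":") == 1 else value
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def parse_hash_line(line: str) -> list[tuple[str, str]]:
    """'- sha256=<hex>, md5=<hex>' -> [('sha256', hex), ('md5', hex)].
    Entries whose length or alphabet does not match the declared algorithm
    are dropped rather than pushed into a watchlist."""
    out = []
    for item in line.lstrip("- ").split(","):
        alg, _, digest = item.strip().partition("=")
        alg, digest = alg.lower(), digest.lower()
        if HASH_LENGTHS.get(alg) == len(digest) and HEX_RE.match(digest):
            out.append((alg, digest))
    return out


def parse_digest(text: str) -> list[dict]:
    """Split the digest into reports; return refanged, validated IoCs per report."""
    reports = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Title:"):
            current = {"title": line[6:].strip(), "link": "", "threats": [],
                       "iocs": {f: [] for f in IOC_FIELDS}}
            reports.append(current)
        elif current is None:
            continue  # preamble before the first report
        elif line.startswith("Link:"):
            current["link"] = line[5:].strip()
        elif line.startswith("Threats:"):
            current["threats"] = line[8:].split()
        elif line.startswith("- ") and "=" in line:
            current["iocs"]["hash"].extend(parse_hash_line(line))
        else:
            # "ip: a, b" style fields; Summary/Indicators/---- lines fall through
            field, sep, rest = line.partition(":")
            if sep and field in IOC_FIELDS and field != "hash":
                values = [refang(v.strip()) for v in rest.split(",") if v.strip()]
                if field == "ip":
                    values = [v for v in values if valid_ip(v)]
                current["iocs"][field].extend(values)
    return reports


if __name__ == "__main__":
    for report in parse_digest(SAMPLE):
        print(report["title"])
        for field in IOC_FIELDS:
            for value in report["iocs"][field]:
                print(f"  {field}: {value}")
```

The parser keeps the per-report grouping so each indicator can be tagged with its source title and link when loaded into a TIP or SIEM; URL and domain values are refanged but deliberately not validated further, since the digest includes entries such as research links and ports that a strict hostname check would reject.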