Monday, October 28, 2024

2024-10-23 WarmCookie/BadSpace - APT TA866 - Samples

2024-10-23 TALOS Threat Spotlight: WarmCookie/BadSpace


Summary: WarmCookie, also known as BadSpace, is a sophisticated malware family that emerged in April 2024, primarily distributed through malspam and malvertising. This malware provides long-term access to compromised environments and facilitates the deployment of additional payloads, such as CSharp-Streamer-RAT and Cobalt Strike. Its infection chains and functionality highlight notable development links to Resident backdoor, indicating possible shared authorship by TA866.

WarmCookie’s infection chain initiates through email lures—typically invoice-related and job agency themes—that direct victims to malicious JavaScript-hosting servers. The obfuscated JavaScript downloader, often delivered as a compressed ZIP, triggers a PowerShell command that uses Bitsadmin to download and execute the WarmCookie DLL, embedding itself in the system with persistence.

Persistence: WarmCookie leverages Task Scheduler to achieve persistence, creating scheduled tasks under %ALLUSERSPROFILE% or %ALLDATA%, and re-executing itself after a 60-second delay. The latest version modifies the typical command-line syntax from /p to /u for execution parameters.

Command-and-Control (C2) Adaptation: TA866 previously used unique, detectable C2 user-agent strings (e.g., Mozilla/4.0 (compatible; MSIE 6.0…)), which have since been updated to blend with standard strings like Mozilla/5.0… Firefox/115.0.

Self-Updating Mechanism: An initial implementation of a self-update command allows WarmCookie to receive updates dynamically from its C2 server, although this feature appears incomplete.

C2 Command Updates

The latest WarmCookie samples feature new C2 commands:

Command 0x8: Receives a DLL from C2, assigns it a temporary filename, and executes it.

Command 0xA: Similar to Command 0x8 but adds hardcoded parameters, allowing self-updating.
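As an added defender-side triage example (not code from the Talos report or this post), the script below runs the indicators summarised above over a few constructed scheduled-task records and proxy log lines: it flags task actions that reference a file under %ALLUSERSPROFILE% (or the %ALLDATA% string quoted in the post) together with the /p or /u switch, and client IPs still using the legacy MSIE 6.0 user-agent. The record formats, task names, paths and IPs are assumptions made for the illustration.

```python
import re
from dataclasses import dataclass

# Legacy C2 user-agent from the report; newer builds blend in as Firefox/115.0.
LEGACY_UA_PREFIX = "Mozilla/4.0 (compatible; MSIE 6.0"
# Persistence roots named in the post (%ALLDATA% quoted as written there);
# C:\ProgramData is the usual expansion of %ALLUSERSPROFILE%.
SUSPECT_ROOTS = ("%allusersprofile%", "%alldata%", r"c:\programdata")
# Bare /p (older builds) or /u (latest builds) switch in the task arguments.
SWITCH_RE = re.compile(r"(?:^|\s)/[pu](?:\s|$)", re.IGNORECASE)

@dataclass
class TaskAction:
    name: str
    command: str
    arguments: str

def task_is_suspect(task: TaskAction) -> bool:
    """True when the action references a file under a suspect root AND
    carries the /p or /u switch; either signal alone is too noisy."""
    text = f"{task.command} {task.arguments}".lower()
    under_root = any(root in text for root in SUSPECT_ROOTS)
    return under_root and SWITCH_RE.search(task.arguments) is not None

def legacy_ua_hits(log_lines):
    """Client IPs from '<ip> <user-agent>' lines that use the legacy UA."""
    hits = []
    for line in log_lines:
        ip, _, ua = line.partition(" ")
        if ua.startswith(LEGACY_UA_PREFIX):
            hits.append(ip)
    return hits

# Constructed sample records for the illustration (not real artifacts).
SAMPLE_TASKS = [
    TaskAction("Updater", r"C:\Windows\System32\rundll32.exe",
               r'"C:\ProgramData\Vendor\payload.dll",Start /u'),
    TaskAction("VendorUpdate", r"C:\Program Files\Vendor\update.exe", "/u"),
    TaskAction("Backup", r"C:\ProgramData\Backup\run.exe", "/quiet"),
]
SAMPLE_LOG = [
    "10.0.0.5 Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)",
    "10.0.0.7 Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:115.0) Firefox/115.0",
]

def triage():
    """Names of suspect tasks and client IPs using the legacy user-agent."""
    tasks = [t.name for t in SAMPLE_TASKS if task_is_suspect(t)]
    return tasks, legacy_ua_hits(SAMPLE_LOG)
```

A user-agent match alone is weak against the latest samples, which use the Firefox/115.0 string, so treat the task-action check as the primary signal.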

2024-10-25 HeptaX - Unauthorized RDP Connections. Malicious LNK > PowerShell > Bat files Samples

2024-10-25 Cyble: HeptaX: Unauthorized RDP Connections for Cyberespionage Operations

Summary:

  • The attack starts with a malicious LNK file delivered within a ZIP file, likely distributed through phishing emails, and seems to target the healthcare industry.
  • Upon execution, the LNK file initiates a PowerShell command that downloads multiple scripts and batch files from a remote server to establish persistence and control over the victim’s system.
  • The LNK file, once opened, triggers PowerShell commands that download additional payloads from hxxp://157.173.104[.]153.
  • These scripts enable the attacker to create a new user account with administrative privileges and alter RDP settings, reducing authentication requirements for easier unauthorized access.
  • A persistent shortcut (LNK) file is created in the Windows Startup folder to maintain access.
  • The primary PowerShell script communicates with the C2 server, constructing URLs with a unique identifier (UID) for the compromised machine to fetch commands or additional payloads.
  • If UAC is detected as weak or disabled, the attack proceeds with further stages that lower the system's security configurations.
  • A secondary payload, "ChromePass," is introduced, targeting Chromium-based browsers to harvest stored credentials, escalating the risk of compromised accounts.
  • Scripts configure the system to facilitate remote desktop access, enabling actions such as data exfiltration, monitoring, and installation of further malware.
  • Subsequent batch files (e.g., k1.bat, scheduler-once.bat) execute commands that hide traces, remove logs, and schedule tasks disguised as system operations to maintain persistence and evade detection.
  • The final stages involve the execution of a PowerShell script that performs reconnaissance, collects extensive system data, and sends it encoded to the C2 server.


Download

Thursday, October 10, 2024

2024-10-03 Amnesia Stealer Samples

2024-10-03 Threatmon: Amnesia Stealer 

Summary:

  • Amnesia Stealer, a customizable open-source malware, was identified by ThreatMon on September 17, 2024.
  • Functions as Malware-as-a-Service (MaaS), making it easily accessible for cybercriminals.
  • Uses Discord and Telegram for Command & Control (C2) operations.
  • Capable of stealing sensitive data like browser passwords, Discord tokens, cryptocurrency wallets, and Wi-Fi credentials.
  • Features keylogging, clipboard hijacking, and can bypass Windows Defender.
  • Can inject additional malware like trojans, cryptocurrency miners, and droppers.
  • Available in three versions: Free, VIP, and an Android variant (in development).
  • Android version can steal call logs, SMS, and WhatsApp session files.

-- Key findings by ThreatMon.


--------

Download