
Monday, November 11, 2024

2024-11-04 CRON#TRAP (Emulated Linux Environments) Samples

2024-11-04 Securonix: CRON#TRAP: Emulated Linux Environments as the Latest Tactic in Malware Staging

Attackers distribute a custom QEMU-emulated Linux environment via a malicious .lnk file within a phishing email. When executed, this file installs and initiates a QEMU instance to run a Tiny Core Linux backdoor, enabling covert persistence on the victim's machine.

The .lnk file activates PowerShell to extract and run QEMU, renamed as fontdiag.exe, from a large, concealed zip archive.

This QEMU instance connects to a C2 server, maintaining a hidden presence through an emulated environment undetectable by most antivirus tools.

The emulated environment includes "PivotBox" settings with command aliases for direct interaction with the host, and command logs reveal steps like SSH setup, payload execution, and persistence configurations.

Attackers use legitimate software (QEMU) renamed and executed from uncommon directories, alongside SSH keys and script modifications, ensuring reliable access and minimal detection.

crondx, a Chisel-based backdoor, establishes a secure C2 channel via websockets, enabling encrypted data exfiltration and further payload deployment.

2024-10-30 Lunar Spider's Latrodectus JS loader samples

2024-10-30 EclecticIQ: Inside Intelligence Center: LUNAR SPIDER Enabling Ransomware Attacks on Financial Sector with Brute Ratel C4 and Latrodectus

LUNAR SPIDER’s recent campaign used Latrodectus, a heavily obfuscated JavaScript loader, to deliver Brute Ratel C4 payloads targeting the financial sector. Key technical observations include:

Malvertising and SEO Poisoning: Victims searching for tax-related content are redirected to download malicious JavaScript files such as Document-16-32-50.js. These scripts retrieve an MSI installer, which deploys Brute Ratel C4 (BRc4) by disguising the payload as legitimate software (vierm_soft_x64.dll executed via rundll32). This method exemplifies advanced evasion tactics to bypass detection.

Command and Control (C2) Infrastructure:

BRc4 communicates with multiple C2 domains, such as bazarunet[.]com and tiguanin[.]com, allowing remote access and command execution on compromised systems.

Persistent infrastructure overlaps include SSL certificates with issuer fields "AU," "Some-State," and "Internet Widgits Pty Ltd," frequently linked to LUNAR SPIDER’s IcedID operations. Additionally, ASN 395092 (SHOCK-1) consistently hosts both IcedID and Latrodectus campaigns, indicating a shared resource pool across malware families.

The BRc4 payload modifies the Windows registry, specifically adding an entry under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run for persistence across reboots.
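The indicators in this entry are published defanged (bazarunet[.]com) and the persistence is a Run-key value that points rundll32 at a DLL in a user profile. The script below is an added example, not code from EclecticIQ or this blog, that refangs the listed domains into a matcher and triages constructed Sysmon-style registry and DNS events for those two behaviours. The event layout, the list of user-writable directories, and all sample events are assumptions; the two C2 domains and the DLL name vierm_soft_x64.dll are taken from the text above.

```python
"""Triage Run-key persistence and C2 DNS lookups against defanged IoCs.

Added example: the events below are constructed, not real telemetry.
"""
from __future__ import annotations

import re

# Domains exactly as they appear in the write-up (defanged).
C2_DOMAINS_DEFANGED = ["bazarunet[.]com", "tiguanin[.]com"]


def refang(indicator: str) -> str:
    """Turn a defanged indicator into a matchable value, e.g. 'a[.]b' -> 'a.b'."""
    return indicator.strip().lower().replace("[.]", ".").replace("hxxp", "http")


C2_DOMAINS = {refang(d) for d in C2_DOMAINS_DEFANGED}

# Per-user or machine Run/RunOnce keys; matches both HKCU\... and Sysmon's HKU\<SID>\... form.
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run(?:once)?\\", re.I)
# Locations a standard user can write to (assumption: the usual suspects, not an exhaustive list).
USER_WRITABLE = re.compile(
    r"\\(?:users\\[^\\]+\\(?:appdata|downloads|documents|desktop)|programdata|windows\\temp)\\", re.I
)
RUNDLL32 = re.compile(r"\brundll32(?:\.exe)?\b", re.I)


def domain_matches(query: str, c2_domains: set[str]) -> bool:
    """True if the queried name is a listed C2 domain or a subdomain of one."""
    q = query.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in c2_domains)


def run_value_reasons(target_object: str, details: str) -> list[str]:
    """Reasons a Run-key write looks like loader persistence; [] for non-Run keys or benign values."""
    if not RUN_KEY.search(target_object):
        return []
    reasons: list[str] = []
    if RUNDLL32.search(details):
        reasons.append("autorun value uses rundll32 to load a DLL")
    if USER_WRITABLE.search(details):
        reasons.append("autorun payload lives in a user-writable path")
    return reasons


def triage(events: list[dict]) -> list[dict]:
    """Return one finding per suspicious event with the host, event type and reasons."""
    findings = []
    for ev in events:
        if ev["type"] == "registry":
            reasons = run_value_reasons(ev["target_object"], ev["details"])
        elif ev["type"] == "dns":
            reasons = ["DNS query for a listed BRc4 C2 domain"] if domain_matches(ev["query"], C2_DOMAINS) else []
        else:
            reasons = []
        if reasons:
            findings.append({"host": ev["host"], "type": ev["type"], "reasons": reasons})
    return findings


# Constructed sample events (Sysmon-like registry value set and DNS query records).
SAMPLE_EVENTS = [
    {"type": "registry", "host": "wks-01",
     "target_object": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run\vierm",
     "details": r"rundll32.exe C:\Users\alice\AppData\Roaming\vierm_soft_x64.dll"},
    {"type": "registry", "host": "wks-02",
     "target_object": r"HKU\S-1-5-21-2222\Software\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "details": r"C:\Program Files\Vendor\updater.exe /background"},
    {"type": "dns", "host": "wks-01", "query": "bazarunet.com"},
    {"type": "dns", "host": "wks-03", "query": "www.example.com"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f["host"], f["type"], "; ".join(f["reasons"]))
```

A Run-key write on its own is far too noisy to alert on, so the registry branch only reports when the value also shows a loader trait (rundll32 or a user-writable path); the DNS branch matches subdomains as well, since C2 frameworks commonly front a registered domain with varying hostnames.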