Cyber Threat Breakdown April 2023

April has come and gone, leaving behind a trail of attacks listed below.
To celebrate the spring, we are changing the format of this report and are now including the IOCs related to each attack, to facilitate prevention.

The Table of Contents below is clickable, so you can access the required entry fast without scrolling down for hours.

Table of Contents

Trigona Ransomware Attacks MSSQL Servers

Daggerfly Targets Telecommunications Company in Africa

Ragnar Locker

Lazarus Group Adds Linux Malware to Arsenal in Operation Dream Job

Additional IOCs for 3CS Breach

Aukill EDR Killer Malware Abuses Process Explorer Driver

Fake Chrome Updates Spread Malware

Qbot Using New Attack Vector in its Latest Phishing Emails

CrossLock Ransomware Emerges: New Golangbased Malware on the Horizon

Windows ZeroDay Vulnerability CVE202328252 Exploited by Nokoyawa Ransomware Group

Apt36 Expands Interest Within Indian Education Sector

Resurgence of the Mexals Cryptojacking Campaign

Money Message Ransomware Targets Windows and Linux Devices

Mantis Uses New Tooling in Attacks Against Palestinian Targets

Malicious ISO File Leads to Quantum Ransomware Infection

Cl0p Ransomware Plagues Businesses Worldwide

Silkloader

Inside Mispadu Massive Infection Campaign in LATAM

Blackguard Stealer Extends Its Capabilities in New Variant

Trigona Ransomware Attacks MSSQL Servers

Summary

• Poorly managed MSSQL servers were discovered infected with the Trigona ransomware. The infected devices were also infected with shell malware that can take advantage of a privilege escalation (MS16032) vulnerability to execute a malicious binary. The ransomware created a registry run key for persistence and deleted volume shadow copies to inhibit system recovery.

IOCs

Trigonabgicgadfig_browsing77Dll.dll

• • SHA1: c609ec0c1061fe3f04bc30e965a4d3d2450bd8d1

• • MD5: 46b639d59fea86c21e5c4b05b3e29617

• • SHA256: 19667eba21a1caefda0a23cb43bdcb09070944e7cf7e3c2c11de1ba036677f09

Trigonabgicgadfig_browsing78Exe.exe

• • SHA1: 41bcf469661ab9609a0d181953c2f8ffb75bb483

• • MD5: 530967fb3b7d9427552e4ac181a37b9a

• • SHA256: fb128dbd4e945574a2795c2089340467fcf61bb3232cc0886df98d86ff328d1b

Trigonabgicgadfig_browsing79Exe.exe

• • SHA1: 672c0f37540788ba3332f1093b7b6b7b8817e27a

• • MD5: 5db23a2c723cbceabec8d5e545302dc4

• • SHA256: 09a5f38e6d534378583eb30ac6d893211983367cb0e01b58a11ef8933eb1f9a0

Trigonabgicgadfig80_browsingExe.exe

• • SHA1: 2da7e0aea8f6392b2cc0858a3d0d0a67dd51e9b9

• • MD5: 1cece45e368656d322b68467ad1b8c02

• • SHA256: c7a930f1ca5670978aa6d323d16c03a97d897c77f5cff68185c8393830a6083f

Trigonabgicgadfig_edr77Dll.dll

• • SHA1: c609ec0c1061fe3f04bc30e965a4d3d2450bd8d1

• • MD5: 46b639d59fea86c21e5c4b05b3e29617

• • SHA256: 19667eba21a1caefda0a23cb43bdcb09070944e7cf7e3c2c11de1ba036677f09

Daggerfly Targets Telecommunications Company in Africa

Summary

The Daggerfly APT group, also known as Evasive Panda and Bronze Highland, targeted a telecommunications organization in Africa. The campaign leveraged the MgBot malware framework, which can perform network scans and steal sensitive data. The operation used the living-of-the-land tools BITSAdmin and PowerShell to download the legitimate AnyDesk remote desktop software for persistence.

IOCs

Daggerflybgicgadcbd25_browsingExe.exe

• • MD5: f78d1df059683b7c09433fd5d680d0d6

• • SHA1: b904237c6fcf1a9c148b4564b6c199d03f654d47

• • SHA256: 90e15eaf6385b41fcbf021ecbd8d86b8c31ba48c2c5c3d1edb8851896f4f72fe

Daggerflybgicgadcbd26_browsingExe.exe

• • MD5: 5a7a799e2400a0dfe73a877a4dd7a3b4

• • SHA1: 2df8b44ab20f55c4fcd7a5d5f926a8921e320f89

• • SHA256: d9b6e22b3a3ca6a7e2d5328ca66e79e2c1ee342d08f0489d6a16f6af84e6d1bf

Daggerflybgicgadcbd2_browsing7Dll.dll

• • MD5: 3f76c3dc3b70d3881edf2eaf6bb1b2a7

• • SHA1: 9b0496a84e0b1b45d8d6a7b139f5a0ce979a764d

• • SHA256: 37a1f2e08f0e8a73a7a4a4c3f7d4db9a5a5e5fcd1e54b41c9f9ec73b7d85e0d6

Daggerflybgicgadcbd28_browsingDll.dll

• • MD5: 40287f6ba1c6d05de6edfa7b4d8b4f4d

• • SHA1: 4dfb8c6a9a6a2ed6d0e5bb1a87be5f178b2da5d5

• • SHA256: a1965a5a3d5d5f85b8e489e1a298aa392a5f7d9a2a2f2607bbd1ddc17f7f1ab0

Daggerflybgicgadcbd29_browsingDll.dll

• • MD5: a3a3a5b5f88e76b1a91ca34a5d7d5ab9

• • SHA1: 2d1aeb7c555b8c6b0a6a1e0a7d6e8bb6a1c53ba0

• • SHA256: 70d8b20df4b4bb3d4d1e4e0860b80a6a2d6a0e6d8d4f4e4be3e4d1d4e1e4d7b4

Daggerflybgicgadcbd30_browsingDll.dll

• • MD5: c6d7f6e8a9b1e6f5d4c3b2a1b0a9b8c7

• • SHA1: 2a9b7c6d5e4f3b1a0a8b7f6e5

• • cb8aede4ad660adc1c78a513e7d5724cac8073bea9d6a77cf3b04b019395979a

• • 585db6ab2f7b452091ddb29de519485027665335afcdb34957ff1425ecc3ec4b

• • 29df6c3f7d13b259b3bc5d56f2cdd14782021fc5f9597a3ccece51ffac2010a0

• • ea2be3d0217a2efeb06c93e32f489a457bdea154fb4a900f26bef83e2053f4fd

• • 0bcdcc0515d30c28017fd7931b8a787feebe9ee3819aa2b758ce915b8ba40f99

• • a16a70b0a1ac0718149a31c780edb126379a0d375d9f6007a6def3141bec6810

• • db489e9760da2ed362476c4e0e9ddd6e275a84391542a6966dbcda0261b3f30a

• • 632cd9067fb32ac8fbbe93eb134e58bd99601c8690f97ca53e8e17dda5d44e0e

• • c31b409b1fe9b6387b03f7aedeafd3721b4ec6d6011da671df49e241394da154

• • 7bcff667ab676c8f4f434d14cfc7949e596ca42613c757752330e07c5ea2a453

• • 03bc62bd9a681bdcb85db33a08b6f2b41f853de84aa237ae7216432a6f8f817e

• • 3f75818e2e43a744980254bfdc1225e7743689b378081c560e824a36e0e0a195

• • 53d2506723f4d69afca33e90142833b132ed11dd0766192a087cb206840f3692

• • 22069984cba22be84fe33a886d989b683de6eb09f001670dbd8c1b605460d454

• • b45355c8b84b57ae015ad0aebfa8707be3f33e12731f7f8c282c8ee51f962292

• • 7b945fb1bdeb27a35fab7c2e0f5f45e0e64df7821dd1417a77922c9b08acfdc3

• • e8be3e40f79981a1c29c15992da116ea969ab5a15dc514479871a50b20b10158

• • b5c46c2604e29e24c6eb373a7287d919da5c18c04572021f20b8e1966b86d585

• • 2f4a97dc70f06e0235796fec6393579999c224e144adcff908e0c681c123a8a2

• • 1b8500e27edc87464b8e5786dc8c2beed9a8c6e58b82e50280cebb7f233bcde4

• • 26d129aaa4f0f830a7a20fe6317ee4a254b9caac52730b6fed6c482be4a5c79d

• • ae39ced76c78e7c2043b813718e3cd610e1a8adac1f9ad5e69cf06bd6e38a5bd

• • f6f6152db941a03e1f45d52ab55a2e3d774015ccb8828533654e3f3161cfcd21

• • cb7d9feda7d8ebfba93ec428d5a8a4382bf58e5a70e4b51eb1938d2691d5d4a5

• • 90e15eaf6385b41fcbf021ecbd8d86b8c31ba48c2c5c3d1edb8851896f4f72fe

• • c89316e87c5761e0fc50db1214beb32a08c73d2cad9df8c678c8e44ed66c1dab

• • 706c9030c2fa5eb758fa2113df3a7e79257808b3e79e46869d1bf279ed488c36

• • 017187a1b6d58c69d90d81055db031f1a7569a3b95743679b21e44ea82cfb6c7

• • 2dcf9e556332da2a17a44dfceda5e2421c88168aafea73e2811d65e9521c715c

• • 2c0cfe2f4f1e7539b4700e1205411ec084cbc574f9e4710ecd4733fbf0f8a7dc

• • d9eec27bf827669cf13bfdb7be3fdb0fdf05a26d5b74adecaf2f0a48105ae934

• • ee6a3331c6b8f3f955def71a6c7c97bf86ddf4ce3e75a63ea4e9cd6e20701024

• • 54198678b98c2094e74159d7456dd74d12ab4244e1d9376d8f4d864f6237cd79

• • a6ed16244a5b965f0e0b84b21dcc6f51ad1e413dc2ad243a6f5853cd9ac8da0b

• • c1e91a5f9cc23f3626326dab2dcdf4904e6f8a332e2bce8b9a0854b371c2b350

• • 5a0976fef89e32ddcf62c790f9bb4c174a79004e627c3521604f46bf5cc7bea2

• • 1cf04c3e8349171d907b911bc2a23bdb544d88e2f9b8fcc516d8bcf68168aede

• • 17dce65529069529bcb5ced04721d641bf6d7a7ac61d43aaf1bca2f6e08ead56

• • 98b6992749819d0a34a196768c6c0d43b100ef754194308eae6aaa90352e2c13

Ragnar Locker

Summary

Ragnar Locker is both a criminal group and a ransomware strain that primarily targets critical infrastructure. Active since 2020, the group gains initial access by exploiting vulnerabilities in public-facing applications and utilizing custom and commercial tools. Upon successful compromise, they use the users\public folder as a staging directory to run execution scripts for discovery tasks, install remote access tools, and execute additional payloads.

IOCs

Ragnarlockerbgicdddeji101_browsingExe.exe

• • SHA1: bbbffe248c90e28e89df348d9fbb6958771152fb

• • MD5: 3b849bece3794e082c495d12593c4f5e

• • SHA256: bc23fce117a33ada4c677084aa9eed8bfc99cefdb6049383fcab1dc31b5d41d1

Ragnarlockerbgicdddeji101_edrExe.exe

• • SHA1: bbbffe248c90e28e89df348d9fbb6958771152fb

• • MD5: 3b849bece3794e082c495d12593c4f5e

• • SHA256: bc23fce117a33ada4c677084aa9eed8bfc99cefdb6049383fcab1dc31b5d41d1

Lazarus Group Adds Linux Malware to Arsenal in Operation Dream Job

Summary

Description: Researchers have discovered a new campaign conducted by Lazarus, known as “Operation DreamJob,” which targets Linux users with malware for the first time. The researchers state that this new targeting confirms with high confidence that Lazarus was responsible for the recent supply chain attack on VoIP provider 3CX.

IOCs

Lazarusbgicddcjjh2_browsingElf.elf

• • SHA1: 3a63477a078ce10e53dfb5639e35d74f93cefa81

• • MD5: 3cf7232e5185109321921046d039cf10

• • SHA256: 492a643bd1efdaca4ca125ade1b606e7bbf00e995ac9115ac84d1c4c59cb66dd

Lazarusbgicddcjjh1_browsingZip.zip

• • SHA1: 9d8bade2030c93d0a010aa57b90915eb7d99ec82

• • MD5: fc41cb8425b6432af8403959bb59430d

• • SHA256: f638e5a20114019ad066dd0e856f97fd865798d8fbed1766662d970beff652ca

Lazarusbgicddcjjh1_edrZip.zip

• • SHA1: 9d8bade2030c93d0a010aa57b90915eb7d99ec82

• • MD5: fc41cb8425b6432af8403959bb59430d

• • SHA256: f638e5a20114019ad066dd0e856f97fd865798d8fbed1766662d970beff652ca

Lazarusbgicddcjjh2_edrElf.elf

• • SHA1: 3a63477a078ce10e53dfb5639e35d74f93cefa81

• • MD5: 3cf7232e5185109321921046d039cf10

• • SHA256: 492a643bd1efdaca4ca125ade1b606e7bbf00e995ac9115ac84d1c4c59cb66dd

• • https://od.lk

• • https://journalide.org

Additional IOCs for 3CS Breach

Over time, an increasing number of IOCs have been detected by analysts in the cybersecurity landscape. These IOCs are associated with malicious activities such as beaconing to actor-controlled infrastructure, deploying second-stage payloads, and in a few instances, exhibiting hands-on-keyboard behavior. 3CXDesktopApp, which is at the center of these activities, is an enterprise voice and video conferencing PABX software designed for call routing. It is developed by 3CX, a company specializing in business communications software.

IOCs

3cxdesktopappbgibiafhgi14_browsingMacho.macho

• • MD5: a267243cc99cd38810f5043158fc8208

• • SHA1: 2abc98e004dc5ebb426a3611d7b4a1c2d1c939bd

• • SHA256: 51079c7e549cbad25429ff98b6d6ca02dc9234e466dd9b75a5e05b9d7b95af72

3cxdesktopappbgibiafhgi5_browsingDll.dll

• • MD5: 74bc2d0b6680faa1a5a76b27e5479cbc

• • SHA1: bf939c9c261d27ee7bb92325cc588624fca75429

• • SHA256: 7986bbaee8940da11ce089383521ab420c443ab7b15ed42aed91fd31ce833896

3cxdesktopappbgibiafhgi4_browsingDll.dll

• • MD5: cb01ff4809638410a531400a66376fa3

• • SHA1: ff3dd457c0d00d00d396fdf6ebe7c254fed2a91e

• • SHA256: 253f3a53796f1b0fbe64f7b05ae1d66bc2b0773588d00c3d2bf08572a497fa59

3cxdesktopappbgibiafhgi10_browsingMacho.macho

• • MD5: 3703770e32820397c6e7e1e1221e6d0d

• • SHA1: 5d833bcc679db38a45111269e727ec58b75c8d31

• • SHA256: 92005051ae314d61074ed94a52e76b1c3e21e7f0e8c1d1fdd497a006ce45fa61

3cxdesktopappbgibiafhgi13_browsingMacho.macho

• • MD5: f6d63e45fe3b18454462711a97053b5a

• • SHA1: e8d14c5b3bb4290fb028504efac8cfee0bfd15b5

• • SHA256: ac99602999bf9823f221372378f95baa4fc68929bac3a10e8d9a107ec8074eca

3cxdesktopappbgibiafhgi9_browsingMacho.macho

• • MD5: ca8c0385ce2b8bdd19423c8b98a5924b

• • SHA1: f3487a1324f4c11b35504751a5527bc60eb95382

• • SHA256: b86c695822013483fa4e2dfdf712c5ee777d7b99cbad8c2fa2274b133481eadb

3cxdesktopappbgibiafhgi6_browsingDll.dll

• • MD5: 27b134af30f4a86f177db2f2555fe01d

• • SHA1: 188754814b37927badc988b45b7c7f7d6b4c8dd3

• • SHA256: c485674ee63ec8d4e8fde9800788175a8b02d3f9416d0e763360

Aukill EDR Killer Malware Abuses Process Explorer Driver

Summary

The AuKill tool exploits an outdated version of the driver used by version 16.32 of Microsoft’s Process Explorer. It disables EDR processes before deploying either a backdoor or ransomware on the target system. The tool has been used in at least three ransomware incidents since the beginning of 2023 to sabotage the target’s protection and ransomware deployment.

IOCs

Aukillbgibjigjfc1_browsingExe.exe

• • SHA1: ff11360f6ad22ba2629489ac286b6fdf4190846e

• • MD5: 811bd70aa6d099716b49794870c07b7d

• • SHA256: 08a248de098e0f9edec425ce37d13c827eaf4c54c93182f4ddf1c5b3801cf540

Aukillbgibjigjfc1_edrExe.exe

• • SHA1: ff11360f6ad22ba2629489ac286b6fdf4190846e

• • MD5: 811bd70aa6d099716b49794870c07b7d

• • SHA256: 08a248de098e0f9edec425ce37d13c827eaf4c54c93182f4ddf1c5b3801cf540

Fake Chrome Updates Spread Malware

Summary

A campaign running since the end of last year uses hacked sites to push fake web browser updates to potential victims. Malwarebytes reports that the campaign has now expanded to target speakers of Korean, Spanish, and Japanese. Affected sites include news, stores, and adult portals. Attackers are likely targeting sites based on vulnerability rather than content served, making it difficult to predict where these bogus updates will appear next.

IOCs

Fakeupdatebgibjiehcf2_browsingExe.exe

• • SHA1: 40fc800c56c5b2268c9b97a70cc230b086f6c078

• • MD5: 16feb4ab1e1f7870627a42ddae4755b9

• • SHA256: 002dd3cc05fa8b7b266c33a3c652bccd9340eabcaca1e44d4abae8b2e4ad3547

Fakeupdatebgibjiehcf1_browsingZip.zip

• • SHA1: 04c131e5caac1a81c18eff641774b885c5ddba61

• • MD5: 5e2efae752c73a3cdc0a900af39bbd5b

• • SHA256: 24f60f14ccea5ae2ae320e166b8fa5cd4769fcdf7b8338ca0c456d2e5b975cb8

Fakeupdatebgibjiehcf2_edrExe.exe

• • SHA1: 40fc800c56c5b2268c9b97a70cc230b086f6c078

• • MD5: 16feb4ab1e1f7870627a42ddae4755b9

• • SHA256: 002dd3cc05fa8b7b266c33a3c652bccd9340eabcaca1e44d4abae8b2e4ad3547

Fakeupdatebgibjiehcf1_edrZip.zip

• • SHA1: 04c131e5caac1a81c18eff641774b885c5ddba61

• • MD5: 5e2efae752c73a3cdc0a900af39bbd5b

• • SHA256: 24f60f14ccea5ae2ae320e166b8fa5cd4769fcdf7b8338ca0c456d2e5b975cb8

Qbot Using New Attack Vector in its Latest Phishing Emails

Summary

QBot, also known as QakBot, has evolved from a banking trojan into malware that facilitates initial entry into corporate networks for other threat actors. It deploys supplementary payloads, including Cobalt Strike, Brute Ratel, and other malware, allowing other threat actors to infiltrate the compromised system. The recent phishing campaign uses new attack vectors and has several IOCs and files associated with it.

IOCs

Qbotbgibjicjeg3_browsingDll.dll

• • SHA1: 59569dfd57245fe2132364d690aca1ed7f2dcba4

• • MD5: d0a338ff4f216fc647281eb49f08628a

• • SHA256: 483d45f68e449c607129770a374a718dff4bad42a314c4424d91d5d2ea9c3430

Qbotbgibjicjeg1_browsingHtml.html

• • SHA1: 0988905bc960607608a0cbe3c8d5624735175392

• • MD5: dfc1983c3e7a041ba251b2310b6d1524

• • SHA256: 3e13e46159b545b37b47bddbbda467ee5269d88df981d47617bee1646e0adba4

Qbotbgibjicjeg2_browsingCpp.cpp

• • SHA1: 3d2c568f7554058f22172d32880db29eeac2e780

• • MD5: ff2fbe2db1ea2003cb63df65b8b6eccc

• • SHA256: ed2728b28524bb01e629a6984e36bd26ab0eb727bb65e583eb826d378e20f02b

Qbotbgibjicjeg3_edrDll.dll

• • SHA1: 59569dfd57245fe2132364d690aca1ed7f2dcba4

• • MD5: d0a338ff4f216fc647281eb49f08628a

• • SHA256: 483d45f68e449c607129770a374a718dff4bad42a314c4424d91d5d2ea9c3430

Qbotbgibjicjeg2_edrCpp.cpp

• • SHA1: 3d2c568f7554058f22172d32880db29eeac2e780

• • MD5: ff2fbe2db1ea2003cb63df65b8b6eccc

• • SHA256: ed2728b28524bb01e629a6984e36bd26ab0eb727bb65e583eb826d378e20f02b

Qbotbgibjicjeg1_edrHtml.html

• • SHA1: 0988905bc960607608a0cbe3c8d5624735175392

• • MD5: dfc1983c3e7a041ba251b2310b6d1524

• • SHA256: 3e13e46159b545b37b47bddbbda467ee5269d88df981d47617bee1646e0adba4

URL

• • http://45.66.248.25

CrossLock Ransomware Emerges: New Golangbased Malware on the Horizon

Summary

The CrossLock ransomware employs the double extortion technique to increase the likelihood of payment from its victims. This technique involves not only encrypting the victim’s data but also exfiltrating it from their system. The attackers then threaten to publicly leak or sell the stolen data on the dark web if the ransom is not paid to decrypt the data. This approach puts significant pressure on the victim to pay the ransom, as they risk losing access to their data as well as the potential consequences of data exposure or theft.

IOCs

Crosslockbgibjiachc1_browsingExe.exe

• • SHA1: 55de88118fe8abefb29dec765df7f78785908621

• • MD5: 9756b1c7d0001100fdde3efefb7e086f

• • SHA256: 495fbfecbcadb103389cc33828db139fa6d66bece479c7f70279834051412d72

Crosslockbgibjiachc1_edrExe.exe

• • SHA1: 55de88118fe8abefb29dec765df7f78785908621

• • MD5: 9756b1c7d0001100fdde3efefb7e086f

• • SHA256: 495fbfecbcadb103389cc33828db139fa6d66bece479c7f70279834051412d72

Windows ZeroDay Vulnerability CVE202328252 Exploited by Nokoyawa Ransomware Group

Summary

A zero-day vulnerability in the Microsoft Windows system, which also affects Windows 11, has been employed in a ransom operation identified by Kaspersky. The Nokoyawa ransomware group has used CVE202328252 in recent attacks against businesses in the Middle East, North America, and Asia regions. Kaspersky has detected five distinct but similar exploits utilized by threat actors to target industries such as retail and wholesale, energy, manufacturing, healthcare, and software development.

IOCs

Nokoyawabgibjhgdej1_browsingExe.exe

• • SHA1: 0f5457b123e60636623f585cc2bf2729f13a95d6

• • MD5: 40c9dc2897b6b348da88b23deb0d3952

• • SHA256: 7095beafff5837070a89407c1bf3c6acf8221ed786e0697f6c578d4c3de0efd6

Nokoyawabgibjhgdej1_edrExe.exe

• • SHA1: 0f5457b123e60636623f585cc2bf2729f13a95d6

• • MD5: 40c9dc2897b6b348da88b23deb0d3952

• • SHA256: 7095beafff5837070a89407c1bf3c6acf8221ed786e0697f6c578d4c3de0efd6

CVEs

• • CVE202224521

• • CVE202237969

• • CVE202323376

• • CVE202328252

Apt36 Expands Interest Within Indian Education Sector

Summary

Transparent Tribe is a suspected Advanced Persistent Threat (APT) based in Pakistan which has been in operation since at least 2013. The threat actor has targeted the Indian government and military personnel but expanded its scope towards Indian educational institutions and students. The group distributed malicious documents via phishing email documents which were hosted on hosting services or attacker created domains. The malicious documents were used to distribute Crimson RAT which masqueraded as an update process. Crimson RAT is obfuscated with Eazfuscator and has various capabilities such as keylogging screen capture exfiltration enumeration and starting and stopping processes.

IOCs

Apt36bgibiadegf2_browsing7Exe.exe • MD5: b60da0d0ee64df0eb180170984f689d0 • SHA1: 973cb3afc7eb47801ff5d2487d2734ada6b4056f • SHA256: 32c2f8d068172457b33db145bc409a43df1175aaca30e2ac11d9b51c20bc807a

Apt36bgibiadegf28_browsingExe.exe • MD5: 85e9bdb40322b52c1faa450722276a86 • SHA1: 87e0ea08713a746d53bef7fb04632bfcd6717fa9 • SHA256: b74250a2259c947073225bbb24f11f4239d0ea4dabc45f4a40a4bbd46793fa6b

Apt36bgibiadegf29_browsingExe.exe • MD5: be4d70a6fa8d9cba1cd5173931f37a3d • SHA1: 911226d78918b303df5110704a8c8bb599bcd403 • SHA256: 83494953bb6fc04774efe41ba5013ff2500feb0ea6e3a29bbcbf89ae4e9e8727

Apt36bgibiadegf30_browsingDocx.docx • MD5: db05d76ff9a9d3f582bd4278221f244a • SHA1: 9ed39c6a3faab057e6c962f0b2aaab07728c5555 • SHA256: 5cc41e73253431a36c4f41b2c2a33af8dfbf963483c49e9dc9756cecbb7e18ee

Apt36bgibiadegf31_browsingDocx.docx • MD5: f8f0fa1baea7ee466e24935700b318bb • SHA1: af6608755e2708335dc80961a9e634f870aecf3c • SHA256: 96c2ca2f52d3902cd7a91d1a2180098ee2d1d8b18c8f1c929ed977f0b10ea227

Apt36bgibiadegf32_browsingExe.exe • MD5: e40e0a71efd051374be1663e08f0dbd8 • SHA1: 842f55579db786e46b20f7a7053861170e1c0c5e • SHA256: 63f96f77786b8499ce4e08a1883a1d5569563da14b507390cfcbd7b37c5dfb9a

Apt36bgibiadegf33_browsingDocx.docx • MD5: 9649531d94b75c1b8f4ca47c46abef13 • SHA1: fd46411b315beb36926877e4b021721fcd111d7a • SHA256: e44864bc4f93bab943a71540af5a343cc186c078e6da79995e60fff22c12f129

Apt36bgibiadegf34_browsingDocx.docx • MD5: abc96ec4610c799d9289159d1146e49c • SHA1: 738d31ceca78ffd053403d3b2bc15847682899a0 • SHA256: 0038d5c42e8085080cea2f240079c5c0d2464bf99729a9822b27eeeea849833b

Apt36bgibiadegf35_browsingExe.exe • MD5: 33a48bb729e916b5571d02f444104e93 • SHA1: 516db7998e3bf46858352697c1f103ef456f2e8e • SHA256: 5d2b37c02e60bbed036c9bb6e4f2c75de6e42c03b69c713c33d3b9325ed1b1ea

Apt36bgibiadegf36_browsingDocx.docx • MD5: 40ebd1557ea9f8f855c10af807ea6188 • SHA1: e000596ad65b2427d7af3313e5748c2e7f37fba7 • SHA256: 2006af8ccfa3a4511664c48c867d6b2325d9672ccbd7bc254d8068d13ee55110

Apt36bgibiadegf2_edr7Exe.exe • MD5: b60da0d0ee64df0eb180170984f689d0 • SHA1: 973cb3afc7eb47801ff5d2487d2734ada6b4056f • SHA256: 32c2f8d068172457b33db145bc409a43df1175aaca30e2ac11d9b51c20bc807a

Apt36bgibiadegf28_edrExe.exe • MD5: 85e9bdb40322b52c1faa450722276a86 • SHA1: 87e0ea08713a746d53bef7fb04632bfcd6717fa9 • SHA256: b74250a2259c947073225bbb24f11f4239d0ea4dabc45f4a40a4bbd46793fa6b

Apt36bgibiadegf29_edrExe.exe • MD5: be4d70a6fa8d9cba1cd5173931f37a3d • SHA1: 911226d78918b303df5110704a8c8bb599bcd403 • SHA256: 83494953bb6fc04774efe41ba5013ff2500feb0ea6e3a29bbcbf89ae4e9e8727

Apt36bgibiadegf30_edrDocx.docx • MD5: db05d76ff9a9d3f582bd4278221f244a • SHA1: 9ed39c6a3faab057e6c962f0b2aaab07728c5555 • SHA256: 5cc41e73253431a36c4f41b2c2a33af8dfbf963483c49e9dc9756cecbb7e18ee

Apt36bgibiadegf31_edrDocx.docx • MD5: f8f0fa1baea7ee466e24935700b318bb • SHA1: af6608755e2708335dc80961a9e634f870aecf3c • SHA256: 96c2ca2f52d3902cd7a91d1a2180098ee2d1d8b18c8f1c929ed977f0b10ea227

Apt36bgibiadegf32_edrExe.exe • MD5: e40e0a71efd051374be1663e08f0dbd8 • SHA1: 842f55579db786e46b20f7a7053861170e1c0c5e • SHA256: 63f96f77786b8499ce4e08a1883a1d5569563da14b507390cfcbd7b37c5dfb9a

Apt36bgibiadegf33_edrDocx.docx • MD5: 9649531d94b75c1b8f4ca47c46abef13 • SHA1: fd46411b315beb36926877e4b021721fcd111d7a • SHA256: e44864bc4f93bab943a71540af5a343cc186c078e6da79995e60fff22c12f129

Apt36bgibiadegf34_edrDocx.docx • MD5: abc96ec4610c799d9289159d1146e49c • SHA1: 738d31ceca78ffd053403d3b2bc15847682899a0 • SHA256: 0038d5c42e8085080cea2f240079c5c0d2464bf99729a9822b27eeeea849833b

Apt36bgibiadegf35_edrExe.exe • MD5: 33a48bb729e916b5571d02f444104e93 • SHA1: 516db7998e3bf46858352697c1f103ef456f2e8e • SHA256: 5d2b37c02e60bbed036c9bb6e4f2c75de6e42c03b69c713c33d3b9325ed1b1ea

Apt36bgibiadegf36_edrDocx.docx • MD5: 40ebd1557ea9f8f855c10af807ea6188 • SHA1: e000596ad65b2427d7af3313e5748c2e7f37fba7 • SHA256: 2006af8ccfa3a4511664c48c867d6b2325d9672ccbd7bc254d8068d13ee55110

Apt36bgibiadegf30_mailDocx.docx • MD5: db05d76ff9a9d3f582bd4278221f244a • SHA1: 9ed39c6a3faab057e6c962f0b2aaab07728c5555 • SHA256: 5cc41e73253431a36c4f41b2c2a33af8dfbf963483c49e9dc9756cecbb7e18ee

Apt36bgibiadegf31_mailDocx.docx • MD5: f8f0fa1baea7ee466e24935700b318bb • SHA1: af6608755e2708335dc80961a9e634f870aecf3c • SHA256: 96c2ca2f52d3902cd7a91d1a2180098ee2d1d8b18c8f1c929ed977f0b10ea227

Apt36bgibiadegf33_mailDocx.docx • MD5: 9649531d94b75c1b8f4ca47c46abef13 • SHA1: fd46411b315beb36926877e4b021721fcd111d7a • SHA256: e44864bc4f93bab943a71540af5a343cc186c078e6da79995e60fff22c12f129

Apt36bgibiadegf34_mailDocx.docx • MD5: abc96ec4610c799d9289159d1146e49c • SHA1: 738d31ceca78ffd053403d3b2bc15847682899a0 • SHA256: 0038d5c42e8085080cea2f240079c5c0d2464bf99729a9822b27eeeea849833b

Apt36bgibiadegf36_mailDocx.docx • MD5: 40ebd1557ea9f8f855c10af807ea6188 • SHA1: e000596ad65b2427d7af3313e5748c2e7f37fba7 • SHA256: 2006af8ccfa3a4511664c48c867d6b2325d9672ccbd7bc254d8068d13ee55110

• • 32c2f8d068172457b33db145bc409a43df1175aaca30e2ac11d9b51c20bc807a

• • b74250a2259c947073225bbb24f11f4239d0ea4dabc45f4a40a4bbd46793fa6b

• • 83494953bb6fc04774efe41ba5013ff2500feb0ea6e3a29bbcbf89ae4e9e8727

• • 5cc41e73253431a36c4f41b2c2a33af8dfbf963483c49e9dc9756cecbb7e18ee

• • 96c2ca2f52d3902cd7a91d1a2180098ee2d1d8b18c8f1c929ed977f0b10ea227

• • 63f96f77786b8499ce4e08a1883a1d5569563da14b507390cfcbd7b37c5dfb9a

• • e44864bc4f93bab943a71540af5a343cc186c078e6da79995e60fff22c12f129

• • 0038d5c42e8085080cea2f240079c5c0d2464bf99729a9822b27eeeea849833b

• • 5d2b37c02e60bbed036c9bb6e4f2c75de6e42c03b69c713c33d3b9325ed1b1ea

• • 2006af8ccfa3a4511664c48c867d6b2325d9672ccbd7bc254d8068d13ee55110

URLs

• • http://clouddrive.store

• • ttp://drivephone.online

Chinaz DDoS Bot Malware Distributed to Linux SSH Servers

Summary

The ChinaZ DDoS bot malware was discovered targeting Linux systems while a version for Microsoft Windows also exists. The malicious software can perform SYN UDP ICMP and DNS flood attacks. The malware also collects and exfiltrates system and network information to actor-controlled C&C servers.

IOCs

Chinazbgiabfjcjj33_browsingElf.elf

• • SHA1: 05de02436153498818c061ed9feb6c3085b9071e

• • MD5: c69f5eb555cc10f050375353c205d5fa

• • SHA256: df318d08c8f0e11ccebb48f7a4df29c5f54cccb16200d8e9e36d8aa6b7189c45

Chinazbgiabfjcjj34_browsingExe.exe

• • SHA1: 200e09de526d088df0e9e70ae17a8fbdd36dc023

• • MD5: 2ec7348e6b6b32d50a01c3ffe480ef70

• • SHA256: 9d689a79269188691f0d681536faadaed9ac346a0ef49cbaeb8b9cefa7b8cb0b

Chinazbgiabfjcjj35_browsingElf.elf

• • SHA1: 14075386e307a2ccb247541efac86284efefc217

• • MD5: c9eb0815129c135db5bbb8ac79686b9a

• • SHA256: 14afd7d319cf271a7d871f297a27eac388d7f0381a1fc0691b18a8dd15ddf327

Chinazbgiabfjcjj33_edrElf.elf

• • SHA1: 05de02436153498818c061ed9feb6c3085b9071e

• • MD5: c69f5eb555cc10f050375353c205d5fa

• • SHA256: df318d08c8f0e11ccebb48f7a4df29c5f54cccb16200d8e9e36d8aa6b7189c45

Chinazbgiabfjcjj34_edrExe.exe

• •   SHA1: 200e09de526d088df0e9e70ae17a8fbdd36dc023

• • MD5: 2ec7348e6b6b32d50a01c3ffe480ef70

• • SHA256: 9d689a79269188691f0d681536faadaed9ac346a0ef49cbaeb8b9cefa7b8cb0b

Chinazbgiabfjcjj35_edrElf.elf

• • SHA1: 14075386e307a2ccb247541efac86284efefc217

• • MD5: c9eb0815129c135db5bbb8ac79686b9a

• • SHA256: 14afd7d319cf271a7d871f297a27eac388d7f0381a1fc0691b18a8dd15ddf327

URLs

http://45.113.163.219/linux32 http://45.113.163.219/linux64 http://45.113.163.219/win32

Resurgence of the Mexals Cryptojacking Campaign

Summary

The Mexals crypto jacking campaign has been in operation since at least 2021 and continues to evolve. A new wave of attacks started in late 2022 with new functionality including SSH worm and LAN spreader modules and improved obfuscation. The malicious software kills competitor miners and CPU-heavy processes, clears command history for defense evasion, and creates a cron job for persistence.

IOCs

Resurgencebgibgdedhf3_browsingElf.elf

• • SHA1: e998494f91b08b52b28fe3304e9322962e3d1b58

• • MD5: 946689ba1b22d457be06d95731fcbcac

• • SHA256: 14779e087a764063d260cafa5c2b93d7ed5e0d19783eeaea6abb12d17561949a

Resurgencebgibgdedhf4_browsingElf.elf

• • SHA1: 787942f85273ffe57fba89beb16aed1258486a40

• • MD5: af354459aa81e1908665f4f98c7f759d

• • SHA256: 0037cc30be8824b8d5c1576d6a93342de063778ee210d3127de6c3b1173de451

Resurgencebgibgdedhf5_browsingElf.elf

• • SHA1: 8ba7c2b9d432d938760d272e0732fcefca1411de

• • MD5: f52c0b32b3f617de2e8e30db04df09d1

• • SHA256: cc0b01955db20101f93771f81a9fa6ab7c091cac8435529996020d4f3932a3e7

Resurgencebgibgdedhf6_browsingElf.elf

• • SHA1: 1a552e137fa9b2cade5efd708016927a5fdbeeff

• • MD5: 5287edba33d593df8511b8fc7e44603c

• • SHA256: 2a5db77895b09980d9fefdfe79602d69341b29312d8afc1c183fbf8d79f04bcd

Resurgencebgibgdedhf_browsing7Elf.elf

• • SHA1: c377e7e073c2aeb116f9aed9d325a132cabf6472

• • MD5: 2b846edfe925bf15bbaaaea8ecd3ef18

• • SHA256: 183aba3414c78ad553b1af5a9875926d5b1021498db63d3cc42bdf00e7315ef6

Resurgencebgibgdedhf8_browsingElf.elf

• • SHA1: 1a25fcb115ee7f4aa493142817ae995e27931b93

• • MD5: 44102492e7235a8b0b26861af68927db

• • SHA256: 44d35c673b274ea227c578b165212dadd4af2eba784db12adee1bfd8ce506a85

Resurgencebgibgdedhf9_edrElf.elf

• • MD5: 4afff4318c080e0abd7dc12034b885a1

• • SHA1: d41d8f3997d0712b280e2faae21e61d4ab93a032

• • SHA256: 09083e01529521e7d871c68e34d90e978c55191874f0acedeeb58ac041497f77

Resurgencebgibgdedhf11_edrElf.elf

• • MD5: c6d1ca0e4a0498bd02b67d8fac519ccd

• • SHA1: 1c8c16db8f458ded97484e56af58f638adbafc72

• • SHA256: 1e878334ff97bce5c948dda62a1046cd2121a657b612e412e423e36b5ee6461a

Resurgencebgibgdedhf12_edrSh.sh

• • MD5: 037500ae7c49a0e080cf532149e33654

• • SHA1: d10c3a3df80b9c142b05a6fab9a61a1e117f73fc

• • SHA256: 815dd34957f6c640ff6a70b16a71c5781a4618fe51d5d77a6e51526eb49cf2f5

Resurgencebgibgdedhf13_edrElf.elf

• • MD5: fe2157ffedfcf23dd1846c820ee96e8c

• • SHA1: 7b24581356ccbd2d01b9ac55bfd3343251c04ccd

• • SHA256: 2487cde56c2937964b6e27be8d484480a880e4386d15f0c6adf4fda88cf29864

URLs:

• • https://discord.com/api/webhooks/1036206037373571082/9bs01KrTTrcbSAPI_iadV1Bhn56A4X4fxzCYEw3zMq95H1mFvlKWb6KYzvEoVfTnS

• • https://discord.com/api/webhooks/954295081765072926/Zu7VuLpfgRqSmCyFvz3BCkR1Lt7clYOJeayCFzZwtPmZlVn9og_6mPS_BJY374m5Y3

• • https://discord.com/api/webhooks/1036205058456563722/1_saZM0fE7nLgYG668LmDfNmSvrWpD6Z8nIXljm0qlm6YyMxAyYuZIu4LhN2gHsgSQy

• • https://discord.com/api/webhooks/965651135102865479/PFdU4u8yZrn0XhzIKShcaxL3_IaBjsstYmFEXlThF2_1XCnwXSAjKos3ptwKYpPyGqvI

• • https://discord.com/api/webhooks/1036225255049531422/qyOrT3SxHaOC-9yS2NQiPxlSMYmRFFIpU-rMKzmcDv9pQyP4uaZEiZXDXioUtf0DJLUB

• • https://discord.com/api/webhooks/848592916951203860/WeWBGYSVreTlE0aO_6alVN3Qrj6_aRxnaDpq4_6wD04V2aHlMFvgik2Z2h78Dstg9fZY

IP Addresses:

• • http://139.99.123.196

• • http://212.193.30.11

• • http://212.192.241.163

• • http://185.225.74.231

Money Message Ransomware Targets Windows and Linux Devices

Summary

The Money Message ransomware targets both the Windows and Linux operating systems and exfiltrates sensitive data before encryption. The malware creates a custom mutex, stops a range of services and processes, and deletes all Volume Shadow Copy Service (VSS) snapshots. The Elliptic Curve Diffie-Hellman (ECDH) key exchange and ChaCha stream cipher algorithm are leveraged for encryption while a ransom note is created in money_message.log.

IOCs

Moneybgibdigdgi_browsing73Exe.exe

• • SHA1: a85ff9091f298ea2d6823a7b0053daa08b237423

• • MD5: 163e651162f292028ca9a8d7f1ed7340

• • SHA256: bbdac308d2b15a4724de7919bf8e9ffa713dea60ae3a482417c44c60012a654b

Moneybgibdigdgi_browsing74Exe.exe

• • SHA1: 456e5cb1739cb5f29020d1a692289a5af07ce90d

• • MD5: 400fa5d02c1ac704cd290d959b725e67

• • SHA256: dc563953f845fb88c6375b3e9311ebed49ce4bcd613f7044989304c8de384dac

Moneybgibdigdgi_browsing75Elf.elf

• • SHA1: 3b4ecff980285461642cc4aef60d4a1b9708453e

• • MD5: abe3c3cc45dec9c01762ba3e534564ed

• • SHA256: 4f8bd37851b772ee91ba54b8fd48304a6520d49ea4a81d751570ea67ef0a9904

Moneybgibdigdgi_edr75Elf.elf

• • SHA1: 3b4ecff980285461642cc4aef60d4a1b9708453e

• • MD5: abe3c3cc45dec9c01762ba3e534564ed

• • SHA256: 4f8bd37851b772ee91ba54b8fd48304a6520d49ea4a81d751570ea67ef0a9904

Moneybgibdigdgi_edr73Exe.exe

• • SHA1: a85ff9091f298ea2d6823a7b0053daa08b237423

• • MD5: 163e651162f292028ca9a8d7f1ed7340

• • SHA256: bbdac308d2b15a4724de7919bf8e9ffa713dea60ae3a482417c44c60012a654b

Moneybgibdigdgi_edr74Exe.exe

• • SHA1: 456e5cb1739cb5f29020d1a692289a5af07ce90d

• • MD5: 400fa5d02c1ac704cd290d959b725e67

• • SHA256: dc563953f845fb88c6375b3e9311ebed49ce4bcd613f7044989304c8de384dac

URLs and IPs

hxxp://money-message[.]com 185[.]62[.]190[.]58

CVEs

CVE-2021-41379: Vulnerability in the Windows Print Spooler service CVE-2021-34527: Windows Print Spooler remote code execution vulnerability

Mantis Uses New Tooling in Attacks Against Palestinian Targets

Summary

The Mantis cyber-espionage group, also known as Desert Falcon, targeted entities within the Palestinian territories with custom backdoors. The Micropsia backdoor was used to run secondary payloads, including a reverse proxy and a data exfiltration tool. Arid Gopher was also dropped by Micropsia and included a legitimate 7-Zip executable, a tool to set persistence, and a copy of the legitimate Shortcut.exe utility.

IOCs

Mantisbgiaghffcg48_browsingExe.exe

• • SHA1: 6e43d26dc58234373532f27436ce6510ba0301cc

• • MD5: 871d46a82c6c6172b91323a85ea196db

• • SHA256: 21708cea44e38d0ef3c608b25933349d54c35e392f7c668c28f3cf253f6f9db8

Mantisbgiaghffcg50_browsingRar.rar

• • SHA1: efabf3e323b0231d6e0a9ecd2d5d42eee1a42a3b

• • MD5: c1948aca777a2b360e2588279ca584f9

• • SHA256: 11b81288e5ed3541498a4f0fd20424ed1d9bd1e4fae5e6b8988df364e8c02c4e

Mantisbgiaghffcg49_browsingExe.exe

• • SHA1: e9ed5cc8e5bce59e2d0eee8f39e79cdda53d4517

• • MD5: ebd1cf78fbb8531533426cb19f78d58e

• • SHA256: 1d1a0f39f339d1ddd506a3c5a69a9bc1e411e057fe9115352482a20b63f609aa

Mantisbgiaghffcg49_edrExe.exe

• • SHA1: e9ed5cc8e5bce59e2d0eee8f39e79cdda53d4517

• • MD5: ebd1cf78fbb8531533426cb19f78d58e

• • SHA256: 1d1a0f39f339d1ddd506a3c5a69a9bc1e411e057fe9115352482a20b63f609aa

Mantisbgiaghffcg48_edrExe.exe

• • SHA1: 6e43d26dc58234373532f27436ce6510ba0301cc

• • MD5: 871d46a82c6c6172b91323a85ea196db

• • SHA256: 21708cea44e38d0ef3c608b25933349d54c35e392f7c668c28f3cf253f6f9db8

Mantisbgiaghffcg50_edrRar.rar

• • SHA1: efabf3e323b0231d6e0a9ecd2d5d42eee1a42a3b

• • MD5: c1948aca777a2b360e2588279ca584f9

• • SHA256: 11b81288e5ed3541498a4f0fd20424ed1d9bd1e4fae5e6b8988df364e8c02c4e

Malicious ISO File Leads to Quantum Ransomware Infection

Summary:

A spam campaign was discovered using IcedID contained within an ISO image to drop variants from the Quantum ransomware family. Multiple Windows utilities such as net nltest and ipconfig were used for reconnaissance while Atera Splashtop and a Cobalt Strike beacon were used for persistence. Additional tools including ProcDump PowerShell Mimikatz and Rclone were used to collect and exfiltrate sensitive information.

IOCs

Maliciousbgiaghfehb2_browsingExe.exe

• • SHA1: 970e793c86266b20d280c04e0f41ec7ae9c2093c

• • MD5: 397020072f5787dbbc0c344f98623bbd

• • SHA256: 6511d6e84343c2d3a4cd36853170509e2751e27c86f67c6a031dc88e7e495e48

Maliciousbgiaghfehb3_browsingExe.exe

• • SHA1: a7e163eaa0fc2afb9c0d5ac6f79cb3e49919dd3c

• • MD5: df5ce1159ef2e257df92e1825d786d87

• • SHA256: 842737b5c36f624c9420a005239b04876990a2c4011db87fe67504fa09281031

Maliciousbgiaghfehb4_browsingExe.exe

• • SHA1: fffa0ce086791c41360971e3ce6a0d1af1701616

• • MD5: 92edbbeff775928cfc6e3c8efefe4ecc

• • SHA256: fc4da07183de876a2b8ed1b35ec1e2657400da9d99a313452162399c519dbfc6

Maliciousbgiaghfehb5_browsingExe.exe

• • SHA1: f8473c6c8b298a3d72c8ca890667eddab62d2ba8

• • MD5: 9bd6b1f24b9589a3fbc1d54b6e6184b8

• • SHA256: 03a9d6afc99e70333723d921bd1265ac948cdabb8b15689b5ceb1c02365a9572

URLs

http://choifejuce.lol http://erinindiaka.quest https://alockajilly.com http://considerf.info http://fazehotafa.com http://antiflamez.bar http://guteyutu.com http://111.90.143.191 http://zoomersoidfor.com http://opiransiuera.com http://199.127.60.117 http://45.66.151.109 http://172.93.181.165 http://78.128.112.139 http://199.101.184.230

Cl0p Ransomware Plagues Businesses Worldwide

Summary

The Cl0p Ransomware-as-a-Service (RaaS) model has been in operation since at least 2019. The malware exfiltrates sensitive information before encrypting files and threatens to release the stolen data if the ransom is not paid. The malicious software is compiled using Microsoft Visual C/C++ and can solely encrypt network drives a predetermined list of files or encrypt all local and network drives.

IOCs

Cl0pbgiagaagee8_browsingElf.elf

• • SHA1: 46b02cc186b85e11c3d59790c3a0bfd2ae1f82a5

• • MD5: 31e0439e6ef1dd29c0db6d96bac59446

• • SHA256: 09d6dab9b70a74f61c41eaa485b37de9a40c86b6d2eae7413db11b4e6a8256ef

Cl0pbgiagaagee9_browsingExe.exe

• • SHA1: eaa8a81f8564b2da25b9d91797fda8e53fca93b8

• • MD5: a610664961870a1817df06f3eae1010b

• • SHA256: e98c2fa10d77d345c960fc63436405a8b5024bd9b938a5962f70f66842e8b2cf

Cl0pbgiagaagee10_browsingExe.exe

• • SHA1: a074790705ecbede2e67cced4bcb62d833d828a5

• • MD5: 1e98a8d79ed7afbd77f6536dd7b4398f

• • SHA256: 343cb2d5900f5fe4abd5442a4a18541753fbb6ca5ff4ee7f2c312ed96e413335

Cl0pbgiagaagee11_browsingExe.exe

• • SHA1: 25109b11c5dd418ca98f7971b8cc4ded8b0cd446

• • MD5: bcf497379b84656ede89d562067d1ced

• • SHA256: 4839c7e3dde1e707cb538ab301d792b3ad75b45b03c65a4a6095c2a65ce65c84

Cl0pbgiagaagee12_browsingExe.exe

• • SHA1: 40b7b386c2c6944a6571c6dcfb23aaae026e8e82

• • MD5: f59d2a3c925f331aae7437dd7ac1a7c8

• • SHA256: 46cd508b7e77bb2c1d47f7fef0042a13c516f8163f9373ef9dfac180131c65ed

Cl0pbgiagaagee8_edrElf.elf

• • SHA1: 46b02cc186b85e11c3d59790c3a0bfd2ae1f82a5

• • MD5: 31e0439e6ef1dd29c0db6d96bac59446

• • SHA256: 09d6dab9b70a74f61c41eaa485b37de9a40c86b6d2eae7413db11b4e6a8256ef

Cl0pbgiagaagee9_edrExe.exe

• • SHA1: eaa8a81f8564b2da25b9d91797fda8e53fca93b8

• • MD5: a610664961870a1817df06f3eae1010b

• • SHA256: e98c2fa10d77d345c960fc63436405a8b5024bd9b938a5962f70f66842e8b2cf

Cl0pbgiagaagee10_edrExe.exe

• • SHA1: a074790705ecbede2e67cced4bcb62d833d828a5

• • MD5: 1e98a8d79ed7afbd77f6536dd7b4398f

• • SHA256: 343cb2d5900f5fe4abd5442a4a18541753fbb6ca5ff4ee7f2c312ed96e413335

Cl0pbgiagaagee11_edrExe.exe

• • SHA1: 25109b11c5dd418ca98f7971b8cc4ded8b0cd446

• • MD5: bcf497379b84656ede89d562067d1ced

• • SHA256: 4839c7e3dde1e707cb538ab301d792b3ad75b45b03c65a4a6095c2a65ce65c84

Cl0pbgiagaagee12_edrExe.exe

• • SHA1: 40b7b386c2c6944a6571c6dcfb23aaae026e8e82

• • MD5: f59d2a3c925f331aae7437dd7ac1a7c8

• • SHA256: 46cd508b7e77bb2c1d47f7fef0042a13c516f8163f9373ef9dfac180131c65ed

Silkloader

Summary

The initial SILKLOADER samples found were maliciously crafted libvlc.dll files designed to be dropped alongside a legitimate but renamed VLC binary. Execution of the binary causes the malicious DLL to be side-loaded. It is worth noting that side-loading malware through VLC Media Player is a technique that has previously been used by threat actors. Operations leveraging DLL side-loading techniques to launch Cobalt Strike beacons such as LithiumLoader4 have also been observed in the past.

IOCs

Silkloaderbgiaedfaeg29_browsingDll.dll

• • SHA1: 1d43b8fd92e7df7c65b6e57427917e804de6a564

• • MD5: ec73981cee1c74ea3b7ec7f7b2fa6178

• • SHA256: 262d966fd82312bcb82b056b2dc378b173f5c335917bc53125aef7f5a03cfce4

Silkloaderbgiaedfaeg28_browsingDll.dll

• • SHA1: 4d7a649ecbb2075b0e8c84ba42ef31f67bc14e78

• • MD5: 95a0e7a6e3f74b83600966b97df41960

• • SHA256: f1f5142a456e8a316b281ad7f2fe1b463d93f30460a6be3afa9c5593f1392656

Silkloaderbgiaedfaeg2_browsing7Dll.dll

• • SHA1: d2f41e0ac1ba669df87f9080307ec5161c2cf714

• • MD5: d5c79fd0be4960aed844b0ed94ae8ca5

• • SHA256: e4dadabd1cee7215ff6e31e01f6b0dd820851685836592a14f982f2c7972fc25

Silkloaderbgiaedfaeg26_browsingDll.dll

• • SHA1: 157ad611845eb40b51cd058bfd1cfa32eac9039c

• • MD5: 62dc12b501d4fdb94c17f7de20f715e4

• • SHA256: d77a59e6ba3a8f3c000a8a8955af77d2898f220f7bf3c0968bf0d7c8ac25a5ad

Silkloaderbgiaedfaeg25_browsingDll.dll

• • SHA1: 88d5a8450f21dc9354ca7129be9944a4fdae52ee

• • MD5: 2a4765084931fe83c36e081bb6db4b19

• • SHA256: c83ac6dc96febd49c7c558e8cf85dd8bcb3a84fdc78b3ba72ebf681566dc1865

Silkloaderbgiaedfaeg24_browsingDll.dll

• • SHA1: ab1b95de9b592116e1ab820ce0aea50439aab942

• • MD5: 48313534030e8504d7fb7dbc783e784b

• • SHA256: a6fff6890c0b6642931f9b0bfd67f830bb85af0f218280776170abfcc5baa576

Silkloaderbgiaedfaeg23_browsingDll.dll

• • SHA1: 495fd09317498d2b0021fd6b3326ae3b32044fb1 • MD5: 6dc22e4ea039a430abd055d71a0450bc • SHA256: 7c2ea97f8fff301a03f36fb6b87d08dc81e948440c87c2805b9e4622eb4e1991

Silkloaderbgiaedfaeg22_browsingDll.dll • SHA1: 3c9e8a47c696c3910a78e1b8270ec83d16f2d693 • MD5: 2ecdb2c9d65c5de06dfb4b3f84e35d0c • SHA256: 7070b232de836ce33b7778f6b6f7aecb252d542831367bc78d0eea77461be9a7

Silkloaderbgiaedfaeg21_browsingDll.dll • SHA1: 42d283ad6aed710327fbc71acb9ea48b6746cb83 • MD5: 9ced7d4916964bde6636d7ee5bff4bfa • SHA256: 575caa641dbb83364e8c0664737666f3bcd24d40316ff149c9ef476115b927cb

Silkloaderbgiaedfaeg20_browsingDll.dll • SHA1: 29c1213b8fb73198dcd34de1fe2cbbe65df7f199 • MD5: 70883e29a1c7ccdb0fd993c06595b06d • SHA256: 56377607abfb0616fc1dc222cc765966954155b69b5c4b16cad92cdd353720a4

Silkloaderbgiaedfaeg19_browsingDll.dll • SHA1: caa80da075d3367fc5bafc1cf3a61bbc7ee0abcd • MD5: 314769d32dee3393f0abdd6462d5d4ed • SHA256: 5623f7b2a3e459d91ed85d20c20b58fb7edc166c63a3a72b703d7af400bdc12c

Silkloaderbgiaedfaeg18_browsingDll.dll • SHA1: e3dc0927f5cf07865587dc75ff8106eb1d161829 • MD5: 0a692eb6c9cf7ae6016c2e43bde8ec43 • SHA256: 54d45b872ee6651d670c3580da74ca56f626bc6ed5ce60cc7e3ba71bb68cd23f

Silkloaderbgiaedfaeg1_browsing7Dll.dll • SHA1: cfae4f3ddffe86d81376e6ae62890e0f0ef473e4 • MD5: 7c2fd853e5cfbeb24342208979fcb859 • SHA256: 3d1df6633ec9b16f856c6ddf7c40138e524f7c5e286af2271e32643f88f071a2

Silkloaderbgiaedfaeg16_browsingDll.dll • SHA1: bba1f4db26c003855c1d10b686cb3e40eab0278e • MD5: b04a3ad09c033fc82d929493ea43d26d • SHA256: 2e57d2d14d8f98464e501d99dad0ae2c2f237b45aceecb73850c17ad1455e39c

Silkloaderbgiaedfaeg15_browsingDll.dll • SHA1: b2a50390b18d9b90928e67998cd612682365e717 • MD5: e237a245ebae6b05aed1f0cc18653950 • SHA256: 0248572780e94f3557c50d2c161365f09b175438ed5e750ccc5b5f1c895118c2

Silkloaderbgiaedfaeg13_browsingExe.exe • SHA1: 619fcb16ddf64e132f22d1e55a8eb36bcb2fa35c • MD5: 5f70544d19ccf00e8b2ca71a60e157af • SHA256: e24be344923aea8223fe90f23bfa7151b149ef032e67ba5972a9a10bd63effc6

Silkloaderbgiaedfaeg11_browsingExe.exe • SHA1: 1ff6a23948739b3b1ca354080835771448be8cb0 • MD5: c6ebe8b2f3f282ae0d6fed6cacfe4653 • SHA256: d378d01f863454911a345869b66d60769a894c74dfebaa0a9a07efc884a3d15c

Silkloaderbgiaedfaeg10_browsingExe.exe • SHA1: a01f0b6462b6c5da49896df1142ccd54530df115 • MD5: be7d99345ff6d24422d4bea162cb21c0 • SHA256: bf02668f884937f697af326a6678fe5c1d3844e104da8c4049f23d63dcb5bb5c

Silkloaderbgiaedfaeg9_browsingExe.exe • SHA1: cc4e88a254a920a7bb5927819cdfab49affbaa53 • MD5: 503f813ecdf9c0f162946c07ef5d7b97 • SHA256: 9c1914143b0ba7fa15848223d0695664fc8225c37eed09eeb00e0af1b7ee0d7b

Silkloaderbgiaedfaeg8_browsingExe.exe • SHA1: 3fb6cd18b13cfe39f4c72e832942002124e93278 • MD5: 64f650a5377729fe61072f4300b40857 • SHA256: 0322f9201a3887659f7568f3f2292248e29afc19a6e80cdda6915834a3fc925d

Silkloaderbgiaedfaeg_browsing7Exe.exe • SHA1: 5f42204b2bac349c60e460b31ed7d8cb3cfc0118 • MD5: 544107beb5ab8c894253576d2cef1b0c • SHA256: d93155adefca33960a5a125f10854dc8178e80e9bf3b86600a4c59647dd80114

Silkloaderbgiaedfaeg6_browsingDll.dll • SHA1: f34e8cc26b1d45c245af3cf797600c9366402356 • MD5: 1d2be08c0a54658541f43c9f2053264d • SHA256: a0b496d927dd1b2e01fcb29c2ef76671e34e7cd841e485c401e15dccad8e897e

Silkloaderbgiaedfaeg5_browsingDll.dll • SHA1: ae86bd2ede21b656e556b68b844b29c8f7d75572 • MD5: 0d4f415d08c6ec73c38d2f03df5b019d • SHA256: 994f2777f175a6fb784df7b138069f0a6503a458df67915317f23a0a37c16067

Silkloaderbgiaedfaeg4_browsingDll.dll • SHA1: eec02d57089889e9864b85a89d0e5791a69fc374 • MD5: e3414ecc97bafe1384e7700f1d8bd284 • SHA256: 75288b3d1da8d634477609ea804a351915aa7f0a12a50e1eba1d8578debc8ab2

Silkloaderbgiaedfaeg3_browsingDll.dll • SHA1: 841bd42f08613e86d7bd39a675b3087074d730ee • MD5: 026d88c36a541ad4ba479193aea6d94e • SHA256: 70826162169e5326601d85a0b459645c6bf8fda641d3d3015c035da0cf16db42

Silkloaderbgiaedfaeg2_browsingExe.exe • SHA1: b51701709e9a3c0a706a0bf18b2ef11fd944a4d6 • MD5: 2ec895b18e6b8bdbc85cdb3c8724e4f6 • SHA256: 676ace0449fbad2f5498df7b16c3576f73252f23032604e1a94ce4b5a855974e

Silkloaderbgiaedfaeg1_browsingExe.exe • SHA1: 6e5905c4d796bffb88aec87bbdeea9bb45c5dd09 • MD5: 837f93120be9f7f203fca410ee16a096 • SHA256: 1ef852362ab9bb0af061eb8a19556962c7f5a350e3ef0c2751401afd4cef9f3e

Silkloaderbgiaedfaeg14_browsingElf.elf • SHA1: 5ac80ab0a218144b515e24ca854ed4f05c03e635 • MD5: 6ef8eeea8d289bf1ffce142e2df348ab • SHA256: 326383ed5b2480fac2b5aad00c7ae198f290f0ec4c86503b86fabe748cdf904e

Silkloaderbgiaedfaeg12_browsingElf.elf • SHA1: 3fc671df6c6bc8340fcb40af29151a5b05673e3e • MD5: 01d0b01afb5c2e650dafde87b56fa788 • SHA256: 04c7a062a9bd9fe6fe1b0c4e72e319aff866a42b21d8971f1215c347ee5e8980

Silkloaderbgiaedfaeg29_edrDll.dll • SHA1: 1d43b8fd92e7df7c65b6e57427917e804de6a564 • MD5: ec73981cee1c74ea3b7ec7f7b2fa6178 • SHA256: 262d966fd82312bcb82b056b2dc378b173f5c335917bc53125aef7f5a03cfce4

Silkloaderbgiaedfaeg28_edrDll.dll • SHA1: 4d7a649ecbb2075b0e8c84ba42ef31f67bc14e78 • MD5: 95a0e7a6e3f74b83600966b97df41960 • SHA256: f1f5142a456e8a316b281ad7f2fe1b463d93f30460a6be3afa9c5593f1392656

Silkloaderbgiaedfaeg2_edr7Dll.dll • SHA1: d2f41e0ac1ba669df87f9080307ec5161c2cf714 • MD5: d5c79fd0be4960aed844b0ed94ae8ca5 • SHA256: e4dadabd1cee7215ff6e31e01f6b0dd820851685836592a14f982f2c7972fc25

Silkloaderbgiaedfaeg26_edrDll.dll • SHA1: 157ad611845eb40b51cd058bfd1cfa32eac9039c • MD5: 62dc12b501d4fdb94c17f7de20f715e4 • SHA256: d77a59e6ba3a8f3c000a8a8955af77d2898f220f7bf3c0968bf0d7c8ac25a5ad

Silkloaderbgiaedfaeg25_edrDll.dll • SHA1: 88d5a8450f21dc9354ca7129be9944a4fdae52ee • MD5: 2a4765084931fe83c36e081bb6db4b19 • SHA256: c83ac6dc96febd49c7c558e8cf85dd8bcb3a84fdc78b3ba72ebf681566dc1865

Silkloaderbgiaedfaeg24_edrDll.dll • SHA1: ab1b95de9b592116e1ab820ce0aea50439aab942 • MD5: 48313534030e8504d7fb7dbc783e784b • SHA256: a6fff6890c0b6642931f9b0bfd67f830bb85af0f218280776170abfcc5baa576

Silkloaderbgiaedfaeg23_edrDll.dll • SHA1: 495fd09317498d2b0021fd6b3326ae3b32044fb1 • MD5: 6dc22e4ea039a430abd055d71a0450bc • SHA256: 7c2ea97f8fff301a03f36fb6b87d08dc81e948440c87c2805b9e4622eb4e1991

Silkloaderbgiaedfaeg22_edrDll.dll • SHA1: 3c9e8a47c696c3910a78e1b8270ec83d16f2d693 • MD5: 2ecdb2c9d65c5de06dfb4b3f84e35d0c • SHA256: 7070b232de836ce33b7778f6b6f7aecb252d542831367bc78d0eea77461be9a7

Silkloaderbgiaedfaeg21_edrDll.dll • SHA1: 42d283ad6aed710327fbc71acb9ea48b6746cb83 • MD5: 9ced7d4916964bde6636d7ee5bff4bfa • SHA256: 575caa641dbb83364e8c0664737666f3bcd24d40316ff149c9ef476115b927cb

Silkloaderbgiaedfaeg20_edrDll.dll • SHA1: 29c1213b8fb73198dcd34de1fe2cbbe65df7f199 • MD5: 70883e29a1c7ccdb0fd993c06595b06d • SHA256: 56377607abfb0616fc1dc222cc765966954155b69b5c4b16cad92cdd353720a4

Silkloaderbgiaedfaeg19_edrDll.dll • SHA1: caa80da075d3367fc5bafc1cf3a61bbc7ee0abcd • MD5: 314769d32dee3393f0abdd6462d5d4ed • SHA256: 5623f7b2a3e459d91ed85d20c20b58fb7edc166c63a3a72b703d7af400bdc12c

Silkloaderbgiaedfaeg18_edrDll.dll • SHA1: e3dc0927f5cf07865587dc75ff8106eb1d161829 • MD5: 0a692eb6c9cf7ae6016c2e43bde8ec43 • SHA256: 54d45b872ee6651d670c3580da74ca56f626bc6ed5ce60cc7e3ba71bb68cd23f

Silkloaderbgiaedfaeg1_edr7Dll.dll • SHA1: cfae4f3ddffe86d81376e6ae62890e0f0ef473e4 • MD5: 7c2fd853e5cfbeb24342208979fcb859 • SHA256: 3d1df6633ec9b16f856c6ddf7c40138e524f7c5e286af2271e32643f88f071a2

Silkloaderbgiaedfaeg16_edrDll.dll • SHA1: bba1f4db26c003855c1d10b686cb3e40eab0278e • MD5: b04a3ad09c033fc82d929493ea43d26d • SHA256: 2e57d2d14d8f98464e501d99dad0ae2c2f237b45aceecb73850c17ad1455e39c

Silkloaderbgiaedfaeg15_edrDll.dll • SHA1: b2a50390b18d9b90928e67998cd612682365e717 • MD5: e237a245ebae6b05aed1f0cc18653950 • SHA256: 0248572780e94f3557c50d2c161365f09b175438ed5e750ccc5b5f1c895118c2

Silkloaderbgiaedfaeg13_edrExe.exe • SHA1: 619fcb16ddf64e132f22d1e55a8eb36bcb2fa35c • MD5: 5f70544d19ccf00e8b2ca71a60e157af • SHA256: e24be344923aea8223fe90f23bfa7151b149ef032e67ba5972a9a10bd63effc6

Silkloaderbgiaedfaeg11_edrExe.exe • SHA1: 1ff6a23948739b3b1ca354080835771448be8cb0 • MD5: c6ebe8b2f3f282ae0d6fed6cacfe4653 • SHA256: d378d01f863454911a345869b66d60769a894c74dfebaa0a9a07efc884a3d15c

Silkloaderbgiaedfaeg10_edrExe.exe • SHA1: a01f0b6462b6c5da49896df1142ccd54530df115 • MD5: be7d99345ff6d24422d4bea162cb21c0 • SHA256: bf02668f884937f697af326a6678fe5c1d3844e104da8c4049f23d63dcb5bb5c

Silkloaderbgiaedfaeg9_edrExe.exe • SHA1: cc4e88a254a920a7bb5927819cdfab49affbaa53 • MD5: 503f813ecdf9c0f162946c07ef5d7b97 • SHA256: 9c1914143b0ba7fa15848223d0695664fc8225c37eed09eeb00e0af1b7ee0d7b

Silkloaderbgiaedfaeg8_edrExe.exe • SHA1: 3fb6cd18b13cfe39f4c72e832942002124e93278 • MD5: 64f650a5377729fe61072f4300b40857 • SHA256: 0322f9201a3887659f7568f3f2292248e29afc19a6e80cdda6915834a3fc925d

Silkloaderbgiaedfaeg_edr7Exe.exe • SHA1: 5f42204b2bac349c60e460b31ed7d8cb3cfc0118 • MD5: 544107beb5ab8c894253576d2cef1b0c • SHA256: d93155adefca33960a5a125f10854dc8178e80e9bf3b86600a4c59647dd80114

Silkloaderbgiaedfaeg6_edrDll.dll • SHA1: f34e8cc26b1d45c245af3cf797600c9366402356 • MD5: 1d2be08c0a54658541f43c9f2053264d • SHA256: a0b496d927dd1b2e01fcb29c2ef76671e34e7cd841e485c401e15dccad8e897e

Silkloaderbgiaedfaeg5_edrDll.dll • SHA1: ae86bd2ede21b656e556b68b844b29c8f7d75572 • MD5: 0d4f415d08c6ec73c38d2f03df5b019d • SHA256: 994f2777f175a6fb784df7b138069f0a6503a458df67915317f23a0a37c16067

Silkloaderbgiaedfaeg4_edrDll.dll • SHA1: eec02d57089889e9864b85a89d0e5791a69fc374 • MD5: e3414ecc97bafe1384e7700f1d8bd284 • SHA256: 75288b3d1da8d634477609ea804a351915aa7f0a12a50e1eba1d8578debc8ab2

Silkloaderbgiaedfaeg3_edrDll.dll • SHA1: 841bd42f08613e86d7bd39a675b3087074d730ee • MD5: 026d88c36a541ad4ba479193aea6d94e • SHA256: 70826162169e5326601d85a0b459645c6bf8fda641d3d3015c035da0cf16db42

Silkloaderbgiaedfaeg2_edrExe.exe • SHA1: b51701709e9a3c0a706a0bf18b2ef11fd944a4d6 • MD5: 2ec895b18e6b8bdbc85cdb3c8724e4f6 • SHA256: 676ace0449fbad2f5498df7b16c3576f73252f23032604e1a94ce4b5a855974e

Silkloaderbgiaedfaeg1_edrExe.exe • SHA1: 6e5905c4d796bffb88aec87bbdeea9bb45c5dd09 • MD5: 837f93120be9f7f203fca410ee16a096 • SHA256: 1ef852362ab9bb0af061eb8a19556962c7f5a350e3ef0c2751401afd4cef9f3e

Silkloaderbgiaedfaeg14_edrElf.elf • SHA1: 5ac80ab0a218144b515e24ca854ed4f05c03e635 • MD5: 6ef8eeea8d289bf1ffce142e2df348ab • SHA256: 326383ed5b2480fac2b5aad00c7ae198f290f0ec4c86503b86fabe748cdf904e

Silkloaderbgiaedfaeg12_edrElf.elf • SHA1: 3fc671df6c6bc8340fcb40af29151a5b05673e3e • MD5: 01d0b01afb5c2e650dafde87b56fa788 • SHA256: 04c7a062a9bd9fe6fe1b0c4e72e319aff866a42b21d8971f1215c347ee5e8980

URLs and IPS

• • http://193.106.191.187

• • https://020-rce500.r1z.rocks

• • http://45.144.179.204

• • http://cerupedi.com

• • http://data.hik.icu

• • https://d3-up.ssndob.cn.com

• • http://107.148.12.162

• • https://dl.kaspersky360.com

• • http://dl.kasperskyupdates.com

• • http://193.106.191.208

Inside Mispadu Massive Infection Campaign in LATAM

Summary

The Metabase Q Security Operations Center had alerted on a recent attempt to infect a customer’s network. Although the customers’ endpoint detection and response security tools properly blocked the initial payload, the use of fake certificates to try to evade detection was unusual and warranted additional investigation by Metabase Q’s Threat Intelligence Team. During the analysis of the artifacts, 20 different spam campaigns were identified, which targeted Chile, Mexico, Peru, and Portugal. The campaigns focused on credential stealing, specifically online banking, schools, government services, social media, gaming, ecommerce, public repositories, and Outlook email. In several cases, the cyber criminals created fake webpages for the victim, such as online banking windows.

IOCs

Mispadubgiaecbcdj_browsing7Txt.txt

• • SHA1: bf0d9f8f7cb3e1e2d8665e5cf190d5f8e0b167ea

• • MD5: 72e83b133a9e4cecd21fdb47334672f6

• • SHA256: cd0fffdcaeff7a2c075e4104c4a48a0a07185b2822f1b534aef61986076caa7e

Mispadubgiaecbcdj4_browsingTxt.txt

• • SHA1: f3d3a35e7713b564725a45f5b8ee4e23d2371d29

• • MD5: 2858cdf0b9fb6ddd18709909df612063

• • SHA256: dedf8d748b672a1b689405ea0369da4a77c7de8acf839b1422888984e9915fca

Mispadubgiaecbcdj2_browsingTxt.txt

• • SHA1: 2d351c44d9c7593eed224e0015c571440f010c8b

• • MD5: e5967a8274d40e0573c28b664670857e

• • SHA256: 3504e40c6a3cfdd5fa084250cf488cf9d3fad763f3c327ad4d99cf08be328cff

Mispadubgiaecbcdj8_browsingHtml.html

• • SHA1: 0e7d922b8fb2dfe1a2c43f28550a9bd1066d0bca

• • MD5: a96125294afa1c3f92ab7be615dc1cbe

• • SHA256: 91e61286b7881351a6ce33e1bed5ee6f219f906511af1fe2ce21f679a28b7dec

Mispadubgiaecbcdj6_browsingExe.exe

• • SHA1: b60d2b33b6577c3520094e2605f2a0642a7ca3f4

• • MD5: b41e2b88fff36ff4937dc19f2677ee84

• • SHA256: c2864517d05573df58bb07ee2ca4011158b05c7dee35c65869677f6661d4d882

Mispadubgiaecbcdj5_browsingExe.exe

• • SHA1: ed6969557a8f3c6c1e86deae90731c80aaaeae84

• • MD5: 618a60899aae66ea55e5dc8374c7b828

• • SHA256: a0a22e2f26f0e04e2b097e1611f5a83d3e3b9a3a3d826e079e8bc5b5caceb0a5

Mispadubgiaecbcdj7_browsingExe.exe

• • SHA1: 8f2f2c7b2e2d1e7e011d35c3e0363a9a032eaf7b

• • MD5: d3a91e3ca6b740d8d0a408e0c97a9e37

• • SHA256: 4b6b20e6a850f6a0f8fa2dca20c7b64a9f686d7d45b64719c7a6196a25a6c0c8

Mispadubgiaecbcdj9_browsingExe.exe

• • SHA1: 3c1b3ecf6d276d8e19b6f0adab9f1d4e4e4d95b7

• • MD5: 1f7c8e285d41c7e3e42af3d372681678

• • SHA256: 56f22efde0a0e5e8d5c5a27e5ac5b5e0f8db2cc1f7d8b0c0a7ef122ca1235f5b

Mispadubgiaecbcdj1_browsingExe.exe

• • SHA1: 5c9637d45b2d0b7a63b85eeec1b3a9ac6c3b8d45

• • MD5: 3b3c4a4d0eb2c0d3f3e28f0336a351a2

• • SHA256: 9abf20b3a8a31e4957a6b31f6c7dd8a75a8821c39e9eb9b1787f63a592e35f7c

Blackguard Stealer Extends Its Capabilities in New Variant

Summary

AT&T Alien Labs researchers have discovered a new variant of BlackGuard stealer in the wild, infecting using spear phishing attacks. The malware evolved since its previous variant and now arrives with new capabilities.

Key takeaways:

• BlackGuard steals user sensitive information from a wide range of applications and browsers.
• The malware can hijack crypto wallets copied to clipboard.
• The new variant is trying to propagate through removable media and shared devices.

IOCs

Blackguardbgiaebigcd1_browsingExe.exe

• • SHA1: 9a79c41f2faee86794ce19fe60bfce4ba65ad2dc

• • MD5: 3235ebcead914e4a210dc9dbe5c36c2f

• • SHA256: 88e9780ce5cac572013aebdd99d154fa0b61db12faffeff6f29f9d2800c915b3

Blackguardbgiaebigcd1_edrExe.exe

• • SHA1: 9a79c41f2faee86794ce19fe60bfce4ba65ad2dc

• • MD5: 3235ebcead914e4a210dc9dbe5c36c2f

• • SHA256: 88e9780ce5cac572013aebdd99d154fa0b61db12faffeff6f29f9d2800c915b3

URLs and Ips

URL: http://23.83.114.131

That is all for now.

Stay cyber safe!