FusionCore is a European threat actor group that operates Malware-as-a-Service and hacker-for-hire operations, offering a wide catalog of custom malware and a ransomware affiliate program. They leverage phishing as their main initial-access vector, run a webshop and Telegram channels, and plan further expansion into extortion and affiliates with tools like SarinLocker and Typhon Reborn. #FusionCore #SarinLocker #TyphonReborn #RootFinder #AnthraxxxLocker
Keypoints
- FusionCore is a European threat actor group founded in 2022 by an individual known as “Hydra,” offering MaaS and hacker-for-hire services with a broad malware catalogue.
- The group’s portfolio includes Typhon-R Stealer, RootFinder Stealer, RootFinder RAT, RootFinder Ransomware, Cryptonic Crypter, GoldenMine, ApolloRAT, SarinLocker, Kratos Dropper, and others in active development.
- They have launched a ransomware affiliate program and a webshop (AnthraXXXLocker), with a growing network of affiliates and developers.
- Phishing is described as their primary initial-access vector, with operations supported via Telegram channels and a private botnet used for malware-spreading services.
- Threat actors rely on open-source tools (Obfuscar, NETShield, ConfuserEx) and crypters, and they employ mining tools (NBMiner, XMRig) as part of their toolkit.
MITRE Techniques
- [T1566.001] Phishing – Primary initial access method; “Using phishing as their primary attack vector for initial access.”
- [T1071.001] Web Protocols – C2 and data transfer over web protocols; “Uses HTTPS, Performs DNS lookups, Downloads files from webservers via HTTP.”
- [T1567.002] Exfiltration to Telegram – Data exfiltration via Telegram API; “Exfiltrates data using Telegram API.”
- [T1055] Process Injection – Lateral movement/privilege escalation via suspended-process techniques; “Spawn processes in suspended mode (likely to inject code).”
- [T1027] Obfuscated/Encrypted Files or Information – Use of crypters to evade detection; “increase evasiveness of their crypter stub (software that can encrypt, obfuscate, and manipulate malware).”
- [T1547.001] Registry Run Keys / Startup Folder – Persistence by referencing startup folder; “Reference startup folder.”
- [T1497] Virtualization/Sandbox Evasion – Anti-analysis techniques; “Contains long sleeps (>3 min) and checks for debugging or VM artifacts.”
- [T1620] Reflective Code Loading – Loading .NET assemblies in memory; “Reflective Code Loading: Load .NET assembly.”
- [T1082] System Information Discovery – Gathering system specs to tailor malware; “Queries information about the installed CPU (vendor, model number etc.).”
- [T1005] Data from Local System – Data targeting and exfiltration of browser data, etc.; “Tries to harvest and steal browser information (history, passwords, etc.).”
Indicators of Compromise
- [MD5] SarinLocker v1.0 related – fa914f6b81cf4b03052d11798e562f1c, 4cdd313daa831401382beac13bea4f00, and 2 more hashes
- [SHA1] SarinLocker v1.0 related – 856707241a7624681d6a46b2fa279bd56aa6438a, d9806de5917acdfa6f5c0c0f83cf7f4b42830e9d
- [SHA256] SarinLocker v1.0 related – 1a0211f6bc0aab4889364024bd2ec9a3baa56e654d07586bb9c06b0c86f68eaf, 563dfc726daaec005638ed3271657aa3e2a2529b7940cd0741d5a47e7e9b9c2c
- [IPv4] RootFinder RAT – 20.99.160[.]173
- [MD5] RootFinder Stealer – 373bb4e17fbf239f2d02ea3fb3dfa352
- [SHA1] RootFinder Stealer – bd93aa67e43350ea3c4833671d68709621a1304d
- [SHA256] RootFinder Stealer – 575c5ad5a00e3ce13a75079666adfd254734f9c99555f4edf42ca3fa5d83f6f6
- [SHA256] AnthraxxxLocker Ransomware Payload – eed648bb9bd45a440b2ceadbbae04e69f9c7f098ab8980c019a6736e4f7bd10b
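As an added example (not code from the CYFIRMA report, and unrelated to any FusionCore tooling), the following Python matcher loads the indicators listed above, normalises hash case, refangs the defanged RootFinder RAT address, and scans telemetry lines for any of them. The log lines in SAMPLE_LOG are constructed for the example; the field names (host, event, sha256, dst) are assumed and not taken from any particular product.

```python
import re


def refang(indicator: str) -> str:
    """Undo common report defanging so an indicator matches raw telemetry."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


# Hashes copied from the IoC list above, lowercased so case in telemetry does not matter.
IOC_HASHES = {
    # SarinLocker v1.0 related
    "fa914f6b81cf4b03052d11798e562f1c": "SarinLocker v1.0",
    "4cdd313daa831401382beac13bea4f00": "SarinLocker v1.0",
    "856707241a7624681d6a46b2fa279bd56aa6438a": "SarinLocker v1.0",
    "d9806de5917acdfa6f5c0c0f83cf7f4b42830e9d": "SarinLocker v1.0",
    "1a0211f6bc0aab4889364024bd2ec9a3baa56e654d07586bb9c06b0c86f68eaf": "SarinLocker v1.0",
    "563dfc726daaec005638ed3271657aa3e2a2529b7940cd0741d5a47e7e9b9c2c": "SarinLocker v1.0",
    # RootFinder Stealer
    "373bb4e17fbf239f2d02ea3fb3dfa352": "RootFinder Stealer",
    "bd93aa67e43350ea3c4833671d68709621a1304d": "RootFinder Stealer",
    "575c5ad5a00e3ce13a75079666adfd254734f9c99555f4edf42ca3fa5d83f6f6": "RootFinder Stealer",
    # AnthraxxxLocker ransomware payload
    "eed648bb9bd45a440b2ceadbbae04e69f9c7f098ab8980c019a6736e4f7bd10b": "AnthraxxxLocker Ransomware Payload",
}

# The report lists the address defanged; store it refanged for matching.
IOC_IPS = {refang("20.99.160[.]173"): "RootFinder RAT"}

# Longest alternative first so a SHA-256 is not split into shorter pieces.
HASH_RE = re.compile(r"\b(?:[0-9a-fA-F]{64}|[0-9a-fA-F]{40}|[0-9a-fA-F]{32})\b")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HASH_KIND = {32: "md5", 40: "sha1", 64: "sha256"}


def scan_line(line: str) -> list:
    """Return (kind, indicator, label) for every report IoC present in one log line."""
    line = refang(line)  # tolerate defanged values in tickets or pasted reports
    hits = []
    for h in HASH_RE.findall(line):
        h = h.lower()
        if h in IOC_HASHES:
            hits.append((HASH_KIND[len(h)], h, IOC_HASHES[h]))
    for ip in IPV4_RE.findall(line):
        if ip in IOC_IPS:
            hits.append(("ipv4", ip, IOC_IPS[ip]))
    return hits


def scan_log(lines) -> list:
    """Scan an iterable of lines; return (line_number, kind, indicator, label) tuples."""
    out = []
    for n, line in enumerate(lines, 1):
        for kind, indicator, label in scan_line(line):
            out.append((n, kind, indicator, label))
    return out


# Constructed sample telemetry (assumed field names), not taken from the report.
SAMPLE_LOG = [
    "2024-05-01T09:12:03Z host=WS01 event=file_create path=C:\\Users\\a\\Downloads\\invoice.exe "
    "sha256=EED648BB9BD45A440B2CEADBBAE04E69F9C7F098AB8980C019A6736E4F7BD10B",
    "2024-05-01T09:12:08Z host=WS01 event=net_connect dst=20.99.160.173:443 proto=tcp",
    "2024-05-01T09:13:40Z host=WS02 event=file_create path=C:\\Windows\\System32\\notepad.exe "
    "sha256=" + "ab" * 32,
    "2024-05-01T09:15:22Z host=WS03 event=process_start image=C:\\Temp\\update.exe "
    "md5=373bb4e17fbf239f2d02ea3fb3dfa352",
]


if __name__ == "__main__":
    for line_no, kind, indicator, label in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {kind} {indicator} -> {label}")
```

Matches on the mixed-case SHA-256, on the RAT address inside a dst=ip:port field, and on the stealer MD5 show why both hash-case normalisation and refanging matter when indicators are copied straight out of a report; the benign notepad.exe line produces no hit.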
Read more: https://www.cyfirma.com/outofband/the-rise-of-fusioncore-an-emerging-cybercrime-group-from-europe/