The campaign distributes malicious documents that abuse an XML-driven download chain and legitimate payload hosting to deliver staged malware. It culminates with data-stealing payloads (Arkei Stealer and Eternity Stealer), using macro-based loaders and C2/download infrastructure to exfiltrate data and evade detection.
#ArkeiStealer #EternityStealer #InQuestLabs
Key points
- Stage 1 Maldocs rely on an XML file (settings.xml.rels) to trigger a download of the next payload from a URL such as hxxps://github[.]com/Collabsss/dotm/raw/main/tj3wqx.dotm.
- Stage 2 uses a malicious macro to load an executable into C:UsersPublicservicehomework.exe and launch it.
- The stage 2 executable runs consecutive PowerShell scripts that are Base64 encoded, with 5-minute sleep intervals between network requests.
- Two final payloads are involved: Arkei Stealer (info-stealer) and Eternity Stealer (data collector), each designed to exfiltrate victim data.
- Arkei Stealer’s goal is to harvest account data (logins, passwords, autofill, crypto wallets, geolocation) and then delete itself.
- Exfiltration involves archiving collected data (ZIP) and sending it to remote servers (including Onion network), with evidence of C2 communication and sample indicators.
- IOC lists include stage 1 hashes, download URLs, and C2 domains/IPs, highlighting the threat actors’ infrastructure.
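The stage 1 trigger above is a relationship entry in `word/_rels/settings.xml.rels` whose target is a remote template. The following scanner is an added example (not code from the InQuest post or its tooling) that walks every `.rels` part of an OOXML package, lists relationships marked `TargetMode="External"`, and flags the specific pattern described here: an `attachedTemplate` relationship in `settings.xml.rels` pointing at an http(s) URL. The sample document it builds is constructed in memory with a placeholder host; it is not one of the campaign's maldocs.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# OOXML package-relationship namespace used by every word/_rels/*.rels part
RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
# Relationship type (last path segment) of an attached .dotm template
ATTACHED_TEMPLATE = "attachedTemplate"


def external_relationships(docx_bytes: bytes) -> list[dict]:
    """List every relationship in the package whose TargetMode is External.

    Each finding records the .rels part name, the relationship Id, the
    short Type and the Target so an analyst can see where a document
    reaches outside the package.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            try:
                root = ET.fromstring(zf.read(name))
            except ET.ParseError:
                continue  # malformed part: nothing to enumerate, document is already suspicious
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                if rel.get("TargetMode", "Internal").lower() != "external":
                    continue
                findings.append({
                    "part": name,
                    "id": rel.get("Id", ""),
                    "type": rel.get("Type", "").rsplit("/", 1)[-1],
                    "target": rel.get("Target", ""),
                })
    return findings


def is_remote_template_loader(docx_bytes: bytes) -> bool:
    """True when settings.xml.rels attaches a template fetched over http(s)."""
    return any(
        f["part"].endswith("word/_rels/settings.xml.rels")
        and f["type"] == ATTACHED_TEMPLATE
        and re.match(r"^https?://", f["target"], re.I) is not None
        for f in external_relationships(docx_bytes)
    )


def build_sample_docx(template_url: str) -> bytes:
    """Constructed minimal .docx whose settings part attaches an external template.

    This is test input for the scanner, not a real sample from the campaign.
    """
    rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Relationships xmlns="{RELS_NS}">'
        '<Relationship Id="rId1" '
        'Type="http://schemas.openxmlformats.org/officeDocument/2006/'
        'relationships/attachedTemplate" '
        f'Target="{template_url}" TargetMode="External"/>'
        '</Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/'
                    'package/2006/content-types"/>')
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/settings.xml", "<w:settings/>")
        zf.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    # Placeholder URL standing in for the raw-GitHub .dotm location named above
    sample = build_sample_docx("https://example.invalid/raw/main/tj3wqx.dotm")
    for finding in external_relationships(sample):
        print(finding)
    print("remote template loader:", is_remote_template_loader(sample))
```

Run it against a real `.docx`/`.dotm` by passing the file's bytes to `is_remote_template_loader`; the external-relationship listing is also useful on its own, since legitimate documents that reference a template on a file share will show a `file://` target rather than an http(s) one.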
MITRE Techniques
- [T1566.001] Phishing: Spearphishing Attachment – The campaign uses Maldocs to deliver the payload. “Stage 1 Maldocs” introduces the initial infection chain.
- [T1105] Ingress Tool Transfer – The settings.xml.rels relationship element downloads the next payload stage from a remote URL: “Using the following url ‘hxxps://github[.]com/Collabsss/dotm/raw/main/tj3wqx.dotm’.”
- [T1059.001] PowerShell – The stage 2 loader executes consecutive PowerShell scripts that are Base64 encoded, with pauses between requests: “The macro converts the URL and then loads the executable…”
- [T1027] Obfuscated/Compressed Files and Information – The scripts are obfuscated/encoded to hide payloads and commands.
- [T1560.001] Archive Collected Data – Arkei/Eternity Stealer collect data and archive it (ZIP) before exfiltration: “convert it into a ZIP archive and sends it to a server…”
- [T1005] Data from Local System – Arkei Stealer collects user data (logins, passwords, autofill, crypto wallets, geolocation).
- [T1041] Exfiltration Over C2 Channel – Data is exfiltrated to remote servers (including onion network): “sends it to a remote server…”
- [T1070.004] Indicator Removal on Host – The payload deletes itself after exfiltration: “the program deletes itself.”
- [T1071.001] Web Protocols – C2 communications over HTTP/HTTPS (including onion-based endpoints like the onion domain).
- [T1165] IoC Pivoting/Discovery Tactics (XMP ID pivot) – Pivoting on the overlooked anchor (XMP ID) is used as part of IOC discovery via InQuest Labs tooling.
Indicators of Compromise
- [Hash] SHA-256 – Stage 1 Maldocs sample: b3920fe11f1dcaf5a7f4cb8a37bed2dd6a8638c5f8a4312d4c07d11f7d0e62da, and 2 more hashes
- [Hash] SHA-256 – Stage 1 Maldocs sample: 08cd999cee6f248e0847c012e68476ca38f280855e3b2406189ff9eca49087be
- [URL/Domain] hxxp://ckrddvcveumq[.]ru/v7dgre.dotm
- [URL/Domain] hxxps://www.dropbox[.]com/s/e6yaipmzb8ik7dm/xcl2ba.dotm?dl=1
- [URL/Domain] hxxp://zyzkikpfewuf[.]ru/hour84a6d9k.dotm
- [Hash] SHA-256 – Stage 2 downloader: 7093aba8ae03275caab7372a7d56172df1716120d477dc276ee9f0b08816bd0c
- [Domain] hxxp://162.33.179[.]235/gatero0m.php
- [Domain] onion domain: lightnogu5owjjllyo4tj2sfos6fchnmcidlgo6c7e6fz2hgryhfhoyd.onion/stealer/918119271?pwds=0&cards=0&wlts=0&files=0&user=dXNlcg==&comp=aG9veWVxaXhsenk=&ip=OTUuMjExLjE5MC4xOTk=&country=TmV0aGVybGFuZHMgKE5MKQ==&city=SGFhcmxlbQ==&tag=32748
- [IP] 162.33.179.235 – C2/IP for staging
- [Domains] aztkiryhetxx[.]ru, ckrddvcveumq[.]ru, dvizhdom[.]ru, rwwmefkauiaa[.]ru (and 6+ more related indicators)
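The onion check-in URL in the IOC list carries the victim profile as base64-encoded query parameters. The decoder below is an added example, not InQuest's code, that parses such a URL into host, path and parameters, decoding any value that is well-formed base64 for printable text and leaving the plain numeric flags as they are. The URL constant is a copy of the indicator above (it is recorded without a scheme, so one is prepended for parsing); the assumption that the same five fields are always encoded is mine, so the function detects encoding per value rather than by key name.

```python
import base64
import binascii
from urllib.parse import parse_qsl, urlsplit

# Copy of the check-in URL from the IOC list above, recorded without a scheme
OBSERVED_CHECKIN = (
    "lightnogu5owjjllyo4tj2sfos6fchnmcidlgo6c7e6fz2hgryhfhoyd.onion/stealer/918119271"
    "?pwds=0&cards=0&wlts=0&files=0&user=dXNlcg==&comp=aG9veWVxaXhsenk="
    "&ip=OTUuMjExLjE5MC4xOTk=&country=TmV0aGVybGFuZHMgKE5MKQ==&city=SGFhcmxlbQ==&tag=32748"
)


def _maybe_b64(value: str):
    """Return (text, True) if value is valid base64 of printable UTF-8, else (value, False).

    Short numeric flags such as "0" or "32748" fail the length check and are
    passed through untouched, so only the encoded fields get decoded.
    """
    if not value or len(value) % 4 != 0:
        return value, False
    try:
        text = base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return value, False
    if not text.isprintable():
        return value, False
    return text, True


def decode_checkin(url: str) -> dict:
    """Split a stealer check-in URL into host, path and decoded query parameters."""
    if "://" not in url:
        url = "http://" + url  # indicator was logged without a scheme
    parts = urlsplit(url)
    host = parts.hostname or ""
    params, encoded_keys = {}, []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        text, was_b64 = _maybe_b64(value)
        params[key] = text
        if was_b64:
            encoded_keys.append(key)
    return {
        "host": host,
        "is_onion": host.endswith(".onion"),
        "path": parts.path,
        "params": params,
        "base64_params": encoded_keys,
    }


def looks_like_stealer_checkin(url: str) -> bool:
    """Heuristic: onion host, /stealer/ path and at least one base64-encoded parameter."""
    info = decode_checkin(url)
    return info["is_onion"] and "/stealer/" in info["path"] and bool(info["base64_params"])


if __name__ == "__main__":
    result = decode_checkin(OBSERVED_CHECKIN)
    print("host:", result["host"], "(onion)" if result["is_onion"] else "")
    print("path:", result["path"])
    for key, value in result["params"].items():
        marker = "  [base64]" if key in result["base64_params"] else ""
        print(f"  {key} = {value}{marker}")
    print("stealer check-in:", looks_like_stealer_checkin(OBSERVED_CHECKIN))
```

Decoding the observed URL yields the reported username, hostname, public IP, country and city, which is the victim fingerprint the stealer sends on first contact; the zero-valued `pwds`, `cards`, `wlts` and `files` counters in this indicator show a check-in from a host on which nothing was harvested. Feeding proxy or DNS logs through `looks_like_stealer_checkin` is one way to surface the same pattern, although the host and path are specific to this campaign and should be treated as indicators, not as a general signature.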
Read more: https://inquest.net/blog/2022/05/25/tandem-espionage