A threat actor distributed a password-protected installer disguised as Falcon Crash Reporter to a German entity via spearphishing, enabling execution of a Mythic C2 agent named Ciro using LLVM IR bitcode. The operation demonstrates advanced social engineering, data exfiltration readiness, and multi-layered evasion and encryption techniques. #Ciro #Mythic #FalconCrashReporter #Spearphishing #LLVM #AES256
Keypoints
- The attack used a voice-based social-engineering approach, impersonating IT staff to persuade the victim to download the malicious installer.
- The installer launches an agent written for the Mythic C2 framework, executed as LLVM IR bitcode via an included LLVM interpreter.
- The Ciro agent collects system information and communicates with the C2 server over encrypted HTTP, using Base64 encoding and AES-256-CBC encryption.
- Decoy pages and a fake startup flow were used to hide the intrusion and improve user trust during the installation.
- Persistent and post-infection capabilities include startup folder shortcuts, file management, process injection, and various data/command capabilities.
- Defense-evasion techniques include password-protected installer content, RC4 decryption of embedded data, and execution as LLVM bitcode through a bundled LLVM interpreter; the latter can be detected by monitoring for suspicious interpreter activity.
MITRE Techniques
- [T1587.001] Resource Development - "The actor developed a custom Mythic C2 agent named Ciro."
- [T1566.002] Initial Access - Phishing: Spearphishing Link - "The malicious installer is delivered through a spearphishing link with a website impersonating the target entity."
- [T1059] Execution - Command and Scripting Interpreter - "Ciro LLVM bitcode is executed using LLVM interpreter via the command line."
- [T1204.002] User Execution - Malicious File - "The actor persuades the user via social-engineering tactics to execute the installer."
- [T1547.001] Persistence - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder - "The actor establishes persistence for Ciro by creating a shortcut within the system's Startup folder."
- [T1140] Defense Evasion - Deobfuscate/Decode Files or Information - "After the user provides a password, the InnoSetup installer decrypts the embedded Ciro files using RC4."
- [T1071.001] Command and Control - Application Layer Protocol: Web Protocols - "Ciro C2 is conducted over HTTP."
- [T1132.001] Data Encoding - Data Encoding: Standard Encoding - "Ciro C2 ciphertext is encoded using Base64."
- [T1573.001] Encrypted Channel - Encrypted Channel: Symmetric Cryptography - "Ciro C2 is encrypted using AES-256 in CBC mode."
Indicators of Compromise
- [File Hashes] - 05d700c67e18358ee4e6c1c3e95c8c4ad687d96fc531aff7a5b07f3dbda8e14b, 82ef869e8f7accde731f8c289f19436347a30af1d53c8f61bde5bac8bc91ad1a, 4bc4b1381c0b99185b148d4a1edbd74730020b30a3541856c43d22a56e8782a9
- [Domains] - csmon.westeurope.cloudapp.azure.com, www.warnmelderzentrale.com
- [File Names] - csmon8.dat, Java8Runtime.exe
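The following script is an added example for this summary, not CrowdStrike's tooling or anything from the report itself. It matches the hashes, domains and file names listed above against telemetry lines and adds a key-less triage heuristic for the C2 channel described in the key points (Base64-encoded AES-256-CBC ciphertext over HTTP): a body whose decoded length is a whole number of 16-byte blocks and which is mostly non-printable has the shape of CBC ciphertext, whereas a Base64-encoded JSON document does not. The key=value log format, the host names, the "ciphertext" (pseudo-random bytes derived from SHA-256, standing in for real AES output) and the benign JSON body are all constructed here.

```python
"""IoC matching and C2-body triage over constructed telemetry (added example)."""
import base64
import binascii
import hashlib
import re

# Indicators of compromise as listed in the report.
IOC_SHA256 = {
    "05d700c67e18358ee4e6c1c3e95c8c4ad687d96fc531aff7a5b07f3dbda8e14b",
    "82ef869e8f7accde731f8c289f19436347a30af1d53c8f61bde5bac8bc91ad1a",
    "4bc4b1381c0b99185b148d4a1edbd74730020b30a3541856c43d22a56e8782a9",
}
IOC_DOMAINS = {"csmon.westeurope.cloudapp.azure.com", "www.warnmelderzentrale.com"}
IOC_FILENAMES = {"csmon8.dat", "java8runtime.exe"}  # compared case-insensitively

# Constructed stand-in for an AES-256-CBC ciphertext: 128 pseudo-random bytes
# (eight 16-byte blocks) derived from SHA-256, then Base64-encoded as Ciro does.
_FAKE_CIPHERTEXT = b"".join(
    hashlib.sha256(b"constructed-ciro-block-%d" % i).digest() for i in range(4)
)
FAKE_C2_BODY = base64.b64encode(_FAKE_CIPHERTEXT).decode()

# Constructed benign body: exactly 32 bytes of JSON, so it passes the block-length
# test and is rejected only by the printable-ratio test.
BENIGN_JSON_BODY = base64.b64encode(b'{"status":"ok","user":"ab.user"}').decode()

# Constructed telemetry lines (key=value), not taken from the report.
SAMPLE_EVENTS = [
    'type=process host=WS01 image=C:\\Users\\a.user\\AppData\\Local\\Temp\\Java8Runtime.exe '
    'cmdline="Java8Runtime.exe csmon8.dat" '
    'sha256=05d700c67e18358ee4e6c1c3e95c8c4ad687d96fc531aff7a5b07f3dbda8e14b',
    "type=dns host=WS01 query=csmon.westeurope.cloudapp.azure.com",
    "type=http host=WS01 method=POST url=http://csmon.westeurope.cloudapp.azure.com/ "
    "body=" + FAKE_C2_BODY,
    "type=http host=WS02 method=POST url=http://intranet.example.internal/api "
    "body=" + BENIGN_JSON_BODY,
    "type=dns host=WS02 query=www.example.com",
]

_SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b")
_DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b")
_FILENAME_RE = re.compile(r"[\w.-]+\.(?:exe|dat)\b")
_BODY_RE = re.compile(r"\bbody=(\S+)")


def match_iocs(line):
    """Return the set of 'kind:value' report indicators found in one log line."""
    low = line.lower()
    hits = set()
    hits.update("sha256:" + h for h in _SHA256_RE.findall(low) if h in IOC_SHA256)
    hits.update("domain:" + d for d in _DOMAIN_RE.findall(low) if d in IOC_DOMAINS)
    hits.update("file:" + f for f in _FILENAME_RE.findall(low) if f in IOC_FILENAMES)
    return hits


def looks_like_cbc_ciphertext(b64_body, min_blocks=2):
    """Heuristic: valid Base64 whose decoded length is a multiple of the 16-byte
    AES block size and whose bytes are mostly non-printable. Encoded JSON or
    form data is mostly printable and fails the second test."""
    try:
        raw = base64.b64decode(b64_body, validate=True)
    except (binascii.Error, ValueError):
        return False
    if len(raw) < 16 * min_blocks or len(raw) % 16:
        return False
    printable = sum(0x20 <= b < 0x7F for b in raw) / len(raw)
    return printable < 0.7


def triage(events):
    """Return [(event_index, sorted findings)] for events that hit an IoC or
    carry an HTTP body shaped like Base64-encoded CBC ciphertext."""
    results = []
    for i, line in enumerate(events):
        findings = match_iocs(line)
        m = _BODY_RE.search(line)
        if m and looks_like_cbc_ciphertext(m.group(1)):
            findings.add("body:base64-cbc-shaped")
        if findings:
            results.append((i, sorted(findings)))
    return results


if __name__ == "__main__":
    for idx, findings in triage(SAMPLE_EVENTS):
        print(idx, findings)
```

The body heuristic is deliberately a triage signal rather than a detection on its own: any binary upload satisfies it, so it is useful for prioritising POSTs to hosts that are not otherwise allow-listed, while the hash, domain and file-name matches are the high-confidence hits.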
Read more: https://www.crowdstrike.com/blog/malicious-inauthentic-falcon-crash-reporter-installer-ciro-malware/