Ande Loader Triggers 0bj3ctivity Stealer Infection

eSentire’s Threat Response Unit describes a July 2024 phishing campaign that delivered Ande Loader and the 0bj3ctivity Stealer via a Discord CDN-hosted JavaScript dropper, with PowerShell and base64-encoded payloads involved. The malware uses anti-debugging, obfuscation, and in-memory execution to exfiltrate browser data to Telegram or a C2 server, while seeking persistence and evading analysis. #AndeLoader #0bj3ctivityStealer

Keypoints

  • eSentire operates 24/7 Security Operations Centers (SOCs) with elite threat hunters.
  • In July 2024, a phishing attack resulted in a 0bj3ctivity Stealer infection.
  • The attack used a malicious JavaScript file (Enquiry-Dubai.js) on a Discord CDN to fetch Ande Loader and the stealer.
  • Ande Loader provides persistence and loader capabilities, including registry-based Run Keys and process injection.
  • The stealer exfiltrates browser data and can send it via Telegram or a C2 server, with anti-debugging and obfuscation features.
  • Recommendations emphasize user awareness training and advanced detection/defense measures.

MITRE Techniques

  • [T1566] Phishing – Initial compromise via phishing emails. – “Initial compromise through phishing emails.”
  • [T1059.001] PowerShell – The JavaScript file contains an AES-encrypted PowerShell script. – “The JavaScript file contains an AES-encrypted PowerShell script.”
  • [T1055] Process Injection – Injecting malicious payloads into legitimate processes. – “Performs process injection of the downloaded payload via Process Hollowing into the AddInProcess32.exe process.”
  • [T1547.001] Registry Run Keys – Creates persistence via Registry Run Keys (the malicious JavaScript file is renamed to “pipa.js” and placed under the C:\ProgramData folder). – “Creates persistence via Registry Run Keys (the malicious JavaScript file is renamed to “pipa.js” and placed under the C:\ProgramData folder).”
  • [T1041] Exfiltration Over C2 Channel – Sending exfiltrated data to a C2 server or Telegram. – “Sending exfiltrated data to a C2 server or Telegram.”
  • [T1027] Obfuscated Files or Information – Using obfuscation techniques to hide malicious scripts. – “strings in the stealer payload are obfuscated.”
  • [T1003] Credential Dumping – Extracting credentials from web browsers. – “Extracting credentials from web browsers.”
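The Run-key persistence and AddInProcess32.exe hollowing behaviours listed above, turned into detection checks over Sysmon-style events. This is an added example, not code from the eSentire report; the event shapes, the benign parent-process path and the field names are constructed assumptions.

```python
import re

# Constructed Sysmon-style events (not taken from the report): a Run-key write
# pointing at a .js under ProgramData, AddInProcess32.exe spawned by PowerShell,
# then two benign events that the checks must leave alone.
SAMPLE_EVENTS = [
    {"event_id": 13,  # registry value set
     "target": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\pipa",
     "details": r'wscript.exe "C:\ProgramData\pipa.js"'},
    {"event_id": 1,   # process create
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"event_id": 1,   # hypothetical legitimate .NET add-in host (constructed)
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe",
     "parent_image": r"C:\Program Files\ExampleApp\ExampleHost.exe"},
    {"event_id": 13,
     "target": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "details": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'},
]

RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
SCRIPT_IN_PROGRAMDATA = re.compile(r'\\ProgramData\\[^"]*\.(js|jse|vbs|wsf)\b', re.I)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe", "mshta.exe"}
HOLLOW_TARGET = "addinprocess32.exe"  # hollowing target named in the report


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def check_event(ev):
    """Return alert strings for one event; empty list if nothing matches."""
    alerts = []
    if ev.get("event_id") == 13 and RUN_KEY.search(ev.get("target", "")):
        details = ev.get("details", "")
        if SCRIPT_IN_PROGRAMDATA.search(details):
            alerts.append(f"Run-key persistence to script under ProgramData: {details}")
    if ev.get("event_id") == 1 and basename(ev.get("image", "")) == HOLLOW_TARGET:
        parent = basename(ev.get("parent_image", ""))
        if parent in SCRIPT_HOSTS:
            alerts.append(f"AddInProcess32.exe spawned by script host {parent}")
    return alerts


def scan(events):
    """Run check_event over a list of events; returns (index, alert) pairs."""
    return [(i, a) for i, ev in enumerate(events) for a in check_event(ev)]


if __name__ == "__main__":
    for idx, alert in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {alert}")
```

Both checks fire only on the first two constructed events; the legitimate add-in host and the OneDrive Run value stay silent.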

Indicators of Compromise

  • [MD5] context – Enquiry-Dubai.js (MD5: 42436fb03b579a159464fb2af53696f1), new-image.jpg (MD5: 41914711cfdaba63ddf1701270077855)
  • [Domain] context – whatismyipaddressnow.co, ip-api.com
  • [File name] context – Enquiry-Dubai.js, new-image.jpg
  • [URL] context – https://pub-39c431b0c306497287a06e8cea23fa74.r2.dev/177.txt, https://whatismyipaddressnow.co/API/FETCH/filter.php?countryid=14&token=FEzEd9JbsoLF

Read more: https://www.esentire.com/blog/ande-loader-leads-to-0bj3ctivity-stealer-infection