CrowdStrike Intelligence identified a Python-based information stealer named Connecio packed inside a ZIP masquerading as CrowdStrike Falcon updates. The malware collects system and browser data, obtains the external IP address, and uses Pastebin dead-drop URLs for C2 and SMTP-based exfiltration, with Readme.txt instructing victims to disable Windows Defender. #Connecio #CrowdStrikeFalcon #Pastebin #Python #InformationStealer #WindowsDefender #SMTP
Key points
- Connecio is a Python-based information stealer embedded in a ZIP that masquerades as a CrowdStrike Falcon update (CrowdStrike Falcon.zip).
- The archive contains Readme.txt instructing potential victims to disable Windows Defender and run the malicious Crowdfight Falcon.exe.
- The Falcon.exe file unpacks and executes a Python-compiled information stealer that collects system information, the external IP, and data from multiple web browsers.
- Command-and-control configuration is discovered via Pastebin dead-drop URLs, which also host SMTP accounts and cryptocurrency-address patterns.
- Exfiltration occurs over SMTP to configured recipients and hosts described in the Pastebin configurations.
- A YARA rule and MITRE ATT&CK mapping are provided, linking Connecio activity to Python execution, user execution of a malicious file, dead-drop resolution for C2, and exfiltration over SMTP.
- Connecio is associated with cryptocurrency addresses and clipboard-related theft potential via pyperclip, as indicated by the dead-drop content.
MITRE Techniques
- [T1059.006] Command and Scripting Interpreter – Python – ‘Connecio is written in the Python programming language.’
- [T1204.002] User Execution: Malicious File – ‘Connecio lures the user into executing the malware executable.’
- [T1102.001] Web Service: Dead Drop Resolver – ‘Connecio uses Pastebin dead-drop URLs to resolve its C2 infrastructure.’
- [T1048] Exfiltration Over Alternative Protocol – ‘Connecio exfiltrates information over SMTP.’
Indicators of Compromise
- [Hash] File hashes – 5ba542fcfa45d50c0d65dda4dbbd7a28f737a2fc53841ddaab7f68ae1cdf5183, 56cbd8ce60f18d4cececfa703a92c0188dd81ed97b4de12e3f120d7ce736225a, 21653e267a6c7e4f10064ad2489dba54e04612cc7ce4043b8c8dcaf8b39210d6 and other related hashes
- [IP Address] C2 addresses – 139.99.232.135:80, 185.255.114.110:80, 185.255.114.63:80 and other addresses
- [SMTP Accounts] Exfiltration-sender accounts – [email protected], [email protected], [email protected]
- [SMTP Accounts] Exfiltration-recipient accounts – [email protected], [email protected], [email protected], [email protected]
- [SMTP Hosts] Exfiltration hosts – mail.dshu.xyz:465, web3versecoin.com:465, xryptbx.com:465
- [Cryptocurrency Addresses] Connecio-related addresses – 0x2DCC92C27C4429B506588012CaC53764780f3e3D, 0x6c5E3Ea51B382C49839417dAF3c84E3dA603D12f and other Connecio-related cryptocurrency addresses
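The behaviour described above (Pastebin dead-drop resolution, beaconing to the C2 addresses, SMTP exfiltration over port 465) maps directly onto network telemetry, so the following script sweeps proxy-style log lines and file hashes against the indicators quoted in this summary. It is an added example, not CrowdStrike's code or the YARA rule the report provides; the log line format and the sample lines are constructed for illustration, the indicator values are the hashes, C2 addresses and exfiltration hosts listed above, and the SMTP accounts are left out because the summary masks them. The `allowed_smtp_hosts` allowlist generalises the exfiltration check beyond the three named hosts to any implicit-TLS SMTP session that a workstation has no business opening.

```python
"""Sweep log lines and file hashes against the Connecio indicators in this summary.

Added example, not CrowdStrike's code. The log line format is an assumption
constructed for illustration; the indicator values are the ones quoted above.
"""
import hashlib
import re

# Indicators quoted in the summary.
C2_ADDRESSES = {"139.99.232.135", "185.255.114.110", "185.255.114.63"}  # all on :80
EXFIL_HOSTS = {"mail.dshu.xyz", "web3versecoin.com", "xryptbx.com"}    # all on :465
KNOWN_SAMPLE_HASHES = {
    "5ba542fcfa45d50c0d65dda4dbbd7a28f737a2fc53841ddaab7f68ae1cdf5183",
    "56cbd8ce60f18d4cececfa703a92c0188dd81ed97b4de12e3f120d7ce736225a",
    "21653e267a6c7e4f10064ad2489dba54e04612cc7ce4043b8c8dcaf8b39210d6",
}
SMTPS_PORT = 465

# Constructed log format (assumption): "<timestamp> <src_ip> <dst_host>:<dst_port> <url or ->"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>[^:\s]+):(?P<port>\d+) (?P<url>\S+)$"
)
# A dead-drop fetch is a direct request for a raw paste.
PASTEBIN_RAW_RE = re.compile(r"^https?://pastebin\.com/raw/\w+", re.IGNORECASE)


def classify(line, allowed_smtp_hosts=frozenset()):
    """Return the list of tags that apply to one log line.

    'c2'               destination is a known Connecio C2 address
    'exfil'            SMTPS to one of the known exfiltration hosts
    'smtps-unexpected' SMTPS to a host outside the allowlist (triage signal)
    'dead-drop'        raw Pastebin fetch (low fidelity on its own; correlate)
    'unparsed'         line does not match the constructed format
    """
    m = LINE_RE.match(line.strip())
    if not m:
        return ["unparsed"]
    dst, port, url = m["dst"], int(m["port"]), m["url"]
    tags = []
    if dst in C2_ADDRESSES:
        tags.append("c2")
    if port == SMTPS_PORT:
        if dst in EXFIL_HOSTS:
            tags.append("exfil")
        elif dst not in allowed_smtp_hosts:
            tags.append("smtps-unexpected")
    if PASTEBIN_RAW_RE.match(url):
        tags.append("dead-drop")
    return tags


def sweep(lines, allowed_smtp_hosts=frozenset()):
    """Group every tagged line under its tag: {tag: [line, ...]}."""
    hits = {}
    for line in lines:
        for tag in classify(line, allowed_smtp_hosts):
            hits.setdefault(tag, []).append(line)
    return hits


def sha256_hex(data):
    """Hex SHA-256 of a byte string (read a suspect file in binary mode first)."""
    return hashlib.sha256(data).hexdigest()


def is_known_sample(digest):
    """True when a SHA-256 hex digest matches one of the hashes quoted above."""
    return digest.lower() in KNOWN_SAMPLE_HASHES


# Constructed sample lines: benign, dead-drop fetch, C2 beacon, exfil, corporate mail.
SAMPLE_LOG = [
    "2024-01-01T10:00:00Z 10.0.0.5 www.example.com:443 https://www.example.com/",
    "2024-01-01T10:00:05Z 10.0.0.5 pastebin.com:443 https://pastebin.com/raw/PLACEHOLDER",
    "2024-01-01T10:00:07Z 10.0.0.5 139.99.232.135:80 http://139.99.232.135/",
    "2024-01-01T10:00:09Z 10.0.0.5 mail.dshu.xyz:465 -",
    "2024-01-01T10:00:11Z 10.0.0.5 smtp.corp.example:465 -",
]

if __name__ == "__main__":
    for tag, lines in sweep(SAMPLE_LOG, allowed_smtp_hosts={"smtp.corp.example"}).items():
        print(f"{tag}: {len(lines)} line(s)")
        for line in lines:
            print("   ", line)
```

A raw Pastebin fetch is tagged separately from the hard indicators because Pastebin traffic is common and only becomes interesting when the same host goes on to open an SMTPS session or contact one of the C2 addresses; the `sweep` output is grouped per tag so that kind of sequence is easy to spot per source host.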
Read more: https://www.crowdstrike.com/blog/threat-actor-distributes-python-based-information-stealer/