Key Points
- Attack begins with a fake/modified WEXTRACT.EXE that contains a large CAB resource holding additional executables; the CAB’s RUNPROGRAM/POSTRUNPROGRAM resources control execution order.
- Execution chain: WEXTRACT.EXE → cydn.exe → aydx.exe → mika.exe → vona.exe → mnolyk.exe → further loaders and payloads (e.g., fuka.exe, nbveek.exe), with many stages dropping files to the TEMP folder.
- mika.exe disables Windows Defender by adding registry values under Real-Time Protection (e.g., DisableRealtimeMonitoring, DisableBehaviorMonitoring); the change persists and cannot be reverted through the Settings app.
- Persistence and protection of payloads are achieved via scheduled tasks (schtasks.exe /Create … /SC MINUTE) and ACL modifications (cacls.exe to set restrictive permissions on dropped binaries).
- Multiple components download additional DLLs/EXEs from remote IPs (e.g., 62.204.41.5, 62.204.41.251, 193.233.20.7); some payloads are variants of Amadey and RedLine Stealer and perform data exfiltration to C2s.
- Final stage runs downloaded DLLs via rundll32.exe (clip64.dll, cred64.dll), which connect to Amadey C2s and exfiltrate specified browser, wallet, and OS data paths.
MITRE Techniques
- [T1036] Masquerading – The campaign disguises its dropper as a legitimate Windows binary (‘fake version of the wextract.exe’).
- [T1105] Ingress Tool Transfer – Components download additional DLLs and EXEs from remote hosts (‘Malicious DLLs are downloaded from 62.204.41.5’).
- [T1562] Impair Defenses – Registry changes to Defender settings switch real-time protection off in a way that Settings cannot revert (‘turn off Windows Defender in all possible ways’; added values such as DisableRealtimeMonitoring).
- [T1053] Scheduled Task/Job – The malware creates scheduled tasks to re-run payloads every minute (‘/Create /SC MINUTE /MO 1 /TN mnolyk.exe /TR …’).
- [T1218.011] Signed Binary Proxy Execution: rundll32 – DLL payloads are executed through rundll32.exe to load malicious DLLs (‘the two dlls downloaded by mnolyk.exe, clip64.dll and cred64.dll, are executed through rundll32.exe’).
- [T1041] Exfiltration Over C2 Channel – Stolen browser and wallet data are sent back to C2 servers (‘all the data residing at the specified paths is sent back to the C2 server’).
Indicators of Compromise
- [IPv4] C2 and download servers – 193.233.20.7 (linked to RedLine Stealer), 62.204.41.88 (Amadey C2), and other IPs such as 62.204.41.5, 62.204.41.251, 193.233.20.11, 176.113.115.17.
- [File name] Dropped executables (TEMP folder) – WEXTRACT.EXE (dropper masquerade), cydn.exe, aydx.exe, mika.exe, vona.exe, mnolyk.exe, and many follow-on EXEs like fuka.exe, nbveek.exe.
- [File hash] Example payload hashes – 80fed7cd4c7d7cb0c05fe128ced6ab2b9b3d7f03edcf5ef532c8236f00ee7376, d8e9b2d3afd0eab91f94e1a1a1a0a97aa2974225f4f086a66e76dbf4b705a800 (and ~18 more hashes listed).
- [DLL names] Malicious libraries – clip64.dll, cred64.dll (executed via rundll32 and identified as Amadey DLLs).
WEXTRACT.EXE (a 32-bit PE) is used as a resource-based dropper: its resource section contains a large CAB that embeds executables, with RUNPROGRAM and POSTRUNPROGRAM entries orchestrating sequential extraction and execution. The initial drop sequence extracts cydn.exe and vona.exe to the system TEMP folder; cydn.exe’s resource CAB similarly contains aydx.exe and mika.exe, which are executed in turn, producing a clear multi-stage chain where each stage unpacks the next payload.
Early-stage components perform defensive suppression and environment preparation: mika.exe (a small .NET binary) disables Windows Defender by writing registry values under Real-Time Protection (e.g., DisableRealtimeMonitoring, DisableBehaviorMonitoring), preventing re-enablement through Settings. The campaign also establishes persistence and protection for its binaries by creating scheduled tasks via schtasks.exe (e.g., /Create /SC MINUTE /MO 1 /TN …) and altering file ACLs with cacls.exe so dropped executables cannot be removed or overwritten by normal users.
Later stages fetch and run additional payloads from remote hosts: aydx.exe and mnolyk.exe contact remote IPs to download DLLs (cred.dll/clip.dll) and EXEs (fuka.exe, nikas.exe, igla.exe, nbveek.exe), then execute DLLs via rundll32.exe. Network connections to C2 servers (examples: 62.204.41.88, 193.233.20.7, 176.113.115.17) are used for command retrieval and exfiltration; the C2 instructs which browser profiles, crypto wallet directories and other user data to collect, and the malware transmits the gathered data back to the attacker-controlled servers.
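The behaviours described in the two paragraphs above (Defender registry tampering, minute-interval scheduled tasks, cacls lockdown of TEMP binaries, rundll32 loading DLLs from TEMP, and connections to the listed C2 addresses) are each individually observable in endpoint telemetry. The following detection script is an added example written for this page, not code from the report or from the malware analysis; it runs over a constructed set of Sysmon-style events. Assumptions: the event dicts use simplified Sysmon field names (EventID 1 ProcessCreate, 3 NetworkConnect, 13 RegistryEvent), the registry path is the standard Defender policy key, and the cacls lockdown is recognised by a `:N` (no access) grant or a `/D` deny, which the page does not spell out. The IP set is the report's own IoC list.

```python
"""Triage constructed Sysmon-style events for the dropper chain's observable behaviours.

Assumption (not from the report): events are dicts with simplified Sysmon
field names; see SAMPLE_EVENTS for the shape each rule expects.
"""
import re

# C2 / download hosts taken from the report's IoC list.
IOC_IPS = {
    "62.204.41.5", "62.204.41.88", "62.204.41.251",
    "193.233.20.7", "193.233.20.11", "176.113.115.17",
}

# Real-Time Protection values the report says mika.exe writes.
DEFENDER_RTP_VALUES = ("DisableRealtimeMonitoring", "DisableBehaviorMonitoring")

TEMP_PATH = re.compile(r"(\\temp\\|%temp%)", re.IGNORECASE)
SCHTASKS_CREATE = re.compile(r"/create\b", re.IGNORECASE)
SCHTASKS_MINUTE = re.compile(r"/sc\s+minute\b", re.IGNORECASE)
SCHTASKS_MO = re.compile(r"/mo\s+(\d+)", re.IGNORECASE)


def is_defender_tamper(event):
    """RegistryEvent setting a Real-Time Protection Disable* value to 1."""
    if event.get("EventID") != 13:
        return False
    target = event.get("TargetObject", "")
    if "\\Windows Defender\\Real-Time Protection\\" not in target:
        return False
    return target.endswith(DEFENDER_RTP_VALUES) and "0x00000001" in event.get("Details", "")


def is_minute_schtask(cmdline, max_interval=5):
    """schtasks /Create ... /SC MINUTE with a short /MO interval (report: /MO 1)."""
    if "schtasks" not in cmdline.lower():
        return False
    if not (SCHTASKS_CREATE.search(cmdline) and SCHTASKS_MINUTE.search(cmdline)):
        return False
    m = SCHTASKS_MO.search(cmdline)
    interval = int(m.group(1)) if m else 1  # schtasks treats a missing /MO as 1
    return interval <= max_interval


def is_rundll32_from_temp(cmdline):
    """rundll32.exe whose first argument (the DLL) lives under a Temp directory."""
    m = re.search(r'rundll32(?:\.exe)?"?\s+("[^"]+"|\S+)', cmdline, re.IGNORECASE)
    return bool(m and TEMP_PATH.search(m.group(1)))


def is_cacls_lockdown(cmdline):
    """cacls on a Temp binary granting no access (:N) or adding a deny (/D)."""
    low = cmdline.lower()
    return "cacls" in low and bool(TEMP_PATH.search(cmdline)) and bool(re.search(r":n\b|/d\b", low))


def is_ioc_connection(event):
    """NetworkConnect to one of the report's C2/download addresses."""
    return event.get("EventID") == 3 and event.get("DestinationIp") in IOC_IPS


def _proc(rule):
    """Wrap a command-line rule so it only fires on ProcessCreate events."""
    return lambda e: e.get("EventID") == 1 and rule(e.get("CommandLine", ""))


RULES = [
    ("defender_rtp_tamper", is_defender_tamper),
    ("schtask_minute_persistence", _proc(is_minute_schtask)),
    ("rundll32_dll_from_temp", _proc(is_rundll32_from_temp)),
    ("cacls_temp_lockdown", _proc(is_cacls_lockdown)),
    ("c2_ioc_connection", is_ioc_connection),
]


def triage(events):
    """Return (rule_name, event) pairs for every event that matches a rule."""
    return [(name, ev) for ev in events for name, rule in RULES if rule(ev)]


# Constructed sample telemetry: five events mirroring the report's chain, then
# three benign lookalikes that must not fire.
TEMP = r"C:\Users\victim\AppData\Local\Temp"
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /Create /SC MINUTE /MO 1 /TN mnolyk.exe /TR "' + TEMP + r'\mnolyk.exe" /F'},
    {"EventID": 13, "Image": TEMP + r"\mika.exe",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cacls.exe",
     "CommandLine": r'cacls.exe "' + TEMP + r'\mnolyk.exe" /P "victim:N"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe " + TEMP + r"\clip64.dll,Main"},
    {"EventID": 3, "Image": TEMP + r"\mnolyk.exe", "DestinationIp": "62.204.41.88", "DestinationPort": 80},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /Create /SC DAILY /TN Backup /TR "C:\Tools\backup.exe"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    {"EventID": 3, "Image": r"C:\Program Files\Browser\browser.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},  # TEST-NET-3 placeholder
]

if __name__ == "__main__":
    for name, ev in triage(SAMPLE_EVENTS):
        print(f"{name:28s} {ev.get('Image')}")
```

The rules are deliberately narrow: a minute-interval task alone is noisy in some fleets, so in practice each hit should be correlated by parent process and by the TEMP-resident image that the report's chain shares across every stage.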