Outpost24’s investigation of the cybercriminal group EncryptHub revealed details of their malicious operations, including stealer logs and malware tools. This analysis uncovered 20 indicators of compromise (IoCs) and associated artifacts for further threat detection.
Affected: EncryptHub, cybersecurity sector
Key points:
- Outpost24 identified vulnerabilities in the EncryptHub group’s cyber infrastructure.
- Discoveries included stealer logs, malware executables, and PowerShell scripts.
- 20 indicators of compromise (IoCs) were reported, including domains and IP addresses.
- An additional analysis revealed 64 email-connected domains, with one deemed malicious.
- New artifacts were detected, comprising a range of connected domains and IP addresses.
- A sample of findings is available for download on Outpost24’s website.
MITRE Techniques:
- T1071.001: Application Layer Protocol (Application Protocol – HTTP) – Use of Telegram for command and control.
- T1060: Registry Run Keys / Startup Folder – Possible use of malware executables stored in startup locations.
Indicators of Compromise:
- [Domain] global-protect[.]net
- [Domain] encrypthub[.]us
- [Domain] coinbase[.]com
- [Domain] crypt0x[.]com
- [IP Address] 82[.]115[.]223[.]199
Full Story: https://circleid.com/posts/decrypting-the-inner-dns-workings-of-encrypthub