The in2al5d p3in4er loader is a highly evasive component that powers Aurora’s delivery chain. Morphisec explains its anti-VM checks, runtime payload decryption, process hollowing, and decoy-website/social-engineering techniques that rely on YouTube distribution and fake sites to lure victims. #Aurora #in2al5d_p3in4er #YouTube
Key points
- The loader in2al5d p3in4er is an evasive, loader-based component used to enhance Aurora’s malware delivery.
- The loader uses anti-VM/sandbox techniques by querying the graphics vendor ID and terminating if not whitelisted.
MITRE Techniques
- [T1566.003] Phishing: Spearphishing via Service – Threat actors take over popular YouTube accounts and post videos with links to malicious websites. [‘Threat actors take over popular YouTube accounts and post videos with links to malicious websites.’]
- [T1036] Masquerading – Fake decoy websites look identical to original sites with similar URLs, logos, and branding. [‘The decoy websites look identical to the original websites.’]
- [T1497] Virtualization/Sandbox Evasion – Anti-VM checks using graphics vendor IDs to decide execution path. [‘The anti-VM function checks the graphics vendor ID.’]
- [T1055.012] Process Hollowing – Payload is decrypted and injected into sihost.exe via a process hollowing technique. [‘injects it into sihost.exe using a process hollowing technique.’]
- [T1027] Obfuscated/Deobfuscated Files and Information – Payload is decrypted in chunks, and the Win APIs it needs are resolved dynamically, their names decrypted with the XOR key ‘in2al5d p3in4er’. [‘resolve necessary Win APIs dynamically and decrypt these names using a XOR key: “in2al5d p3in4er”’]
- [T1071.001] Web Protocols – Loader communicates with C2 infrastructure (Aurora) via IPs/ports (e.g., 45.15.156.182:8081). [‘C2 – Aurora’ and remote IPs on port 8081.]
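The XOR-encrypted API names in the T1027 entry are a useful triage artefact: a defender can search a memory dump or unpacked section for known API names encrypted under the published key. The helper below is an added example, not code from Morphisec's post; it assumes a repeating-key XOR whose alignment is unknown (so every key rotation is tried) and uses a constructed sample buffer rather than a real sample.

```python
"""
Added triage helper (not from the Morphisec post): find Windows API names
XOR-encrypted with the repeating key 'in2al5d p3in4er' inside a byte buffer.
Assumption (not stated on the page): plain repeating-key XOR; the key
alignment is unknown, so all 15 rotations of the key are tried.
"""
from __future__ import annotations

KEY = b"in2al5d p3in4er"

# Illustrative watch-list of APIs a loader that decrypts a payload and
# hollows a process would plausibly resolve; extend as needed.
API_NAMES = [b"VirtualAlloc", b"NtUnmapViewOfSection", b"CreateProcessW",
             b"ResumeThread", b"WriteProcessMemory", b"LoadLibraryA",
             b"GetProcAddress"]


def xor_repeating(data: bytes, key: bytes, offset: int = 0) -> bytes:
    """XOR data with key, starting at key position `offset` (cyclic)."""
    klen = len(key)
    return bytes(b ^ key[(i + offset) % klen] for i, b in enumerate(data))


def find_encrypted_api_names(buf: bytes, key: bytes = KEY) -> list[tuple[int, str, int]]:
    """Return sorted (offset_in_buf, api_name, key_rotation) for every hit.

    For each key rotation, encrypt each watch-list name and look for that
    ciphertext in the raw buffer. A hit means the buffer holds an API name
    encrypted under this key, which is the artefact described in the post.
    """
    hits: list[tuple[int, str, int]] = []
    for rot in range(len(key)):
        for name in API_NAMES:
            needle = xor_repeating(name, key, rot)
            start = 0
            while (pos := buf.find(needle, start)) != -1:
                hits.append((pos, name.decode(), rot))
                start = pos + 1
    return sorted(hits)


def build_sample_buffer() -> bytes:
    """Constructed sample (not a real binary): two encrypted names amid filler."""
    return (b"\x00" * 8 + xor_repeating(b"VirtualAlloc", KEY)
            + b"\x90" * 5 + xor_repeating(b"CreateProcessW", KEY, 3)
            + b"\xff" * 4)


if __name__ == "__main__":
    for off, api, rot in find_encrypted_api_names(build_sample_buffer()):
        print(f"offset {off:#06x}: {api} (key rotation {rot})")
```

Run against a memory dump or unpacked section rather than the packed file, since the post describes the names as being decrypted at runtime.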
Indicators of Compromise
- [Domain] Malicious/Compromised Websites – cv-builder.site, siamaster.com.mx, chatgptex.us, allfreesoftware.online, all-free-software.online
- [Hash] Loader – 380978251b2c661ff15b2610763770dfa14fb360ad0ca64243e0d5d5893952cb, 66383d931f13bcdd07ca6aa50030968d44d8607cf19bdaf70ed4f9ac704ac4d1
- [IP] C2/Loader infrastructure – 45.15.156.182:8081, 199.127.62.3:8081, 94.142.138.73:8081, and 7 more addresses
Read more: https://blog.morphisec.com/in2al5d-p3in4er