This article examines a sophisticated malware that utilizes the I2P network for Command and Control (CnC) communication. Distributed via phishing emails, the malware employs various techniques to evade detection and maintain persistence on the infected systems. Its architecture consists of a loader and multiple plugins, each serving specific functions, from downloading and activating payloads to managing user accounts. Overall, it showcases advanced capabilities to remain hidden and manipulate system operations.
Affected: malware, phishing, cybersecurity, Windows systems
Affected: malware, phishing, cybersecurity, Windows systems
Keypoints :
- The malware uses I2P for anonymous CnC communication.
- Infection starts with a phishing email leading to a fake captcha page.
- A PowerShell script is used to download the first stage malware loader.
- The loader uses UAC bypass techniques to elevate privileges.
- It employs two payloads to manipulate Microsoft Defender settings and evade detection.
- The malware blocks Windows update services and Microsoft Defender processes.
- A Remote Access Trojan (RAT) and additional plugins are installed for further exploitation.
- Malware components create detailed logs and can conduct user account management.
- The malware shows signs of activity dating back to March 2024.
- Several samples of the malware and its components are identified for analysis.
MITRE Techniques :
- Execution (T1203) – The infection chain begins with the user executing a PowerShell script via a phishing link.
- Privilege Escalation (T1548.001) – The malware uses UAC bypass techniques to gain elevated privileges.
- Defense Evasion (T1562.001) – The malware modifies Microsoft Defender settings to prevent detection.
- Command and Control (T1071.001) – I2P is used for encrypted CnC communication, ensuring anonymity.
- Persistence (T1543.003) – The malware installs a service to maintain persistence on the infected system.
Indicator of Compromise :
- [URL] hxxp://porn-zoo[.]sbs/
- [Hash] 6f4699c909135fa5b5300aa5c8996ca8f252d1b136c1d47904135ee371f5cac6 (Initial loader)
- [Hash] 49adf0fc74600629f12adf366ecbacdff87b24e7f2c8dea532ea074690ef5f84 (Batch File)
- [Hash] 44cf4321c138c4cacecc95deba735f508c96049e7f0e8f0538684dc4f0c1e9a5 (RAT Installer)
- [Hash] a78945e7532ecdb29b9448a1f3eef2f45ec2f01ca070b9868258cbcd31eac23f (WFP Filter creator)
Full Story: https://www.gdatasoftware.com/blog/2024/12/38093-ip2rat-malware