Payouts King Ransomware Initial Access Broker Deploys New Edgecution Malware

Zscaler ThreatLabz tracked Edgecution, a malicious Microsoft Edge extension used by an initial access broker tied to Payouts King ransomware to deliver a Python backdoor through Chrome native messaging. The campaign used fake Microsoft/Outlook update pages, social engineering via Microsoft Teams, and CloudFront-hosted C2 infrastructure to install the extension, evade detection, and execute commands on victim systems. #PayoutsKing #Edgecution #MicrosoftEdge #MicrosoftTeams #CloudFront

Keypoints

  • The campaign is linked to an initial access broker associated with Payouts King ransomware.
  • Attackers used social engineering in Microsoft Teams and fake Microsoft Outlook update pages to trick victims.
  • Edgecution is a malicious Microsoft Edge extension that abuses the Chrome native messaging protocol to reach the host system.
  • The attack chain includes a browser extension plus a Python backdoor that can collect system data, access files, and execute commands.
  • The extension runs inside a headless Edge instance started by a scheduled task, so no browser window is ever shown to the user.
  • C2 traffic was observed using CloudFront subdomains hosted on AWS.
  • The setup scripts also used registry values, scheduled tasks, and encrypted ZIP content to deploy and hide the payloads.
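To make concrete what "abusing the Chrome native messaging protocol" means, the following Python is an added illustration, not code from the Zscaler report or from the malware. It shows the two pieces the abuse relies on: the host manifest that the browser resolves through a registry key, whose `path` can be any executable or script the user can run, and the length-prefixed JSON framing the browser uses on the host's stdin and stdout. The host name, extension ID and host path are placeholders, and the dispatcher only answers a benign `platform` query.

```python
"""Chromium native messaging mechanics: manifest plus stdio framing (added example)."""
import io
import json
import struct
import sys
from typing import Dict, List, Optional

# Native messaging hosts are registered by a JSON manifest. On Windows the manifest's
# location is written to the registry, e.g. (constructed host name):
#   HKCU\Software\Microsoft\Edge\NativeMessagingHosts\com.example.host
# "path" is any executable the user can run: an .exe, or a .bat/.py launcher.
def native_host_manifest(name: str, host_path: str, extension_id: str) -> Dict:
    return {
        "name": name,
        "description": "example host",
        "path": host_path,
        "type": "stdio",
        "allowed_origins": [f"chrome-extension://{extension_id}/"],
    }


def frame_message(obj) -> bytes:
    """Encode one message as the browser does: 4-byte native-endian length + UTF-8 JSON."""
    body = json.dumps(obj, separators=(",", ":")).encode("utf-8")
    return struct.pack("=I", len(body)) + body


def read_message(stream) -> Optional[Dict]:
    """Decode one framed message from a binary stream; None on clean EOF."""
    header = stream.read(4)
    if len(header) < 4:
        return None
    (length,) = struct.unpack("=I", header)
    body = stream.read(length)
    if len(body) != length:
        raise ValueError("truncated native messaging frame")
    return json.loads(body.decode("utf-8"))


def handle(msg: Dict) -> Dict:
    """Host-side dispatcher for this demo: the only recognised verb reports the platform."""
    if msg.get("cmd") == "platform":
        return {"ok": True, "platform": sys.platform}
    return {"ok": False, "error": "unknown command"}


def exchange(requests: List[Dict]) -> List[Dict]:
    """Simulate the extension -> host -> extension round trip entirely in memory."""
    host_stdin = io.BytesIO(b"".join(frame_message(r) for r in requests))
    host_stdout = io.BytesIO()
    while (msg := read_message(host_stdin)) is not None:   # host loop
        host_stdout.write(frame_message(handle(msg)))
    host_stdout.seek(0)
    replies = []
    while (reply := read_message(host_stdout)) is not None:  # extension side
        replies.append(reply)
    return replies


if __name__ == "__main__":
    print(native_host_manifest("com.example.host", r"C:\path\to\host.exe", "a" * 32))
    print(exchange([{"cmd": "platform"}, {"cmd": "shell"}]))
```

The point for a defender is that nothing in this channel is privileged: whatever `path` names runs as the logged-in user with the browser's stdin and stdout attached, so a registry key under HKCU plus a batch file is all an extension needs to reach the operating system.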

MITRE Techniques

  • [T1566.002 ] Phishing: Spearphishing Link – Victims were lured through Microsoft Teams messages and a fake Microsoft website to download or execute payloads (‘impersonate a company’s IT staff’ and ‘need a spam filter update’).
  • [T1059 ] Command and Scripting Interpreter – The campaign used script-based delivery mechanisms including AutoHotKey, batch, and PowerShell to launch the malware (‘deploy the Edgecution malware’).
  • [T1059.010 ] Command and Scripting Interpreter: AutoHotKey & AutoIT – An obfuscated AutoHotKey script was used in the infection chain to configure and deploy the malware (‘Downloads an obfuscated AutoHotKey script’).
  • [T1059.003 ] Command and Scripting Interpreter: Windows Command Shell – Batch scripts were used to set up and deploy Edgecution and launch the browser (‘Windows batch script’).
  • [T1059.001 ] Command and Scripting Interpreter: PowerShell – PowerShell scripts were used to set up deployment and execute commands (‘PowerShell script’).
  • [T1112 ] Modify Registry – The setup wrote an AppKey value in the Windows registry to decrypt Python backdoor strings (‘set a value named AppKey in the Windows registry’).
  • [T1053.005 ] Scheduled Task/Job: Scheduled Task – A scheduled task was created to launch Microsoft Edge automatically (‘schedule a task to launch Microsoft Edge’).
  • [T1204.002 ] User Execution: Malicious File – The victim was induced to download and run malicious files from the fake update portal (‘Download’).
  • [T1105 ] Ingress Tool Transfer – The campaign downloaded obfuscated scripts, encrypted ZIP files, and embedded Python to stage the payload (‘Downloads an obfuscated AutoHotKey script’ and ‘an encrypted ZIP file’).
  • [T1027 ] Obfuscated Files or Information – The malware used encrypted ZIP content and obfuscated scripts to evade signature-based detection (‘encrypted ZIP file’ and ‘obfuscated’).
  • [T1176 ] Browser Extensions – The malicious Edge extension invoked its native messaging host, a batch file that starts the Python backdoor (‘invoked by the web browser extension’).
  • [T1219 ] Remote Access Software – The malicious extension and Python host provided persistent remote command execution and system access (‘execute arbitrary code on the compromised host’).
  • [T1059.006 ] Command and Scripting Interpreter: Python – The native host was a Python backdoor that processed C2 commands and executed code (‘Python-based backdoor’).
  • [T1559 ] Inter-Process Communication – The extension abused Chrome native messaging, a stdio-based IPC channel to a registered native host, to reach the host system from outside the browser sandbox (‘abusing this interface’).
  • [T1071.001 ] Application Layer Protocol: Web Protocols – The extension communicated with C2 over websockets (‘communicates with the C2 server over websockets’).
  • [T1082 ] System Information Discovery – The Python backdoor collected and sent system information (‘collect and send system information’).
  • [T1105 ] Ingress Tool Transfer – The backdoor could write operator-supplied data to an arbitrary file path, letting the C2 drop additional files on the host (‘Write data to a specific filename / path’); the C2 address itself was kept in local storage (‘stores the C2 address in local storage’).
  • [T1057 ] Process Discovery – The backdoor retrieved a list of running processes (‘Retrieve a list of running processes’).
  • [T1059.001 ] Command and Scripting Interpreter: PowerShell – The Python backdoor could execute PowerShell commands and code (‘Execute PowerShell commands / code’).

Indicators of Compromise

  • [Domains/URLs ] Edgecution C2 over WebSocket – wss://d3nh8sl98s2554.cloudfront[.]net/ws, wss://d2g6dl71gua1qa.cloudfront[.]net/ws, and two other CloudFront subdomains
  • [File hashes ] Edgecution browser extension and Python backdoor – a08d8e63b0cd3638fb40b8e6da546e26da69439597565827f9cec87915f78568, 3d1158884fb339b3328bd330fcc27598e1f1c94bcac39e75d1a272afa4deee1a
  • [File paths ] Malicious Edge extension staging directory – %LOCALAPPDATA%\Microsoft\Edge\User Data\test1, native_host.bat in the native directory
  • [Registry values ] Backdoor decryption key storage – HKCU\SOFTWARE\Microsoft\Edge\AppKey
  • [Scheduled task / command line ] Headless Edge execution – --user-data-dir="%LOCALAPPDATA%\Microsoft\Edge\User Data\Recovery", --load-extension="%EXTENSION_DIR%", --headless=new
  • [Host/application names ] Lure and execution environment – Microsoft Teams, Microsoft Edge, Outlook Updates Management Console


Read more: https://www.zscaler.com/blogs/security-research/payouts-king-ransomware-initial-access-broker-deploys-new-edgecution