Recent Satacom campaign delivers cryptocurrency-stealing addon

Satacom downloader (LegionLoader) distributes a Chromium-based browser extension that manipulates crypto-website pages to steal BTC, using a DNS/RC4-based C2 channel and a dynamic URL retrieval via wallet transactions. The campaign spreads through malvertising on third-party sites and fake download portals, delivering a large, obfuscated setup and a hidden extension that can bypass 2FA and conceal BTC transfers through web injections and email tampering. #Satacom #QUADS #Bitcoin #Coinbase #Binance #Bybit #KuCoin

Keypoints

  • Satacom downloader (LegionLoader) uses DNS to obtain base64-encoded URLs for the next-stage payload distributed by Satacom.
  • Malvertising via third-party sites injects malicious download links or buttons that redirect to fake file-sharing sites.
  • The infection chain starts with a ZIP containing legitimate DLLs and a malicious Setup.exe; the user must run it to begin execution.
  • A PowerShell script installs a malicious Chromium-based browser extension and configures shortcuts to load the extension automatically.

MITRE Techniques

  • [T1204.001] User Execution: Malicious Link – The initial infection begins with a ZIP archive file. It is downloaded from a website that appears to mimic a software portal that allows the user to download their desired (often cracked) software for free. “The initial infection begins with a ZIP archive file. It is downloaded from a website that appears to mimic a software portal that allows the user to download their desired (often cracked) software for free.”
  • [T1204.002] User Execution: Malicious File – The archive contains several legitimate DLLs and a malicious Setup.exe file that the user needs to execute manually to initiate the infection chain. “The archive contains several legitimate DLLs and a malicious Setup.exe file that the user needs to execute manually to initiate the infection chain.”
  • [T1059.001] Command and Scripting Interpreter: PowerShell – The malicious extension installation script is responsible for downloading the extension in a ZIP archive file from a third-party website server. “The PowerShell script downloads the archived file to the computer’s Temp directory and then extracts it to a folder inside the Temp directory.”
  • [T1547.009] Shortcut Modification – The PowerShell script searches for browser .LNK files and modifies their Target so the browser loads the extension on every start, which gives the extension a quiet, persistent foothold. “modifies the ‘Target’ parameter for all existing browser shortcuts with the flag ‘--load-extension=[pathOfExtension]’”
  • [T1176] Browser Extensions – The installer downloads and installs a malicious Chromium-based browser extension. “downloads the extension in a ZIP archive file from a third-party website server.”
  • [T1055.012] Process Injection – The malware creates a new PE DLL in Temp, injects it into explorer.exe, and uses process hollowing. “process hollowing”
  • [T1113] Screen Capture – The extension can perform various browser-related data extractions, including screenshots of opened tabs. “the extension is capable of … screenshots of opened tabs”
  • [T1071.004] DNS – The C2 address is retrieved via a DNS TXT record query (don-dns[.]com) and decrypted strings guide the next URL. “DNS query for TXT record through Google to don-dns[.]com”
  • [T1071.001] Web Protocols – The DNS TXT lookup is made through Google, so the C2 exchange rides an application-layer web protocol; the record returned carries the next-stage payload URL. “DNS TXT record … base64-encoded RC4-encrypted string”
  • [T1568] Dynamic Resolution – The C2 server address can be changed by threat actors at any time by issuing a new transaction. “The server address can be changed by the threat actors at any time.”
  • [T1041] Exfiltration Over C2 Channel – The web inject script facilitates BTC withdrawal to the threat actors’ wallet, representing data exfiltration via the C2 channel. “withdrawal function to steal the BTC currency from the victim.”
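The C2 retrieval in T1071.004/T1071.001 hands the downloader a DNS TXT record holding a base64-encoded, RC4-encrypted URL. Below is an added analyst-side decoder for that record format, not code from the report or the malware; the key and the URL it recovers are constructed placeholders, and the decoder refuses output that does not look like a URL so a wrong key or unrelated record is caught rather than passed on.

```python
import base64
from typing import Optional


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation, XOR with data
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def is_plausible_url(text: str) -> bool:
    """Minimal sanity check on decrypted output: scheme present and a dotted host."""
    return text.startswith(("http://", "https://")) and "." in text.split("/", 3)[2:3][0] \
        if text.count("/") >= 2 else False


def decode_txt_record(txt: str, key: bytes) -> Optional[str]:
    """Reverse the TXT-record encoding the report describes: base64, then RC4.

    Returns None when the record is not valid base64, when the decrypted bytes
    are not UTF-8, or when the result does not look like a URL (e.g. wrong key).
    """
    try:
        raw = base64.b64decode(txt, validate=True)
        plain = rc4(key, raw).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    return plain if is_plausible_url(plain) else None


# Constructed sample for offline use. The key and URL are hypothetical, not
# values from the campaign; the record is built the same way the report describes.
SAMPLE_KEY = b"example-key"
SAMPLE_URL = "https://next-stage.example/payload.zip"
SAMPLE_TXT = base64.b64encode(rc4(SAMPLE_KEY, SAMPLE_URL.encode())).decode()

if __name__ == "__main__":
    print(decode_txt_record(SAMPLE_TXT, SAMPLE_KEY))   # constructed URL above
    print(decode_txt_record(SAMPLE_TXT, b"wrong-key")) # None
```

When triaging real DNS logs, feed each TXT answer for the listed DNS domains through `decode_txt_record` with the key recovered from the sample; a `None` result means either a different key or an unrelated record.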

Indicators of Compromise

  • [File] Satacom files – 0ac34b67e634e49b0f75cf2be388f244, 1aa7ad7efb1b48a28c6ccf7b496c9cfd, 199017082159b23decdf63b22e07a7a1
  • [Domain] Satacom DNS – dns-beast[.]com, don-dns[.]com, die-dns[.]com
  • [Domain] Satacom C2 – hit-mee[.]com, noname-domain[.]com, don-die[.]com, old-big[.]com
  • [Domain] Hosted PS scripts – tchk-1[.]com
  • [File] Malicious extension ZIP – a7f17ed79777f28bf9c9cebaa01c8d70
  • [Domain] Malicious extension CC – you-rabbit[.]com, web-lox[.]com
  • [Domain] Hosted Satacom installer ZIP files – ht-specialize[.]xyz, ht-input[.]cfd (and many more hosted ZIP installer files)
  • [Domain] Redirectors to Satacom installer – back-may[.]com, post-make[.]com, filesend[.]live (and other redirectors)

Read more: https://securelist.com/satacom-delivers-cryptocurrency-stealing-browser-extension/109807/