Keypoints
- Incidents span 9/2/2023 through 9/30/2024 and consistently use business-themed lures (invoices, quotes, shipment docs).
- Attackers delivered malware via compressed containers and disk images: .rar, .7z, .lzh, .iso, .zip, .gz, .txz and .img files.
- Common payloads observed: Formbook, VIPLogger, SnakeKeylogger, XLoader, Remcos, RedLine, OriginLogger, PureLogs and XWorm.
- Dropper chains are multi-stage (e.g., .7z -> .vbe -> SnakeKeylogger; .7z -> .bat -> GuLoader -> Remcos; link -> .bat -> XWorm, where the source records the first stage only as "link").
- IOC set includes numerous file hashes, C2 domains and IP:port endpoints, plus Telegram API endpoints used for exfiltration/command channels.
- Recipient counts per email ranged from 2 to 22, so the same lures were used for both narrowly targeted and broader sends.
MITRE Techniques
- [T1566.001] Phishing: Spearphishing Attachment – business-themed emails (invoices, quotes, shipment documents) carrying archive or disk-image attachments.
- [T1204.002] User Execution: Malicious File – the recipient has to open the container and run the script inside it.
- [T1027] Obfuscated Files or Information – payloads wrapped in compressed archives (.rar, .7z, .lzh, .zip, .gz, .txz) so that gateway scanning sees only the container; disk images (.iso, .img) serve the same purpose and are also the classic Mark-of-the-Web bypass vector ([T1553.005]).
- [T1059.005] / [T1059.003] Command and Scripting Interpreter: Visual Basic / Windows Command Shell – the .vbe and .bat stages of the dropper chains.
- [T1056.001] Input Capture: Keylogging – SnakeKeylogger, OriginLogger and VIPLogger capture keystrokes, including typed credentials; this is keylogging rather than T1003 OS Credential Dumping, which covers LSASS/SAM-style extraction.
- [T1219] Remote Access Software – Remcos for interactive remote control.
- [T1102.002] Web Service: Bidirectional Communication and [T1567] Exfiltration Over Web Service – Telegram Bot API endpoints used as command and exfiltration channels.
Indicators of Compromise
- [File hashes] Associated with specific families – OriginLogger: 103df9c2f3a2592830ff9d610176280942829477f2b89a36d9695248f0f4f843, RedLine: 55dd90013201853f29bb56e9e832f1a6483da1d154e500b7d08c86335e7f037b, and 40+ other SHA-256 hashes.
- [C2 domains / URLs] Command-and-control or hosting – ftersaleb.top (multiple XLoader paths), spacesave.duckdns.org:14645 (Remcos), and several other domains like ellinksa.shop and route4.org.
- [IP:port endpoints] Remote services/C2 addresses – 154.216.20.37:5888 (PureLogs), 198.12.90.244:49780 (RedLine) and additional IP:port combos.
- [Email addresses] Lures or compromised senders – multiple From and recipient addresses are associated with the campaigns; the addresses themselves are redacted here.
- [Attachment/container types] Compression and container formats observed – .rar (e.g., -> Formbook/XLoader), .7z (e.g., -> VBE -> SnakeKeylogger), .lzh (-> XLoader), .iso and .zip, plus .gz/.txz and .img files.
- [Telegram endpoints] Exfiltration/command channels – https://api.telegram.org/bot6523340491 and api.telegram.org/bot4579221711 (used by keylogger/VIPLogger samples). Bot API URLs take the form api.telegram.org/bot<id>:<secret>/<method>; only the numeric bot id is recorded here, and because the path travels inside TLS, a DNS or proxy control on the api.telegram.org host is the practical block unless TLS inspection is in place.
Attackers used business-oriented email lures carrying compressed archives or disk images that unpacked to staged droppers. A typical chain is archive -> script (.vbe or .bat) -> optional loader (GuLoader) -> final payload (SnakeKeylogger, Remcos, XLoader). Other chains delivered stealer families directly from an archive (e.g., .rar -> Formbook), or used .img/.iso containers that extension-based attachment filters often do not inspect; only content-based (magic-byte) classification identifies the format regardless of the name the sender chose.
The campaigns relied on many hosting/C2 points and left observable artifacts: dozens of file hashes mapped to families (OriginLogger, XLoader, SnakeKeylogger, VIPLogger, RedLine, PureLogs), several domains (ftersaleb.top, ellinksa.shop, route4.org, spacesave.duckdns.org), IP:port C2 endpoints, and Telegram bot endpoints for exfiltration and control. Detection and triage should focus on archive-based delivery, the nested script stages (.vbe/.bat launched by wscript.exe, cscript.exe or cmd.exe from a user's download or temp folder), and the network indicators above.
Containment and remediation follow from the observed procedure: block the listed C2 domains and IP:port pairs (duckdns.org hostnames are dynamic DNS, so block the hostname rather than whatever IP it resolves to today); hunt endpoint telemetry for the listed hashes and for script-host processes spawned from archive contents; review email gateway logs for attachments in the referenced container formats and lure themes; and on any host that executed a .vbe/.bat stage, check for persistence, treat credentials typed there as exposed, and rotate them.
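As an added example (not code from the gist or from the report's authors), the following Python triage helper covers both the archive-based delivery described above and the network-indicator hunt: it identifies container formats by magic bytes rather than by extension, lists script members inside a zip (including decoy double extensions such as Invoice.pdf.vbe), and matches proxy log lines against the listed domains, IP:port pairs and Telegram Bot API URLs. The `ts src_ip dst_host dst_port url` log format, the sample lines, the sample zip and the bot-token secret are constructed assumptions; the domains, sockets and bot ids are the ones the report lists.

```python
import io
import re
import zipfile
from typing import List, Optional, Tuple

# Magic-byte signatures for the container formats the report lists, as (offset, bytes).
# ISO 9660 and LZH carry their signature past the start of the file; a raw FAT .img has
# no reliable fixed magic, so only NTFS-formatted images are recognised here.
CONTAINER_MAGIC = {
    "rar": [(0, b"Rar!\x1a\x07")],
    "7z":  [(0, b"7z\xbc\xaf\x27\x1c")],
    "zip": [(0, b"PK\x03\x04")],
    "gz":  [(0, b"\x1f\x8b")],
    "xz":  [(0, b"\xfd7zXZ\x00")],      # .txz is a tar inside an xz stream
    "iso": [(0x8001, b"CD001")],        # primary volume descriptor
    "lzh": [(2, b"-lh")],               # header method id, e.g. "-lh5-"
    "img": [(3, b"NTFS    ")],          # NTFS boot sector OEM id
}

# Member extensions that mean "this archive unpacks to something that executes".
SCRIPT_EXT = {".vbe", ".vbs", ".bat", ".cmd", ".js", ".jse", ".wsf", ".hta", ".lnk", ".ps1", ".exe", ".scr"}
DECOY_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx"}

def sniff_container(data: bytes) -> Optional[str]:
    """Identify a container by content, ignoring whatever extension the sender chose."""
    for kind, sigs in CONTAINER_MAGIC.items():
        if any(data[off:off + len(sig)] == sig for off, sig in sigs):
            return kind
    return None

def suspicious_members(names: List[str]) -> List[Tuple[str, str]]:
    """Return (member, reason) for members ending in a script/executable extension,
    noting when a document extension is used as a decoy ('Invoice.pdf.vbe')."""
    flagged = []
    for name in names:
        parts = name.lower().rsplit("/", 1)[-1].split(".")
        ext = "." + parts[-1] if len(parts) > 1 else ""
        if ext in SCRIPT_EXT:
            decoy = len(parts) > 2 and "." + parts[-2] in DECOY_EXT
            flagged.append((name, "decoy-double-extension" if decoy else "script-member"))
    return flagged

def triage_attachment(data: bytes):
    """Sniff the container and, for zip (the only listed format the stdlib opens), list risky members."""
    kind = sniff_container(data)
    members: List[str] = []
    if kind == "zip":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            members = zf.namelist()
    return kind, suspicious_members(members)

def build_sample_zip() -> bytes:
    """Constructed sample attachment (not from the report): a decoy-named VBE next to a text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice_4421.pdf.vbe", "#@~^dummy==@#@&")   # placeholder, not a real script
        zf.writestr("readme.txt", "see attached invoice")
    return buf.getvalue()

# Network indicators taken from the report's IOC list.
IOC_DOMAINS = {"ftersaleb.top", "ellinksa.shop", "route4.org", "spacesave.duckdns.org"}
IOC_SOCKETS = {("154.216.20.37", 5888), ("198.12.90.244", 49780), ("spacesave.duckdns.org", 14645)}
KNOWN_BOTS = {"6523340491", "4579221711"}
# Bot API URLs look like api.telegram.org/bot<id>:<secret>/<method>; the report lists only <id>.
TELEGRAM_BOT_RE = re.compile(r"api\.telegram\.org/bot(\d+)(?::[\w-]+)?/(\w+)")

def hunt_proxy_log(lines: List[str]) -> List[Tuple[int, str]]:
    """Match each 'ts src_ip dst_host dst_port url' line (hypothetical format) against the IOCs.
    Any Telegram Bot API call is reported, tagged known/unknown by bot id."""
    hits = []
    for i, line in enumerate(lines):
        _ts, _src, host, port, url = line.split(maxsplit=4)
        if host in IOC_DOMAINS:
            hits.append((i, f"c2-domain:{host}"))
        if (host, int(port)) in IOC_SOCKETS:
            hits.append((i, f"c2-socket:{host}:{port}"))
        m = TELEGRAM_BOT_RE.search(url)
        if m:
            known = "known" if m.group(1) in KNOWN_BOTS else "unknown"
            hits.append((i, f"telegram-bot:{m.group(1)}:{known}:{m.group(2)}"))
    return hits

# Constructed proxy log lines (sample data, not from the report); the bot secret is a placeholder.
SAMPLE_LOG = [
    "2024-09-12T08:14:02Z 10.0.4.21 ftersaleb.top 80 http://ftersaleb.top/",
    "2024-09-12T08:14:09Z 10.0.4.21 api.telegram.org 443 https://api.telegram.org/bot6523340491:PLACEHOLDER/sendDocument",
    "2024-09-12T08:15:30Z 10.0.4.37 154.216.20.37 5888 tcp://154.216.20.37:5888",
    "2024-09-12T08:16:01Z 10.0.4.50 www.example.com 443 https://www.example.com/",
]

if __name__ == "__main__":
    print(triage_attachment(build_sample_zip()))
    for hit in hunt_proxy_log(SAMPLE_LOG):
        print(hit)
```

The magic-byte table is deliberately checked before any extension is trusted: a `.iso` renamed to `.pdf` still sniffs as ISO 9660, which is exactly the case an extension-based gateway filter misses. The Telegram match fires on any bot id, not only the two listed, because a new sample will simply carry a new bot; the known/unknown tag is there so a hunt can prioritise the listed ids without ignoring the rest.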
Read more: https://gist.github.com/silence-is-best/2efe46038a58d20e173fb5ca0a3f7f43