The S2W TALON threat research center analyzed CURKON, a malicious LNK downloader masquerading as a tax-evasion document. It drops a decoy document, pulls additional payloads from a hardcoded attacker server, and ends in execution of Lilith RAT. TALON ties the activity to KONNI/KiN through shared obfuscation methods and malware traits and attributes it to the puNK-003 operator, while noting that CURKON and KONNI differ in their execution goals. #LilithRAT #CURKON #puNK-003 #KONNI #LINKON #AutoIt
Keypoints
- The TALON center identifies CURKON as a downloader LNK linked to the puNK-003 group.
- CURKON downloads an AutoIt script and a legitimate AutoIt3 executable, then executes Lilith RAT.
- The malware shows similarities to KONNI tactics but with a downloader role rather than a dropper, and it does not use KONNI’s typical VBS/BAT scripts.
- AutoIt is used to port Lilith RAT, enabling arbitrary command execution on infected hosts.
- TALON notes potential ties between puNK-003 and KONNI based on obfuscation methods and malware traits.
- Campaigns employ decoy documents, hardcoded C2 servers, and persistence mechanisms (scheduled tasks, startup keys) to maintain presence.
MITRE Techniques
- [T1204.002] Malicious File – The LNK CURKON file drops a decoy document and downloads a malicious AutoIt script and a legitimate AutoIt3 executable, ultimately executing Lilith RAT. “The downloaded files include a malicious AutoIt script and a legitimate AutoIt3 executable, ultimately executing the Lilith RAT malware.”
- [T1059.001] PowerShell – LNK CURKON executes a PowerShell command embedded in its execution arguments. “LNK(CURKON) file execution with arguments setting a PowerShell command.”
- [T1059.003] Windows Command Shell – The PowerShell command is invoked via cmd.exe. “cmd.exe is used to run a PowerShell command.”
- [T1053.005] Scheduled Task – Lilith RAT is registered via schtasks to run periodically for persistence. “scheduled task to run every 5–10 minutes.”
- [T1547.001] Registry Run Keys / Startup Folder – A Start_Web.lnk is created in the startup folder to auto-run the AutoIt script. “Start_Web.lnk file in startup folder to auto-run.”
- [T1564.001] Hidden Files and Directories – The malware creates a hidden folder under C drive with a hard-coded name. “creates a hidden folder under the C drive with a hard-coded string.”
- [T1564.003] Hidden Window – The malware uses a hidden window as part of its evasion. “hidden window.”
- [T1027.010] Command Obfuscation – The PowerShell command and its arguments are obfuscated to hinder analysis. “obfuscation used in the PowerShell command.”
- [T1555.003] Credentials from Web Browsers – The malware includes browser credential access capabilities. “Credentials from Web Browsers.”
- [T1518.001] Security Software Discovery – The sample checks for security software (e.g., Avast) before executing persistence logic. “Security Software Discovery.”
- [T1571] Non-Standard Port – C2 communications occur on non-standard ports (e.g., 57860). “Non-Standard Port.”
- [T1105] Ingress Tool Transfer – The malware downloads additional tools/files from the attacker server as part of its infection chain. “downloads additional files from a hardcoded attacker server.”
- [T1041] Exfiltration Over C2 Channel – Exfiltration over the C2 channel is indicated in the technique map. “Exfiltration Over C2 Channel.”
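The technique list above describes one chain: cmd.exe launching a hidden-window PowerShell from the LNK's arguments, a legitimate AutoIt3.exe running a downloaded .au3 script from a hidden folder under the C drive, a schtasks entry firing every 5 to 10 minutes, a Start_Web.lnk in the Startup folder, and C2 traffic to the listed IPs on non-standard ports. The following hunting script is an added example, not S2W TALON's code: it runs those checks over Sysmon-style process-create, file-create and network-connect events. The event records are constructed here to look like a JSON export of Sysmon EID 1, 11 and 3; the field names, the placeholder folder name `placeholder_dir`, the task name and the script name are assumptions, not values from the report. The IP/port pairs and payload hosts are the IOCs from this page, refanged.

```python
"""Hunt for the CURKON -> AutoIt -> Lilith RAT chain in Sysmon-style telemetry.

Added example (not S2W TALON's code). Event records mimic Sysmon EID 1
(process create), 11 (file create) and 3 (network connect) after JSON export;
the field names and all host/path/task names are assumptions.
"""
import re

# IOCs from the S2W TALON list on this page, refanged for matching.
C2_ENDPOINTS = {
    ("93.183.93.185", 57860),
    ("185.231.154.22", 52720),
    ("62.113.118.157", 57860),
}
PAYLOAD_HOSTS = {"jethropc.com", "phasechangesolutions.com",
                 "cammirando.com", "oryzanine.com"}

# Directories that legitimately sit directly under C:\ (assumption; tune per
# environment). The report says the malware creates a hidden folder with a
# hard-coded name at that depth, so any other root-level folder is suspicious.
KNOWN_ROOT_DIRS = {"windows", "program files", "program files (x86)",
                   "users", "programdata", "perflogs"}

HIDDEN_PS = re.compile(r"\s-(?:windowstyle|win|w)\s+hidden\b", re.I)
AU3_PATH = re.compile(r"([A-Za-z]:\\[^\"'\s]+?\.au3)", re.I)
SCHTASKS_MIN = re.compile(r"/sc\s+minute\s+/mo\s+(\d+)", re.I)


def _root_component(path):
    """Lower-cased first directory under the drive root, or None."""
    m = re.match(r"[A-Za-z]:\\([^\\]+)\\", path)
    return m.group(1).lower() if m else None


def _suspicious_root(path):
    comp = _root_component(path)
    return comp is not None and comp not in KNOWN_ROOT_DIRS


def hunt(events):
    """Return (technique_id, event_index, reason) findings for matching events."""
    findings = []
    for i, ev in enumerate(events):
        img = ev.get("image", "").lower()
        cmd = ev.get("cmdline", "")
        if ev["id"] == 1:
            # T1059.003 -> T1059.001 / T1564.003: cmd.exe spawning hidden-window PowerShell.
            if img.endswith("\\cmd.exe") and "powershell" in cmd.lower() and HIDDEN_PS.search(cmd):
                findings.append(("T1059.001", i, "cmd.exe spawning hidden-window PowerShell"))
            # T1204.002: AutoIt3 interpreter running a script from a non-standard root folder.
            if img.endswith("\\autoit3.exe"):
                m = AU3_PATH.search(cmd)
                if m and _suspicious_root(m.group(1)):
                    findings.append(("T1204.002", i, f"AutoIt3 running {m.group(1)}"))
            # T1053.005: minute-interval task; the report cites every 5-10 minutes.
            if img.endswith("\\schtasks.exe") and "/create" in cmd.lower():
                m = SCHTASKS_MIN.search(cmd)
                if m and int(m.group(1)) <= 10:
                    findings.append(("T1053.005", i, f"scheduled task every {m.group(1)} min"))
            # T1564.001 heuristic: process image living in an unknown folder at the C:\ root.
            if _suspicious_root(ev.get("image", "")):
                findings.append(("T1564.001", i, f"image under root folder {_root_component(ev['image'])}"))
        elif ev["id"] == 11:
            # T1547.001: Start_Web.lnk dropped into a Startup folder.
            target = ev.get("target", "").lower()
            if target.endswith("\\start_web.lnk") and "\\startup\\" in target:
                findings.append(("T1547.001", i, "Start_Web.lnk written to Startup folder"))
        elif ev["id"] == 3:
            # T1571 / T1041: known C2 endpoint on a non-standard port; T1105: payload host.
            key = (ev.get("dst_ip"), ev.get("dst_port"))
            if key in C2_ENDPOINTS:
                findings.append(("T1571", i, f"connection to known C2 {key[0]}:{key[1]}"))
            if ev.get("dst_host", "").lower() in PAYLOAD_HOSTS:
                findings.append(("T1105", i, f"download from payload host {ev['dst_host']}"))
    return findings


# Constructed sample telemetry (not real events); the last two are benign controls.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c powershell -w hidden -ep bypass -c "(download stage)"'},
    {"id": 11, "target": r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Start_Web.lnk"},
    {"id": 1, "image": r"C:\placeholder_dir\AutoIt3.exe",
     "cmdline": r'"C:\placeholder_dir\AutoIt3.exe" C:\placeholder_dir\stage.au3'},
    {"id": 1, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /sc minute /mo 5 /tn "WebUpdate" /tr "C:\placeholder_dir\AutoIt3.exe C:\placeholder_dir\stage.au3" /f'},
    {"id": 3, "image": r"C:\placeholder_dir\AutoIt3.exe", "dst_ip": "93.183.93.185", "dst_port": 57860},
    {"id": 3, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "dst_port": 443, "dst_host": "jethropc.com"},
    {"id": 1, "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
    {"id": 3, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "dst_ip": "203.0.113.10", "dst_port": 443},
]

if __name__ == "__main__":
    for technique, idx, reason in hunt(SAMPLE_EVENTS):
        print(f"{technique}\tevent {idx}\t{reason}")
```

The root-folder heuristic deliberately flags any process image or AutoIt script under a non-standard directory directly beneath C:\ rather than matching the hard-coded folder name, since the report does not publish that name; expect to extend KNOWN_ROOT_DIRS for environments with custom root-level folders. The C2 match is exact on IP and port, so it catches the listed endpoints but not infrastructure rotation; the port-57860 pattern on its own is a weaker but broader pivot.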
Indicators of Compromise
- [IP] 93.183.93[.]185:57860 – C2 server address used by Lilith RAT components.
- [IP] 185.231.154[.]22:52720 – Additional attacker IP observed in the network artifacts.
- [IP] 62.113.118[.]157:57860 – Another C2-related endpoint.
- [URL] jethropc[.]com/wp-admin/css/temp/hurry/?rv=papago^&za=honey0 – malicious hosting URL used for payload delivery (the `^&` is cmd.exe caret-escaping of `&`, consistent with the URL being embedded in the LNK's cmd.exe argument string; the literal request uses `&`).
- [URL] phasechangesolutions[.]com/wp-admin/css/temp/movement/?ra=aaaaaa^&zw=default0 – malicious hosting URL (same `^&` escaping as above).
- [URL] cammirando[.]com/wp-admin/css/temp/movement/?ra=aaaaaa – malicious hosting URL.
- [URL] oryzanine[.]com/index.php – command-and-control URL listed among the network IOCs.
- [MD5] 9d6c79c0b395cceb83662aa3f7ed0123 – CURKON file hash.
- [SHA256] 2189aa5be8a01bc29a314c3c3803c2b8131f49a84527c6b0a710b50df661575e – CURKON file hash (64 hex characters, so SHA-256, not MD5 as originally labeled).
- [MD5] 3334d2605c0df26536058f73a43cb074 – CURKON file hash.
- [SHA256] ba59f1ece68fa051400fd46467b0dc0a5294b8644c107646e75d225a45fff015 – CURKON file hash.
- [MD5] 4f865db4192afb5bbcdeb2e899ca97a4 – CURKON file hash.
- [SHA256] 5ea09247ad85915a8d1066d1825061cc8348e14c4e060e1eba840d5e56ab3e4d – CURKON file hash.
- [Hash] 6263a… (truncated in list) – CURKON file hash.
- [Hash] d336… (truncated in list) – CURKON file hash.
- [SHA256] 0329bb5b3a450b0a8f148a57e045bf6ed40eb49a62e026bd71b021a2efc40aed – CURKON file hash.
- [MD5] 5613ba2032bc1528991b583e17bad59a – Lilith RAT (AutoIt script) hash.
- [Hash] 5548… (truncated in list) – Lilith RAT (AutoIt script) hash.
- [Hash] 1fc4… (truncated in list) – Lilith RAT (AutoIt script) hash.
- [Hash] 909b… (truncated in list) – Lilith RAT (AutoIt script) hash.
- [MD5] 19dc387bffdc0a22f640bd38af320db4 – LINKON hash.
- [Hash] 7788e46f8f3641a92d34da68dffc168fdc936841c5ad3d8b44da62a7b2dfe2ee1 – LINKON hash as listed; it is 65 hex characters, which matches neither MD5 (32) nor SHA-256 (64), so verify against the original report before using it for matching.
- [MD5] 6d6433c328f6cdce4a80efce3a29ea3e – LINKON hash.
- [Hash] 2e31a… (truncated in list) – LINKON hash.