The attacker may have used the malware to check for antivirus-related processes running on the system.
Tag: T1041
Engage Report: Glutton PHP Backdoor
-
Tactic: Initial Access (TA0001)
-
Technique: Exploit Public-Facing Application (T1190)
-
Procedure: Exploit 0-day and N-day vulnerabilities in public-facing PHP applications to gain initial access to the server.
-
Tactic: Initial Access (TA0001)
-
Technique: Valid Accounts (T1078)
-
Procedure: Leverage weak password brute-forcing techniques to compromise valid accounts and gain unauthorized access.
-
Tactic: Initial Access (TA0001)
-
Technique: Supply Chain Compromise (T1195)
-
Procedure: Distribute pre-compromised business systems embedded with the l0ader_shell backdoor through cybercrime source code forums.
-
Tactic: Execution (TA0002)
-
Technique: Command and Scripting Interpreter (T1059): PHP
-
Procedure: Execute malicious PHP code (task_loader, init_task, client_loader, etc.) within the web application environment to carry out various malicious activities.
-
Tactic: Persistence (TA0003)
-
Technique: Server Software Component: Web Shell (T1505.003)
-
Procedure: Inject web shells (l0ader_shell) into PHP files to maintain persistence on the compromised server.
-
Tactic: Persistence (TA0003)
-
Technique: Create or Modify System Process (T1543)
-
Procedure: Install the Winnti backdoor as a daemon process by modifying the /etc/init.d/network init script.
-
Tactic: Command and Control (TA0011)
-
Technique: Application Layer Protocol: Web Protocols (T1071.001): HTTP
-
Procedure: Establish an HTTP-based C2 channel for communication with the C2 server (v6.thinkphp1.com, v20.thinkphp1.com) and retrieve additional payloads.
-
Tactic: Command and Control (TA0011)
-
Technique: Non-Application Layer Protocol (T1095): UDP
-
Procedure: Utilize UDP for C2 communication with the PHP backdoor, enabling command execution and data exfiltration.
-
Tactic: Defense Evasion (TA0005)
-
Technique: Obfuscated Files or Information (T1027)
-
Procedure: Employ obfuscation techniques in later stages of the attack (e.g., obfuscating the l0ader function code in client_loader) to hinder analysis and detection.
-
Tactic: Discovery (TA0007)
-
Technique: System Information Discovery (T1082)
-
Procedure: Collect system information, including OS version, PHP version, and sensitive data from Baota panels, to gain situational awareness and identify valuable targets.
-
Tactic: Exfiltration (TA0010)
-
Technique: Exfiltration Over C2 Channel (T1041)
-
Procedure: Exfiltrate collected data over HTTP and UDP C2 channels to attacker-controlled servers.
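The persistence step above (T1505.003, code injected into PHP files that already exist on the server) is the one a defender can catch cheaply with a file-integrity baseline of the web root. The following is an added example, not code from the Glutton report or from XLab: it hashes every PHP file at deploy time, diffs a later snapshot, and runs a few generic webshell heuristics over anything added or modified. The regexes are generic assumptions about webshell code, not Glutton signatures, and the "web root" it scans is a temporary directory constructed inside the script.

```python
"""Added example (not from the Glutton report): PHP web-root integrity baseline plus
generic webshell heuristics. Sample files and the injected code are constructed here."""
import hashlib
import os
import re
import tempfile

# Generic heuristics (an assumption, not Glutton-specific signatures): dynamic code
# execution or command execution fed from decoded data or request parameters.
SUSPICIOUS = [
    re.compile(r"\beval\s*\(\s*(base64_decode|gzinflate|str_rot13|\$_(GET|POST|REQUEST|COOKIE))", re.I),
    re.compile(r"\b(system|shell_exec|passthru|exec|popen)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)", re.I),
    re.compile(r"\bassert\s*\(\s*\$_(GET|POST|REQUEST)", re.I),
    # $f = $_POST['x']; $f(...)  -> variable-function call on attacker input
    re.compile(r"\$\w+\s*=\s*\$_(GET|POST|REQUEST)\[[^\]]+\]\s*;\s*\$\w+\s*\(", re.I),
]


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each .php file (path relative to root, '/'-separated) to its SHA-256.
    Run this once on a known-good deployment and store the result off-host."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(".php"):
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                manifest[rel] = sha256_file(full)
    return manifest


def diff_manifest(baseline, current):
    """Files that appeared, disappeared, or changed hash since the baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def scan_file(path):
    """Return the heuristic patterns that match the file's contents."""
    with open(path, "r", errors="replace") as f:
        src = f.read()
    return [p.pattern for p in SUSPICIOUS if p.search(src)]


def demo():
    """Constructed scenario: baseline a two-file app, inject a shell into an existing
    file and drop a new one, then report what the diff and the heuristics catch."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "app"))
        helper = os.path.join(root, "app", "helper.php")
        with open(os.path.join(root, "index.php"), "w") as f:
            f.write("<?php echo 'hello'; ?>\n")
        with open(helper, "w") as f:
            f.write("<?php function add($a, $b) { return $a + $b; } ?>\n")
        baseline = build_manifest(root)

        # Simulated injection into a legitimate file (the T1505.003 pattern).
        with open(helper, "a") as f:
            f.write("<?php eval(base64_decode($_POST['x'])); ?>\n")
        # Simulated dropped file.
        with open(os.path.join(root, "app", "cache.php"), "w") as f:
            f.write("<?php system($_GET['cmd']); ?>\n")

        changes = diff_manifest(baseline, build_manifest(root))
        suspects = changes["added"] + changes["modified"]
        findings = {p: scan_file(os.path.join(root, p)) for p in suspects}
        return changes, findings


if __name__ == "__main__":
    changes, findings = demo()
    print(changes)
    for path, hits in findings.items():
        print(path, "->", len(hits), "heuristic hit(s)")
```

The hash diff is the reliable half: an appended backdoor changes the file hash regardless of how the payload is obfuscated, which is why the baseline must be stored somewhere the web server's user cannot rewrite. The heuristics are only a triage aid for the diffed files; an obfuscated l0ader-style payload would typically defeat them, so review every modified file rather than only the ones the regexes flag.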
China attacks U.S. Companies
The attackers leveraged WMI (Windows Management Instrumentation), Microsoft's built-in management framework, to execute commands on a remote computer, indicating possible exploitation of external remote services to gain initial access to the network.
Lumma Stealer and Amadey Bot in Manufacturing
A threat actor has gained initial access to the manufacturing network and is utilizing the Lumma Stealer and Amadey Bot malware to steal sensitive data and maintain persistence.
Unveiling RevC2 and Venom Loader
- Initial Access: The attack likely begins with a phishing email containing a malicious LNK file (VenomLNK).
- Execution: The LNK file executes an obfuscated batch script, which downloads and executes various payloads, including RevC2 and Venom Loader. Venom Loader utilizes DLL side-loading and JavaScript for execution.
- Persistence: Venom Loader establishes persistence by adding a PowerShell script to the autorun registry key.
- Command and Control: RevC2 uses WebSockets (ws://208.85.17[.]52:8082) for C2 communication, while More_eggs lite uses HTTP POST requests (/api/infos).
- Defense Evasion: Both RevC2 and Venom Loader employ obfuscation to hinder analysis. Venom Loader also uses DLL side-loading.
- Collection: RevC2 steals cookies, passwords, and takes screenshots.
- Exfiltration: Stolen data is exfiltrated over the C2 channel.
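The two C2 channels named above are observable in egress proxy logs: a WebSocket to a bare IP on a non-standard port (RevC2) and HTTP POSTs to a short fixed path (More_eggs lite). The block below is an added example, not code from the RevC2/Venom Loader report: it refangs the report's defanged indicator, then runs both a literal-IOC match and a broader behavioural check over proxy log lines. The log format and the log lines are constructed for the example; adapt the regex to the proxy you actually have.

```python
"""Added example (not from the RevC2/Venom Loader report): hunt proxy logs for the
WebSocket and HTTP POST C2 patterns described above. Log format and lines are constructed."""
import ipaddress
import re
from urllib.parse import urlsplit

# Indicators as written in the report (defanged); refanged at load time.
REPORTED_IOCS = {
    "revc2_ws": "ws://208.85.17[.]52:8082",
    "more_eggs_lite_path": "/api/infos",
}


def refang(ioc):
    return ioc.replace("[.]", ".").replace("hxxps", "https").replace("hxxp", "http")


# Assumed proxy log format (constructed): "<timestamp> <client_ip> <method> <url> <status>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")


def is_bare_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def classify(line):
    """Return a finding dict for a suspicious line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["url"])
    host, port, path = url.hostname or "", url.port, url.path
    hits = []
    # Behavioural: WebSocket straight to an IP literal on a non-web port (RevC2 style).
    if url.scheme in ("ws", "wss") and is_bare_ip(host) and port not in (None, 80, 443):
        hits.append("websocket-to-bare-ip-nonstandard-port")
    # Literal IOC from the report.
    if m["url"].startswith(refang(REPORTED_IOCS["revc2_ws"])):
        hits.append("revc2-c2-ioc")
    # More_eggs lite beacon path; only POST, since the report describes POST requests.
    if m["method"] == "POST" and path == REPORTED_IOCS["more_eggs_lite_path"]:
        hits.append("more_eggs-lite-beacon-path")
    return {"client": m["client"], "url": m["url"], "hits": hits} if hits else None


def hunt(lines):
    return [r for r in (classify(l) for l in lines) if r]


# Constructed sample log: one RevC2-style WebSocket, one More_eggs-style POST, two benign lines,
# and a GET to /api/infos that should not fire.
SAMPLE_LOG = """\
2024-12-03T10:01:02Z 10.1.2.3 GET https://www.example.com/index.html 200
2024-12-03T10:01:05Z 10.1.2.3 GET ws://208.85.17.52:8082/ 101
2024-12-03T10:02:11Z 10.1.2.9 POST http://198.51.100.7/api/infos 200
2024-12-03T10:02:40Z 10.1.2.4 GET wss://chat.example.com/socket 101
2024-12-03T10:03:00Z 10.1.2.4 GET http://203.0.113.9/api/infos 200
"""

if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG.splitlines()):
        print(finding)
```

The single IP is the brittle part: infrastructure rotates, so the behavioural rule (WebSocket upgrade to an IP literal on an unusual port) is what keeps producing value after the indicator goes stale, at the cost of needing an allow-list for any internal services that legitimately do the same.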
Exploitation of Firefox and Windows zero-day vulnerabilities
The RomCom threat actors are actively exploiting Firefox and Windows zero-day vulnerabilities to compromise systems, escalate privileges, establish persistence, and exfiltrate sensitive data.
Bored BeaverTail & InvisibleFerret Yacht Club – A Lazarus Lure
T1566.002 (Spearphishing Link) – The attacker sends a phishing email containing a malicious link to a GitHub repository disguised as a legitimate project.
T1608.001 (Stage Capabilities: Upload Malware) – The attacker hosts malicious code, disguised as an NPM package, on a public GitHub repository.
T1204.002 (User Execution: Malicious File) – The victim, a developer, runs npm install to install the malicious NPM package from the GitHub repository.
T1059.007 (Command and Scripting Interpreter: JavaScript) – The malicious NPM package contains an install script that executes a malicious JavaScript file ('test.js') located in the '.vscode' folder, which the report describes as establishing persistence on the victim's machine.
T1071.001 (Application Layer Protocol: Web Protocols) – The malicious JavaScript file uses curl to communicate with the attacker's C2 server over HTTP and download additional payloads.
T1041 (Exfiltration Over C2 Channel) – The attacker uses the established C2 channel to exfiltrate sensitive data from the victim's machine.
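The pivot in this chain is that npm install runs the package's lifecycle scripts, so a developer who only reviewed the visible source is still compromised by a one-line postinstall hook. The block below is an added example, not code from the Lazarus report or from npm: it parses a package.json before installation and flags lifecycle scripts that launch an interpreter on a file under a hidden or editor directory (such as .vscode) or fetch from the network during install. The heuristics and the two sample manifests are constructed for the example.

```python
"""Added example (not from the BeaverTail/InvisibleFerret report): pre-install audit of
npm lifecycle scripts in package.json. Heuristics and sample manifests are constructed."""
import json
import re
import shlex

# Hooks that npm runs automatically around `npm install`.
LIFECYCLE = ("preinstall", "install", "postinstall", "prepare", "preprepare", "postprepare")

# Heuristics (assumptions, not signatures): an interpreter pointed at a file inside a
# hidden/editor directory, or a downloader invoked during install.
RISKY_PATH = re.compile(r"(^|[\\/])\.(vscode|git|github|idea)[\\/]")
INTERPRETERS = {"node", "python", "python3", "sh", "bash", "powershell", "pwsh", "cmd"}
DOWNLOADERS = {"curl", "wget", "Invoke-WebRequest", "iwr"}
SPLIT_RE = re.compile(r"\s*(?:&&|\|\||;|\|)\s*")  # split chained shell commands


def audit_scripts(package_json_text):
    """Return (hook, reason) tuples for suspicious lifecycle scripts."""
    pkg = json.loads(package_json_text)
    findings = []
    for hook, cmd in pkg.get("scripts", {}).items():
        if hook not in LIFECYCLE:
            continue  # `npm test`, `npm run build` etc. only run when invoked explicitly
        for segment in SPLIT_RE.split(cmd):
            try:
                argv = shlex.split(segment)
            except ValueError:  # unbalanced quotes; fall back to naive split
                argv = segment.split()
            if not argv:
                continue
            exe = argv[0].rsplit("/", 1)[-1]
            if exe in INTERPRETERS and any(RISKY_PATH.search(a) for a in argv[1:]):
                findings.append((hook, f"{exe} runs a file from a hidden/editor directory: {segment}"))
            if exe in DOWNLOADERS:
                findings.append((hook, f"network fetch during install: {segment}"))
    return findings


# Constructed manifests. The malicious one mirrors the chain described in the report:
# a lifecycle hook executing test.js from the .vscode folder.
SAMPLE_MALICIOUS = json.dumps({
    "name": "legit-looking-project",
    "version": "1.0.0",
    "scripts": {"test": "jest", "postinstall": "node .vscode/test.js"},
})
SAMPLE_BENIGN = json.dumps({
    "name": "ordinary-project",
    "version": "2.3.1",
    "scripts": {"test": "jest", "build": "tsc -p .", "prepare": "husky install"},
})

if __name__ == "__main__":
    for label, text in (("malicious", SAMPLE_MALICIOUS), ("benign", SAMPLE_BENIGN)):
        print(label, audit_scripts(text))
```

Run this against a cloned repository before installing it, or install with npm install --ignore-scripts and review the hooks by hand; a clean audit only means none of these heuristics fired, since a hook can just as well run a file with an innocent name from the package root.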
China shopping for Black Friday Gains
SilkSpecter actors are targeting online shoppers during the Black Friday period with spearphishing emails containing malicious attachments. These attachments likely contain obfuscated malware designed to evade detection and exfiltrate sensitive information like credit card details.
Financially Motivated Chinese Threat Actor SilkSpecter Targeting Black Friday Shoppers
- SilkSpecter used spearphishing emails with malicious attachments (T1566) to target Black Friday shoppers.
- The attachments likely contained malware, which, when executed, established a connection to the threat actor’s command-and-control (C2) server using common protocols like HTTP or HTTPS (T1071).
- This allowed the attackers to steal sensitive information like credit card details and personally identifiable information (PII) and send it back to their C2 server (T1041).
DONOT Hunt Me
A threat actor is utilizing spearphishing emails with malicious attachments to gain initial access, establish persistence via scheduled tasks, and exfiltrate data over HTTP.