Ande Loader Leads to 0bj3ctivity Stealer Infection

Aug. 12, 2024, 11:42 a.m.

Description

In July 2024, eSentire's Threat Response Unit observed a phishing attack leading to a 0bj3ctivity Stealer malware infection. The attack involved a malicious JavaScript file that retrieved and executed Ande Loader and the 0bj3ctivity Stealer. Ande Loader created persistence, downloaded additional payloads, and performed process injection. The 0bj3ctivity Stealer exfiltrated data from various browsers and messengers to Telegram, servers, or SMTP, including credentials, credit card information, and system details. The attack utilized obfuscation, anti-analysis techniques, and a multi-stage delivery mechanism to evade detection.

External References

https://www.esentire.com/blog/ande-loader-leads-to-0bj3ctivity-stealer-infection?
https://otx.alienvault.com/pulse/66b9f17cd27eff3524070020
Tags
malware
loader
obfuscation
phishing
stealer
infection
2024-08-12
ande loader
0bj3ctivity stealer

Date

  • Created: Aug. 12, 2024, 11:26 a.m.
  • Published: Aug. 12, 2024, 11:26 a.m.
  • Modified: Aug. 12, 2024, 11:42 a.m.

Indicators

  • https://whatismyipaddressnow.co/API/FETCH/filter.php?countryid=14&token=FEzEd9JbsoLF
  • https://whatismyipaddressnow.co/API/FETCH/getcountry.php
Download all indicators here!

Attack Patterns

  • 0bj3ctivity Stealer
  • Ande Loader
  • T1597
  • T1600
  • T1567.002
  • T1086
  • T1589
  • T1055.012
  • T1185
  • T1564.003
  • T1018
  • T1497.001
  • T1547.001
  • T1213
  • T1056.001
  • T1071.001
  • T1518.001
  • T1598
  • T1105
  • T1083
  • T1592
  • T1027