Campaign uses infostealers and clippers for financial gain
Aug. 16, 2024, 8:53 a.m.
Description
Kaspersky has uncovered a complex malware campaign orchestrated by Russian-speaking cybercriminals. The threat actors create sub-campaigns mimicking legitimate projects, using social media to enhance credibility. They host initial downloaders on Dropbox to deliver infostealers like Danabot and StealC, as well as clippers. In addition to distributing malware, the campaigns trick victims into providing credentials and linking cryptocurrency wallets to drain funds. The analysis covers three active sub-campaigns involving multistage malware, process injection, and various evasion techniques.
Date
Published: Aug. 16, 2024, 8:21 a.m.
Created: Aug. 16, 2024, 8:21 a.m.
Modified: Aug. 16, 2024, 8:53 a.m.
Indicators
1DSWHiAW1iSFYVb86WQQUPn57iQ6W1DjGo
89.169.52.59
85.28.47.139
77.91.77.200
79.133.180.213
46.8.238.240
194.116.217.148
23.94.225.177
81.19.137.7
https://tydime.io/api.php'
dc-mx.bf442731a463.tidyme.io
yous.ai
wuwelej.top
voico.io
vinrevildsports.shop
tydime.io
tidymeapp.io
tidyme.io
supme.io
sinergijiasport.shop
runeonlineworld.io
refvhnhkkolmjbg.shop
peerme.io
partyroyaleplay.io
partyroyaleplay.com
partyroyale.games
partyroyale.fun
izxxd.top
gurunsmilrsports.shop
edvhukkkmvgcct.shop
dustfightergame.com
dintrinnssports.shop
batverssaports.shop
astrosounsports.shop
1h343lkxf4pikjd.dad
Attack Patterns
DanaBot
StealC
T1179
T1497
T1554
T1573
T1564
T1559
T1218
T1106
T1105
T1055
T1134
T1592
T1204
T1140
T1195
T1059