Campaign uses infostealers and clippers for financial gain

Aug. 16, 2024, 8:53 a.m.

Description

Kaspersky has uncovered a complex malware campaign orchestrated by Russian-speaking cybercriminals. The threat actors create sub-campaigns mimicking legitimate projects, using social media to enhance credibility. They host initial downloaders on Dropbox to deliver infostealers like Danabot and StealC, as well as clippers. In addition to distributing malware, the campaigns trick victims into providing credentials and linking cryptocurrency wallets to drain funds. The analysis covers three active sub-campaigns involving multistage malware, process injection, and various evasion techniques.

Date

Published: Aug. 16, 2024, 8:21 a.m.
Created: Aug. 16, 2024, 8:21 a.m.
Modified: Aug. 16, 2024, 8:53 a.m.

Indicators


Attack Patterns

DanaBot
StealC
T1179
T1497
T1554
T1573
T1564
T1559
T1218
T1106
T1105
T1055
T1134
T1592
T1204
T1140
T1195
T1059