FHAPPI Campaign APT10 FreeHosting APT PowerSploit Poison Ivy

June 19, 2024, 8:10 a.m.

Description

This analysis details a malicious campaign dubbed 'FHAPPI' by the researcher, which utilized compromised Geocities Japan accounts to host malware payloads. The campaign leveraged VBScript and PowerShell scripts to execute encoded commands, ultimately delivering the Poison Ivy remote access trojan (RAT) through process injection. The researcher provides a detailed reverse engineering analysis of the malware components, including decoding multiple layers of obfuscation, identifying the use of PowerSploit code, and tracing the malware's behavior and network communications. The report concludes by attributing the campaign to the threat actor APT10 and providing relevant indicators of compromise.

External References

https://blog.malwaremustdie.org/2024/06/mmd-068-2024-english-report-of-fhappi.html
https://otx.alienvault.com/pulse/667287b169e8b7ffe42a0078
Tags
malware
apt
powershell
2024-06-19
poison ivy
poisonivy
geocities
encodedpayload
breut
darkmoon

Date

  • Created: June 19, 2024, 7:24 a.m.
  • Published: June 19, 2024, 7:24 a.m.
  • Modified: June 19, 2024, 8:10 a.m.

Indicators

  • 8e9820e308a6908492e9a227a097b649baa64056e247293ae2f48bf0dd228d54
  • 61.97.243.15
  • 116.193.154.28
  • web.outlooksysm.net
  • outlooksysm.net
Download all indicators here!

Attack Patterns

  • Darkmoon
  • Breut
  • PoisonIvy - S0012
  • Poison Ivy
  • APT10
  • T1059.005
  • T1497.001
  • T1059.003
  • T1059.001
  • T1059.007
  • T1497
  • T1203
  • T1059