Today > | 7 High | 13 Medium | 5 Low vulnerabilities   -   You can now download lists of IOCs here!

FHAPPI Campaign APT10 FreeHosting APT PowerSploit Poison Ivy

June 19, 2024, 8:10 a.m.

Description

This analysis details a malicious campaign dubbed 'FHAPPI' by the researcher, which utilized compromised Geocities Japan accounts to host malware payloads. The campaign leveraged VBScript and PowerShell scripts to execute encoded commands, ultimately delivering the Poison Ivy remote access trojan (RAT) through process injection. The researcher provides a detailed reverse engineering analysis of the malware components, including decoding multiple layers of obfuscation, identifying the use of PowerSploit code, and tracing the malware's behavior and network communications. The report concludes by attributing the campaign to the threat actor APT10 and providing relevant indicators of compromise.

Date

Published: June 19, 2024, 7:24 a.m.

Created: June 19, 2024, 7:24 a.m.

Modified: June 19, 2024, 8:10 a.m.

Indicators

8e9820e308a6908492e9a227a097b649baa64056e247293ae2f48bf0dd228d54

61.97.243.15

116.193.154.28

web.outlooksysm.net

outlooksysm.net

Attack Patterns

Darkmoon

Breut

PoisonIvy - S0012

Poison Ivy

APT10

T1059.005

T1497.001

T1059.003

T1059.001

T1059.007

T1497

T1203

T1059