FHAPPI Campaign APT10 FreeHosting APT PowerSploit Poison Ivy
June 19, 2024, 8:10 a.m.
Description
This analysis details a malicious campaign, dubbed 'FHAPPI' by the researcher, that used compromised Geocities Japan accounts to host malware payloads. The campaign relied on VBScript and PowerShell scripts to execute encoded commands, ultimately delivering the Poison Ivy remote access trojan (RAT) through process injection. The researcher provides a detailed reverse-engineering analysis of the malware components, including decoding multiple layers of obfuscation, identifying reused PowerSploit code, and tracing the malware's behavior and network communications. The report concludes by attributing the campaign to the threat actor APT10 and listing the relevant indicators of compromise.
Date
Published: June 19, 2024, 7:24 a.m.
Created: June 19, 2024, 7:24 a.m.
Modified: June 19, 2024, 8:10 a.m.
Indicators
8e9820e308a6908492e9a227a097b649baa64056e247293ae2f48bf0dd228d54
61.97.243.15
116.193.154.28
web.outlooksysm.net
outlooksysm.net
Attack Patterns
Darkmoon
Breut
PoisonIvy - S0012
Poison Ivy
APT10
T1059.005
T1497.001
T1059.003
T1059.001
T1059.007
T1497
T1203
T1059