PureHVNC Deployed via Python Multi-stage Loader
Aug. 9, 2024, 11:39 a.m.
Description
FortiGuard Labs uncovered a sophisticated attack campaign that uses multiple obfuscation and evasion techniques to distribute and execute several malware families, including VenomRAT, XWorm, AsyncRAT, and PureHVNC. The campaign starts with a phishing email carrying a malicious attachment that initiates a chain of harmful activities. All of the malware samples employ packing and obfuscation tools such as Kramer, donut, and laZzzy to conceal their presence. The analysis focuses on the PureHVNC malware, which collects victim information, targets crypto wallets, password managers, and two-factor authenticators, and can execute additional plugins for remote desktop control and command execution.
Date
Published: Aug. 9, 2024, 11:25 a.m.
Created: Aug. 9, 2024, 11:25 a.m.
Modified: Aug. 9, 2024, 11:39 a.m.
Indicators
Attack Patterns
PureHVNC
VenomRAT
XWorm
AsyncRAT
T1547.003
T1559.001
T1021.001
T1053.005
T1055.002
T1059.001
T1547.001
T1105
T1566.001
T1027