PureHVNC Deployed via Python Multi-stage Loader
Aug. 9, 2024, 11:39 a.m.
Description
FortiGuard Labs uncovered a sophisticated attack campaign utilizing multiple obfuscation and evasion techniques to distribute and execute various malware, including VenomRAT, XWorm, AsyncRAT, and PureHVNC. The campaign starts with a phishing email containing a malicious attachment that initiates a series of harmful activities. All the malware employs packing and obfuscation tools like Kramer, donut, and laZzzy to conceal their presence. The analysis focuses on the PureHVNC malware, which collects victim information, targets crypto wallets, password managers, and two-factor authenticators, and can execute additional plugins for remote desktop control and execution.
Tags
Date
- Created: Aug. 9, 2024, 11:25 a.m.
- Published: Aug. 9, 2024, 11:25 a.m.
- Modified: Aug. 9, 2024, 11:39 a.m.
Indicators
- d4e8bf427c196d1d5ffca52a5af7162cc5cf4df730ee3fe65b4381ac79662a15
- b393323b9834656a2999198d4f02c1a159c6034d3c20c483d22a30aab3810c0c
- 95a33ba5550747baf72e39b020e6215b6047983eda17250408cd6f4c16a93089
- 8d28191f647572d5e159f35ae55120ddf56209a18f2ca95a28d3ca9408b90d68
- 7c4e613cf4db19f54030097687227809f965a951a26a44a882692ece6e642e3c
- 72ce64d50f9aa15b21631307d2143f426364634a7a2ee4b401ef76bd88c4ff3b
- 71b797032458aab9b4a1a203e7ca413f009af1961cffb98590e34f672574599a
- 561f4b4e2c16f21b0db015819340fc59484e4994022c4cca46cf778006d5d441
- 503ce7bcefdffb96b5de78254f947598a410b86d3aaf597c7334e248c46dae5b
- 2b7ee0ccfa45d2f53098cd8aa4ce73cb00ace462d8490e6843bf05cd07854553
- 16a4de0540181bab7c5d25fcdf90838a28f2dff4ed9e0e37de3f5f1ab20afe0a
- vxsrwrm.duckdns.org
- xoowill56.duckdns.org
- ghdsasync.duckdns.org
- float-suppose-msg-pulling.trycloudflare.com
- drvenomjh.duckdns.org
- ncmomenthv.duckdns.org
- anachyyyyy.duckdns.org
Attack Patterns
- PureHVNC
- VenomRAT
- XWorm
- AsyncRAT
- T1547.003
- T1559.001
- T1021.001
- T1053.005
- T1055.002
- T1059.001
- T1547.001
- T1105
- T1566.001
- T1027