Quartet of Trouble: XWorm, AsyncRAT, VenomRAT, and...

Aug. 5, 2024, 9:04 a.m.

Description

eSentire's Threat Response Unit (TRU) uncovered a malware campaign affecting a government customer. The infection involved multiple threats - XWorm, VenomRAT, PureLogs Stealer, and AsyncRAT - hosted on a TryCloudflare WebDAV server. The initial vector was a phishing email carrying a malicious ZIP file. The attack used obfuscated batch scripts and encrypted Python scripts to deploy the RATs, relying on techniques such as direct syscalls, shellcode decryption, and Early Bird APC queue injection to evade detection.

Date

  • Created: Aug. 5, 2024, 8:33 a.m.
  • Published: Aug. 5, 2024, 8:33 a.m.
  • Modified: Aug. 5, 2024, 9:04 a.m.

Indicators

  • http://stickers-ext-payment-print.trycloudflare.com/kbsfaw.pdf
  • ujhn.duckdns.org
  • rvxwrm5.duckdns.org
  • ncmomenthv.duckdns.org
  • anachyyyyy.duckdns.org
  • welxwrm.duckdns.org
  • todfg.duckdns.org

Attack Patterns

Additional Information

  • Government