Quartet of Trouble: XWorm, AsyncRAT, VenomRAT, and...

Aug. 5, 2024, 9:04 a.m.

Description

eSentire's Threat Response Unit (TRU) uncovered a malware campaign affecting a government customer. The infection chain delivered multiple threats - XWorm, VenomRAT, PureLogs Stealer, and AsyncRAT - hosted on a TryCloudflare WebDAV server. The initial access vector was a phishing email carrying a malicious ZIP attachment. The attack used obfuscated batch scripts and encrypted Python scripts to deploy the RATs, and relied on techniques such as direct syscalls, shellcode decryption, and Early Bird APC queue injection to evade detection.

Date

Published: Aug. 5, 2024, 8:33 a.m.
Created: Aug. 5, 2024, 8:33 a.m.
Modified: Aug. 5, 2024, 9:04 a.m.

Indicators

http://stickers-ext-payment-print.trycloudflare.com/kbsfaw.pdf

Attack Patterns

PureLogs Stealer

VenomRAT

XWorm

AsyncRAT

T1055.004

T1055.001

T1543.003

T1055.003

T1608

T1574.002

T1055.002

T1497.001

T1059.001

T1027.005

T1497

T1574

T1566.001

T1543

T1055

T1027

T1566

T1059

Additional Information

Government