Quartet of Trouble: XWorm, AsyncRAT, VenomRAT, and...
Aug. 5, 2024, 9:04 a.m.
Description
eSentire's Threat Response Unit (TRU) uncovered a malware campaign affecting a government customer. The infection chain delivered multiple threats - XWorm, VenomRAT, PureLogs Stealer, and AsyncRAT - staged on a WebDAV server exposed through TryCloudflare. The initial access vector was a phishing email carrying a malicious ZIP file. The attack used obfuscated batch scripts and encrypted Python scripts to deploy the RATs, and relied on direct syscalls, in-memory shellcode decryption, and Early Bird APC queue injection to evade detection.
Date
Published: Aug. 5, 2024, 8:33 a.m.
Created: Aug. 5, 2024, 8:33 a.m.
Modified: Aug. 5, 2024, 9:04 a.m.
Indicators
http://stickers-ext-payment-print.trycloudflare.com/kbsfaw.pdf
ujhn.duckdns.org
rvxwrm5.duckdns.org
ncmomenthv.duckdns.org
anachyyyyy.duckdns.org
welxwrm.duckdns.org
todfg.duckdns.org
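The indicators above are only useful once they are run against telemetry, so the following added example (not part of the original report or of eSentire's tooling) matches the listed hosts against constructed proxy and DNS log lines. It also flags any other duckdns.org or trycloudflare.com host as a weak signal, which is an assumption added here: those suffixes are not indicators from the report, but the TryCloudflare hostname is ephemeral and the duckdns names can be re-pointed at any time, so exact-match hits alone go stale quickly. The log lines are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Indicators as listed on the page.
IOC_URLS = {
    "http://stickers-ext-payment-print.trycloudflare.com/kbsfaw.pdf",
}
IOC_DOMAINS = {
    "ujhn.duckdns.org",
    "rvxwrm5.duckdns.org",
    "ncmomenthv.duckdns.org",
    "anachyyyyy.duckdns.org",
    "welxwrm.duckdns.org",
    "todfg.duckdns.org",
}

# Assumption for illustration: treat the infrastructure families used in the
# campaign (dynamic DNS and TryCloudflare quick tunnels) as weak signals.
# These suffixes are not indicators from the report.
WEAK_SIGNAL_SUFFIXES = (".duckdns.org", ".trycloudflare.com")


def normalize_host(host):
    """Lower-case a hostname and drop whitespace and a trailing root dot."""
    return host.strip().rstrip(".").lower()


# Build one lookup set of hosts from both the URL and the domain indicators.
IOC_HOSTS = {normalize_host(urlsplit(u).hostname) for u in IOC_URLS} | {
    normalize_host(d) for d in IOC_DOMAINS
}

# Dotted names whose last label is alphabetic; skips bare IPv4 addresses.
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)


def classify_line(line):
    """Return ("ioc", host), ("weak", host) or None for one log line.

    An exact indicator match wins over a suffix-only (weak) match.
    """
    hosts = [normalize_host(h) for h in HOST_RE.findall(line)]
    for h in hosts:
        if h in IOC_HOSTS:
            return ("ioc", h)
    for h in hosts:
        if h.endswith(WEAK_SIGNAL_SUFFIXES):
            return ("weak", h)
    return None


def scan(lines):
    """Return (line_number, kind, host) for every line that matched."""
    hits = []
    for n, line in enumerate(lines, 1):
        result = classify_line(line)
        if result:
            hits.append((n, result[0], result[1]))
    return hits


# Constructed sample log lines (not real telemetry).
SAMPLE_LOGS = [
    "2024-08-01T10:00:01Z proxy GET http://stickers-ext-payment-print.trycloudflare.com/kbsfaw.pdf 200 src=10.1.2.3",
    "2024-08-01T10:02:15Z dns query=UJHN.duckdns.org. type=A client=10.1.2.3",
    "2024-08-01T10:03:40Z dns query=update.microsoft.com type=A client=10.1.2.3",
    "2024-08-01T10:05:02Z dns query=someother.duckdns.org type=A client=10.1.2.9",
]

if __name__ == "__main__":
    for n, kind, host in scan(SAMPLE_LOGS):
        print(f"line {n}: {kind} {host}")
```

Hosts are normalised before comparison so that mixed case and a trailing root dot in DNS logs (as in the second sample line) still hit the exact-match list. The weak-signal tier will also fire on legitimate use of these services, so it is meant for triage rather than blocking.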
Attack Patterns
PureLogs Stealer
VenomRAT
XWorm
AsyncRAT
T1055.004 - Process Injection: Asynchronous Procedure Call
T1055.001 - Process Injection: Dynamic-link Library Injection
T1543.003 - Create or Modify System Process: Windows Service
T1055.003 - Process Injection: Thread Execution Hijacking
T1608 - Stage Capabilities
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1055.002 - Process Injection: Portable Executable Injection
T1497.001 - Virtualization/Sandbox Evasion: System Checks
T1059.001 - Command and Scripting Interpreter: PowerShell
T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools
T1497 - Virtualization/Sandbox Evasion
T1574 - Hijack Execution Flow
T1566.001 - Phishing: Spearphishing Attachment
T1543 - Create or Modify System Process
T1055 - Process Injection
T1027 - Obfuscated Files or Information
T1566 - Phishing
T1059 - Command and Scripting Interpreter
Additional Information
Government