The Abuse of ITarian RMM by Dolphin Loader
Aug. 19, 2024, 1:55 p.m.
Description
This report explores how the Dolphin Loader, a malware-as-a-service loader, abuses the legitimate ITarian Remote Monitoring and Management (RMM) software to distribute various malware payloads. The loader leverages the built-in functionality of RMM tools, such as remote command execution and system monitoring, to operate stealthily and evade detection. The report provides an in-depth analysis of the Dolphin Loader's techniques, including the use of AutoIt scripts for payload execution and the abuse of the ITarian RMM software's 'Procedures' feature to run malicious Python scripts on registered devices.
Tags
Date
- Created: Aug. 19, 2024, 1:24 p.m.
- Published: Aug. 19, 2024, 1:24 p.m.
- Modified: Aug. 19, 2024, 1:55 p.m.
Indicators
- f4d1b970bc9e5d319c5432be9e3863b5a20bf26e557c8cea6f3949df0012cf01
- 95.217.44.124
- 45.141.87.55
- 194.87.219.118
- https://unprotect.it/technique/easycrypter/
- https://houseofgoodtones.org/richardmilliestpe/Aunteficator_em_BHdAOse8_installer_Win7-Win11_x86_x64.msi
- https://apilumma1.fun/v1/downloadBuild
- http://comodozeropoint.com/Updates/1736162964/23/Salome.zip
- http://comodozeropoint.com/Updates/1736162964/23/Salome.zip'
- http://comodozeropoint.com/Updates/
- http://comodozeropoint.com/Requests/api/Core.zip'
- http://comodozeropoint.com/Requests/api/Core.zip
- http://194.87.219.118/crypt
- unprotect.it
- quialitsuzoxm.shop
- subprocess.call
- pieddfreedinsu.shop
- mennyudosirso.shop
- languagedscie.shop
- houseofgoodtones.org
- complaintsipzzx.shop
- comodozeropoint.com
- bassizcellskz.shop
- apilumma1.fun