The Abuse of ITarian RMM by Dolphin Loader
Aug. 19, 2024, 1:55 p.m.
Description
This report explores how Dolphin Loader, a malware-as-a-service loader, abuses the legitimate ITarian Remote Monitoring and Management (RMM) software to distribute a range of malware payloads. The loader relies on functionality that is built into RMM tooling, such as remote command execution and system monitoring, so that its activity blends in with legitimate administration and evades detection. The report provides an in-depth analysis of Dolphin Loader's techniques, including its use of AutoIt scripts for payload execution and its abuse of the ITarian RMM 'Procedures' feature to run malicious Python scripts on devices enrolled in the RMM.
Date
Published: Aug. 19, 2024, 1:24 p.m.
Created: Aug. 19, 2024, 1:24 p.m.
Modified: Aug. 19, 2024, 1:55 p.m.
Indicators
Attack Patterns
Dolphin Loader
SectopRAT
DarkGate
RedLine
LummaC2
Rhadamanthys
T1085
T1574.002
T1059.005
T1027.002
T1059.003
T1059.001
T1070
T1105
T1036
T1027
T1059