The New Malware Distribution Service

Oct. 16, 2024, 9:48 a.m.

Description

This analysis uncovers a novel malware distribution mechanism built around VBE files (VBScript encoded with the Microsoft Script Encoder) delivered inside archive files, used to spread several malware families including AgentTesla, Remcos, Snake Keylogger and njRAT. It traces the infection chain: the script downloads encoded files from a command-and-control server, stores data in the registry, creates scheduled tasks for persistence, and uses process hollowing to inject the payload into a legitimate process. In the analyzed case the final payload is the Snake Keylogger, which steals keystrokes, screenshots and clipboard contents.
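The chain above leaves three artifacts a defender can hunt for without the sample: a scheduled task whose action is a script host, a registry value holding an encoded stage, and traffic to the C2 host listed under Indicators. The following Python is an added example, not code from the original report; the task names, registry keys and URLs it scans (other than the C2 address from this page) are constructed, and the thresholds are the author's own.

```python
"""Triage heuristics for the VBE-staged infection chain described above.

Added example (not from the original report): scans constructed scheduled-task
rows, registry string values and proxy-log URLs for script hosts launched by
tasks (T1053 + T1059), payload data parked in the registry, and C2 contact.
"""
import base64
import hashlib
import math
import re
from typing import Dict, List

# Only the C2 address comes from the page; every other host, key and task name is made up.
C2_HOST = "144.91.79.54"

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe", "mshta.exe")
SCRIPT_EXT_RE = re.compile(r"\.(vbe|vbs|jse|js|hta|wsf)\b", re.IGNORECASE)
ENCODED_PS_RE = re.compile(r"\s-e(nc|ncodedcommand)?\s", re.IGNORECASE)
BASE64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
HEX_RE = re.compile(r"^(?:[0-9A-Fa-f]{2})+$")
URL_HOST_RE = re.compile(r"https?://([^/:?#]+)")


def shannon_entropy(data: str) -> float:
    """Bits per character: random base64 is near 6, random hex near 4, filler near 0."""
    if not data:
        return 0.0
    n = len(data)
    counts: Dict[str, int] = {}
    for ch in data:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def suspicious_tasks(tasks: List[Dict[str, str]]) -> List[str]:
    """Names of tasks whose action is a script host given a script file,
    or PowerShell given an encoded command. Admin scripts will also hit:
    this is a triage filter, not a verdict."""
    hits = []
    for task in tasks:
        cmd = task["command"].lower()
        if any(h in cmd for h in SCRIPT_HOSTS) and SCRIPT_EXT_RE.search(cmd):
            hits.append(task["name"])
        elif "powershell" in cmd and ENCODED_PS_RE.search(cmd):
            hits.append(task["name"])
    return hits


def suspicious_registry_values(values: List[Dict[str, str]], min_len: int = 512) -> List[str]:
    """Key\\Name of string values that look like a parked payload: long, shaped
    like base64 or hex, and high-entropy (so 'AAAA...' filler or a long PATH is skipped)."""
    hits = []
    for v in values:
        data = v["data"].strip()
        if len(data) < min_len:
            continue
        if (BASE64_RE.match(data) or HEX_RE.match(data)) and shannon_entropy(data) > 3.5:
            hits.append(f"{v['key']}\\{v['name']}")
    return hits


def c2_contacts(urls: List[str]) -> List[str]:
    """URLs whose host is exactly the reported C2 address; a plain substring
    test would also match look-alikes such as 144.91.79.540."""
    hits = []
    for u in urls:
        m = URL_HOST_RE.match(u)
        if m and m.group(1) == C2_HOST:
            hits.append(u)
    return hits


def _fake_payload_blob() -> str:
    """Deterministic pseudo-random bytes, base64-encoded, standing in for a parked stage."""
    raw = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(16))
    return base64.b64encode(raw).decode()


# Constructed sample data (not from any real host).
SAMPLE_TASKS = [
    {"name": r"\Microsoft\Windows\UpdateCheck", "command": r'wscript.exe //B "C:\Users\Public\update.vbe"'},
    {"name": r"\GoogleUpdateTaskMachineUA", "command": r'"C:\Program Files\Google\Update\GoogleUpdate.exe" /ua'},
    {"name": r"\Backup", "command": "powershell.exe -nop -w hidden -e SQBFAFgA"},
]
SAMPLE_REG = [
    {"key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer", "name": "Stage", "data": _fake_payload_blob()},
    {"key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer", "name": "Filler", "data": "A" * 1024},
    {"key": r"HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment", "name": "Path",
     "data": r"C:\Windows\system32;C:\Windows;" * 30},
]
SAMPLE_URLS = [
    "http://144.91.79.54/1109/r",
    "http://144.91.79.54/1109/file",
    "http://144.91.79.540/1109/r",  # look-alike host, must not match
    "https://www.microsoft.com/",
]


def hunt() -> Dict[str, List[str]]:
    """Run all three checks over the sample data and return findings per category."""
    return {
        "tasks": suspicious_tasks(SAMPLE_TASKS),
        "registry": suspicious_registry_values(SAMPLE_REG),
        "c2": c2_contacts(SAMPLE_URLS),
    }


if __name__ == "__main__":
    for section, findings in hunt().items():
        print(f"{section}: {findings}")
```

On a live host the inputs would come from `schtasks /query /v /fo csv`, a `reg export` of the user hive, and proxy logs; the entropy gate matters because benign values such as a long PATH or a zero-filled buffer are also long, and the exact-host comparison avoids counting addresses that merely start with the reported one.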

Date

Published: Oct. 16, 2024, 9:26 a.m.

Created: Oct. 16, 2024, 9:26 a.m.

Modified: Oct. 16, 2024, 9:48 a.m.

Indicators

899dc226fa35da5923b2c6e6e0b90834dd1ea0b4d2e156a6bc99acd1a183a2d4

144.91.79.54

http://144.91.79.54/1109/r

http://144.91.79.54/1109/s

http://144.91.79.54/1109/file

http://144.91.79.54/1109/H011yiDJHSNr3TuAtkpt.txt

http://144.91.79.54

Attack Patterns

SNAKEHOSE (alias of EKANS, the Snake ransomware; a name collision with the Snake Keylogger described above, not the same family)

EKANS - S0605 (Snake ransomware; same name collision as above)

LV (njRAT alias)

Bladabindi (njRAT alias)

Njw0rm (njRAT alias)

njRAT - S0385

Remcos

AgentTesla

T1107 File Deletion (deprecated in ATT&CK; now T1070.004)

T1490 Inhibit System Recovery

T1497 Virtualization/Sandbox Evasion

T1005 Data from Local System

T1070 Indicator Removal

T1564 Hide Artifacts

T1036 Masquerading

T1027 Obfuscated Files or Information

T1053 Scheduled Task/Job

T1056 Input Capture

T1562 Impair Defenses

T1558 Steal or Forge Kerberos Tickets (listed by the platform; the description above reports no Kerberos activity)

T1059 Command and Scripting Interpreter