The New Malware Distribution Service

Oct. 16, 2024, 9:48 a.m.

Description

This analysis uncovers a novel malware distribution mechanism utilizing VBE scripts stored in archive files to spread various malware families, including AgentTesla, Remcos, Snake, and NjRat. It details the infection chain, which involves downloading encoded files from a command-and-control server, storing data in the registry, creating scheduled tasks, and employing techniques like process hollowing for payload injection. The final payload is revealed to be the SNAKE Keylogger, known for stealing sensitive data like keystrokes, screenshots, and clipboard contents.

External References

https://blog.sonicwall.com/en-us/2024/10/horus-protector-part-2-the-new-malware-distribution-service/
https://otx.alienvault.com/pulse/670f86c5b38b1037dd8353e4
Tags
malware
evasion
remcos
injection
njrat
bladabindi
njw0rm
lv
keylogger
2024-10-16
agenttesla
ekans
snakehose
distribution

Date

  • Created: Oct. 16, 2024, 9:26 a.m.
  • Published: Oct. 16, 2024, 9:26 a.m.
  • Modified: Oct. 16, 2024, 9:48 a.m.

Indicators

  • 899dc226fa35da5923b2c6e6e0b90834dd1ea0b4d2e156a6bc99acd1a183a2d4
  • 144.91.79.54
  • http://144.91.79.54/1109/r
  • http://144.91.79.54/1109/s
  • http://144.91.79.54/1109/file
  • http://144.91.79.54/1109/H011yiDJHSNr3TuAtkpt.txt
  • http://144.91.79.54
Download all indicators here!

Attack Patterns

  • SNAKEHOSE
  • EKANS - S0605
  • LV
  • Bladabindi
  • Njw0rm
  • njRAT - S0385
  • Remcos
  • AgentTesla