Threat Actor Distributes Python-Based Info Stealer Using Fake Update
July 29, 2024, 12:03 p.m.
Description
An unidentified threat actor took advantage of the July 19, 2024 Falcon sensor content issue to distribute a Python-based information stealer named Connecio. The malware was delivered in a malicious ZIP file posing as a Falcon update. Connecio collects system information and browser data and exfiltrates it over SMTP to attacker-controlled accounts. It also contains clipboard-hijacking functionality aimed at cryptocurrency addresses.
Date
Published: July 29, 2024, 11:29 a.m.
Created: July 29, 2024, 11:29 a.m.
Modified: July 29, 2024, 12:03 p.m.
Indicators
Report identifier:
CrowdStrike_CSA_240846_01
SHA-256 file hashes:
d7c1be2d0b7d2714ff710676d228ac751c4eba280309e1241a9f7e441299a177
5ba542fcfa45d50c0d65dda4dbbd7a28f737a2fc53841ddaab7f68ae1cdf5183
56cbd8ce60f18d4cececfa703a92c0188dd81ed97b4de12e3f120d7ce736225a
21653e267a6c7e4f10064ad2489dba54e04612cc7ce4043b8c8dcaf8b39210d6
Bitcoin addresses:
bc1qr9euay9qsfwsgh2edeqfk0rpw90c9zl9f69kfk
bc1qlneepetqamw7vmfludvrjgnk7tjprzlcy5e293
bc1qfwx6sase663vranpr7mkf485ypz3nzvtl0xtld
1Q4V4c1d6Vmr1Bf9BWejixnF8XnfdY6m4s
17tVNxknYnnkrvY3vN4Tw23fXQdSmn7CDU
13KadCbGWS4rzXiAyc7HHW2HDopN59hKa6
IPv4 addresses:
185.255.114.63
185.255.114.110
139.99.232.135
SMTP endpoints (port 465):
http://xryptbx.com:465
http://web3versecoin.com:465
http://mail.dshu.xyz:465
E-mail addresses:
send@dshu.xyz
logsmaster@xryptbx.com
logs@theprofits.online
logs@web3versecoin.com
info2024@klaxusonline.com
frank@dshu.xyz
6000@xryptbx.com
Domains:
mail.dshu.xyz
web3versecoin.com
xryptbx.com
theprofits.online
klaxusonline.com
dshu.xyz
Attack Patterns
Connecio (malware family)
T1102.001 Web Service: Dead Drop Resolver
T1059.006 Command and Scripting Interpreter: Python
T1048 Exfiltration Over Alternative Protocol
T1204.002 User Execution: Malicious File