Threat Tracking: Analysis of Lilith RAT ported to AutoIt Script

Aug. 23, 2024, 10:01 a.m.

Description

In April 2024, S2W's Threat Research and Intelligence Center TALON analyzed a malicious LNK file disguised as a list of tax evasion explanatory documents. The LNK file executed a PowerShell command to download and run an AutoIt script-based Lilith RAT malware from an attacker's server, which establishes a reverse shell on the infected system. Similarities between this campaign and KONNI group's tactics, such as command obfuscation and the use of AutoIt-ported malware, suggest the threat actor behind this attack could be linked to KONNI.

External References

https://medium.com/s2wblog/threat-tracking-analysis-of-punk-003s-lilith-rat-ported-to-autoit-script-30dd59e68213
https://otx.alienvault.com/pulse/66c859652afe873facaacaf6
Tags
obfuscation
rat
autoit
downloader
2024-08-23
lilith
konni
lilith rat

Date

  • Created: Aug. 23, 2024, 9:41 a.m.
  • Published: Aug. 23, 2024, 9:41 a.m.
  • Modified: Aug. 23, 2024, 10:01 a.m.

Indicators

  • e63082cf4db94f06d583a6313e48353366b44ce07b7ffceacc5bc4db88bd8810
  • c2cc785857c64fa1f8fbb2e359a2638f187cd77cd29ca6701e38d750e822faa4
  • ba59f1ece68fa051400fd46467b0dc0a5294b8644c107646e75d225a45fff015
  • 9e1a3653029b5378736ea1debba44cd81988de73b6d8689f9eba792e719da79a
  • 808425bc599cd60989c90978d179af1d4c72dd7abfe5e0518aca44b48af15725
  • 7c08b9178c05ab765a3d7754ac99f4ba1abddb226dbb6cc898bc692bba1898a1
  • 77d05cc623f860ca2e6d47cdafc517aa0612de88291de7f2a3d95c5d04f1658a
  • 778e46f8f3641a92d34da68dffc168fdc936841c5ad3d8b44da62a7b2dfe2ee1
  • 5ea09247ad85915a8d1066d1825061cc8348e14c4e060e1eba840d5e56ab3e4d
  • 5bcfb56c4c884e3657bbfeacca37853113d640b77dff9af519c08c4b64ca029d
  • 2189aa5be8a01bc29a314c3c3803c2b8131f49a84527c6b0a710b50df661575e
  • 0329bb5b3a450b0a8f148a57e045bf6ed40eb49a62e026bd71b021a2efc40aed
  • 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
  • 93.183.93.185
  • 62.113.118.157
  • 185.231.154.22
  • www.cammirando.com
  • http://62.113.118.157:57860
  • http://93.183.93.185:57860
  • http://185.231.154.22:52720
  • file.drive002.com
  • werxtracts.com
  • ttzcloud.com
  • storkse.com
  • sibbss.com
  • serviceset.net
  • radionaranjalstereo.com
  • phasechangesolutions.com
  • oryzanine.com
  • mq734121.info
  • downwarding.com
  • jethropc.com
  • bgfile.com

Attack Patterns

  • Lilith RAT
  • puNK-003
  • T1053.005
  • T1564.003
  • T1539
  • T1564.001
  • T1555.003
  • T1059.003
  • T1059.001
  • T1571
  • T1547.001
  • T1518.001
  • T1204.002
  • T1105
  • T1041