Backdoor

APT

TA428


CotSam, Never Before Seen Malware linked to TA428 involved in EU attack

CotSam: a never-before-seen malware strain involved in targeted attacks across several European and Afghan institutions, linked to the infamous APT group TA42...

09-Aug-2022
7 min read

Related Articles


Twilio

Phishing

EvilProxy

EvilProxy operators leverage Reverse Proxy & Cookie Injection methods to evade M...

Exploitation techniques continue to evolve, with sophisticated tools orchestrating advanced phishing attacks against targets across the globe in the wake of the recent Twilio breach that resulted in the disclosure of 2FA (OTP) codes. A new Phishing-as-a-Service (PhaaS) dubbed EvilProxy has been identified by the threat researchers at Secure Blink, and it is being widely promoted on the Dark Web. In other sources, the alternate moniker is Moloch, which has some ties to a phishing kit built by a number of renowned underground players that have previously attacked financial institutions and the e-commerce industry. While the Twilio hack is purely a supply chain compromise, the concern is that it leads to attacks against downstream targets. The productized underground service EvilProxy allows threat actors to attack MFA-enabled users at scale without compromising upstream services. EvilProxy actors employ reverse proxy and cookie injection techniques to evade two-factor authentication, proxying the victim's session. Previously, similar techniques were seen in the targeted operations of APT and cyberespionage groups; EvilProxy has now effectively productized them, demonstrating the relevance of the increase in attacks against online services and MFA authentication systems. Secure Blink threat researchers gained extensive insight into EvilProxy, including its structure, modules, functionality, and the network infrastructure used to perform malicious activity, as a consequence of the continuing investigation into attacks against many employees of Fortune 500 firms. Initial incidents of EvilProxy have been linked to attacks against Google and Microsoft customers with MFA enabled, whether by SMS or application token.
The first mention of EvilProxy was discovered in early May 2022, when the actors operating it released a demonstration video describing how it could be used to deliver advanced phishing links to compromise consumer accounts belonging to major brands including Apple, Facebook, GoDaddy, GitHub, Google, Dropbox, Instagram, Microsoft, Twitter, Yahoo, Yandex, and others. Notably, EvilProxy also allows phishing attacks against the Python Package Index (PyPI): the official Python software repository recently announced (last week) that project contributors were the target of a phishing attack designed to obtain their login credentials. The attack used JuiceStealer as the final payload after the initial breach and, according to the findings of Secure Blink's threat researchers, was associated with the EvilProxy operators, who introduced this capability just before the attack was carried out. In addition to PyPI, EvilProxy's capabilities now support GitHub and npmjs (a JavaScript package manager used by over 11 million developers globally), enabling supply chain attacks through sophisticated phishing operations. It is quite probable that the actors want to target software developers and IT engineers in order to gain access to their repositories and then compromise "downstream" targets. These tactics let attackers exploit the trust of end users, who believe they are obtaining software packages from safe locations and are unaware that those locations have been compromised.

## Core Functionality

A key feature of EvilProxy is its implementation of the _"Reverse Proxy"_ technique. The premise of the reverse proxy is straightforward: malicious actors lure victims to a phishing website and use the reverse proxy to fetch all the legitimate content the user expects, including login pages, while sniffing their traffic as it travels through the proxy.
In this way, they can collect valid session cookies and bypass the need for usernames, passwords, and/or 2FA tokens. Secure Blink has obtained videos released by the EvilProxy actors illustrating how it can be used to hijack the victim's session and gain access to the target account through Microsoft 2FA and Google email.

[Figures: Google 2FA; Microsoft Company 2FA]

EvilProxy is supplied on a subscription basis: when the end user (a cybercriminal) selects a service of interest to target (e.g., Facebook or LinkedIn), the activation lasts for a certain period (10, 20, or 31 days, as per the plan description published by the actors on multiple Dark Web forums). John Malkovich, one of the principal actors, serves as an administrator who verifies new clients. All major underground communities, including XSS, Exploit, and Breached, are covered by the service. EvilProxy's payments are managed by a human operator on Telegram; the subscription fee is credited to the user's account in the TOR-hosted customer portal after payment has been accepted. The kit is accessible on the Dark Web, hosted on the TOR network, for $400 per month. Several tutorials and interactive videos on how to use the service, along with configuration suggestions, are available on the EvilProxy website. Regarding the service's usability and the configurability of new campaigns, traffic flows, and data collection, the bad actors performed well. After activation, the operator is prompted for SSH credentials to deploy a Docker container and scripts. This strategy has also been used by another PhaaS service found by Secure Blink this year, dubbed "Frappo."
The automatic installation contains a reference to the GitLab user "Olf Dobs" (ksh8h297ydO):

```
apt update -qqy && apt dist-upgrade --no-install-recommends --no-install-suggests -o Dpkg::options::="--force-confdef" -y \
&& apt install --no-install-recommends --no-install-suggests -y git \
&& rm -rf /srv/control-agent && git clone --recurse-submodules https://gitlab.com/ksh8h297ayd0/docker-control-agent.git /srv/control-agent \
&& cd /srv/control-agent && chmod +x ./install.sh \
&& /srv/control-agent/install.sh '[license_key]'
```

Once the scripts have been successfully deployed, traffic originating from victims is routed via a pair of "upstream" gateways. After further research, we were able to narrow down some of the phishing domains. The attackers register identically spelled domains so they can pass themselves off as legitimate businesses. Here are a few examples of the fake Microsoft e-mail URLs that EvilProxy can create:

## Login Phishing URL

```
https://lmo.msdnmail[.]net/common/oauth2/v2.0/authorize?client_id=4765445b-32c6-49b0-83e6-1d93765276ca&redirect_uri=https%3A%2Fopenid%20profile%20https%3 A%2F%2Fwwwofc.msdnmail.net%2Fv2%2FOfficeHome.All&response_mode=form_post&nonce=637975588496970710 .Zjg3YzFkMmEtYTUxYy00NDliLWEzYzAtMTExZTliNjBkY2ZkY2U3NzM2MDMtZWNhZC00ZWFmLWE5YjMtYzgzZTFjM2E1ZDdl&ui_locales=en-US&mkt=en-US&state=jHi-CP0Nu4oFHIxklcT1adstnCWbwJwuXQWTxNSSsw-23qiXK-6EzyYoAyNZ6rHuHwsIYSkRp99F-bqPqhN4JVCnT4-3MQIDvdTKapKarcqaMFi6_xv2__3D0KfqBQ070ykGBGlwxFQ6Mzt9CwUsz2zdgcB4jFux2BhZQwcj-WumSBz0VQs5VePV-wz00E8rDxEXfQdlv-AT29EwdG77AmGWinyf3yQXSZTHJyo8s-IWSHoly3Kbturwnc87sDC3uwEn6VDIjKbbaJ-c-WOzrg&x-client-SKU=ID_NETSTANDARD2_0&x-client-ver=6.16.0.0
```

## Post-Authorization URL

```
https://473126b6-bf9a-4a96-8111-fb04f6631ad8-571c4b21.msdnmail[.]net/mail/?realm=[victim_domain]&exsvurl=1&ll-cc=1033&modurl=0&JitExp=1&url=%2Fowa%2F%3Frealm%253d%2526exsvurl%253d1%2526ll-cc%253d1033%2526modurl%253d0%2526login_hint%253[victim_email]%252540[victim_domain]
```

Those behind this use a wide variety of methods to identify potential victims and to shield the phishing-kit code from discovery. They collect information on VPN services, proxies, TOR exit nodes, and other hosts that may be used for IP reputation research on potential victims, similar to what fraud prevention and cyber threat intelligence (CTI) systems do. If they believe they are dealing with a bot or a researcher, they either terminate the connection or send the user to a certain website (such as "brave.com"). Fingerprinting is another method that has been discovered: the operators are very vigilant about identifying virtual machines, which are used by security analysts to investigate malicious content, and clients connecting through RDP (Remote Desktop Protocol).

## Connotation

Cybercriminals now have a low-cost, highly scalable option for conducting sophisticated phishing attacks against users of prominent online services with multi-factor authentication (MFA) enabled; however, the sale of EvilProxy requires vetting. As more of these services surface on the Dark Web, we should expect a rise in ATO/BEC activity and other attacks that aim to steal users' identities, especially in environments where MFA can be readily circumvented using software like EvilProxy.

## Indicators of Compromise

The following is a list of domains and URLs associated with the EvilProxy infrastructure, compiled by Secure Blink's threat researchers. Post-incident communication with victims, including those from Fortune 500 firms and users of major online services, led to the mapping of some of these hosts. Despite the very fluid nature of the actors' activities, information about these hosts may aid cybersecurity researchers and incident responders in detecting and attributing suspected malicious behavior to EvilProxy when investigating events involving MFA (2FA).
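As an added example (not Secure Blink's code or part of the original article), the following Python script turns the two EvilProxy URL shapes shown above into a triage heuristic for proxy-style phishing links that imitate the Microsoft identity platform: it flags Microsoft authorize/OWA paths served from non-Microsoft hosts, redirect_uri values that land off-brand, and look-alike hostnames such as msdnmail.net. The allowlists, brand tokens and sample URLs are assumptions and constructed data, not indicators from the article, and the code generalizes beyond the single msdnmail.net case to any host the allowlists do not cover.

```python
# Added example (not Secure Blink code): heuristic triage of URLs that imitate the
# Microsoft identity platform the way the EvilProxy samples above do. Allowlists and
# brand tokens are assumptions a defender would tune; sample URLs are constructed.
from urllib.parse import urlsplit, parse_qs

# Hosts that legitimately serve Microsoft's OAuth2 authorize endpoint (assumption).
LEGIT_AUTH_HOSTS = {"login.microsoftonline.com", "login.live.com", "login.microsoft.com"}
# Hosts an authorize flow may legitimately redirect back to (assumption; tune per tenant).
LEGIT_REDIRECT_HOSTS = {"login.microsoftonline.com", "www.office.com",
                        "outlook.office.com", "outlook.office365.com"}
# Registrable domains Microsoft owns, used for the look-alike check (assumption).
LEGIT_APEX = {"microsoft.com", "microsoftonline.com", "live.com", "office.com",
              "office365.com", "msdn.com", "outlook.com"}
BRAND_TOKENS = ("microsoft", "msft", "msdn", "office", "outlook", "live")
AUTH_PATH_HINTS = ("/oauth2/v2.0/authorize", "/oauth2/authorize", "/owa/")


def refang(url):
    """Undo the defanging convention used in the article (example[.]com -> example.com)."""
    return url.replace("[.]", ".")


def registrable_domain(host):
    """Naive registrable domain: last two labels. Good enough for this demo, not for
    multi-label public suffixes such as co.uk (a real deployment would use a PSL)."""
    return ".".join(host.split(".")[-2:])


def analyze(url):
    """Return a list of (code, detail) findings; an empty list means nothing suspicious."""
    parts = urlsplit(refang(url))
    host = (parts.hostname or "").lower()
    findings = []

    # 1. A Microsoft-style authorize/OWA path served from a host that is not Microsoft's.
    if any(hint in parts.path for hint in AUTH_PATH_HINTS) and host not in LEGIT_AUTH_HOSTS:
        findings.append(("AUTH_PATH_OFF_BRAND", host))

    params = parse_qs(parts.query)
    # 2. redirect_uri pointing somewhere other than Microsoft's own properties: the
    #    reverse proxy needs the post-login redirect to land back on its own host.
    for target in params.get("redirect_uri", []):
        rhost = (urlsplit(target).hostname or "").lower()
        if rhost and rhost not in LEGIT_REDIRECT_HOSTS:
            findings.append(("REDIRECT_OFF_BRAND", rhost))

    # 3. An OWA path carried in a query parameter on a non-Microsoft host (the
    #    post-authorization URL pattern above carries url=/owa/...).
    if host not in LEGIT_AUTH_HOSTS:
        for values in params.values():
            if any("/owa/" in v.lower() for v in values):
                findings.append(("OWA_PARAM_OFF_BRAND", host))
                break

    # 4. Brand token in the hostname while the registrable domain is not Microsoft-owned.
    if any(tok in host for tok in BRAND_TOKENS) and registrable_domain(host) not in LEGIT_APEX:
        findings.append(("LOOKALIKE_HOST", registrable_domain(host)))

    return findings


# Constructed samples modelled on the two EvilProxy URL shapes shown above.
PHISH_LOGIN = ("https://lmo.msdnmail[.]net/common/oauth2/v2.0/authorize"
               "?client_id=00000000-0000-0000-0000-000000000000"
               "&redirect_uri=https%3A%2F%2Fwwwofc.msdnmail.net%2Fv2%2FOfficeHome.All"
               "&response_mode=form_post&state=constructed")
PHISH_POST_AUTH = ("https://473126b6-bf9a-4a96-8111-fb04f6631ad8-571c4b21.msdnmail[.]net/mail/"
                   "?realm=victim.example&exsvurl=1&url=%2Fowa%2F%3Frealm%253dvictim.example")
LEGIT_LOGIN = ("https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
               "?client_id=00000000-0000-0000-0000-000000000000"
               "&redirect_uri=https%3A%2F%2Fwww.office.com%2Flanding&response_mode=form_post")

if __name__ == "__main__":
    for name, url in [("phish-login", PHISH_LOGIN), ("phish-post-auth", PHISH_POST_AUTH),
                      ("legit", LEGIT_LOGIN)]:
        print(name, analyze(url) or "clean")
```

Feed it URLs extracted from proxy logs or mail gateway click records; a legitimate Microsoft login produces no findings, while both EvilProxy-style shapes produce at least two.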

21-Sep-2022
1 min read

Golang

BianLian

Ransomware

Increases in the command and control infrastructure of the new cross-platform ra...

Secure Blink threat researchers have observed that Golang-based malware has grown in prominence, most likely due to its cross-platform capabilities and the fact that it makes reverse engineering more complex. Threats developed in the Go language include ransomware, RATs, stealers, and more. The BianLian ransomware has targeted many well-known organizations (9 victims so far) across several industry sectors, such as manufacturing, education, healthcare, and BFSI, across Australia, North America, and the United Kingdom, primarily targeting SonicWall VPN devices and the Microsoft Exchange Server ProxyShell vulnerability chain (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207).

## Attack Flow

The ransomware group first exploits the ProxyShell flaws to obtain access and then installs a web shell or ngrok payload to monitor the victim's activity. According to analysts, the gang has taken precautions to avoid detection and minimize observable events as it searches for data and selects machines to encrypt. According to the report, BianLian deployed typical _"living off the land"_ (LoL) techniques for network profiling and lateral movement. These included net.exe for adding and/or modifying user rights, netsh.exe for configuring host firewall policies, and reg.exe for modifying remote desktop and security policy enforcement registry settings. In addition to LoL techniques, the group is also known to deploy a bespoke implant as an additional method for sustaining persistent network access. This _"simple but effective"_ backdoor's primary purpose is to retrieve arbitrary payloads from a remote server, load them into memory, and then execute them. According to the assessment, BianLian has demonstrated proficiency with lateral movement techniques, altering its operations based on the network's capabilities and defenses.
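As an added example (not Secure Blink's code or part of the original article), the following Python script applies the attack-flow description above, together with the backup removal and WinRM/PowerShell execution the article goes on to describe, as a detection over process-creation logs: it classifies each command line into one of those technique categories and alerts when a single host shows three or more distinct categories within 30 minutes, which separates routine LoLBin use from the clustered pre-encryption activity described here. The concrete command shapes each rule matches (net user /add, netsh advfirewall, the fDenyTSConnections registry value, vssadmin delete shadows, wsmprovhost.exe) and the log lines are my assumptions and constructed data, not indicators from the article.

```python
# Added example (not Secure Blink code): triage of process-creation logs for the
# BianLian pre-encryption behaviour described above. The concrete command shapes
# matched by each rule are assumptions about how those techniques usually appear in
# telemetry, not indicators from the article; the log lines are constructed.
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) image=(?P<image>\S+) cmdline=(?P<cmd>.*)$")

# (category, regex over the lower-cased command line)
RULES = [
    ("account_change", re.compile(r"\bnet1?(\.exe)?\s+(user|localgroup)\s+\S+.*\s/add\b")),
    ("firewall_change", re.compile(r"\bnetsh(\.exe)?\s+advfirewall\b")),
    ("rdp_registry", re.compile(r"\breg(\.exe)?\s+add\b.*terminal server.*fdenytsconnections")),
    ("backup_removal", re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b|\bwbadmin(\.exe)?\s+delete\b")),
    ("remote_exec", re.compile(r"\bwsmprovhost(\.exe)?\b|\bpowershell(\.exe)?\b.*\s-enc(odedcommand)?\b")),
]
WINDOW = timedelta(minutes=30)   # how close the categories must be to count as one cluster
MIN_CATEGORIES = 3               # a single LoLBin use is noisy; require several distinct steps


def parse_line(line):
    """Parse one constructed log line into (timestamp, host, cmdline); None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["host"], m["cmd"]


def classify(cmdline):
    """Return the set of rule categories a command line matches."""
    text = cmdline.lower()
    return {cat for cat, rx in RULES if rx.search(text)}


def find_clusters(lines):
    """Return [(host, window_start, categories)] for hosts whose matched events cover at
    least MIN_CATEGORIES distinct categories inside one WINDOW; one alert per host."""
    events = defaultdict(list)                      # host -> [(timestamp, category)]
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, host, cmd = rec
        for cat in classify(cmd):
            events[host].append((ts, cat))
    alerts = []
    for host, evs in events.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):       # slide a window anchored at each event
            cats = {c for t, c in evs[i:] if t - start <= WINDOW}
            if len(cats) >= MIN_CATEGORIES:
                alerts.append((host, start, tuple(sorted(cats))))
                break
    return alerts


# Constructed process-creation records: one host shows the clustered sequence, one shows a
# lone firewall query, one shows two techniques hours apart (below the threshold).
SAMPLE_LOG = r"""
2022-09-10T02:14:05 host=SRV-FS01 image=C:\Windows\System32\net.exe cmdline=net user svc_backup /add
2022-09-10T02:16:40 host=SRV-FS01 image=C:\Windows\System32\netsh.exe cmdline=netsh advfirewall firewall add rule name="rdp" dir=in action=allow protocol=TCP localport=3389
2022-09-10T02:19:02 host=SRV-FS01 image=C:\Windows\System32\reg.exe cmdline=reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
2022-09-10T02:25:10 host=SRV-FS01 image=C:\Windows\System32\vssadmin.exe cmdline=vssadmin delete shadows /all /quiet
2022-09-10T02:27:33 host=SRV-FS01 image=C:\Windows\System32\wsmprovhost.exe cmdline=wsmprovhost.exe -Embedding
2022-09-10T03:05:00 host=WS-HR07 image=C:\Windows\System32\netsh.exe cmdline=netsh advfirewall show allprofiles
2022-09-10T09:00:00 host=SRV-DB02 image=C:\Windows\System32\net.exe cmdline=net localgroup administrators helpdesk /add
2022-09-10T11:30:00 host=SRV-DB02 image=C:\Windows\System32\vssadmin.exe cmdline=vssadmin delete shadows /all /quiet
""".strip().splitlines()

if __name__ == "__main__":
    for host, start, cats in find_clusters(SAMPLE_LOG):
        print(f"ALERT {host} from {start:%H:%M}: {', '.join(cats)}")
```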
BianLian, like other new cross-platform ransomware such as Agenda, Monster, and RedAlert, is capable of starting servers in Windows Safe Mode to execute its file-encrypting malware while evading detection by installed security solutions. Additional steps were taken to evade security obstacles, including deleting snapshots, removing backups, and running its Golang encryption module via Windows Remote Management (WinRM) and PowerShell scripts. The group's emergence adds to the expanding number of threats using Golang as a base language, which enables adversaries to make rapid modifications to a single code base that can subsequently be built for various platforms. In the figure below, we have prepared a breakdown of the industries targeted by the BianLian ransomware.

![Fig 1 Top Industries Targeted By BianLian.jpg](https://sb-cms.s3.ap-south-1.amazonaws.com/Fig_1_Top_Industries_Targeted_By_Bian_Lian_0ff434142a.jpg)

***Figure 1 – Industries Targeted by the BianLian Ransomware***

## Technical Analysis

For this evaluation, we used the 64-bit GoLang binary executable with the hash `eaf5e26c5e73f3db82cd07ea45e4d244ccb3ec3397ab5263a1a74add7bbcb6e2` (SHA256). Below is the unique build ID of the GoLang ransomware.

![Figure-2-Go-Build-ID.jpg](https://sb-cms.s3.ap-south-1.amazonaws.com/Figure_2_Go_Build_ID_59c0dc90f7.jpg)

***Figure 2 – Go Build Identifier***

When the ransomware is executed, it resolves the wine_get_version() export using the GetProcAddress() API to check whether it is running in a WINE environment.

![Figure-3-Anti-analysis-Technique.jpg](https://sb-cms.s3.ap-south-1.amazonaws.com/Figure_3_Anti_analysis_Technique_2a561317e6.jpg)

***Figure 3 – Anti-analysis Technique***

After that, the ransomware uses the CreateThread() API to create numerous threads in order to encrypt files more quickly, which also makes the malware more challenging to reverse engineer. The diagram below depicts the many threads produced by the ransomware.
![Figure-4-Multiple-Thread-Creation.jpg](https://sb-cms.s3.ap-south-1.amazonaws.com/Figure_4_Multiple_Thread_Creation_e229ce428e.jpg)

***Figure 4 - Creation of Multiple Threads***

Using the GetDriveTypeW() API function, the malware then identifies the system drives (from A: to Z:) and encrypts all files on the associated devices. The malware then drops a ransom note with the filename "Look at these instructions.txt" in various folders. The ransomware generates a note with the following content.

![Figure-5-Malware-Writing-Ransom-Notes(1).jpg](https://sb-cms.s3.ap-south-1.amazonaws.com/Figure_5_Malware_Writing_Ransom_Notes_1_c0696f0499.jpg)

***Figure 5 - Depicts malware composing ransom notes***

After dropping the ransom note, the malware enumerates files and directories using the FindFirstFileW() and FindNextFileW() API calls to select files for encryption. The following file extensions and file/folder names are exempt from encryption by the ransomware:

To encrypt files on the victim's machine, the ransomware uses GoLang packages including crypto/cipher, crypto/aes, and crypto/rsa.

![Figure-6-Hardcoded-Strings-of-Crypto-GoLang-Packages.jpg](https://sb-cms.s3.ap-south-1.amazonaws.com/Figure_6_Hardcoded_Strings_of_Crypto_Go_Lang_Packages_d010aaa382.jpg)

***Figure 6 - Hardcoded "Crypto" Strings in GoLang Packages***

The malware splits the file's contents into 10-byte chunks for encryption. It first reads 10 bytes from the source file, encrypts them, and then writes the encrypted data to the destination file. Slicing the data into small pieces can help avoid detection by anti-virus software. The image below depicts the code fragment of the encryption loop as well as the original and encrypted file contents before and after encryption.
![Figure-7-Encryption-routine-and-OriginalEncrypted-file-content(1).jpg](https://sb-cms.s3.ap-south-1.amazonaws.com/Figure_7_Encryption_routine_and_Original_Encrypted_file_content_1_1f64c44f2e.jpg)

***Figure 7 – Encryption algorithm and original/encrypted file content***

As demonstrated below, the malware then renames the encrypted files with the ".bianlian" extension and replaces the original files with them using the MoveFileExW() API.

![Figure-8-MoveFileExW-API.jpg](https://sb-cms.s3.ap-south-1.amazonaws.com/Figure_8_Move_File_Ex_W_API_ad5aeb0ba6.jpg)

***Figure 8 - MoveFileExW() API***

Using the following command line, the ransomware deletes itself, leaving just the encrypted files and the ransom note on the victim's computer: `cmd /c del C:UsersAdmin>Desktopnew one.exe`

The image below depicts the BianLian ransomware-encrypted files and the ransom note text file after a victim's computer has been successfully infected.

![Figure-9-Files-encrypted-by-BianLian-Ransomware.jpg](https://sb-cms.s3.ap-south-1.amazonaws.com/Figure_9_Files_encrypted_by_Bian_Lian_Ransomware_1902703a73.jpg)

***Figure 9 - BianLian ransomware-encrypted files***

In the ransom note, victims are instructed on how to contact the threat actors in order to get their encrypted files restored. The threat actors claim that the victims' sensitive information, including financial, client, company, technical, and personal files, has been downloaded, and threaten to publish it on their leak site if the ransom is not paid within ten days. The ransom note also includes the TOX Messenger ID for ransom discussions as well as the Onion URL of the leak site page, as depicted in the figure below.

![Figure-10-Ransom-note.jpg](https://sb-cms.s3.ap-south-1.amazonaws.com/Figure_10_Ransom_note_c41d6ad983.jpg)

***Figure 10 – Ransom note***

The image below depicts the BianLian ransomware Onion leak site homepage and the extortion listings of the affected company.
![Figure-11-BianLian-Leak-site-home-page.jpg](https://sb-cms.s3.ap-south-1.amazonaws.com/Figure_11_Bian_Lian_Leak_site_home_page_e500fded0f.jpg)

***Figure 11 - The homepage of the BianLian Leak website***

The BianLian leak website offers a list of all firms hit by the ransomware and the contact information of the threat actor for ransomware data recovery.

![Figure-12-BianLian-Leak-site-affected-companies-list-TAs-contact-details.jpg](https://sb-cms.s3.ap-south-1.amazonaws.com/Figure_12_Bian_Lian_Leak_site_affected_companies_list_T_As_contact_details_95d66ee6b9.jpg)

***Figure 12 - List of BianLian Leak site affected companies and contact information for threat actors***

## Conclusion

Organizational efficiency and security are two areas negatively impacted by the rise of ransomware as an attack vector. BianLian is GoLang-based malware that has infiltrated several businesses and demands astronomical sums in return for decryption keys. The threat actors use a double extortion strategy, taking data from the victimized company and then publishing it online if the ransom is not paid in a timely fashion. Threat actors choose to create their ransomware in GoLang for various reasons, chiefly because it allows a single codebase to be compiled for all main operating systems. The threat actors in charge of BianLian are constantly adapting and expanding their toolset so as to remain undetected. Secure Blink will keep an eye out for BianLian and similar ransomware gangs and evaluate their actions to learn more about their goals.

16-Sep-2022
1 min read

APT

A new APT group, tracked as ToddyCat, to a series of attacks targeting entities ...

ToddyCat is a Chinese-speaking APT group involved in an ongoing cyberespionage campaign primarily targeting government and military sectors across Europe and Asia, with a key focus on compromising Microsoft Exchange servers using two malicious programs: the Samurai backdoor and the Ninja Trojan. It is considered a fairly new yet sophisticated APT group, even though it was spotted for the first time back in December 2020, when it launched several attacks against targets' Microsoft Exchange servers. ToddyCat began to take advantage of the [ProxyLogon vulnerability on Microsoft Exchange Servers](https://www.secureblink.com/cyber-security-news/proxylogon-patching-frenzy-in-microsoft-exchange-servers) to infiltrate various enterprises across Europe and Asia, with a steady rise in February-March 2021. In September 2021 the group shifted its focus to systems used by Asian diplomatic and governmental organizations. It keeps its arsenal up to date and continued to launch attacks in 2022. Although the primary infection vector for the most recent activity is unknown, researchers have thoroughly examined the malware employed in the operations. ToddyCat uses the advanced cyberespionage tools Samurai backdoor and Ninja Trojan, which can sneak into targeted networks and remain undetected for extended periods of time. As the last stage of the attack, Samurai is a modular backdoor that enables the attacker to control the remote system and move laterally within the infected network. This malware stands out because it jumps between instructions using various control-flow and case statements, which makes it difficult to follow the sequence of operations in the code. Additionally, it is used to launch the Ninja Trojan, a sophisticated tool that enables several operators to work on the same machine at once. Ninja Trojan also offers a broad range of commands, enabling attackers to manage remote computers covertly.
It is often launched by a variety of loaders after being loaded into a device's memory. Before fully infiltrating a vulnerable network, the Ninja Trojan begins the operation by obtaining configuration parameters from the encrypted payload. The malware's capabilities, which may be dynamically modified using a specific command, include manipulating file systems, launching reverse shells, forwarding TCP packets, and even seizing control of the network for specified periods of time. The malware also shares similarities with other well-known post-exploitation frameworks, such as [CobaltStrike](https://bit.ly/3tbOxSN), but Ninja has additional capabilities that allow it to restrict the number of direct connections from the targeted network to the remote command and control systems without internet access. Additionally, it has the ability to alter HTTP headers and URL paths in order to hide malicious traffic in HTTP requests and manage HTTP indicators. Ninja Trojan is especially covert thanks to these abilities. "ToddyCat is a highly skilled threat actor with advanced technological abilities who can slip past security measures and infiltrate elite organizations. We still lack total visibility into their operations and strategies despite the number of loaders and attacks that have been identified over the past year. A further remarkable feature of ToddyCat is its emphasis on advanced malware capabilities. Ninja Trojan earned its name because it is difficult to detect and, thus, difficult to eradicate. Using multi-layer defenses that offer information on internal assets and keeping abreast of the most recent threat intelligence is the best approach to deal with this type of danger," according to Giampaolo Dedola, a security expert at Kaspersky. From February 26 until the beginning of March, we saw a rapid escalation, with the attacker taking advantage of the ProxyLogon vulnerability to target numerous businesses in Europe and Asia.
In December 2020, the group appears to have begun using the Microsoft Exchange vulnerability, but there wasn't enough data to confirm the theory. In any event, it's important to note that all of the targeted devices attacked between December and February were Microsoft Windows Exchange servers, which were infected using an unknown exploit and the same attack chain as that employed in March. In the first round of attacks, only Microsoft Exchange Servers were targeted. These servers were infected with Samurai, a sophisticated passive backdoor that typically operates on ports 80 and 443. The malware allows for the execution of arbitrary C# code and is combined with a number of modules that let the attacker control the remote system and move laterally throughout the targeted network. In some specific instances the Samurai backdoor was also used to run a more sophisticated malicious program that we called Ninja. This tool is possibly part of a post-exploitation toolkit used exclusively by ToddyCat. The logic of the code suggests that Ninja is a collaborative tool that enables numerous operators to work on the same machine at once. It offers a broad range of commands that let attackers take control of remote computers, evade detection, and penetrate deep inside a target network. Some of the features are comparable to those offered by other well-known post-exploitation toolkits. For instance, the number of direct connections from the targeted network to the remote C2 systems without internet access can be restricted using a capability in Ninja similar to Cobalt Strike pivot listeners. By altering HTTP headers and URL paths, it also offers the capability of controlling HTTP indicators and hiding malicious traffic in HTTP requests that seem legitimate. This feature has elements that bring to mind the Malleable C2 profile from Cobalt Strike.
Since its initial appearance in December 2020, ToddyCat has continued to be quite active, particularly in Asia, where we have found numerous additional variants of loaders and installers that are used to load malware like Samurai and Ninja. Other waves of attacks against desktop computers infected by malicious loaders sent via Telegram were also seen. ToddyCat has proven to be a sophisticated APT group equipped with multiple techniques to evade detection and maintain a low profile. Throughout the entire investigation, multiple samples were discovered; however, despite the number of files and the duration of their activities, the attacks could not be attributed to a known group.

### Indicators of Compromise

25-Jun-2022
1 min read