
HYAS Threat Intel Report May 20 2024

20 May 2024 at 12:52

Weekly Threat Intelligence Report

Date: May 20, 2024

Prepared by: David Brunsdon, Threat Intelligence - Security Engineer, HYAS

Cyber Threat Intelligence Analysis

This week in the HYAS Insight threat intelligence platform, we found a concerning open directory hosting multiple pieces of malware. This discovery, coupled with historical passive DNS data linking the IP to a domain known from previous DNS tunneling campaigns, suggests a significant and ongoing threat. Here is what we found:

Overview

An open directory located at http://194.37.97[.]162/ is hosting multiple pieces of malware. This IP is associated with M247 Dallas Infrastructure and is located in Grand Prairie, TX. Historical passive DNS data from 2023 links this IP to a claudfront[.]net domain, known for its involvement in DNS tunneling campaigns. This raises the possibility that the malware is being hosted from a compromised machine.

Malware Analysis

1. BecauseBranch.exe
MD5: f1152d572e1722ea2568eff98efc161f
Family: Risepro
Command & Control (C2): 37.120.237[.]196:50500
C2 ISP: M247 LTD Quebec Infrastructure
Activity: Recent C2 activity from April shows the actor logging in locally to the box with a browser presenting a user agent string that resembles a common Chrome-on-Windows configuration: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36.

2. UncleLt4.exe
Type: Generic Trojan/Backdoor
MD5: 76ffea4f11b3dcd48281600e289ef5e3
C2 Servers: retdirectyourman[.]eu; supfoundrysettlers[.]us; yourserenahelpcustom[.]uk
VirusTotal Analysis: The file shows several detections and details are available on VirusTotal.

Analysis

Malware hosted on an open directory at an IP with a prior link to DNS tunneling infrastructure suggests the hosting machine may itself be compromised and folded into a broader infrastructure used by threat actors.

BecauseBranch.exe (Risepro family) is likely being used to establish a persistent foothold on the victim's system, allowing remote control and possibly data exfiltration. The login activity observed on the C2 box indicates active, hands-on management by the threat actor, which raises the threat level.

UncleLt4.exe appears to be a generic Trojan/backdoor with multiple C2 servers across various domains, indicating a robust and redundant infrastructure. This enhances its resilience against takedown efforts.

Mitigation Strategies

Immediate Actions:

  • Block access to the open directory IP (194.37.97[.]162) and associated C2 servers (37.120.237[.]196, retdirectyourman[.]eu, supfoundrysettlers[.]us, yourserenahelpcustom[.]uk) at the network perimeter.
  • Perform a comprehensive scan of the network to identify and isolate infected systems.


Endpoint Protection:

  • Ensure all endpoints have up-to-date antivirus and anti-malware solutions capable of detecting and mitigating Risepro family malware and generic Trojans.
  • Implement behavioral analysis tools to detect unusual login patterns and process executions.


Network Security:

  • Deploy Intrusion Detection and Prevention Systems (IDPS) to monitor for suspicious network activity, particularly DNS tunneling.
  • Utilize DNS filtering services to block access to malicious domains.


User Awareness and Training:

  • Educate users on the dangers of downloading and executing unknown files.
  • Provide training on recognizing phishing attempts and suspicious network activities.


Incident Response:

  • Develop and refine an incident response plan to handle malware infections and C2 communications swiftly.
  • Conduct regular drills to ensure readiness in mitigating similar threats.


Threat Intelligence Sharing:

  • Share indicators of compromise (IOCs) with relevant information sharing and analysis centers (ISACs) and industry peers.
  • Stay updated with threat intelligence feeds to monitor for emerging threats.


Actionable Intelligence

Indicators of Compromise (IOCs):
IP Addresses: 194.37.97[.]162, 37.120.237[.]196
Domains: retdirectyourman[.]eu, supfoundrysettlers[.]us, yourserenahelpcustom[.]uk
MD5 Hashes: f1152d572e1722ea2568eff98efc161f (BecauseBranch.exe), 76ffea4f11b3dcd48281600e289ef5e3 (UncleLt4.exe)

Detection Signatures:

  • The user agent string Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 is stock Chrome 123 on Windows 10/11 and will match most legitimate browsers in an enterprise; treat it as corroboration only when it appears on requests to the IPs and domains listed above, not as a standalone signature.
  • Look for network traffic directed to the aforementioned IPs and domains.
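One way to operationalize these indicators, as an added example that is not part of the HYAS report: the script below matches the IOCs above against web-proxy log lines. The pipe-delimited log format, the sample lines and the private source addresses are constructed for illustration (adapt `parse_line()` to your proxy's real format). The user agent is never a hit on its own, because it is stock Chrome 123 on Windows; it is only recorded as a corroborating flag on a request that already goes to report infrastructure.

```python
"""Match the report's IOCs against web-proxy log lines.

Added example, not part of the HYAS report. The log format (pipe-delimited:
timestamp|src_ip|dst_ip|dst_host|user_agent) and the sample lines are
constructed for illustration; adapt parse_line() to your proxy's real format.
"""
from dataclasses import dataclass
from typing import List, Optional

# Indicators from the report, in live (undefanged) form so they compare
# directly against log fields.
IOC_IPS = {"194.37.97.162", "37.120.237.196"}
IOC_DOMAINS = {"retdirectyourman.eu", "supfoundrysettlers.us", "yourserenahelpcustom.uk"}
IOC_MD5 = {
    "f1152d572e1722ea2568eff98efc161f": "BecauseBranch.exe (Risepro)",
    "76ffea4f11b3dcd48281600e289ef5e3": "UncleLt4.exe (generic trojan/backdoor)",
}
# The actor's user agent from the report. It is stock Chrome 123 on Windows
# 10/11 and matches most corporate browsers, so it is never a hit on its own;
# it is only a corroborating flag on a request to report infrastructure.
ACTOR_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
            "(KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36")

# Constructed sample log: two IOC IP contacts, one subdomain of an IOC domain,
# and one benign request that carries the actor UA but goes to a clean host.
SAMPLE_LOG = f"""\
2024-05-18T10:01:02Z|10.0.0.5|37.120.237.196|-|{ACTOR_UA}
2024-05-18T10:01:03Z|10.0.0.7|192.0.2.10|www.example.com|{ACTOR_UA}
2024-05-18T10:02:10Z|10.0.0.9|203.0.113.8|cdn.supfoundrysettlers.us|curl/8.4.0
2024-05-18T10:03:44Z|10.0.0.5|194.37.97.162|-|{ACTOR_UA}
"""


@dataclass
class Hit:
    timestamp: str
    src_ip: str
    indicator: str   # the IOC that matched
    kind: str        # "ip" or "domain"
    actor_ua: bool   # request also carried the report's user agent


def matching_domain(host: str) -> Optional[str]:
    """Return the IOC domain that host equals or is a subdomain of, else None."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in IOC_DOMAINS:
            return candidate
    return None


def parse_line(line: str) -> Optional[List[str]]:
    """Split one constructed-format line; maxsplit keeps any '|' inside the UA intact."""
    parts = line.rstrip("\n").split("|", 4)
    return parts if len(parts) == 5 else None


def scan_lines(lines) -> List[Hit]:
    """Return one Hit per request whose destination is report infrastructure."""
    hits: List[Hit] = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src, dst_ip, host, ua = parsed
        if dst_ip in IOC_IPS:
            hits.append(Hit(ts, src, dst_ip, "ip", ua == ACTOR_UA))
            continue
        dom = matching_domain(host)
        if dom is not None:
            hits.append(Hit(ts, src, dom, "domain", ua == ACTOR_UA))
        # A request carrying ACTOR_UA to a non-IOC destination is deliberately ignored.
    return hits


def check_hashes(md5s) -> dict:
    """Map any MD5 (case-insensitive) that appears in the report to its sample name."""
    return {h.lower(): IOC_MD5[h.lower()] for h in md5s if h.lower() in IOC_MD5}


if __name__ == "__main__":
    for hit in scan_lines(SAMPLE_LOG.splitlines()):
        print(hit)
```

Running it on the sample yields three hits (two IOC IPs and the `supfoundrysettlers.us` subdomain); the second line, Chrome 123 talking to a clean host, produces nothing, which is the behaviour you want before this goes into a SIEM rule.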


By implementing these strategies and leveraging the provided intelligence, organizations can better defend against and mitigate the impact of these malware threats.

Risepro Malware: A Deep Dive into Recent Discoveries

The Risepro sample described in this report was identified through an open directory hosting malicious executables. This post details the indicators of compromise (IOCs), the analysis of the malware samples, and strategic insights for cybersecurity professionals.

Open Directory Discovery

An open directory located at `http://194.37.97[.]162/`, hosted by M247 Dallas Infrastructure in Grand Prairie, TX, has been identified as a source of malware. This directory contains several malicious files, marking it as a critical point of interest for cybersecurity researchers. The open directory could be used as a source of malicious downloads in a phishing attack, for example.

Interestingly, passive DNS analysis from 2023 revealed an association with the domain `claudfront[.]net`, previously linked to DNS tunneling campaigns. This connection raises the possibility that the command and control (C2) infrastructure may be operated from compromised machines, further complicating threat attribution and mitigation efforts.


Malware Samples and Analysis

BecauseBranch.exe
MD5 Hash: f1152d572e1722ea2568eff98efc161f
Family: Risepro
C2 Server: 37.120.237[.]196:50500
C2 ISP: M247 LTD Quebec Infrastructure

Activity:
Recent attribution efforts in April indicate local login activity on the C2 box, suggesting direct involvement of the threat actor. The actor's user agent string is:

```
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
```

This string is stock Chrome 123 on Windows, so it is useful for scoping the actor's activity on the C2 side rather than as a standalone network signature inside a victim environment.

UncleLt4.exe
Classification: Generic Trojan/Backdoor
MD5 Hash: 76ffea4f11b3dcd48281600e289ef5e3
C2 Servers: retdirectyourman[.]eu; supfoundrysettlers[.]us; yourserenahelpcustom[.]uk

The VirusTotal analysis referenced above classifies this file as a backdoor that establishes and maintains connections to its C2 servers. Keeping that channel alive is how such malware retains control over a compromised system, and spreading it across three domains gives the operator a fallback if any one of them is taken down.

Technical Analysis and Indicators of Compromise

BecauseBranch.exe and UncleLt4.exe differ in their C2 design: the Risepro sample reports to a single IP and port (37.120.237[.]196:50500), while UncleLt4.exe distributes its C2 across three domains, which makes it more resilient to takedown. Both deliver generic trojan/backdoor functionality, and together they illustrate the layered infrastructure that defenders have to block and monitor.

Strategic Insights and Recommendations

1. Network Monitoring: Implement robust network monitoring solutions to detect unusual traffic patterns and connections to known malicious IP addresses and domains.

2. Endpoint Security: Deploy advanced endpoint security solutions capable of identifying and quarantining malicious executables based on behavioral analysis and known IOCs.

3. Threat Intelligence Sharing: Participate in threat intelligence sharing communities to stay updated on emerging threats and leverage collective knowledge for enhanced defense mechanisms.

4. Regular Audits: Conduct regular security audits and vulnerability assessments to identify and remediate potential entry points for malware.

5. User Education: Educate users on the risks of downloading files from untrusted sources and the importance of following best security practices.

Conclusion

The discovery and analysis of the samples BecauseBranch.exe (Risepro) and UncleLt4.exe (generic Trojan/backdoor) underscore the critical need for continuous vigilance and advanced threat detection capabilities. By staying informed about the latest threats and implementing comprehensive security measures, organizations can significantly reduce the risk of compromise and enhance their overall cybersecurity posture.

Read the previous report:
Threat Intel Report - May 6, 2024

Sign up for the free HYAS Insight Intel Feed

Disclaimer: This Threat Intelligence Report is provided "as is" and for informational purposes only. HYAS disclaims all warranties, express or implied, regarding the report's completeness, accuracy, or reliability. You are solely responsible for exercising your own due diligence when accessing and using this Report's information. The analyses expressed in this Report reflect our current understanding of available information based on our independent research using the HYAS Insight platform. The Report's inclusion of any companies, organizations, or ASNs does not imply any wrongdoing on their part; it is simply an indication of where digital threat activities have been observed. HYAS reserves the right to update the Report as additional information is made known to us.

Learn More About HYAS Insight

An efficient and expedient investigation is the best way to protect your enterprise. HYAS Insight provides threat and fraud response teams with unparalleled visibility into everything you need to know about the attack, including its origin and the infrastructure currently being used.

Read how the HYAS Threat Intelligence team uncovered and mitigated a Russian-based cyber attack targeting financial organizations worldwide.

Learn how a solo intelligence analyst can navigate code obfuscation using generative AI. Using Generative AI to Understand How an Obfuscated Script Works

More from HYAS Labs

Polymorphic Malware Is No Longer Theoretical: BlackMamba PoC.

Polymorphic, Intelligent and Fully Autonomous Malware: EyeSpy PoC.

Examining Predatory Mercenary Malware

The post HYAS Threat Intel Report May 20 2024 appeared first on Security Boulevard.

HYAS Threat Intel Report May 6 2024

6 May 2024 at 15:10

Weekly Threat Intelligence Report

Date: May 6, 2024

Prepared by: David Brunsdon, Threat Intelligence - Security Engineer, HYAS

This week, we continue to see significant activity originating from Autonomous System Numbers (ASNs) AS8968, AS44477, AS9318, AS216309, and AS216319. The observed activities from the mentioned ASNs signify diverse cybersecurity threats, including malware infections, data theft, botnet operations, and potential collaboration with cybercriminals. Mitigation efforts should prioritize enhancing security measures, collaborating with ISPs and cybersecurity organizations, and educating users to mitigate the risks posed by these threats.

AS8968 - BT Italia S.p.A. (Italy)

Analysis:
AS8968, managed by BT Italia S.p.A., exhibits significant malware activity, indicative of potential security vulnerabilities within the network infrastructure. The high volume of infected systems suggests inadequate security measures or compromised endpoints, posing a substantial risk to cybersecurity. The organization managing this ASN may be experiencing cybersecurity challenges, necessitating immediate attention to strengthen their defenses and mitigate the risk of further infections.

Mitigation Strategy:

  • Conduct a thorough assessment of network infrastructure to identify and remediate security vulnerabilities.
  • Implement robust endpoint protection solutions, including anti-malware software and endpoint detection and response (EDR) systems.
  • Enhance network monitoring capabilities to detect and mitigate malicious activities in real-time.
  • Collaborate closely with BT Italia to strengthen security measures and share threat intelligence for proactive threat mitigation.

AS44477 - STARK INDUSTRIES (Russia)

Analysis:
AS44477, associated with STARK INDUSTRIES, operates as a suspected bulletproof host with connections to Russia. The observed activity, particularly the presence of Redline stealer and botnet-related traffic, indicates malicious intent aimed at compromising user data and expanding botnet networks. STARK INDUSTRIES may be operating as a bulletproof hosting provider facilitating cybercriminal activities. The presence of Redline stealer suggests a focus on data theft and potentially monetizing stolen information.

Mitigation Strategy:

  • Deploy advanced threat detection technologies, such as behavioral analysis and sandboxing, to detect and block Redline stealer infections.
  • Establish partnerships with law enforcement agencies and international cybersecurity organizations to disrupt the operations of STARK INDUSTRIES.
  • Enhance user awareness and education programs to educate stakeholders about the risks associated with malicious activities originating from AS44477.

AS9318 - SK Broadband Co Ltd (South Korea)

Analysis:
AS9318, operated by SK Broadband Co Ltd, has been linked to significant malware activity, suggesting compromised devices within the network. While the ISP may not be directly involved, infected devices contribute to cyber threats, necessitating proactive mitigation measures. SK Broadband Co Ltd should focus on enhancing network security measures and collaborating with customers to address compromised devices. Educating users about cybersecurity best practices can help mitigate the risk of further infections.

Mitigation Strategy:

  • Collaborate with SK Broadband Co Ltd to conduct thorough network assessments and identify compromised devices for remediation.
  • Implement network segmentation to contain the spread of malware and prevent lateral movement within the network.
  • Enhance customer education initiatives to promote cybersecurity best practices and reduce the risk of device infections.

AS216309 - TNSecurity (Germany/Russia)

Analysis:
AS216309, associated with TNSecurity, exhibits an unusually high level of malware activity under cybercriminal control. Conflicting reports place its origin in both Germany and Russia, which complicates effective mitigation. The volume of activity suggests a sophisticated threat actor leveraging this infrastructure for malicious purposes; TNSecurity may itself have been compromised or may be willingly collaborating with cybercriminals, highlighting the need for vigilance and stringent security measures. Blocking traffic from this ASN and sharing threat intelligence are crucial for mitigating the associated risks.

Mitigation Strategy:

  • Implement strict filtering measures to block traffic originating from AS216309 and prevent exposure to malicious activities.
  • Share threat intelligence with cybersecurity organizations to raise awareness of the risks associated with TNSecurity.
  • Conduct ongoing monitoring and analysis to identify emerging threats and adapt mitigation strategies accordingly.

AS216319 - CHROMIS LTD (UK/Russia)

Analysis:
AS216319, registered to CHROMIS LTD in the UK, has been linked to Amadey and Redline-based malware traffic originating from Moscow, Russia. Further investigation revealed collaboration with ELITE-HOSTING-LTD in Russia, indicating a sophisticated threat landscape with international ramifications. CHROMIS LTD may be involved in facilitating cybercriminal activities, such as malware distribution and botnet operations. Geo-blocking measures and due diligence before engaging with entities associated with this ASN are essential to mitigate risks.

Mitigation Strategy:

  • Implement geo-blocking measures to restrict traffic from Moscow, Russia, associated with AS216319.
  • Conduct thorough due diligence before engaging with CHROMIS LTD or ELITE-HOSTING-LTD to mitigate potential risks associated with their involvement in malicious activities.
  • Enhance collaboration with international cybersecurity organizations to disrupt the operations of CHROMIS LTD and ELITE-HOSTING-LTD.

By adopting proactive mitigation strategies, collaborating with ISPs and international cybersecurity organizations, and maintaining vigilance against emerging threats, organizations can effectively safeguard their digital assets and mitigate the risks posed by malicious actors. For further inquiries or assistance, please don't hesitate to contact our cybersecurity team.

Want more threat intel on a weekly basis?

Follow HYAS on LinkedIn
Follow HYAS on X

Read last week's report:
Agent Tesla Unmasked: Revealing Unrelated Cyber Campaigns - May 6, 2024

Sign up for the NEW (and free!) HYAS Insight Intel Feed

The post HYAS Threat Intel Report May 6 2024 appeared first on Security Boulevard.
