Last updated at Thu, 16 May 2024 17:38:34 GMT
Executive Summary
Rapid7 has observed an ongoing campaign to distribute trojanized installers for WinSCP and PuTTY via malicious ads on commonly used search engines, where clicking on the ad leads to typo-squatted domains. In at least one observed case, the infection has led to the attempted deployment of ransomware. The analysis conducted by Rapid7 features updates to past research, including a variety of new indicators of compromise, a YARA rule to help identify malicious DLLs, and some observed changes to the malware’s functionality. Rapid7 has observed that the campaign disproportionately affects members of IT teams, who are the most likely to download the trojanized files while looking for legitimate versions. Successful execution of the malware then provides the threat actor with an elevated foothold and impedes analysis by blurring the intentions of subsequent administrative actions.
Overview
Beginning in early March 2024, Rapid7 observed the distribution of trojanized installers for the open source utilities WinSCP and PuTTY. WinSCP is a file transfer client, PuTTY a secure shell (SSH) client. The infection chain typically begins after a user searches for a phrase such as download winscp or download putty on a search engine like Microsoft’s Bing. The search results include an ad for the software; when the user clicks on it, they are ultimately redirected to either a clone of the legitimate website, in the case of WinSCP, or a simple download page, in the case of PuTTY. In both cases, a link to download a zip archive containing the trojan from a secondary domain was embedded on the web page.
The infection begins after the user has downloaded and extracted the contents of the zip archive and executed setup.exe, which is a renamed copy of pythonw.exe, the legitimate Python hidden console window executable.
Upon execution, setup.exe loads the malicious DLL python311.dll. As seen in Figure 2, the copy of the legitimate python311 DLL which setup.exe is intended to load has actually been renamed to python311x.dll. This technique is known as DLL side-loading, where a malicious DLL is loaded into a legitimate, signed executable by mimicking the name and partial functionality of the original library. Side-loading is facilitated by hijacking the DLL search order: the loader attempts to load DLLs contained within the same directory first, before checking other directories on the system where a legitimate copy might be present. Rapid7 has also observed the Python 3.11 library being targeted in prior malware campaigns, such as the novel IDAT loader, discovered by Rapid7 during August of 2023.
The primary payload contained within python311.dll is a compressed archive encrypted and included within the DLL’s resource section. During execution, this archive is unpacked to execute two child processes.
First, the malware executes the unpacked copy of the legitimate WinSCP installer, seen in Figure 3 as WinSCP-6.1.1-Setup.exe. Then, the malicious Python script systemd.py is executed via pythonw.exe after being unpacked into the staging directory %LOCALAPPDATA%\Oracle along with numerous Python dependencies. Following the successful execution of both processes, setup.exe then terminates.
The script systemd.py, executed via pythonw.exe, decrypts and executes a second Python script, which in turn decrypts and reflectively injects a Sliver beacon DLL. Reflective DLL injection is the process of loading a library into a process directly from memory instead of from disk. In several cases, Rapid7 observed the threat actor take quick action upon successful contact with the Sliver beacon, downloading additional payloads, including Cobalt Strike beacons. The access is then used to establish persistence via scheduled tasks and newly created services after pivoting via SMB. In a recent incident, Rapid7 observed the threat actor attempt to exfiltrate data using the backup utility Restic, and then deploy ransomware, an attempt which was ultimately blocked during execution.
The related tactics, techniques, and procedures (TTPs) observed by Rapid7 are reminiscent of past BlackCat/ALPHV campaigns as reported by Trend Micro last year. This campaign, referred to as Nitrogen by Malwarebytes and eSentire, has previously been reported to use similar methods.
Technical Analysis
To take a more in-depth look at the malware delivery and functionality, we analyzed a malware sample recently observed being delivered to users looking for a PuTTY installer.
Initial Access
The source of the infection was a malicious ad served to the user after their search for download putty. Such ads are typically pushed to the top of the search results for visibility. When the user clicked on the ad, they were redirected to a typo-squatted domain at the URL hxxps://puttty[.]org/osn.php. The landing page includes a download button for PuTTY, as well as two legitimate links to download a Bitvise SSH server/client. However, when the download link is clicked by the user it calls the embedded function loadlink(), which redirects the user to hxxps://puttty[.]org/dwnl.php, which then finally redirects the user to the most recent host of the malicious zip archive to serve the download. At the time of writing, puttty[.]org and the relevant URLs were still active, serving the zip archive putty-0.80-installer.zip from the likely compromised WordPress domain areauni[.]com.
Rapid7 observed that the base domain puttty[.]org was also serving a cloned version of a PuTTY help article available at BlueHost, where the download link provided is actually for the official distributor of the software. This relatively benign page is most likely conditionally served as a way to reduce suspicion, as noted by Malwarebytes.
In comparison, the typo-squatted WinSCP domains conditionally redirected visits to Rick Astley’s Never Gonna Give You Up. Classic.
Execution
Upon extracting the zip archive putty-0.80-installer.zip, the user is once again presented with setup.exe, a renamed copy of pythonw.exe, to entice the user to initiate the infection by launching the executable.
Once executed, setup.exe will side-load the malicious DLL python311.dll. The DLL python311.dll then loads a renamed copy of the legitimate DLL, python3.dll, from the same directory after dynamically resolving the necessary functions from kernel32.dll by string match. Future requests for exported functions made by setup.exe can then be forwarded to python3.dll by python311.dll. This technique is commonly used when side-loading malware, so legitimate requests are proxied, which avoids unexpected behavior and improves stability of the payload delivery.
Following the successful side-loading procedure, the malware then performs pre-unpacking setup by dynamically resolving additional functions from ntdll.dll. The malware still uses functionality similar to the publicly available AntiHook and KrakenMask libraries to facilitate setup and execution, as previously noted by eSentire, which provides additional evasion capabilities. AntiHook contains functionality to enumerate the loaded modules of a process, searching each one for hooks, and remaps a clean, unhooked version of the module’s text section if hooks are found. KrakenMask contains functionality to spoof the return address of function calls, to evade stack traces, and functionality to encrypt the process’s virtual memory at rest to evade memory scanners.
The library ntdll.dll contains the functions which make up the Windows Native API (NTAPI), which is generally the closest a process executed in user mode can get to utilizing functionality from the operating system’s kernel. By resolving NTAPI functions for use, malware can bypass detection applied to the more commonly used user mode functions (WINAPI) and access lower level functionality that is otherwise unavailable. Several of the NTAPI function pointers resolved by the malware can be used for evasion techniques such as Event Tracing for Windows (ETW) tampering and bypass of the Anti-Malware Scan Interface (AMSI), as has been observed in prior Nitrogen campaign samples. Some of the functions dynamically resolved from ntdll.dll are located by concatenating stack strings to form the full name of the target API just before resolution is attempted, likely to help evade detection.
Resolved ntdll.dll functions |
---|
EtwEventWrite |
EtwEventWriteFull |
EtwNotificationRegister |
EtwEventRegister |
Table 1. Functions the malware dynamically resolves from ntdll.dll.
Other observed function strings |
---|
WldpQueryDynamicCodeTrust (wldp.dll) |
AmsiScanBuffer (amsi.dll) |
Table 2. Other evasion related WINAPI function strings observed in the malware.
With setup complete, an encrypted resource stored within the resource section of python311.dll is retrieved using common resource WINAPI calls, including FindResourceA, LoadResource, SizeOfResource, and FreeResource.
The resource is then decrypted in memory using an AES-256 hex key and initialization vector (IV) that are stored in the data section in plain text. The resulting file is a zip archive which contains three compressed files, including a legitimate MSI installation package for PuTTY and another compressed archive named installer_data.zip.
To execute the PuTTY installer, the malware first creates a copy of the MSI file in the hard-coded directory C:\Users\Public\Downloads via a call to fopen and then decompresses and writes the retrieved MSI package content with multiple successive calls to fwrite and other CRT file I/O functions, followed by fclose. The full output path is assembled by concatenating the target directory with the desired file name, which is retrieved from original_installer.txt. The contents of original_installer.txt are identical to the name of the MSI package observed in the resource, for this sample: putty-64bit-0.78-installer.msi.
The MSI package is then executed by a call to CreateProcessW with the command line msiexec.exe ALLUSERS=1 /i C:\Users\Public\Downloads\putty-64bit-0.78-installer.msi. So, before the execution of the next malware payload the user is provided with the software they were originally looking for. This functionality is commonly seen with trojans to avoid suspicion by the end user, as the user only sees the legitimate installation window pop up after initial execution. However, the version numbers between the executed MSI package, putty-64bit-0.78-installer.msi, and the initially downloaded zip archive, putty-64bit-0.80-installer.zip, don’t match — a potential indicator.
The same procedure is then repeated to copy the decompressed contents of the folder Oracle contained within the zip archive installer_data.zip to the staging directory created at %LOCALAPPDATA%\Oracle. After the unpacking process is complete, another call by the malware to CreateProcessW executes the next payload with the command line %LOCALAPPDATA%\Oracle\pythonw.exe %LOCALAPPDATA%\Oracle\systemd.py. With its purpose completed, the loader then clears memory and passes back control to setup.exe, which promptly terminates, leaving the pythonw.exe process running in the background.
The Python script systemd.py contains multiple junk classes, which in turn contain numerous junk function definitions to pad out the core script. Ultimately, the script decrypts the file %LOCALAPPDATA%\Oracle\data.aes, which is a Sliver beacon DLL (original name: BALANCED_NAPKIN.dll), performs local injection of the Sliver DLL, and then calls the export StartW. The contents of main and other included functionality within the script appear to have been mostly copied from the publicly available GitHub repo for PythonMemoryModule.
Rapid7 has replicated the unpacking process of the beacon DLL in a Python extraction script that is now publicly available, along with a YARA rule to detect the malicious DLL.
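The execution chain above (a renamed pythonw.exe, an interpreter running from a user-writable folder, that interpreter spawning msiexec, and a script launched from the staging directory) can be expressed as process-creation checks. The following is an added example for this article, not Rapid7's detection content or the tool's own code: it runs four such checks over constructed Sysmon-style events modelled on the sample; the user name, event fields and the allow-list of trusted interpreter folders are assumptions.

```python
"""Process-creation triage for the trojanized-installer chain (added example)."""
import ntpath
import re
from dataclasses import dataclass

# Assumed allow-list of folders where a Python interpreter is normally installed.
TRUSTED_PYTHON_DIRS = (
    "c:\\program files\\python",
    "c:\\program files (x86)\\python",
    "\\appdata\\local\\programs\\python\\",
    "\\appdata\\local\\microsoft\\windowsapps\\",
)
STAGING_MARKER = "\\appdata\\local\\"  # the article's %LOCALAPPDATA%\Oracle lives here
INTERPRETERS = ("python.exe", "pythonw.exe")


@dataclass
class ProcEvent:
    image: str                      # full path of the new process
    original_file_name: str         # PE version-info OriginalFileName
    command_line: str
    parent_image: str
    parent_original_file_name: str


def check_event(event: ProcEvent) -> list[str]:
    """Return the names of every check the event trips (empty list if clean)."""
    hits = []
    image_l = event.image.lower()
    cmd_l = event.command_line.lower()
    if event.original_file_name.lower() in INTERPRETERS:
        # 1. Binary is a Python interpreter but was renamed (setup.exe in the article).
        if ntpath.basename(image_l) != event.original_file_name.lower():
            hits.append("renamed_python_interpreter")
        # 2. Interpreter runs from somewhere other than a known install location.
        if not any(t in image_l for t in TRUSTED_PYTHON_DIRS):
            hits.append("python_interpreter_in_nonstandard_folder")
        # 3. The script argument lives under %LOCALAPPDATA% but outside a real install.
        for arg in re.findall(r'"[^"]+\.py"|\S+\.py\b', cmd_l):
            if STAGING_MARKER in arg and "\\programs\\python\\" not in arg:
                hits.append("python_script_from_staging_dir")
                break
    # 4. msiexec installing a package on behalf of a Python interpreter parent.
    if (ntpath.basename(image_l) == "msiexec.exe"
            and " /i " in f" {cmd_l} "
            and event.parent_original_file_name.lower() in INTERPRETERS):
        hits.append("msiexec_spawned_by_python_interpreter")
    return hits


def triage(events):
    """Return {image: hits} for every event that trips at least one check."""
    return {e.image: h for e in events if (h := check_event(e))}


# Constructed events modelled on the article's chain (user name and paths are made up).
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Users\jdoe\Downloads\putty-0.80-installer\setup.exe", "pythonw.exe",
              "setup.exe", r"C:\Windows\explorer.exe", "EXPLORER.EXE"),
    ProcEvent(r"C:\Windows\System32\msiexec.exe", "msiexec.exe",
              r"msiexec.exe ALLUSERS=1 /i C:\Users\Public\Downloads\putty-64bit-0.78-installer.msi",
              r"C:\Users\jdoe\Downloads\putty-0.80-installer\setup.exe", "pythonw.exe"),
    ProcEvent(r"C:\Users\jdoe\AppData\Local\Oracle\pythonw.exe", "pythonw.exe",
              r"C:\Users\jdoe\AppData\Local\Oracle\pythonw.exe C:\Users\jdoe\AppData\Local\Oracle\systemd.py",
              r"C:\Users\jdoe\Downloads\putty-0.80-installer\setup.exe", "pythonw.exe"),
    # Benign control: a normally installed interpreter running a developer's script.
    ProcEvent(r"C:\Users\jdoe\AppData\Local\Programs\Python\Python311\pythonw.exe", "pythonw.exe",
              r"pythonw.exe C:\Users\jdoe\dev\tool.py", r"C:\Windows\explorer.exe", "EXPLORER.EXE"),
]

if __name__ == "__main__":
    for image, hits in triage(SAMPLE_EVENTS).items():
        print(f"{image}\n    {', '.join(hits)}")
```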
Mitigations
Rapid7 recommends verifying the download source of freely available software. Check that the hash of the downloaded file(s) matches the hash provided by the official distributor and that the files carry a valid and relevant signature. The DLLs that are side-loaded by malware are often unsigned, and are often present in the same location as the legitimately signed and renamed original, to which requests are forwarded. Bookmark the official distribution domains for the download of future updates.
DNS requests for permutations of known domains can also be proactively blocked, or the requests can be redirected to a DNS sinkhole. For example, using the publicly available tool DNSTwist we can identify several additional suspicious domains whose ASNs and country codes match those of many of the C2 IPv4 addresses contacted by the malware, as well as those of known malware hosts/facilitators.
Domain | IPv4 | ASN |
---|---|---|
wnscp[.]net | 91.92.253[.]80 | AS394711:LIMENET |
puttyy[.]org | 82.221.136[.]24 | AS50613:Advania Island ehf |
puutty[.]org | 82.221.129[.]39 | AS50613:Advania Island ehf |
putyy[.]org | 82.221.136[.]1 | AS50613:Advania Island ehf |
Table 3. More suspicious domains found via DNSTwist.
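To show how a blocklist like Table 3 is built, the following is an added example for this article, not DNSTwist's code and not Rapid7 tooling: it reproduces a subset of DNSTwist-style mutation families, labels each candidate domain with the family that produced it, checks that the typo-squatted domains listed on this page are generated, and emits dnsmasq sinkhole lines. The keyboard-adjacency and homoglyph tables are assumptions.

```python
"""Typo-squat candidate generator for the two brands abused in this campaign (added example)."""

# Assumed QWERTY neighbours used for the 'replacement' family.
QWERTY_ADJACENT = {
    "q": "wa", "w": "qase", "e": "wsdr", "r": "edft", "t": "rfgy", "y": "tghu",
    "u": "yhji", "i": "ujko", "o": "iklp", "p": "ol",
    "a": "qwsz", "s": "awedxz", "d": "serfcx", "f": "drtgvc", "g": "ftyhbv",
    "h": "gyujnb", "j": "huikmn", "k": "jiolm", "l": "kop",
    "z": "asx", "x": "zsdc", "c": "xdfv", "v": "cfgb", "b": "vghn", "n": "bhjm", "m": "njk",
}
# Assumed look-alike substitutions (the article's vvinscp[.]net is the 'w' -> 'vv' case).
HOMOGLYPHS = {"w": ("vv",), "m": ("rn",), "d": ("cl",), "l": ("1", "i"), "o": ("0",)}


def mutations(label):
    """Yield (family, candidate) pairs for one DNS label such as 'putty'."""
    for i, ch in enumerate(label):
        yield "omission", label[:i] + label[i + 1:]
        yield "repetition", label[:i] + ch + label[i:]
        if i < len(label) - 1:
            yield "transposition", label[:i] + label[i + 1] + ch + label[i + 2:]
        for adj in QWERTY_ADJACENT.get(ch, ""):
            yield "replacement", label[:i] + adj + label[i + 1:]
        for glyph in HOMOGLYPHS.get(ch, ()):
            yield "homoglyph", label[:i] + glyph + label[i + 1:]


def permutations(domain):
    """Return {candidate_fqdn: family} for a registrable domain such as 'putty.org'.
    When several families yield the same candidate, the first one is recorded."""
    label, tld = domain.lower().rsplit(".", 1)
    out = {}
    for family, cand in mutations(label):
        if cand and cand != label:
            out.setdefault(f"{cand}.{tld}", family)
    return out


def explain(observed, brands):
    """Map each observed domain to (brand, family), or None if no family explains it."""
    index = {}
    for brand in brands:
        for fqdn, family in permutations(brand).items():
            index.setdefault(fqdn, (brand, family))
    return {d: index.get(d.lower()) for d in observed}


def dnsmasq_blocklist(brands, sinkhole="0.0.0.0"):
    """One 'address=/fqdn/ip' line per candidate, ready to drop into a dnsmasq config."""
    return [f"address=/{fqdn}/{sinkhole}"
            for brand in brands for fqdn in sorted(permutations(brand))]


# Typo-squatted domains listed in this article, with the defanging brackets removed.
OBSERVED = ["wnscp.net", "puttyy.org", "puutty.org", "putyy.org",
            "vvinscp.net", "winnscp.net", "puttty.org"]

if __name__ == "__main__":
    for domain, hit in explain(OBSERVED, ["putty.org", "winscp.net"]).items():
        print(f"{domain:14} -> {hit}")
    print(len(dnsmasq_blocklist(["putty.org", "winscp.net"])), "sinkhole entries")
```

Every domain in OBSERVED is explained by one of the five families; real DNSTwist adds more families (insertion, bit-squatting, subdomain, TLD swap), so treat this list as a floor, not the full candidate set.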
Rapid7 observed that impacted users are disproportionately members of information technology (IT) teams, who are more likely to download installers for utilities like PuTTY and WinSCP for updates or setup. When the account of an IT member is compromised, the threat actor gains a foothold with elevated privileges, which impedes analysis by blending their actions in with those of the administrator(s). This stresses the importance of verifying the source of files before download, and their contents before execution.
MITRE ATT&CK Techniques
Tactic | Technique | Procedure |
---|---|---|
Resource Development | T1583.008: Acquire Infrastructure: Malvertising | The threat actor uses ads to promote malware delivery via popular search engines. |
Initial Access | T1189: Drive-by Compromise | The user clicks on a malicious ad populated from a typical search engine query for a software utility and is ultimately redirected to a page hosting malware. |
Execution | T1106: Native API | The malware dynamically resolves and executes functions from ntdll.dll at runtime. |
Execution | T1204.002: User Execution: Malicious File | The user downloads and executes setup.exe (renamed pythonw.exe), which side-loads and executes the malicious DLL python311.dll. |
Execution | T1059.006: Command and Scripting Interpreter: Python | The malware executes a python script to load and execute a Sliver beacon. |
Persistence | T1543.003: Create or Modify System Process: Windows Service | The threat actor creates a service to execute a C2 beacon. The threat actor loads a vulnerable driver to facilitate disabling antivirus software and other defenses present. |
Persistence | T1053.005: Scheduled Task/Job: Scheduled Task | The threat actor creates a scheduled task to execute a C2 beacon. |
Defense Evasion | T1140: Deobfuscate/Decode Files or Information | The malware uses various string manipulation and obfuscation techniques. |
Defense Evasion | T1222.001: File and Directory Permissions Modification: Windows File and Directory Permissions Modification | The malware calls chmod to change file permissions prior to execution. |
Defense Evasion | T1574.001: Hijack Execution Flow: DLL Search Order Hijacking | The malware contained in python311.dll is loaded by a renamed copy of pythonw.exe from the same directory. |
Defense Evasion | T1574.002: Hijack Execution Flow: DLL Side-Loading | The malware contained in python311.dll is loaded by a renamed copy of pythonw.exe and proxies requests to a renamed copy of the legitimate DLL. |
Defense Evasion | T1027.002: Obfuscated Files or Information: Software Packing | The final payload executed by the malware is unpacked through several layers of compression, encryption, and file formats. |
Defense Evasion | T1027.013: Obfuscated Files or Information: Encrypted/Encoded File | The malware also stores other file dependencies with several layers of obfuscation. |
Defense Evasion | T1055.001: Process Injection: Dynamic-link Library Injection | The malware loads a Sliver beacon DLL via python script. |
Lateral Movement | T1570: Lateral Tool Transfer | The threat actor uses SMB via Cobalt Strike to pivot post compromise. |
Exfiltration | T1567.002: Exfiltration Over Web Service: Exfiltration to Cloud Storage | The threat actor attempts to exfiltrate data to a backup using Restic. |
Impact | T1486: Data Encrypted for Impact | The threat actor attempts the deployment of ransomware after exfiltrating data. |
Rapid7 Detections
For Rapid7 MDR and InsightIDR customers, the following detection rules are currently deployed and alerting against malware campaigns like the one described in this blog:
Detections |
---|
Suspicious Process – Sliver C2 Interactive Shell Execution via PowerShell |
Suspicious Process – Python Start Processes in Staging Directories |
Attacker Technique – Renamed PythonW.exe Executed From Non-Standard Folder |
Suspicious Service: Service Installed With Command Line using Python |
Network Discovery – Nltest Enumerate Domain Controllers |
Attacker Technique – Potential Process Hollowing To DLLHost |
Suspicious Process – Gpupdate.exe Execution With No Arguments |
Suspicious Process Access – LSASS Memory Dump Using MiniDumpWriteDump Function |
Indicators of Compromise
Network Based Indicators (NBIs)
Domain/IPv4 Address | Notes |
---|---|
wnscp[.]net | Typo-squatted domain, found via DNSTwist |
puttyy[.]org | Typo-squatted domain, found via DNSTwist |
puutty[.]org | Typo-squatted domain, found via DNSTwist |
putyy[.]org | Typo-squatted domain, found via DNSTwist |
vvinscp[.]net | Typo-squatted domain |
winnscp[.]net | Typo-squatted domain |
puttty[.]org | Typo-squatted domain |
areauni[.]com | Malicious zip archive host, likely compromised domain |
mkt[.]geostrategy-ec[.]com | Malicious zip archive host, likely compromised domain |
fkm-system[.]com | Malicious zip archive host, likely compromised domain |
185.82.219[.]92 | C2 address |
91.92.242[.]183 | C2 address |
91.92.244[.]41 | C2 address |
91.92.249[.]106 | C2 address |
91.92.249[.]155 | C2 address |
91.92.252[.]238 | C2 address |
91.92.255[.]71 | C2 address |
91.92.255[.]77 | C2 address |
94.156.65[.]115 | C2 address |
94.156.65[.]98 | C2 address |
94.156.67[.]185 | C2 address |
94.156.67[.]188 | C2 address |
94.156.67[.]83 | C2 address |
94.158.244[.]32 | C2 address |
Host Based Indicators (HBIs)
File | SHA256 | Notes |
---|---|---|
DellAPC.exe | 8b1946e3e88cff3bee6b8a2ef761513fb82a1c81f97a27f959c08d08e4c75324 | Dropped by the threat actor post compromise |
DellCTSW2.exe | N/A | Dropped by the threat actor post compromise |
DellCTSWin.exe | 2ee435033d0e2027598fc6b35d8d6cbca32380eb4c059ba0806b9cfb1b4275cc | Dropped by the threat actor post compromise |
DellPPem.exe | 4b618892c9a397b2b831917264aaf0511ac1b7e4d5e56f177217902daab74a36 | Dropped by the threat actor post compromise |
DellPRT.exe | 725aa783a0cd17df603fbe6b11b5a41c9fbfd6fc9e4f2e468c328999e5716faa | Dropped by the threat actor post compromise |
KeePassDR.exe | c9042a7ed34847fee538c213300374c70c76436ee506273b35282c86a11d9e6a | Dropped by the threat actor post compromise |
NVDisplay.Contain64.exe | 35161a508dfaf8e04bb6de6bc793a3840a05f2c04bbbbf8c2237abebe8e670aa | Dropped by the threat actor post compromise |
NVDisplay.Container64.exe | 8bc39017b1ea59386f74d7c7822063b3b00315dd317f55ddc6634bde897c45c1 | Dropped by the threat actor post compromise |
NVDisplay.exe | bbdf350c6ae2438bf14fc6dc82bb54030abf9da0c948c485e297330e08850575 | Dropped by the threat actor post compromise |
OktaServiceAgent.exe | 28e5ee69447cea77eee2942c04009735a199771ba64f6bce4965d674515d7322 | Dropped by the threat actor post compromise |
OktaServiceAgent.exe | f36e9dec2e7c574c07f3c01bbbb2e8a6294e85863f4d6552cccb71d9b73688ad | Dropped by the threat actor post compromise |
PDMVault.exe | 242b2c948181f8c2543163c961775393220d128ecb38a82fa62b80893f209cab | Dropped by the threat actor post compromise |
PDMVault.exe | 9be715df88024582eeabdb0a621477e04e2cf5f57895fa6420334609138463b9 | Dropped by the threat actor post compromise |
PDMVaultConf.exe | 8b0d04f65a6a5a3c8fb111e72a1a176b7415903664bc37f0a9015b85d3fc0aa7 | Dropped by the threat actor post compromise |
PDMVaultL.exe | 169ef0e828c3cd35128b0e8d8ca91fbf54120d9a2facf9eb8b57ea88542bc427 | Dropped by the threat actor post compromise |
PDMVaultLP.exe | N/A | Dropped by the threat actor post compromise |
PDMVaultSec.exe | 61214a7b14d6ffb4d27e53e507374aabcbea21b4dc574936b39bec951220e7ea | Dropped by the threat actor post compromise |
PDMVaultSecs.exe | 51af3d778b5a408b725fcf11d762b0f141a9c1404a8097675668f64e10d44d64 | Dropped by the threat actor post compromise |
PDMVaultTest.exe | 96ea33a5f305015fdd84bea48a9e266c0516379ae33321a1db16bc6fabad5679 | Dropped by the threat actor post compromise |
ServerController.exe | 02330e168d4478a4cd2006dd3a856979f125fd30f5ed24ee70a41e03e4c0d2f8 | Dropped by the threat actor post compromise |
SgrmBroker.exe | 8834ec9b0778a08750156632b8e74b9b31134675a95332d1d38f982510c79acb | Dropped by the threat actor post compromise |
VMImportHost.exe | c8a982e2be4324800f69141b5be814701bcc4167b39b3e47ed8908623a13eb10 | Dropped by the threat actor post compromise |
VMImportHost2.exe | 47ec3a1ece8b30e66afd6bb510835bb072bbccc8ea19a557c59ccdf46fe83032 | Dropped by the threat actor post compromise |
VMImportHost3.exe | 9bd3c7eff51c5746c21cef536971cc65d25e3646533631344728e8061a0624cb | Dropped by the threat actor post compromise |
VMSAdmin.exe | f89720497b810afc9666f212e8f03787d72598573b41bc943cd59ce1c620a861 | Dropped by the threat actor post compromise |
VMSAdminUtil.exe | ca05485a1ec408e2f429e2e377cc5af2bee37587a2eb91dc86e8e48211ffc49e | Dropped by the threat actor post compromise |
VMSAdminUtilityUp.exe | 972ca168f7a8cddd77157e7163b196d1267fe2b338b93dabacc4a681e3d46b57 | Dropped by the threat actor post compromise |
VMSBackupConfig.exe | 1576f71ac41c4fc93c8717338fbc2ba48374894345c33bdf831b16d0d06df23d | Dropped by the threat actor post compromise |
VMSBackupUpdate.exe | a5dfc9c326b1303cc1323c286ecd9751684fb1cd509527e2f959fb79e5a792c2 | Dropped by the threat actor post compromise |
dp_agent.exe | 13B2E749EB1E45CE999427A12BB78CBEBC87C415685315C77CDFB7F64CB9AAB0 | Dropped by the threat actor post compromise |
local.exe | bd4abc70de30e036a188fc9df7b499a19a0b49d5baefc99844dfdec6e70faf75 | Dropped by the threat actor post compromise |
lr_agent.exe | d95f6dec32b4ebed2c45ecc05215e76bf2f520f86ad6b5c5da1326083ba72e89 | Dropped by the threat actor post compromise |
ntfrss.exe | f36089675a652d7447f45c604e062c2a58771ec54778f6e06b2332d1f60b1999 | Dropped by the threat actor post compromise |
op_agent.exe | 17e0005fd046e524c1681304493f0c51695ba3f24362a61b58bd2968aa1bd01a | Dropped by the threat actor post compromise |
pp.txt | N/A | Notable naming scheme |
pr_agent.exe | d27f9c0d761e5e1de1a741569e743d6747734d3cdaf964a9e8ca01ce662fac90 | Dropped by the threat actor post compromise |
python311.dll | CD7D59105B0D0B947923DD9ED371B9CFC2C2AA98F29B2AFBDCD3392AD26BDE94 | Malicious DLL sideloaded by setup.exe. Compiled 2024-03-05. Original name: python311_WinSCP.dll. |
python311.dll | 02D8E4E5F74D38C8E1C9AD893E0CEC1CC19AA08A43ECC87AC043FA825382A583 | Malicious DLL sideloaded by setup.exe. Compiled 2024-04-03. Original name: python311_WinSCP.dll. |
python311.dll | 500574522DBCDE5E6C89803C3DCA7F857F73E0868FD7F8D2F437F3CC31CE9E8D | Malicious DLL sideloaded by setup.exe. Compiled 2024-04-10. Original name: python311_Putty.dll. |
-redacted-.exe | a1cb8761dd8e624d6872960e1443c85664e9fbf24d3e208c3584df49bbdb2d9c | Ransomware, named after the impacted domain. |
readme.txt | N/A | Ransom note |
resticORIG.exe | 33f6acd3dfeda1aadf0227271937c1e5479c2dba24b4dca5f3deccc83e6a2f04 | Exfil tool dropped by the threat actor |
rr__agent.exe | d94ed93042d240e4eaac8b1b397abe60c6c50a5ff11e62180a85be8aa0b0cc4a | Dropped by the threat actor post compromise |
truesight.sys | bfc2ef3b404294fe2fa05a8b71c7f786b58519175b7202a69fe30f45e607ff1c | AV/EDR killer, used to facilitate the execution of ransomware. |
veeam.backups.shell.exe | 7d53122d6b7cff81e1c5fcdb3523ccef1dbd46c93020a0de65bc475760faff7d | Dropped by the threat actor post compromise |
vmtools.exe | ED501E49B9418FCFAF56A2EFF7ADCF85A648BDEE2C42BB09DB8C11F024667BFA | Dropped by the threat actor post compromise |
vmtoolsda.exe | 12AFBEC79948007E87FDF9E311736160797F245857A45C040966E8E029CA97B3 | Dropped by the threat actor post compromise |
vmtoolsdr.exe | 989A8E6A01AA20E298B1FFAE83B50CEF3E08F6B64A8F022288DC8D5729301674 | Dropped by the threat actor post compromise |
vmtoolsds.exe | 0AA248300A9F6C498F5305AE3CB871E9EC78AE62E6D51C05C4D6DD069622F442 | Dropped by the threat actor post compromise |
vmtoolsdt.exe | DF0213E4B784A7E7E3B4C799862DB6EA60E34D8E22EB5E72A980A8C2E9B36177 | Dropped by the threat actor post compromise |
DellPP.exe | 51D898DE0C300CAE7A57C806D652809D19BEB3E52422A7D8E4CB1539A1E2485D | Dropped by the threat actor post compromise |
DellPP2.exe | 8827B6FA639AFE037BB2C3F092CCB12D49B642CE5CEC496706651EBCB23D5B9E | Dropped by threat actor post compromise |
data.aes | F18367D88F19C555F19E3A40B17DE66D4A6F761684A5EF4CDD3D9931A6655490 | Encrypted Sliver beacon |
data.aes | C33975AA4AB4CDF015422608962BD04C893F27BD270CF3F30958981541CDFEAD | Encrypted Sliver beacon |
data.aes | 868CD4974E1F3AC7EF843DA8040536CB04F96A2C5779265A69DF58E87DC03029 | Encrypted Sliver beacon |
systemd.py | 69583C4A9BF96E0EDAFCF1AC4362C51D6FF71BBA0F568625AE65A1E378F15C65 | Sliver beacon loader |
systemd.py | 03D18441C04F12270AAB3E55F68284DCD84721D1E56B32F8D8B732A52A654D2D | Sliver beacon loader |
systemd.py | CF82366E319B6736A7EE94CCA827790E9FDEDFACE98601F0499ABEE61F613D5D | Sliver beacon loader |
Source: https://www.rapid7.com/blog/post/2024/05/13/ongoing-malvertising-campaign-leads-to-ransomware/