FOCUS MODE
EXTRACT IOC
Threat Research

Unveiling EncryptHub: Analysis of a Multi-Stage Malware Campaign

iocOne
Unveiling EncryptHub: Analysis of a Multi-Stage Malware Campaign
EncryptHub, a notable cybercriminal organization, has gained increasing attention from threat intelligence teams due to its operational security missteps. These lapses have allowed analysts to gain insights into their tactics and infrastructure. The report details EncryptHub’s multi-stage attack chains, trojanized application distribution strategies, and their evolving killchain, making them a significant threat in the cyber landscape. Affected: Cybersecurity sector, users of popular applications, organizations using VPN software, cryptocurrency holders

Keypoints :

  • EncryptHub is involved in multi-stage attacks using PowerShell scripts.
  • The group exploits vulnerable applications through trojanized software.
  • They focus on stealing credentials based on specific characteristics of victims.
  • EncryptHub is developing a remote access tool named “EncryptRAT”.
  • The group employs third-party distribution services for their malware.
  • Operational security flaws have provided unique insights into their methods.
  • They leverage popular vulnerabilities in their attack strategies.
  • The threat actor is expanding and evolving their malware delivery tactics.

MITRE Techniques :

  • T1608.004 – Drive-by Target: Leveraging trojanized software to exploit user trust.
  • T1210 – Exploitation of Remote Services: Targeting vulnerabilities in applications.
  • T1059.001 – PowerShell: Utilizing PowerShell for executing malicious scripts.
  • T1027 – Obfuscated Files or Information: Hiding malicious activities behind legitimate files.
  • T1562.001 – Impair Defenses: Bypassing security systems and generating false trust.
  • T1555.003 – Credentials from Password Stores: Targeting password managers and browsers for credential theft.
  • T1082 – System Information Discovery: Gathering system information for targeting purposes.
  • T1005 – Data from Local System: Collecting sensitive information from the victim’s machine.
  • T1567.002 – Exfiltration Over Web Service: Sending stolen data via web services.
  • T1041 – Exfiltration Over Command and Control Channel: Transmitting data through the command-and-control infrastructure.
  • T1071.001 – Application Layer Protocol: Leveraging HTTP/S for command and control communications.
  • T1219 – Remote Access Tools: Using tools for controlling infected systems.

Indicator of Compromise :

  • [MD5] 532f4c9c72f1c77531a55f7811371aa65f85fc3a768d792482cab3381cdd29b3 (connect.exe)
  • [MD5] 4af6e5a266577ccc2dca9fcbe2f56a9673947f6f3b5b9d1d7eb740613fce80d4 (reCAPCHA.exe)
  • [MD5] 1661e8f8758526f913e4400af8dbfa7587794ba9345f299fa50373c7140e5819 (buzztalk_weaponised.exe)
  • [MD5] f687fe9966f7a2cb6fdc344d62786958edc4a9d9b8389a0e2fea9907f90cfde2 (google-meets.exe)
  • [Domain] encrypthub[.]us

Full Story: https://outpost24.com/blog/unveiling-encrypthub-multi-stage-malware/
Tags: LATERAL MOVEMENT, DARK WEB, LEARN, PAYLOAD, VPN, HUNTING, THREAT HUNTING, DEFENSE EVASION