eSentire’s Threat Response Unit (TRU) has identified a campaign involving MintsLoader malware, which delivers payloads like Stealc through spam emails. This campaign primarily affects organizations in the Electricity, Oil & Gas, and Legal Services sectors in the US and Europe. The malware employs various evasion techniques and utilizes a Domain Generation Algorithm (DGA) to communicate with its command and control servers. Affected: eSentire, MintsLoader, Stealc
Key points:
- eSentire operates 24/7 Security Operations Centers (SOCs) with elite threat hunters.
- TRU identified an ongoing MintsLoader campaign delivering payloads like Stealc.
- MintsLoader is a PowerShell-based malware delivered via spam emails.
- It utilizes a Domain Generation Algorithm (DGA) for evading detection.
- Organizations in the Electricity, Oil & Gas, and Legal Services sectors are impacted.
- The malware checks for virtual machines to evade detection.
- Stealc is an information stealer targeting sensitive data from various applications.
- Recommendations include disabling certain scripts and employing email filtering.
MITRE Techniques:
- T1071.001 – Application Layer Protocol: The malware communicates with its C2 server using HTTP.
- T1203 – Exploitation for Client Execution: MintsLoader is delivered via malicious JScript files in spam emails.
- T1059.001 – PowerShell: The malware utilizes PowerShell commands to execute its payloads.
- T1070.001 – Indicator Removal on Host: The JScript file deletes itself after execution to evade analysis.
- T1040 – Network Sniffing: The malware exfiltrates data using HTTP POST requests to its C2 server.
Indicators of Compromise:
- [url] temp[.]sh
- [file hash] 138d2a62b73e89fc4d09416bcefed27e139ae90016ba4493efc5fbf43b66acfa
- [file name] Fattura[0-9]{8}.js
- [others ioc] MintsLoader
- Check the article for all found IoCs.
Full Research: https://www.esentire.com/blog/mintsloader-stealc-and-boinc-delivery