Lastly, we’ll analyze the 2 threads. The C&C communication thread regularly makes a GET request to <C&C domain>/<C&C path>?id=<9-digit number>&stat=<environment hash>. The environment hash is computed as an MD5 hash of a string created by concatenating the following 5 values:
Value 1 = to_uppercase(crc32(HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid))
Value 2 = to_uppercase(crc32(HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName))
Value 3 = to_uppercase(crc32(user name))
Value 4 = to_uppercase(crc32(computer name))
Value 5 = concatenate Value1 Value2 Value3 Value4
It might receive a response in the following format:
!lexec;<url to download>restartdelproc
The idle-tracking thread monitors pressed keys and clicking or dragging actions. If the user is idle for more than a minute, it sends a sidl (start idle) request with the time when the user became idle:
<C&C domain>/<C&C path>?id=<9-digit number>&stat=<environment hash>&sidl=<time>
The length of idleness is then regularly submitted in a cidl (count of idle) parameter:
<C&C domain>/<C&C path>?id=<9-digit number>&stat=<environment hash>&cidl=<number of seconds>
When the user becomes active again, the malware sends an eidl (end of idle) request:
<C&C domain>/<C&C path>?id=<9-digit number>&stat=<environment hash>&eidl=<time>&cidl=<number of seconds>
The idle-tracking thread allows the malware operator to pick the right moment, when the victim is not present, in order to stay unnoticed.
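The two pieces of this beacon that a defender can reproduce are the stat hash (so a host's expected value can be matched against proxy logs) and the sidl/cidl/eidl parameters (so beacons can be classified by idle state). The following is an added example, not code from the original analysis; it assumes crc32 is rendered as 8-digit zero-padded uppercase hex, since the page does not state the exact rendering, and the host values are constructed.

```python
import hashlib
import zlib
from urllib.parse import parse_qs, urlsplit


def crc32_upper(value: str) -> str:
    """to_uppercase(crc32(value)); the 8-digit zero-padded hex rendering is an assumption."""
    return f"{zlib.crc32(value.encode('utf-8')) & 0xFFFFFFFF:08X}"


def environment_hash(machine_guid: str, product_name: str, user_name: str, computer_name: str) -> str:
    """Rebuild the stat= value as described: MD5 over Value1..Value4 plus their concatenation (Value5)."""
    v1 = crc32_upper(machine_guid)   # MachineGuid registry value
    v2 = crc32_upper(product_name)   # ProductName registry value
    v3 = crc32_upper(user_name)
    v4 = crc32_upper(computer_name)
    v5 = v1 + v2 + v3 + v4
    return hashlib.md5((v1 + v2 + v3 + v4 + v5).encode("ascii")).hexdigest()


def classify_beacon(url: str) -> dict:
    """Pull id/stat and the idle-tracking parameters out of a beacon URL and label its phase."""
    params = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    if "eidl" in params:
        params["phase"] = "end_idle"
    elif "cidl" in params:
        params["phase"] = "idle_count"
    elif "sidl" in params:
        params["phase"] = "start_idle"
    else:
        params["phase"] = "checkin"
    return params


if __name__ == "__main__":
    # Constructed host values; on a real host they would be read from the registry and environment.
    stat = environment_hash("12345678-aaaa-bbbb-cccc-1234567890ab", "Windows 10 Pro", "alice", "DESKTOP-TEST")
    print("expected stat hash:", stat)
    sample = f"http://c2.example.invalid/path?id=123456789&stat={stat}&eidl=1700000000&cidl=90"
    print(classify_beacon(sample))
```

Matching the computed stat value against the stat= parameter in web proxy logs ties a beacon to a specific host even when the id value is unknown.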
SpyAgent usually downloads other malware to perform additional tasks such as stealing important data.
We observed SpyAgent downloading the following commodity stealers:
RedLine Stealer
Ducky stealer
AZOrult
Cypress Stealer
Clipper (a clipboard replacer that replaces various cryptocurrency addresses with those controlled by the malicious actor)
We also observed other RATs being used in the campaign, such as:
Remcos RAT
NanoCore
njRAT
AsyncRAT
The threat actor behind this malware appears to have a simple financial motivation and generally aims to steal credentials and cryptocurrency wallets while also replacing cryptocurrency addresses shared via the clipboard.
Fortunately, defending oneself against these attacks is also simple. Given the malicious actor’s use of traditional social engineering techniques such as fake websites, malicious advertisements, and spurious social media posts, users should apply due diligence and avoid clicking any suspicious links or visiting dubious websites. We also encourage users to follow security best practices such as bookmarking trusted sites and exercising caution when visiting new websites, especially those that are prone to being abused for social engineering attacks.
The IOCs used in this analysis can be found here.