Securonix Threat Labs Security Advisory: New MULTI#STORM Attack Campaign Involving Python-based Loader Masquerading as OneDrive Utilities Dropping Multiple RAT Payloads Using Security Analytics
Tags
cmtmf-attack-pattern: Boot Or Logon Autostart Execution; Command And Scripting Interpreter; Masquerading; Obfuscated Files Or Information; Process Injection; Scheduled Task/Job
country: India
maec-delivery-vectors: Watering Hole
attack-pattern: Data Direct Boot Or Logon Autostart Execution - T1547; Command And Scripting Interpreter - T1623; Command Obfuscation - T1027.010; Credentials - T1589.001; Encrypted Channel - T1521; Encrypted Channel - T1573; Exfiltration Over C2 Channel - T1646; Ingress Tool Transfer - T1544; Input Capture - T1417; Javascript - T1059.007; Keylogging - T1056.001; Keylogging - T1417.001; Malicious File - T1204.002; Malware - T1587.001; Malware - T1588.001; Masquerading - T1655; Obfuscated Files Or Information - T1406; Non-Standard Port - T1509; Non-Standard Port - T1571; Phishing - T1660; Phishing - T1566; Portable Executable Injection - T1055.002; Powershell - T1059.001; Process Injection - T1631; Python - T1059.006; Registry Run Keys / Startup Folder - T1547.001; Scheduled Task - T1053.005; Scheduled Task/Job - T1603; Screen Capture - T1513; Server - T1583.004; Server - T1584.004; Software - T1592.002; Spearphishing Attachment - T1566.001; Spearphishing Attachment - T1598.002; Symmetric Cryptography - T1521.001; Symmetric Cryptography - T1573.001; Tool - T1588.002; Automated Collection - T1119; Clipboard Data - T1115; Command-Line Interface - T1059; Connection Proxy - T1090; Exfiltration Over Command And Control Channel - T1041; Remote File Copy - T1105; Input Capture - T1056; Masquerading - T1036; Obfuscated Files Or Information - T1027; Powershell - T1086; Process Injection - T1055; Registry Run Keys / Start Folder - T1060; Scheduled Task - T1053; Screen Capture - T1113; Spearphishing Attachment - T1193; User Execution - T1204; Automated Collection; Masquerading; Screen Capture; Spearphishing Attachment; User Execution
Common Information
Type Value
UUID 707efc15-f2a2-4f58-9e98-348e4dc275ab
Fingerprint 85050e7b83b71285
Analysis status DONE
Considered CTI value 2
Text language
Published June 23, 2023, 9:48 p.m.
Added to db Oct. 24, 2023, 1:19 p.m.
Last updated Nov. 17, 2024, 10:40 p.m.
Headline Securonix Threat Labs Security Advisory: Detecting New MULTI#STORM Attack Campaign Involving Python-based Loader Masquerading as OneDrive Utilities to Drop Multiple RAT Payloads With Security Analytics
Title Securonix Threat Labs Security Advisory: New MULTI#STORM Attack Campaign Involving Python-based Loader Masquerading as OneDrive Utilities Dropping Multiple RAT Payloads Using Security Analytics
Detected Hints/Tags/Attributes 132/4/100
Attributes
Type  #Events  Value  (the CTI Value column is empty for every row on the page)
Domain  17  request.zip
Domain  14  files.zip
Domain  4127  github.com
Domain  2  dominion46.ddns.net
Domain  41  ddns.net
Domain  31  onedrive.live.com
Domain  4  blog.sevagas.com
Domain  1  www.alertra.com
Domain  16  www.codeproject.com
Domain  2  zero2auto.com
File  17  request.zip
File  7  request.js
File  2126  cmd.exe
File  1208  powershell.exe
File  1  c:\users\public\libraries\files.pdf
File  3  files.pdf
File  1  spread.pdf
File  6  news.exe
File  1  c:\users\public\libraries\onedrive.ico
File  1  c:\users\public\libraries\onedrive.url
File  81  werfault.exe
File  1  c:\users\public\libraries\files.zip
File  1  c:\users\public\libraries runs c:\users\public\libraries\check.bat
File  5  storm.exe
File  30  s.exe
File  1  c:\users\public\libraries\s.exe
File  15  files.zip
File  14  check.bat
File  10  kdeco.bat
File  10  easinvoker.exe
File  12  netutils.dll
File  1  ekeco.bat
File  1  c:\users\public\\libraries\onedrive update.url
File  1  c:\users\public\libraries\storm.exe
File  1  onedrive.url
File  1  update.url
File  2  c:\\users\\vitali kremez\\documents\\midgetporn\\workspace\\msgbox.exe
File  3  programs.bat
File  1  wmiprsrv.exe
File  1  %windir%\system32\sdclt.exe
File  22  find.exe
File  23  vaultcli.dll
File  41  softokn3.dll
File  51  msvcp140.dll
File  51  mozglue.dll
File  69  vcruntime140.dll
File  44  freebl3.dll
File  71  nss3.dll
File  1  euyjrxpgo6ua.bat
File  1  quas.exe
File  1  c:\users\public\libraries\quas.exe
File  4  configsecuritypolicy.exe
File  1260  explorer.exe
md5  13  9375CFF0413111d3B88A00104B2A6676
sha256  1  8674817912be90a09c5a0840cd2dff2606027fe8843eb868929fc33935f5511e
sha256  1  3783acc6600b0555dec5ee8d3cc4d59e07b5078dd33082c5da279a240e7c0e79
sha256  1  18c876a24913ee8fc89a146ec6a6350cdc4f081ac93c0477ff8fc054cc507b75
sha256  1  31960a45b069d62e951729e519e14de9d7af29cb4bb4fb8fead627174a07b425
sha256  1  02212f763b2d19e96651613d88338c933ddfd18be4cb7e721b2fb57f55887d64
sha256  1  5a11c5641c476891aa30e7ecfa57c2639f6827d8640061f73e9afec0adbbd7d2
sha256  1  30951db8bfc21640645aa9144cfeaa294bb7c6980ef236d28552b6f4f3f92a96
sha256  1  37c59c8398279916cfce45f8c5e3431058248f5e3bef4d9f5c0f44a7d564f82e
sha256  1  f9130b4fc7052138a0e4dbaaec385ef5fae57522b5d61cb887b0327965ccc02a
sha256  1  0e799b2f64cd9d10a4dfed1109394ac7b4ccc317a3c17a95d4b3565943213257
sha256  1  455ed920d79f9270e8e236f14b13ed4e8db8dd493d4dabb05756c867547d8bc7
sha256  1  9c14375fbbce08bcf3dc7f2f1100316b2fb745fa2c510f5503e07db57499bfc8
sha256  1  b452a2ba481e881d10a9741a452a3f092dfb87ba42d530484d7c3b475e04da11
sha256  1  ab0212f8790678e3f76ed90fba5a455ac23fbb935cf99cabc2515a1d7277676f
sha256  1  4a834b03e7faffef929a2932d8e5a1839190df4d5282cef35da4019fe84b19a5
sha256  1  11408368f4c25509c24017b9b68b19ce5278681f6f12ce7db992d3c6124b0a23
IPv4  79  1.2.3.4
IPv4  2  134.19.179.147
MITRE ATT&CK Techniques  409  T1566
MITRE ATT&CK Techniques  310  T1566.001
MITRE ATT&CK Techniques  365  T1204.002
MITRE ATT&CK Techniques  460  T1059.001
MITRE ATT&CK Techniques  93  T1059.007
MITRE ATT&CK Techniques  25  T1027.010
MITRE ATT&CK Techniques  40  T1055.002
MITRE ATT&CK Techniques  380  T1547.001
MITRE ATT&CK Techniques  275  T1053.005
MITRE ATT&CK Techniques  130  T1573.001
MITRE ATT&CK Techniques  492  T1105
MITRE ATT&CK Techniques  115  T1571
MITRE ATT&CK Techniques  422  T1041
MITRE ATT&CK Techniques  118  T1056.001
MITRE ATT&CK Techniques  219  T1113
MITRE ATT&CK Techniques  82  T1115
Url  1  https://onedrive.live.com/download?cid=d09bfd4ebda21a3d&resid=d09bfd4ebda21a3d
Url  1  https://onedrive.live.com/download?cid=4a89e2a4ea0448c0&resid=4a89e2a4ea0448c0
Url  1  https://github.com/syohex/java-simple-mine-sweeper
Url  1  https://lo3kcg.bl.files.1drv.com/y4mtaff_tqm7vafhxoasptwoq0m5qmxcnd8fhdfvhvkoxyaa1h-ocjsybip-r0imvck8uh6wp-ffsps6l-ap6utlpsy11crz_p_hfmxti4yymzbqvklx-v4nqlrn2ty0-ilirzicabtwbooanm9u97qpmtgunxhc9ab_4vfnvcmiwfeami9lwl35d8eb7uif7tcjto_0xyaatlemjaxw9zalw/request.zip?download&psid=1
Url  1  https://www.bleepingcomputer.com/news/security/bypassing-windows-10-uac-with-mock-folders-and-dll-hijacking
Url  1  https://blog.sevagas.com/?yet
Url  1  https://social.technet.microsoft.com/forums/ie/en-us/c95a72de-f7ba-4258-b179-da0ca4d9ca84/increasing-simultaneous-network-connections-to-10-for-various-applications?forum=ieitprocurrentver
Url  1  https://www.alertra.com/blog/decrypting-browser-passwords-other-secrets
Url  2  https://www.codeproject.com/articles/1167943/the-secrets-of-internet-explorer-credentials
Url  1  https://www.codeproject.com/articles/1167954/the-secrets-of-firefox-credentials
Url  1  https://zero2auto.com/2020/08/20/dbatloader-modiloader-first-stage
Windows Registry Key  1  HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive
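The attribute table above is a flat IOC list; what a responder actually needs is a way to run it over endpoint telemetry without drowning in the generic names it also contains (cmd.exe, explorer.exe, the browser DLLs). The matcher below is an added example written for this page; it is not Securonix's code and does not come from the advisory. Indicator values (the c:\users\public\libraries staging directory, the staged file names, the OneDrive Run key, dominion46.ddns.net, 134.19.179.147, and three of the sixteen SHA-256 hashes) are copied from the table; the Sysmon-style event fields and the sample events are constructed for the demo and are assumptions, not a real telemetry schema or real logs.

```python
"""Hunt for the MULTI#STORM indicators in this page's attribute table.

Added example: this is not Securonix's code and not part of the original
page. Indicator values come from the table above; the event records below
are constructed for the demo (the Sysmon-style field names are an
assumption, not a real telemetry schema).
"""
import re
from collections import Counter
from typing import Dict, List

# Staging directory and file names taken from the File attributes above.
# Generic names on the page (cmd.exe, powershell.exe, explorer.exe,
# werfault.exe, find.exe, the browser/NSS DLLs) are deliberately left out
# of the filename IOCs: on their own they match every Windows host.
STAGING_DIR = r"c:\users\public\libraries"
STAGED_FILES = {
    "check.bat", "kdeco.bat", "ekeco.bat", "programs.bat", "files.zip",
    "files.pdf", "spread.pdf", "onedrive.ico", "onedrive.url",
    "onedrive update.url", "storm.exe", "s.exe", "quas.exe", "news.exe",
    "easinvoker.exe", "netutils.dll", "request.zip", "request.js",
}
SIDELOAD_PAIR = {"easinvoker.exe", "netutils.dll"}  # both listed on the page
RUN_KEY = r"hkcu\software\microsoft\windows\currentversion\run\onedrive"
C2_DOMAINS = {"dominion46.ddns.net"}
C2_IPS = {"134.19.179.147"}            # 1.2.3.4 is a placeholder; excluded
SHA256S = {                            # three of the page's sixteen hashes
    "8674817912be90a09c5a0840cd2dff2606027fe8843eb868929fc33935f5511e",
    "3783acc6600b0555dec5ee8d3cc4d59e07b5078dd33082c5da279a240e7c0e79",
    "18c876a24913ee8fc89a146ec6a6350cdc4f081ac93c0477ff8fc054cc507b75",
}


def norm_path(p: str) -> str:
    """Lower-case, unify slashes and collapse doubled backslashes (the
    table itself carries escaped paths) so they match the indicator form."""
    p = p.strip().strip('"').lower().replace("/", "\\")
    return re.sub(r"\\{2,}", r"\\", p)


def match_event(ev: Dict[str, str]) -> List[str]:
    """Return the indicator labels a single event matches (empty = clean)."""
    hits: List[str] = []
    kind = ev.get("type")
    if kind in ("file", "process"):
        path = norm_path(ev.get("path", ""))
        name = path.rpartition("\\")[2]
        if path.startswith(STAGING_DIR + "\\"):
            hits.append("staging-dir:" + name)
        if name in STAGED_FILES:
            hits.append("filename:" + name)
        digest = ev.get("sha256", "").lower()
        if digest in SHA256S:
            hits.append("sha256:" + digest[:12])
    elif kind == "registry":
        if norm_path(ev.get("key", "")) == RUN_KEY:
            hits.append("run-key:OneDrive")
    elif kind == "dns":
        q = ev.get("query", "").lower().rstrip(".")
        if q in C2_DOMAINS:
            hits.append("domain:" + q)
        elif q.endswith(".ddns.net"):
            # The page lists the parent ddns.net too; any other host under
            # it is only a weak lead, so label it separately.
            hits.append("dyn-dns:" + q)
    elif kind == "network":
        if ev.get("dst_ip", "") in C2_IPS:
            hits.append("ip:" + ev["dst_ip"])
    return hits


def hunt(events: List[Dict[str, str]]) -> Dict[str, object]:
    """Run match_event over a batch and add one cross-event check:
    easinvoker.exe and netutils.dll written to the same directory (the page
    cites a DLL-hijacking UAC-bypass article alongside these two files)."""
    hits_by_host: Counter = Counter()
    findings = []
    names_per_dir: Dict[str, set] = {}
    for ev in events:
        labels = match_event(ev)
        if labels:
            findings.append((ev.get("host", "?"), labels))
            hits_by_host[ev.get("host", "?")] += 1
        if ev.get("type") == "file":
            d, _, name = norm_path(ev.get("path", "")).rpartition("\\")
            names_per_dir.setdefault(d, set()).add(name)
    pair = any(SIDELOAD_PAIR <= names for names in names_per_dir.values())
    return {"findings": findings, "by_host": hits_by_host, "sideload_pair": pair}


# Constructed telemetry for the demo (not real logs).
SAMPLE_EVENTS = [
    {"host": "ws01", "type": "file", "path": r"C:\Users\Public\Libraries\files.zip",
     "sha256": "8674817912BE90A09C5A0840CD2DFF2606027FE8843EB868929FC33935F5511E"},
    {"host": "ws01", "type": "file", "path": r"C:\Users\Public\Libraries\easinvoker.exe"},
    {"host": "ws01", "type": "file", "path": r"C:\Users\Public\Libraries\netutils.dll"},
    {"host": "ws01", "type": "process", "path": r"C:\Windows\System32\cmd.exe"},
    {"host": "ws01", "type": "registry",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive"},
    {"host": "ws01", "type": "dns", "query": "dominion46.ddns.net."},
    {"host": "ws02", "type": "dns", "query": "myhome.ddns.net"},
    {"host": "ws02", "type": "network", "dst_ip": "134.19.179.147"},
    {"host": "ws03", "type": "file", "path": r"C:\Program Files\OneDrive\OneDrive.exe"},
]

if __name__ == "__main__":
    report = hunt(SAMPLE_EVENTS)
    for host, labels in report["findings"]:
        print(host, labels)
    print("hits per host:", dict(report["by_host"]))
    print("easinvoker/netutils sideload pair staged:", report["sideload_pair"])
```

The split between `staging-dir`, `filename`, `sha256` and `dyn-dns` labels is deliberate: a lone `filename:s.exe` or a `dyn-dns` hit is a lead to triage, while a write under c:\users\public\libraries, the OneDrive Run key, or a hash match is close to a confirmed hit, and the easinvoker.exe/netutils.dll pair landing in one directory is the strongest single signal on the page. Extend SHA256S with the remaining thirteen hashes from the table before using this against real data.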