Tusk campaign uses infostealers and clippers for financial gain
Common Information
UUID: 91429add-b9e9-404d-913c-adf21993a5fd
Fingerprint: a42538914dbf8389
Analysis status: DONE
Considered CTI value: 2
Text language:
Published: Aug. 15, 2024, noon
Added to db: Aug. 31, 2024, 8:10 a.m.
Last updated: Nov. 17, 2024, 10:40 p.m.
Headline: Tusk: unraveling a complex infostealer campaign
Title: Tusk campaign uses infostealers and clippers for financial gain
Detected Hints/Tags/Attributes: 86/4/85

RSS Feed
Id: 223
Enabled:
Feed title: Securelist
Url: https://securelist.com/feed/
Added to db: 2024-08-30 22:08
Attributes