xHunt Campaign: Newly Discovered Backdoors Using Deleted Email Drafts and DNS Tunneling for Command and Control
Common Information

Type: Value
UUID: abf8d8ea-b10a-475f-99be-76f983887e7a
Fingerprint: c4fc8db70b5ef995
Analysis status: DONE
Considered CTI value: 2
Text language:
Published: Nov. 9, 2020, 8 a.m.
Added to db: Sept. 11, 2022, 12:39 p.m.
Last updated: Nov. 15, 2024, 9:31 p.m.
Headline: xHunt Campaign: Newly Discovered Backdoors Using Deleted Email Drafts and DNS Tunneling for Command and Control
Title: xHunt Campaign: Newly Discovered Backdoors Using Deleted Email Drafts and DNS Tunneling for Command and Control
Detected Hints/Tags/Attributes: 73/3/45
Attributes
Details Type #Events CTI Value