Cyclops: a likely replacement for BellaCiao
Tags
Common Information
Type | Value |
---|---|
UUID | b8af5e5a-f48a-4ad6-aa27-3b40f23f612a |
Fingerprint | adc1a7912477a7d4 |
Analysis status | DONE |
Considered CTI value | 2 |
Text language | |
Published | Aug. 14, 2024, 11:14 a.m. |
Added to db | Aug. 31, 2024, 10:52 a.m. |
Last updated | Nov. 17, 2024, 10:40 p.m. |
Headline | Cyclops: a likely replacement for BellaCiao |
Title | Cyclops: a likely replacement for BellaCiao |
Detected Hints/Tags/Attributes | 82/2/39 |
Source URLs

Redirection | Url |
---|---|
Source | https://harfanglab.io/insidethelab/cyclops-replacement-bellaciao/ |
URL Provider
RSS Feed

Id | Enabled | Feed title | Url | Added to db |
---|---|---|---|---|
422 | ✔ | Inside The Lab - HarfangLab | https://harfanglab.io/insidethelab/feed | 2024-08-30 22:08 |
Attributes

Type | #Events | Value |
---|---|---|
Domain | 1 | lialb.autoupdate.uk |
Domain | 1 | iuxyf.lialb.autoupdate.uk |
Domain | 1 | autoupdate.uk |
Domain | 1 | mail-updateservice.info |
Domain | 1 | ns2.autoupdate.uk |
Domain | 1 | ns2.mail-updateservice.info |
Domain | 3 | maill-support.com |
Domain | 1 | twittsupport.com |
Domain | 1 | msn-service.co |
Domain | 1 | ns2.freeheadlines.top |
Domain | 1 | ns2.servicechecker.top |
Domain | 1 | servicechecker.top |
Domain | 1 | servicesupdate.info |
Domain | 1 | mail-update.info |
Domain | 1 | mailupdate.info |
Domain | 1 | freeheadlines.top |
Domain | 1 | servicepackupdate.info |
Domain | 1 | systemupdate.info |
Domain | 5 | harfanglab.io |
File | 21 | sqlserver.exe |
File | 26 | os.exe |
File | 2126 | cmd.exe |
File | 306 | services.exe |
File | 3 | 5bc57431-a7a9-49ad-944d-b93b7d35d0fc.pdf |
sha256 | 1 | fafa68e626f1b789261c4dd7fae692756cf71881c7273260af26ca051a094a69 |
IPv4 | 1 | 88.80.145.126 |
IPv4 | 1441 | 127.0.0.1 |
IPv4 | 1 | 127.0.30.3 |
IPv4 | 1 | 88.80.145.93 |
IPv4 | 1 | 88.80.145.122 |
IPv4 | 1 | 88.80.145.137 |
IPv4 | 1 | 88.80.145.132 |
Threat Actor Identifier - APT | 194 | APT35 |
Url | 1 | https://127.0.0.1:55561/api/v3/update\|cyclops |
Url | 1 | https://harfanglab.io/insidethelab |
Url | 3 | https://www.bitdefender.com/blog/businessinsights/unpacking-bellaciao-a-closer-look-at-irans-latest-malware |
Url | 2 | https://cdn-dynmedia-1.microsoft.com/is/content/microsoftcorp/microsoft/final/en-us/microsoft-brand/documents/5bc57431-a7a9-49ad-944d-b93b7d35d0fc.pdf |
Url | 1 | https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs |
Yara rule | 1 | charmingkitten_cyclops (listed in full below) |

Yara rule

```yara
rule charmingkitten_cyclops
{
    meta:
        description = "Detects Cyclops Golang Malware"
        references = "TRR240801"
        hash = "fafa68e626f1b789261c4dd7fae692756cf71881c7273260af26ca051a094a69"
        date = "2024-08-05"
        author = "HarfangLab"
        context = "file"
    strings:
        $go = " Go build ID: \""
        $a1 = "dep\tback-service\t(devel)" ascii fullword
        $a2 = "/brain-loader-enc.go\x00"
        $a3 = "back-service/go-mux/api"
        $a4 = "/JD-M42KItJncJfqb38qh/"
    condition:
        filesize > 2MB and filesize < 20MB and (uint16(0) == 0x5A4D) and $go and (2 of ($a*))
}
```
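The attribute table above mixes real indicators with values the aggregator extracted simply because the article mentions them: harfanglab.io is the publisher, the bitdefender.com and microsoft.com URLs are references, 127.0.0.1 appears because the Cyclops API URL on the page points at loopback, and cmd.exe or services.exe are ordinary Windows binaries. Before feeding the list to a resolver blocklist or a DNS-log hunt, a practitioner keeps only the domains that are actually infrastructure. The script below, added here as an example and not taken from HarfangLab or the page's source, does that for the domain entries (everything except harfanglab.io) and matches them against constructed BIND-style query-log lines. Matching is by registrable domain, so a label under autoupdate.uk that the report did not enumerate is still caught, while names that merely end in the same characters (notmail-update.info) are not. The log format, client addresses and timestamps are constructed for the example.

```python
"""Match DNS query-log lines against the domain indicators from the attribute
table above. Added example for this page, not code from HarfangLab or the
page's source; the log lines below are constructed."""

from __future__ import annotations

import re
from typing import Iterable

# Domain attributes from the table, minus harfanglab.io (the publisher, not an
# indicator). The bitdefender/microsoft reference URLs are likewise left out.
IOC_DOMAINS = {
    "autoupdate.uk", "lialb.autoupdate.uk", "iuxyf.lialb.autoupdate.uk",
    "ns2.autoupdate.uk",
    "mail-updateservice.info", "ns2.mail-updateservice.info",
    "maill-support.com", "twittsupport.com", "msn-service.co",
    "freeheadlines.top", "ns2.freeheadlines.top",
    "servicechecker.top", "ns2.servicechecker.top",
    "servicesupdate.info", "mail-update.info", "mailupdate.info",
    "servicepackupdate.info", "systemupdate.info",
}

# Registrable domains in the list; matching on these also catches labels under
# them that the report did not enumerate (e.g. a new host under autoupdate.uk).
IOC_SUFFIXES = {d for d in IOC_DOMAINS if d.count(".") == 1}

# BIND querylog layout assumed for the constructed sample below:
#   <date> client @<ptr> <ip>#<port> (<qname>): query: <qname> IN <qtype> ...
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(\d{1,3}(?:\.\d{1,3}){3})#\d+ .*?query: (\S+) IN (\S+)"
)


def normalize(name: str) -> str:
    """Lower-case and drop the trailing dot of an FQDN."""
    return name.strip().lower().rstrip(".")


def match_domain(name: str) -> str | None:
    """Return the indicator that `name` matches, or None.

    Exact matches win; otherwise a name under a listed registrable domain is
    reported under that domain. The suffix test requires a label boundary, so
    "notmail-update.info" does not match "mail-update.info".
    """
    n = normalize(name)
    if n in IOC_DOMAINS:
        return n
    for suffix in IOC_SUFFIXES:
        if n.endswith("." + suffix):
            return suffix
    return None


def scan_querylog(lines: Iterable[str]) -> list[dict]:
    """Return one record per query whose name matches an indicator."""
    hits = []
    for line in lines:
        m = QUERY_RE.search(line)
        if not m:
            continue
        client, qname, qtype = m.groups()
        ioc = match_domain(qname)
        if ioc is not None:
            hits.append({"client": client, "qname": normalize(qname),
                         "qtype": qtype, "ioc": ioc})
    return hits


# Constructed sample log: two lines should match, three should not.
SAMPLE_LOG = """\
17-Aug-2024 10:14:02.123 client @0x7f1c 10.0.0.5#51234 (www.example.com): query: www.example.com IN A + (10.0.0.1)
17-Aug-2024 10:14:05.410 client @0x7f1c 10.0.0.5#51235 (iuxyf.lialb.autoupdate.uk): query: iuxyf.lialb.autoupdate.uk IN A + (10.0.0.1)
17-Aug-2024 10:14:09.002 client @0x7f1c 10.0.0.9#40001 (zzz.autoupdate.uk.): query: zzz.autoupdate.uk. IN TXT + (10.0.0.1)
17-Aug-2024 10:14:11.770 client @0x7f1c 10.0.0.7#40002 (harfanglab.io): query: harfanglab.io IN A + (10.0.0.1)
17-Aug-2024 10:14:15.008 client @0x7f1c 10.0.0.5#51236 (notmail-update.info): query: notmail-update.info IN A + (10.0.0.1)
"""

if __name__ == "__main__":
    for hit in scan_querylog(SAMPLE_LOG.splitlines()):
        print(hit)
```

The same `match_domain` can be pointed at Sysmon event ID 22 (DNS query) or proxy logs by swapping the regex; the ns2.* entries suggest the actor runs its own name servers, so queries for NS or SOA records of these zones are worth keeping in the hit list rather than filtering to A/AAAA only.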
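HarfangLab's rule above needs YARA to run, but its condition is worth reading as plain logic: the file must be a PE (`uint16(0)` is little-endian in YARA, so `0x5A4D` is the bytes "MZ"), between 2 and 20 MiB (YARA's `MB` suffix means 2^20 bytes), carry the Go build-ID marker, and contain at least two of the four actor-specific strings, where `$a1` is additionally constrained by `fullword` and so must not be glued to other alphanumeric bytes. The script below re-implements that condition in Python without yara-python and evaluates it over constructed buffers, so the effect of each clause can be seen in isolation. It is an added example, not HarfangLab's code; the `$a2` string is assumed to end in a NUL byte (`\x00`), since the `gox00` in the page's rendering of the rule has lost the backslash of that escape.

```python
"""Re-implementation of the condition of HarfangLab's charmingkitten_cyclops
YARA rule in plain Python, evaluated over constructed byte buffers.
Added example for this page; it is not HarfangLab's code and needs no yara-python."""

from __future__ import annotations

import struct

MIB = 1024 * 1024                # YARA's "MB" suffix means 2**20 bytes
MIN_SIZE, MAX_SIZE = 2 * MIB, 20 * MIB
MZ_LE = 0x5A4D                   # uint16(0) in YARA is little-endian: bytes "MZ"

GO_BUILD_ID = b' Go build ID: "'
# (pattern, fullword?) for the $a* strings. $a2 is assumed to end in a NUL
# byte; the rule as rendered on the page shows that escape as "gox00".
A_STRINGS = {
    "a1": (b"dep\tback-service\t(devel)", True),
    "a2": (b"/brain-loader-enc.go\x00", False),
    "a3": (b"back-service/go-mux/api", False),
    "a4": (b"/JD-M42KItJncJfqb38qh/", False),
}


def _alnum(b: int | None) -> bool:
    """True if b is an ASCII letter or digit (YARA's fullword delimiter test)."""
    return b is not None and bytes([b]).isalnum()


def find_fullword(data: bytes, needle: bytes) -> bool:
    """Like `needle in data`, but the occurrence must not be adjacent to
    alphanumeric bytes on either side, which is what `fullword` requires."""
    start = 0
    while (i := data.find(needle, start)) >= 0:
        before = data[i - 1] if i > 0 else None
        end = i + len(needle)
        after = data[end] if end < len(data) else None
        if not _alnum(before) and not _alnum(after):
            return True
        start = i + 1
    return False


def evaluate(data: bytes) -> dict:
    """Evaluate each clause of the rule separately, then the overall verdict."""
    size = len(data)
    result = {
        "filesize_ok": MIN_SIZE < size < MAX_SIZE,
        "is_pe": size >= 2 and struct.unpack_from("<H", data, 0)[0] == MZ_LE,
        "go_build_id": GO_BUILD_ID in data,
        "a_matched": sorted(
            name for name, (pat, fullword) in A_STRINGS.items()
            if (find_fullword(data, pat) if fullword else pat in data)
        ),
    }
    result["match"] = (
        result["filesize_ok"] and result["is_pe"] and result["go_build_id"]
        and len(result["a_matched"]) >= 2
    )
    return result


def build_sample(size: int, strings: list, mz: bool = True) -> bytes:
    """Constructed test buffer: optional MZ header, NUL padding, and the given
    strings laid out from offset 0x400, each followed by NUL bytes."""
    buf = bytearray(size)
    if mz:
        buf[0:2] = b"MZ"
    pos = 0x400
    for s in strings:
        buf[pos:pos + len(s)] = s
        pos += len(s) + 16
    return bytes(buf)


# Constructed samples, not real files: one that satisfies every clause and
# three that each fail exactly one of them.
SAMPLES = {
    "go_pe_two_strings": build_sample(
        3 * MIB, [GO_BUILD_ID, A_STRINGS["a1"][0], A_STRINGS["a3"][0]]),
    "too_small": build_sample(
        1 * MIB, [GO_BUILD_ID, A_STRINGS["a1"][0], A_STRINGS["a3"][0]]),
    "not_pe": build_sample(
        3 * MIB, [GO_BUILD_ID, A_STRINGS["a2"][0], A_STRINGS["a4"][0]], mz=False),
    "a1_not_fullword": build_sample(
        3 * MIB, [GO_BUILD_ID, b"x" + A_STRINGS["a1"][0] + b"x", A_STRINGS["a3"][0]]),
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:20s} {evaluate(data)}")
```

The size window is the clause most likely to need attention when the rule is reused: Go binaries are large, but a UPX-packed or stripped build of the same code could fall under 2 MiB and the rule would then miss it even with all strings present, which is exactly what the `too_small` sample shows.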