From IRC to Instant Messaging: The Rise of Malware Communication via Chat Platforms | Datadog Security Labs
Common Information
Type Value
UUID cc862b12-8440-4ae1-ae5f-c6f65dca988e
Fingerprint 15019c39ad36bf99
Analysis status DONE
Considered CTI value 2
Text language
Published Jan. 10, 2024, midnight
Added to db Aug. 31, 2024, 8:19 a.m.
Last updated Nov. 17, 2024, 6:53 p.m.
Headline From IRC to Instant Messaging: The Rise of Malware Communication via Chat Platforms
Title From IRC to Instant Messaging: The Rise of Malware Communication via Chat Platforms | Datadog Security Labs
Detected Hints/Tags/Attributes 68/2/28
RSS Feed
Details Id Enabled Feed title Url Added to db
Details 230 Datadog Security Labs https://securitylabs.datadoghq.com/rss/feed.xml 2024-08-30 22:08
Attributes
Details Type #Events CTI Value
Details Domain 71
transfer.sh
Details Domain 145
api.telegram.org
Details Domain 41
discord.com
Details Domain 112
cdn.discordapp.com
Details Domain 54
subprocess.call
Details Domain 2
exodus.zip
Details Domain 98
requests.post
Details File 26
windows.exe
Details File 1
-exodus.zip
Details File 21
exodus.wallet
Details File 9
passphrase.json
Details File 1
rr.ps1
Details File 2
ppadrocsid.nd
Details sha1 1
68747470733a2f2f646973636f72642e636f6d2f
Details sha256 1
28182e76e4f4e684c08807af159ed5157ad1ea252efa46cfcc5d6feef64bb3c9
Details sha256 2
45dc4518fbf43bf4611446159f72cdbc37641707bb924bd2a52644a3af5bab76
Details sha256 1
05d09e5db6a3a784e8ff9df97e38e7a0c73d016d6dcaf74e106647a9cdaf2bd4
Details sha256 1
59eda1c77195ca2bfc6309ca527448e852002734796f0f143577cda97e147c15
Details sha256 1
fe6383138be7ff8e8cd3ff84bc5a0ac16439e345e09495b5a06a259f11fafab6
Details Url 1
https://transfer.sh/l6tpcxqysw/setup_xmrigcc.sh
Details Url 1
https://cdn.discordapp.com/attachments/1109115014054416495/1109465188433936425/windows.exe
Details Url 33
https://api.telegram.org/bot
Details Url 3
https://cdn.discordapp.com/attachments
Details Url 5
https://api.telegram.org
Details Url 7
https://discord.com
Details Yara rule 1
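// Flags files that carry a Discord attachment URL in clear text or in one of
// three common obfuscations (Base64, hex, reversed). Any single hit fires, so
// treat a match as a triage lead rather than a verdict: the clear-text form
// also appears in benign software that talks to Discord.
rule Discord_Attachment_Suspicious_Activity {
	meta:
		description = "Detects potentially malicious activity involving Discord attachments, including executables and encoded URLs."
		author = "Modified by Andy Giron Datadog"
		original_authors = "Florian Roth (Nextron Systems)"
		date = "12/01/23"
	strings:
		// Clear-text prefix of Discord attachment download URLs.
		$discord_url = "https://cdn.discordapp.com/attachments/" ascii wide
		// Base64 of "cdn.discordapp.com/attachments" (30 bytes, so no padding).
		// Only matches when the string starts on a 3-byte boundary of the
		// encoded data; the other two alignments are not covered.
		$string_base64 = "Y2RuLmRpc2NvcmRhcHAuY29tL2F0dGFjaG1lbnRz" ascii wide
		// Hex of "cdn.discordapp.com/attachments". The previous value ended in
		// 6F6E7473 ("attachonts"), a typo that could never match. nocase makes
		// lower- and upper-case hex digits both match.
		$string_hex = "63646E2E646973636F72646170702E636F6D2F6174746163686D656E7473" ascii wide nocase
		// "cdn.discordapp.com/attachments" written backwards.
		$reversed_str = "stnemhcatta/moc.ppadrocsid.ndc" ascii wide
	condition:
		filesize < 5000KB and (1 of them)
}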
Details Yara rule 1
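// Flags files that reference the Telegram Bot API host in clear text or in a
// Base64, hex or reversed form. There is no filesize guard and a single hit
// fires, so the clear-text string alone will also match legitimate Telegram
// bot libraries; use the encoded variants as the stronger signal.
rule Telegram_URL_Encodings {
	meta:
		description = "Detects various encoded forms of Telegram URLs, indicative of potential malicious activity."
		author = "Andy Giron Datadog"
		date = "12/01/23"
	strings:
		// Clear-text Bot API base URL.
		$telegram_url = "https://api.telegram.org/" ascii wide
		// Base64 of "api.telegram.org", cut after the last character that does
		// not depend on padding or on the bytes that follow, so it matches both
		// a standalone encoding and one embedded in a longer string. The
		// previous value "YXBpLnRlbGVncmFtLm9yZwo=" encoded a trailing newline
		// ("api.telegram.org\n") and could not match the bare host.
		$string_base64 = "YXBpLnRlbGVncmFtLm9yZ" ascii wide
		// Hex of "api.telegram.org/"; nocase covers both hex digit cases.
		$string_hex = "6170692E74656C656772616D2E6F72672F" ascii wide nocase
		// "api.telegram.org" written backwards. The previous value
		// "moc.margelet.ipa" reversed to the .com domain, not .org.
		$reversed_str = "gro.margelet.ipa" ascii wide
	condition:
		1 of them
}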
Details Yara rule 1
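// Flags files that reference the Discord web origin in clear text or in a
// Base64, hex or reversed form. No filesize guard and "1 of them" means the
// clear-text URL alone will match a great deal of benign software (clients,
// documentation, browsers); the encoded variants are the useful signal.
// The earlier "reference" meta field only repeated the date and was dropped.
rule Discord_URL_Encodings {
	meta:
		description = "Detects various encoded forms of Discord URLs, indicative of potential malicious activity."
		author = "Andy Giron Datadog"
		date = "12/01/23"
	strings:
		// Clear-text origin.
		$discord_url = "https://discord.com/" ascii wide
		// Base64 of "https://discord.com/", cut after the last character that
		// does not depend on padding or on the bytes that follow. The previous
		// value "aHR0cHM6Ly9kaXNjb3JkLmNvbS8=" carried padding and so only
		// matched when the URL was the final thing encoded.
		$string_base64 = "aHR0cHM6Ly9kaXNjb3JkLmNvbS" ascii wide
		// Hex of "https://discord.com/"; nocase covers both hex digit cases.
		$string_hex = "68747470733a2f2f646973636f72642e636f6d2f" ascii wide nocase
		// "https://discord.com" written backwards.
		$reversed_str = "moc.drocsid//:sptth" ascii wide
	condition:
		1 of them
}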