Weekly Threat Intelligence Report
Date: May 20, 2024
Prepared by: David Brunsdon, Threat Intelligence – Security Engineer, HYAS
This week in the HYAS Insight threat intelligence platform, we found a concerning open directory hosting multiple pieces of malware. This discovery, coupled with historical passive DNS data linking the IP to a domain infamous from previous DNS tunneling campaigns suggests a significant and ongoing threat. Here is what we found:
An open directory located at http://194.37.97[.]162/ is hosting multiple pieces of malware. This IP is associated with M247 Dallas Infrastructure and is located in Grand Prairie, TX. Historical passive DNS data from 2023 links this IP to a claudfront.net domain, known for its involvement in DNS tunneling campaigns. This raises the possibility that the malware is being hosted from a compromised machine.
1. BecauseBranch.exe
MD5: f1152d572e1722ea2568eff98efc161f
Family: Risepro
Command & Control (C2): 37.120.237.196:50500
C2 ISP: M247 LTD Quebec Infrastructure
Activity: Recent C2 activity from April indicates the actor logged in locally to the box using the user agent string resembling a common browser configuration: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36.
2. UncleLt4.exe
Type: Generic Trojan/Backdoor
MD5: 76ffea4f11b3dcd48281600e289ef5e3
C2 Servers: retdirectyourman[.]eu; supfoundrysettlers[.]us; yourserenahelpcustom[.]uk
VirusTotal Analysis: The file shows several detections and details are available on VirusTotal.
The malware being hosted on an open directory indicates a potential compromise of the hosting machine, making it part of a broader infrastructure used by threat actors.
BecauseBranch.exe (Risepro family) is likely being used to establish a persistent foothold in the victim’s system, allowing for remote control and possibly data exfiltration. The local login activity to the C2 box indicates active management by the threat actor, increasing the threat level.
UncleLt4.exe appears to be a generic Trojan/backdoor with multiple C2 servers across various domains, indicating a robust and redundant infrastructure. This enhances its resilience against takedown efforts.
Immediate Actions:
Endpoint Protection:
Network Security:
User Awareness and Training:
Incident Response:
Threat Intelligence Sharing:
Indicators of Compromise (IOCs):
IP Addresses: 194.37.97[.]162, 37.120.237.196
Domains: retdirectyourman[.]eu, supfoundrysettlers[.]us, yourserenahelpcustom[.]uk
MD5 Hashes: f1152d572e1722ea2568eff98efc161f (BecauseBranch.exe), 76ffea4f11b3dcd48281600e289ef5e3 (UncleLt4.exe)
Detection Signatures:
By implementing these strategies and leveraging the provided intelligence, organizations can better defend against and mitigate the impact of these malware threats.
A recent emerging threat is the Risepro malware, identified through an open directory hosting malicious executables. This blog post delves into the specifics of this threat, detailing the indicators of compromise (IOCs), analysis of the malware samples, and strategic insights for cybersecurity professionals.
An open directory located at `http://194.37.97[.]162/`, hosted by M247 Dallas Infrastructure in Grand Prairie, TX, has been identified as a source of malware. This directory contains several malicious files, marking it as a critical point of interest for cybersecurity researchers. The open directory could be used as a source of malicious downloads in a phishing attack, for example.
Interestingly, passive DNS analysis from 2023 revealed an association with the domain `claudfront.net`, previously linked to DNS tunneling campaigns. This connection raises the possibility that the command and control (C2) infrastructure may be operated from compromised machines, further complicating threat attribution and mitigation efforts.
BecauseBranch.exe
MD5 Hash: f1152d572e1722ea2568eff98efc161f
Family: Risepro
C2 Server: 37.120.237.196:50500
C2 ISP: M247 LTD Quebec Infrastructure
Activity:
Recent attribution efforts in April indicate local login activities to the C2 box, suggesting direct involvement of the threat actor. The actor’s user agent string is:
“` Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/123.0.0.0 Safari/537.36
“` This information is crucial for identifying and mitigating the threat within network environments.
UncleLt4.exe
Classification: Generic Trojan/Backdoor
MD5 Hash: 76ffea4f11b3dcd48281600e289ef5e3
C2 Servers: retdirectyourman[.]eu; supfoundrysettlers[.]us; yourserenahelpcustom[.]uk
A comprehensive analysis provides detailed information about this malware, indicating its nature as a backdoor and its ability to establish persistent connections to its C2 servers. This persistence mechanism is a common trait among advanced malware, aiming to maintain control over compromised systems.
BecauseBranch.exe and UncleLt4.exe both exhibit characteristics that highlight the sophistication of modern malware. From their use of multiple C2 servers to the deployment of generic trojan functionalities, these malware samples demonstrate the complexity of threats facing cybersecurity defenses today.
1. Network Monitoring: Implement robust network monitoring solutions to detect unusual traffic patterns and connections to known malicious IP addresses and domains.
2. Endpoint Security: Deploy advanced endpoint security solutions capable of identifying and quarantining malicious executables based on behavioral analysis and known IOCs.
3. Threat Intelligence Sharing: Participate in threat intelligence sharing communities to stay updated on emerging threats and leverage collective knowledge for enhanced defense mechanisms.
4. Regular Audits: Conduct regular security audits and vulnerability assessments to identify and remediate potential entry points for malware.
5. User Education: Educate users on the risks of downloading files from untrusted sources and the importance of following best security practices.
The discovery and analysis of Risepro malware samples like BecauseBranch.exe and UncleLt4.exe underscore the critical need for continuous vigilance and advanced threat detection capabilities. By staying informed about the latest threats and implementing comprehensive security measures, organizations can significantly reduce the risk of compromise and enhance their overall cybersecurity posture.
Read the previous report:
Threat Intel Report – May 6, 2024
Sign up for the free HYAS Insight Intel Feed
Disclaimer: This Threat Intelligence Report is provided “as is” and for informational purposes only. HYAS disclaims all warranties, express or implied, regarding the report’s completeness, accuracy, or reliability. You are solely responsible for exercising your own due diligence when accessing and using this Report’s information. The analyses expressed in this Report reflect our current understanding of available information based on our independent research using the HYAS Insight platform. The Report’s inclusion of any companies, organizations, or ASNs does not imply any wrongdoing on their part; it is simply an indication of where digital threat activities have been observed. HYAS reserves the right to update the Report as additional information is made known to us.
An efficient and expedient investigation is the best way to protect your enterprise. HYAS Insight provides threat and fraud response teams with unparalleled visibility into everything you need to know about the attack.This includes the origin, current infrastructure being used and any infrastructure.
Read how the HYAS Threat Intelligence team uncovered and mitigated a Russian-based cyber attack targeting financial organizations worldwide.
Learn how a solo intelligence analyst can navigate code obfuscation using generative AI. Using Generative AI to Understand How an Obfuscated Script Works
Polymorphic Malware Is No Longer Theoretical: BlackMamba PoC.
Polymporphic, Intelligent and Fully Autonomous Malware: EyeSpy PoC.
Examining Predatory Mercenary Malware
*** This is a Security Bloggers Network syndicated blog from HYAS Blog authored by David Brunsdon. Read the original post at: https://www.hyas.com/blog/hyas-threat-intel-report-may-202024