Pulse Detail — Threat Intelligence

PULSE NAME

VayGren and Mr.Burns: Strong Ties in Finance

WHITE VasyGrek AlienVault 2024-07-10 Modified: 2024-08-09

223

IOCs

HIGH VOLUME

F.A.C.C.T experts analyzed the tools and connections of cybercriminals attacking Russian accountants. An analysis of the infection chain of the VasyGrek attacker, his forum activity and connection with the malware developer Mr.Burns is presented. The history of Mr.Burns, starting in 2010, is given, as well as a description of the current version of the BurnsRAT malware, sold on forums and used in attacks on Russian companies.

MITRE ATT&CK & Malware Families

ATT&CK TECHNIQUES

T1113 T1033 T1036.005 T1204.002 T1573.001 T1543.003 T1497.001 T1566.002 T1566.001 T1574.001 T1082 T1005 T1219 T1555.003 T1217 T1083 T1036.004 T1055.002 T1552.001 T1041 T1547.001 T1574 T1571 T1095 T1518.001 T1059.003 T1070.004 T1027.002 T1071.001 T1105 T1569.002

MALWARE FAMILIES

BurnsRAT PureCrypter PureLogs MetaStealer WarzoneRAT - S0670 Ave Maria RedLine Stealer RMS TeamViewer

Indicators of Compromise (4 / 223 total)

All URL FileHash-MD5 FileHash-SHA1 FileHash-SHA256 domain email hostname

TYPE	INDICATOR	DESCRIPTION	CREATED
hostname	1c.pdf.com	—	2024-07-10
hostname	2024.pdf.com	—	2024-07-10
hostname	doc20032024.pdf.com	—	2024-07-10
hostname	oplata.pdf.com	—	2024-07-10

References (1)

↗ https://www.facct.ru/blog/vasygrek-and-mr-burns/