Pulse Detail — Threat Intelligence

PULSE NAME

Campaign uses infostealers and clippers for financial gain

WHITE AlienVault 2024-08-16 Modified: 2024-09-15

IOCs

HIGH VOLUME

Kaspersky has uncovered a complex malware campaign orchestrated by Russian-speaking cybercriminals. The threat actors create sub-campaigns mimicking legitimate projects, using social media to enhance credibility. They host initial downloaders on Dropbox to deliver infostealers like Danabot and StealC, as well as clippers. In addition to distributing malware, the campaigns trick victims into providing credentials and linking cryptocurrency wallets to drain funds. The analysis covers three active sub-campaigns involving multistage malware, process injection, and various evasion techniques.

MITRE ATT&CK & Malware Families

ATT&CK TECHNIQUES

T1592 T1564 T1106 T1140 T1195 T1055 T1218 T1179 T1059 T1497 T1204 T1554 T1559 T1573 T1134 T1105

MALWARE FAMILIES

Danabot StealC

Indicators of Compromise (53)

All BitcoinAddress URL domain hostname FileHash-MD5 FileHash-SHA1 FileHash-SHA256

TYPE	INDICATOR	DESCRIPTION	CREATED
BitcoinAddress	1DSWHiAW1iSFYVb86WQQUPn57iQ6W1DjGo	—	2024-08-16
BitcoinAddress	bc1qqkvgqtpwq6g59xgwr2sccvmudejfxwyl8g9xg0	—	2024-08-16
URL	https://tydime.io/api.php'	—	2024-08-16
domain	1h343lkxf4pikjd.dad	—	2024-08-16
domain	astrosounsports.shop	—	2024-08-16
domain	batverssaports.shop	—	2024-08-16
domain	dintrinnssports.shop	—	2024-08-16
domain	dustfightergame.com	—	2024-08-16
domain	edvhukkkmvgcct.shop	—	2024-08-16
domain	gurunsmilrsports.shop	—	2024-08-16
domain	izxxd.top	—	2024-08-16
domain	partyroyale.fun	—	2024-08-16
domain	partyroyale.games	—	2024-08-16
domain	partyroyaleplay.com	—	2024-08-16
domain	partyroyaleplay.io	—	2024-08-16
domain	peerme.io	—	2024-08-16
domain	refvhnhkkolmjbg.shop	—	2024-08-16
domain	runeonlineworld.io	—	2024-08-16
domain	sinergijiasport.shop	—	2024-08-16
domain	supme.io	—	2024-08-16
domain	tidyme.io	—	2024-08-16
domain	tidymeapp.io	—	2024-08-16
domain	tydime.io	—	2024-08-16
domain	vinrevildsports.shop	—	2024-08-16
domain	voico.io	—	2024-08-16
domain	wuwelej.top	—	2024-08-16
domain	yous.ai	—	2024-08-16
hostname	dc-mx.bf442731a463.tidyme.io	—	2024-08-16
FileHash-MD5	51708c7bc2614f3fa98614c49ea17c34	MD5 of bafa7dbe2a5df97c8574824abd2ae78ffa0991f916e72debc9fc65e593ec2ee8	2024-08-16
FileHash-MD5	53389c573687c3162b8f75dd73168c08	MD5 of 142b8d0080db24246615059e4badf439f68c2b219c68c7ac7f4d2fc81f5bb9c2	2024-08-16
FileHash-SHA1	19d399bd72ad9dfb80cc4952e025c448849533ab	SHA1 of 142b8d0080db24246615059e4badf439f68c2b219c68c7ac7f4d2fc81f5bb9c2	2024-08-16
FileHash-SHA1	3e0c1d1408d817a64a219b2c52b39f50dc3e8f7a	SHA1 of bafa7dbe2a5df97c8574824abd2ae78ffa0991f916e72debc9fc65e593ec2ee8	2024-08-16
FileHash-SHA256	0d877b9163241e6d2df2779d54b9eda8abc909f022f5f74f084203134d5866e2	—	2024-08-16
FileHash-SHA256	142b8d0080db24246615059e4badf439f68c2b219c68c7ac7f4d2fc81f5bb9c2	—	2024-08-16
FileHash-SHA256	1f3aa94fb9279137db157fc529a8b7e6067cbd1fe3eb13c6249f7c8b4562958a	—	2024-08-16
FileHash-SHA256	3e80405991c6fc66f90435472210e1479b646ead3a92bd3f28fba3dd9d640266	—	2024-08-16
FileHash-SHA256	523d4eb71af86090d2d8a6766315a027fdec842041d668971bfbbbd1fe826722	—	2024-08-16
FileHash-SHA256	5535bf554c8314b500fb9f00d5bdea0ade884cb7c74536bdaafa501361232e73	—	2024-08-16
FileHash-SHA256	592052016d9621eb369038007ab13b19632b7353fafb65bd39268796d5237c8c	—	2024-08-16
FileHash-SHA256	5e31073312aa132a5c138e3c978ee1f3802a786c23cdf3965bee0d556b360932	—	2024-08-16
FileHash-SHA256	609129a9188ca3d16832594d44d746d7434e67a99c6dd20c1785aface9ed117d	—	2024-08-16
FileHash-SHA256	6b30a6026b7cc60a3cce4db9ae2461af86c3a0ec81d29c3397cfad69b7878754	—	2024-08-16
FileHash-SHA256	6cc3e6b74d2018ce3d86e6e9df2846a14cc980e8f95779b3ce4e83bb1ccd72bd	—	2024-08-16
FileHash-SHA256	7587be1d73dd90015c6200921d320ff0edcec19d7465b64d8ab8d12767c0f328	—	2024-08-16
FileHash-SHA256	7b94558257ff060e0b30d08b3f51b0df6a46458fd5a726f41a48ec5f5675dd8b	—	2024-08-16
FileHash-SHA256	7fbc872542b61d592eff2aa402d9310dafdb01f550226588e2d95050bac434fc	—	2024-08-16
FileHash-SHA256	8265d6a8eb6c308a7b41cf60ba12f4a7e4616f6acf2736ee42aadcff336659e3	—	2024-08-16
FileHash-SHA256	b4b929362fb797f99f00b3e94b4bed796ae664a31a4dc5f507672687ad44322e	—	2024-08-16
FileHash-SHA256	bafa7dbe2a5df97c8574824abd2ae78ffa0991f916e72debc9fc65e593ec2ee8	—	2024-08-16
FileHash-SHA256	d69a93df6cab86b34c970896181bb1b618317e29ca8b5586364256a1d02b7cca	—	2024-08-16
FileHash-SHA256	db4328dfbf5180273f144858b90cb71c6d4706478cac65408a9d9df372a08fc3	—	2024-08-16
FileHash-SHA256	f586b421f10b042b77f021463934cfeda13c00705987f4f4c20b91b5d76d476c	—	2024-08-16
FileHash-SHA256	f71bb213ae7abe03e416c650185971c8470c9ab5670e1b2c516d903bc783715b	—	2024-08-16

References (1)

↗ https://securelist.com/tusk-infostealers-campaign/113367/