Pulse Detail — Threat Intelligence

PULSE NAME

Threat Tracking: Analysis of Lilith RAT ported to AutoIt Script

WHITE puNK-003 AlienVault 2024-08-23 Modified: 2024-09-22

IOCs

MEDIUM VOLUME

In April 2024, S2W's Threat Research and Intelligence Center TALON analyzed a malicious LNK file disguised as a list of tax evasion explanatory documents. The LNK file executed a PowerShell command to download and run an AutoIt script-based Lilith RAT malware from an attacker's server, which establishes a reverse shell on the infected system. Similarities between this campaign and KONNI group's tactics, such as command obfuscation and the use of AutoIt-ported malware, suggest the threat actor behind this attack could be linked to KONNI.

MITRE ATT&CK & Malware Families

ATT&CK TECHNIQUES

T1053.005 T1539 T1204.002 T1555.003 T1041 T1059.001 T1547.001 T1571 T1518.001 T1564.003 T1059.003 T1105 T1564.001

MALWARE FAMILIES

Lilith RAT

Indicators of Compromise (46)

All FileHash-MD5 FileHash-SHA1 FileHash-SHA256 URL domain hostname

TYPE	INDICATOR	DESCRIPTION	CREATED
FileHash-MD5	19dc387bffdc0a22f640bd38af320db4	—	2024-08-23
FileHash-MD5	3334d2605c0df26536058f73a43cb074	—	2024-08-23
FileHash-MD5	3c81dc763a4f003ba6e33cd5b63068cd	—	2024-08-23
FileHash-MD5	4f865db4192afb5bbcdeb2e899ca97a4	—	2024-08-23
FileHash-MD5	5613ba2032bc1528991b583e17bad59a	—	2024-08-23
FileHash-MD5	6d6433c328f6cdce4a80efce3a29ea3e	—	2024-08-23
FileHash-MD5	6f5e4b45ca0d8c1128d27a15421eea38	—	2024-08-23
FileHash-MD5	7bb236041b91d4cd4fa129267cf109c3	—	2024-08-23
FileHash-MD5	9d6c79c0b395cceb83662aa3f7ed0123	—	2024-08-23
FileHash-MD5	a0483db3725f8a50078daee7fd10f9bb	—	2024-08-23
FileHash-MD5	c56b5f0201a3b3de53e561fe76912bfd	—	2024-08-23
FileHash-MD5	d357fc478765a22f403c699a812f29bd	—	2024-08-23
FileHash-MD5	d5809e5f848f228634aa45ffe4a5ece0	—	2024-08-23
FileHash-SHA1	1a8d8aa268d0475408f8a10c96d4cfee5e122011	—	2024-08-23
FileHash-SHA1	2a4062e10a5de813f5688221dbeb3f3ff33eb417	—	2024-08-23
FileHash-SHA1	5ca50ceacfb31cbb04d6820e4021d911fcd8a60b	—	2024-08-23
FileHash-SHA256	0329bb5b3a450b0a8f148a57e045bf6ed40eb49a62e026bd71b021a2efc40aed	—	2024-08-23
FileHash-SHA256	2189aa5be8a01bc29a314c3c3803c2b8131f49a84527c6b0a710b50df661575e	—	2024-08-23
FileHash-SHA256	237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d	—	2024-08-23
FileHash-SHA256	5bcfb56c4c884e3657bbfeacca37853113d640b77dff9af519c08c4b64ca029d	—	2024-08-23
FileHash-SHA256	5ea09247ad85915a8d1066d1825061cc8348e14c4e060e1eba840d5e56ab3e4d	—	2024-08-23
FileHash-SHA256	778e46f8f3641a92d34da68dffc168fdc936841c5ad3d8b44da62a7b2dfe2ee1	—	2024-08-23
FileHash-SHA256	77d05cc623f860ca2e6d47cdafc517aa0612de88291de7f2a3d95c5d04f1658a	—	2024-08-23
FileHash-SHA256	7c08b9178c05ab765a3d7754ac99f4ba1abddb226dbb6cc898bc692bba1898a1	—	2024-08-23
FileHash-SHA256	808425bc599cd60989c90978d179af1d4c72dd7abfe5e0518aca44b48af15725	—	2024-08-23
FileHash-SHA256	9e1a3653029b5378736ea1debba44cd81988de73b6d8689f9eba792e719da79a	—	2024-08-23
FileHash-SHA256	ba59f1ece68fa051400fd46467b0dc0a5294b8644c107646e75d225a45fff015	—	2024-08-23
FileHash-SHA256	c2cc785857c64fa1f8fbb2e359a2638f187cd77cd29ca6701e38d750e822faa4	—	2024-08-23
FileHash-SHA256	e63082cf4db94f06d583a6313e48353366b44ce07b7ffceacc5bc4db88bd8810	—	2024-08-23
URL	http://185.231.154.22:52720	—	2024-08-23
URL	http://62.113.118.157:57860	—	2024-08-23
URL	http://93.183.93.185:57860	—	2024-08-23
domain	bgfile.com	—	2024-08-23
domain	downwarding.com	—	2024-08-23
domain	jethropc.com	—	2024-08-23
domain	mq734121.info	—	2024-08-23
domain	oryzanine.com	—	2024-08-23
domain	phasechangesolutions.com	—	2024-08-23
domain	radionaranjalstereo.com	—	2024-08-23
domain	serviceset.net	—	2024-08-23
domain	sibbss.com	—	2024-08-23
domain	storkse.com	—	2024-08-23
domain	ttzcloud.com	—	2024-08-23
domain	werxtracts.com	—	2024-08-23
hostname	file.drive002.com	—	2024-08-23
hostname	www.cammirando.com	—	2024-08-23

References (1)

↗ https://medium.com/s2wblog/threat-tracking-analysis-of-punk-003s-lilith-rat-ported-to-autoit-script-30dd59e68213