HYAS Blog

HYAS Threat Intel Report May 20 2024

Written by David Brunsdon | May 20, 2024

Weekly Threat Intelligence Report

Date: May 20, 2024

Prepared by: David Brunsdon, Threat Intelligence - Security Engineer, HYAS

Cyber Threat Intelligence Analysis

This week in the HYAS Insight threat intelligence platform, we found a concerning open directory hosting multiple pieces of malware. This discovery, coupled with historical passive DNS data linking the IP to a domain infamous from previous DNS tunneling campaigns suggests a significant and ongoing threat. Here is what we found:

Overview

An open directory located at http://194.37.97[.]162/ is hosting multiple pieces of malware. This IP is associated with M247 Dallas Infrastructure and is located in Grand Prairie, TX. Historical passive DNS data from 2023 links this IP to a claudfront.net domain, known for its involvement in DNS tunneling campaigns. This raises the possibility that the malware is being hosted from a compromised machine.

Malware Analysis

1. BecauseBranch.exe
MD5: f1152d572e1722ea2568eff98efc161f
Family: Risepro
Command & Control (C2): 37.120.237.196:50500
C2 ISP: M247 LTD Quebec Infrastructure
Activity: Recent C2 activity from April indicates the actor logged in locally to the box using the user agent string resembling a common browser configuration: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36.

2. UncleLt4.exe
Type: Generic Trojan/Backdoor
MD5: 76ffea4f11b3dcd48281600e289ef5e3
C2 Servers: retdirectyourman[.]eu; supfoundrysettlers[.]us; yourserenahelpcustom[.]uk
VirusTotal Analysis: The file shows several detections and details are available on VirusTotal.

Analysis

The malware being hosted on an open directory indicates a potential compromise of the hosting machine, making it part of a broader infrastructure used by threat actors.

BecauseBranch.exe (Risepro family) is likely being used to establish a persistent foothold in the victim's system, allowing for remote control and possibly data exfiltration. The local login activity to the C2 box indicates active management by the threat actor, increasing the threat level.

UncleLt4.exe appears to be a generic Trojan/backdoor with multiple C2 servers across various domains, indicating a robust and redundant infrastructure. This enhances its resilience against takedown efforts.

Mitigation Strategies

Immediate Actions:

  • Block access to the open directory IP (194.37.97[.]162) and associated C2 servers (37.120.237.196, retdirectyourman[.]eu, supfoundrysettlers[.]us, yourserenahelpcustom[.]uk) at the network perimeter.
  • Perform a comprehensive scan of the network to identify and isolate infected systems.

 

Endpoint Protection:

  • Ensure all endpoints have up-to-date antivirus and anti-malware solutions capable of detecting and mitigating Risepro family malware and generic Trojans.
  • Implement behavioral analysis tools to detect unusual login patterns and process executions.

 

Network Security:

  • Deploy Intrusion Detection and Prevention Systems (IDPS) to monitor for suspicious network activity, particularly DNS tunneling.
  • Utilize DNS filtering services to block access to malicious domains.

 

User Awareness and Training:

  • Educate users on the dangers of downloading and executing unknown files.
  • Provide training on recognizing phishing attempts and suspicious network activities.

 

Incident Response:

  • Develop and refine an incident response plan to handle malware infections and C2 communications swiftly.
  • Conduct regular drills to ensure readiness in mitigating similar threats.

 

Threat Intelligence Sharing:

  • Share indicators of compromise (IOCs) with relevant information sharing and analysis centers (ISACs) and industry peers.
  • Stay updated with threat intelligence feeds to monitor for emerging threats.

 

Actionable Intelligence

Indicators of Compromise (IOCs):
IP Addresses: 194.37.97[.]162, 37.120.237.196
Domains: retdirectyourman[.]eu, supfoundrysettlers[.]us, yourserenahelpcustom[.]uk
MD5 Hashes: f1152d572e1722ea2568eff98efc161f (BecauseBranch.exe), 76ffea4f11b3dcd48281600e289ef5e3 (UncleLt4.exe)

Detection Signatures:

  • Monitor for user agent strings matching: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
  • Look for network traffic directed to the aforementioned IPs and domains.

 

By implementing these strategies and leveraging the provided intelligence, organizations can better defend against and mitigate the impact of these malware threats.

Risepro Malware: A Deep Dive into Recent Discoveries

A recent emerging threat is the Risepro malware, identified through an open directory hosting malicious executables. This blog post delves into the specifics of this threat, detailing the indicators of compromise (IOCs), analysis of the malware samples, and strategic insights for cybersecurity professionals.

Open Directory Discovery

An open directory located at `http://194.37.97[.]162/`, hosted by M247 Dallas Infrastructure in Grand Prairie, TX, has been identified as a source of malware. This directory contains several malicious files, marking it as a critical point of interest for cybersecurity researchers. The open directory could be used as a source of malicious downloads in a phishing attack, for example.

Interestingly, passive DNS analysis from 2023 revealed an association with the domain `claudfront.net`, previously linked to DNS tunneling campaigns. This connection raises the possibility that the command and control (C2) infrastructure may be operated from compromised machines, further complicating threat attribution and mitigation efforts.

 

Malware Samples and Analysis

BecauseBranch.exe
MD5 Hash: f1152d572e1722ea2568eff98efc161f
Family: Risepro
C2 Server: 37.120.237.196:50500
C2 ISP: M247 LTD Quebec Infrastructure

Activity:
Recent attribution efforts in April indicate local login activities to the C2 box, suggesting direct involvement of the threat actor. The actor's user agent string is:

``` Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/123.0.0.0 Safari/537.36

``` This information is crucial for identifying and mitigating the threat within network environments.

UncleLt4.exe
Classification: Generic Trojan/Backdoor
MD5 Hash: 76ffea4f11b3dcd48281600e289ef5e3
C2 Servers: retdirectyourman[.]eu; supfoundrysettlers[.]us; yourserenahelpcustom[.]uk

A comprehensive analysis provides detailed information about this malware, indicating its nature as a backdoor and its ability to establish persistent connections to its C2 servers. This persistence mechanism is a common trait among advanced malware, aiming to maintain control over compromised systems.

Technical Analysis and Indicators of Compromise

BecauseBranch.exe and UncleLt4.exe both exhibit characteristics that highlight the sophistication of modern malware. From their use of multiple C2 servers to the deployment of generic trojan functionalities, these malware samples demonstrate the complexity of threats facing cybersecurity defenses today.

Strategic Insights and Recommendations

1. Network Monitoring: Implement robust network monitoring solutions to detect unusual traffic patterns and connections to known malicious IP addresses and domains.

2. Endpoint Security: Deploy advanced endpoint security solutions capable of identifying and quarantining malicious executables based on behavioral analysis and known IOCs.

3. Threat Intelligence Sharing: Participate in threat intelligence sharing communities to stay updated on emerging threats and leverage collective knowledge for enhanced defense mechanisms.

4. Regular Audits: Conduct regular security audits and vulnerability assessments to identify and remediate potential entry points for malware.

5. User Education: Educate users on the risks of downloading files from untrusted sources and the importance of following best security practices.

Conclusion

The discovery and analysis of Risepro malware samples like BecauseBranch.exe and UncleLt4.exe underscore the critical need for continuous vigilance and advanced threat detection capabilities. By staying informed about the latest threats and implementing comprehensive security measures, organizations can significantly reduce the risk of compromise and enhance their overall cybersecurity posture.

Read the previous report:
Threat Intel Report - May 6, 2024

Sign up for the free HYAS Insight Intel Feed

Disclaimer: This Threat Intelligence Report is provided “as is” and for informational purposes only. HYAS disclaims all warranties, express or implied, regarding the report’s completeness, accuracy, or reliability. You are solely responsible for exercising your own due diligence when accessing and using this Report's information. The analyses expressed in this Report reflect our current understanding of available information based on our independent research using the HYAS Insight platform. The Report’s inclusion of any companies, organizations, or ASNs does not imply any wrongdoing on their part; it is simply an indication of where digital threat activities have been observed. HYAS reserves the right to update the Report as additional information is made known to us.

Learn More About HYAS Insight

An efficient and expedient investigation is the best way to protect your enterprise. HYAS Insight provides threat and fraud response teams with unparalleled visibility into everything you need to know about the attack.This includes the origin, current infrastructure being used and any infrastructure.

Read how the HYAS Threat Intelligence team uncovered and mitigated a Russian-based cyber attack targeting financial organizations worldwide.

Learn how a solo intelligence analyst can navigate code obfuscation using generative AI. Using Generative AI to Understand How an Obfuscated Script Works

More from HYAS Labs

Polymorphic Malware Is No Longer Theoretical: BlackMamba PoC.

Polymporphic, Intelligent and Fully Autonomous Malware: EyeSpy PoC.

Examining Predatory Mercenary Malware