Weekly Threat Intelligence Report
Date: June 3, 2024
Prepared by: David Brunsdon, Threat Intelligence - Security Engineer, HYAS
HYAS Threat Intelligence is currently tracking an active Remcos remote access trojan campaign that began on May 14, 2024, and is operated out of Maiduguri, Nigeria. Recent malware detonations have shown Remcos C2 communication with two domains, taker202.ddns[.]net (port 3017) and taker202.duckdns[.]org (port 5033). Both domains resolve to IP addresses in Lithuania and are hosted on the ISP “Silent Connection Ltd”.
Using telemetry within the HYAS Insight threat intelligence platform, we were able to locate the threat actor's global position within minutes of one of the domains being established. Domain registration data and GPS data were correlated to identify the location of the device in Maiduguri, Nigeria.
Threat Actor Geolocation (2024/05/14 20:10:28 UTC)
Latitude 11.839646, Longitude 13.136012
Network communication to the domains should be prevented. Communication with the domains has automatically been prevented in HYAS Protect protective DNS.
This illustrates how a particular threat actor from Nigeria is establishing malicious infrastructure on servers at a Lithuanian ISP. Combined with additional data this could be used for more specific actor attribution. It’s not currently understood who the target of the campaign is.
Remcos, short for "Remote Control and Surveillance," is a type of malware that functions as a Remote Access Trojan (RAT). It is designed to give attackers complete control over an infected system, allowing them to perform a wide range of malicious activities.
Remcos is a commercially available application for remotely controlling Windows computers. When used covertly, it operates as a fully functional remote access trojan, able to log keystrokes, exfiltrate data, passwords and screenshots, and monitor cameras.
Malware IOCs (MD5)
Domains
taker202.ddns[.]net
taker202.duckdns[.]org
Actor IP
102.91.93.216
Actor Email
companybackup001@gmail[.]com
The threat actor’s use of dynamic DNS services (DDNS and DuckDNS) for Command and Control (C2) communications, combined with hosting on a Lithuanian ISP, underscores the complexity and global nature of modern cyber threats. This infrastructure setup not only obfuscates the true origin of the attack but also leverages international resources to evade localized law enforcement. This tactic is increasingly common, as threat actors exploit the decentralized nature of the internet to distribute their operations, making detection and takedown efforts more challenging. The use of DDNS allows for rapid changes in IP addresses, complicating traditional IP-based blocking and tracking methods.
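As an added illustration (not HYAS code, and not the HYAS Insight or HYAS Protect API), the check below matches DNS-query and connection logs against the two C2 domains and ports named in this report. DNS matches key on the hostname rather than the resolved IP, which is the point of the dynamic DNS observation above; the simplified log format, the workstation names and the resolved IP 198.51.100.23 are constructed for the example.

```python
"""Match DNS and connection logs against the Remcos C2 indicators in this report.
Added example; the log format below is constructed, not a real product's format."""
import re

# Indicators exactly as published in the report (defanged), with their C2 ports.
DEFANGED_C2 = {"taker202.ddns[.]net": 3017, "taker202.duckdns[.]org": 5033}

def refang(indicator: str) -> str:
    """Turn a defanged indicator ('[.]') back into a matchable hostname."""
    return indicator.replace("[.]", ".").lower()

C2_PORTS = {refang(d): p for d, p in DEFANGED_C2.items()}

# Constructed log format: "<timestamp> <host> dns <queried-name>"
#                      or "<timestamp> <host> conn <dest-ip> <dest-port>"
LOG_RE = re.compile(r"^(\S+) (\S+) (dns|conn) (\S+)(?: (\d+))?$")

def parse_line(line: str):
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, host, kind, value, port = m.groups()
    return {"ts": ts, "host": host, "kind": kind,
            "value": value.lower().rstrip("."), "port": int(port) if port else None}

def match_c2(records, resolved=None):
    """Return (ts, host, kind, c2_hostname) alerts.
    DNS alerts never depend on the resolved IP: with dynamic DNS the address can
    change between queries, so the hostname is the stable indicator.
    `resolved` maps a C2 hostname to the IPs observed resolving for it, so that
    direct connections to such an IP on the reported C2 port are flagged too."""
    ip_to_c2 = {ip: h for h, ips in (resolved or {}).items() for ip in ips}
    alerts = []
    for r in records:
        if r["kind"] == "dns" and r["value"] in C2_PORTS:
            alerts.append((r["ts"], r["host"], "dns", r["value"]))
        elif r["kind"] == "conn" and r["value"] in ip_to_c2:
            c2 = ip_to_c2[r["value"]]
            if r["port"] == C2_PORTS[c2]:   # only the port the report ties to this C2
                alerts.append((r["ts"], r["host"], "conn", c2))
    return alerts

def scan(log_text: str, resolved=None):
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    return match_c2(records, resolved)

# Constructed sample logs; 198.51.100.23 is a documentation address standing in
# for whatever taker202.ddns.net resolved to at query time.
SAMPLE_LOGS = """\
2024-05-15T10:00:01Z ws-17 dns taker202.ddns.net
2024-05-15T10:00:02Z ws-17 conn 198.51.100.23 3017
2024-05-15T10:00:05Z ws-04 dns update.example.com
2024-05-15T10:01:00Z ws-17 conn 198.51.100.23 443
2024-05-16T08:12:40Z ws-22 dns TAKER202.DUCKDNS.ORG.
"""
SAMPLE_RESOLVED = {"taker202.ddns.net": {"198.51.100.23"}}
```

Running `scan(SAMPLE_LOGS, SAMPLE_RESOLVED)` flags both DNS lookups (case and trailing dot normalised) and the port-3017 connection, but not the port-443 connection to the same address or the unrelated lookup.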
The ability to correlate domain registration and GPS data in near real time significantly enhances the capacity for quick response and mitigation. This capability is pivotal in the cybersecurity landscape, where speed and accuracy in threat detection can mean the difference between containment and a full-blown breach. The integration of various data sources provides a more comprehensive view of threat activities, enabling security teams to act swiftly and decisively. This real-time tracking is crucial not only for immediate incident response but also for longer-term threat intelligence and strategic defense planning.
While the specific targets of the campaign remain unidentified, the detailed actor information, including email and IP addresses, provides a solid foundation for further investigation. This data could be cross-referenced with known threat actor profiles and historical attack patterns to potentially identify the individual or group behind the campaign. Enhanced attribution capabilities allow organizations to better understand the motivations and tactics of their adversaries, leading to more effective defensive measures. By building a comprehensive profile of the threat actor, cybersecurity teams can anticipate future attacks and tailor their defenses accordingly.
Disclaimer: This Threat Intelligence Report is provided “as is” and for informational purposes only. HYAS disclaims all warranties, express or implied, regarding the report’s completeness, accuracy, or reliability. You are solely responsible for exercising your own due diligence when accessing and using this Report's information. The analyses expressed in this Report reflect our current understanding of available information based on our independent research using the HYAS Insight platform. The Report’s inclusion of any companies, organizations, or ASNs does not imply any wrongdoing on their part; it is simply an indication of where digital threat activities have been observed. HYAS reserves the right to update the Report as additional information is made known to us.