2/27/2022

Clipper malware is designed to steal cryptocurrency from victims by replacing wallet addresses in the victim's clipboard with wallet addresses that belong to the attacker. This stealthy technique is designed to silently trick the victim when making what appears to be a legitimate cryptocurrency transaction, which results in the attacker becoming the new recipient of that transaction. Although clipper malware isn't necessarily a new threat, there have been limited public reports focused on clipper malware found in mobile applications.

This report includes analysis of a recently discovered clipper malware targeting Windows, through which it delivers the Supreme botnet mining client and the Poullight information stealer. .NET and has 28 out of 72 detections in VirusTotal at the time of writing.

When the downloader first starts it retrieves the system time, gets the user's temp folder location, and then makes an outbound HTTP GET request to the domain downloadbtchitme. At the time of analysis this domain was found to originate from an IP address in Moscow. As the HTTP request made was an unauthenticated request over port 80, a quick look at the source sub-domain revealed the following open directory listing hosting several malicious files.

Figure 1: Malicious files hosted in an open directory listing

As this sub-domain was open and accessible, a further lookup of the root domain revealed the following builder page shown below. Note that there are references to "NetHitBot" and "BTCHit". This includes instructions for contacting the bot operator via Telegram, and selecting additional functions, in order to build and download the client component.

During the investigation a new domain with the same builder page was brought online using the domain name dvirossmabitru, which at the time of writing points to an IP address located in Hesse, Germany. This domain was registered on 26 June 2020. This coincides with the dropper PE file's compilation date of 27 June 2020, which suggests that the malware, as well as the infrastructure to support it, has been built very recently.
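As an added, defender-side illustration (not code from the original report), the heuristic below flags the clipboard swap described above when run over a series of clipboard snapshots: a wallet address that turns into a different address of the same kind within about a second is far more consistent with a polling clipper than with a person copying twice. The event stream, the address strings (made-up, valid-shape only) and the one-second window are constructed assumptions; feeding it live data would need a platform clipboard reader, which is left out.

```python
import re
from dataclasses import dataclass

# Address-shape patterns. BTC: base58 legacy/P2SH (leading 1 or 3, no 0/O/I/l)
# or bech32 (bc1, charset without 1/b/i/o). ETH: 0x plus 40 hex digits.
ADDRESS_PATTERNS = {
    "btc": re.compile(r"^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[ac-hj-np-z02-9]{25,87})$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}

def classify(text):
    """Return the address kind ('btc', 'eth') the text looks like, else None."""
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text.strip()):
            return kind
    return None

@dataclass
class ClipboardEvent:
    ts: float   # seconds since the monitor started (constructed timeline)
    text: str   # clipboard contents observed at that time

def detect_swaps(events, window=1.0):
    """Flag a wallet address that becomes a *different* address of the same
    kind within `window` seconds. A clipper polls and rewrites the clipboard
    almost instantly; a user rarely copies two addresses that close together."""
    alerts = []
    for prev, cur in zip(events, events[1:]):
        kind = classify(prev.text)
        if (kind and classify(cur.text) == kind
                and cur.text.strip() != prev.text.strip()
                and cur.ts - prev.ts <= window):
            alerts.append({"kind": kind, "original": prev.text.strip(),
                           "replacement": cur.text.strip(),
                           "delay_s": round(cur.ts - prev.ts, 3)})
    return alerts

# Constructed sample stream: the addresses are invented strings of valid shape,
# not real wallets. The second event models a clipper rewriting the clipboard.
SAMPLE_EVENTS = [
    ClipboardEvent(10.0, "1ConstructedSampAddr" + "A" * 14),  # user copies payee address
    ClipboardEvent(10.3, "3AttackerSampAddr" + "B" * 17),     # 300 ms later: different BTC address
    ClipboardEvent(40.0, "0x" + "ab" * 20),                   # user copies an ETH address
    ClipboardEvent(55.0, "0x" + "cd" * 20),                   # 15 s later: plausibly deliberate
    ClipboardEvent(60.0, "meeting notes"),                    # not an address at all
]

if __name__ == "__main__":
    for a in detect_swaps(SAMPLE_EVENTS):
        print(f"possible clipper: {a['kind']} {a['original']} -> {a['replacement']} after {a['delay_s']}s")
```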