Fake Zoom Ends in BlackSuit Ransomware

Key Takeaways The threat actor gained initial access by a fake Zoom installer that used d3f@ckloader and IDAT loader to drop SectopRAT. After nine days of dwell time, the SectopRAT malware dropped …

The DFIR Report
There's Something About CryptBot: Yet Another Silly Stealer (YASS)

Recently Intezer was investigating a file that we came across during alert triage. This particular file piqued our interest due to the interesting delivery chain, and the even more interesting payload, an intricate infostealer. Intezer has amazing code genetic analysis technology, showing us overlaps of code reuse between different files, malicious or not. We noticed […]

Intezer
Stories from the SOC Part 2: MSIX Installer Utilizes Telegram Bot to Execute IDAT Loader | Rapid7 Blog

In part one of our blog series, we discussed how a Rust based application was used to download and execute the IDAT Loader. In part two of this series, we will be providing analysis of how an MSIX installer led to the download and execution of the IDAT Loader.

Rapid7

In the part two blog, Rapid7 provides a technical analysis of the typosquatted malvertising, PowerShell scripts, RAR contents, and the IDAT Loader. IOCs provided. 🔗 https://www.rapid7.com/blog/post/2024/04/10/stories-from-the-soc-part-2-msix-installer-utilizes-telegram-bot-to-execute-idat-loader/

#threatintel #IDATLoader #BruteRatel #malvertising #IOC


Rapid7 published a blog post (first of a two-part blog series) on a case study of IDAT Loader malware being distributed via a FakeUpdates campaign. The final payload is a Brute Ratel C4 badger. Rapid7 describes the attack chain, provides a technical analysis of the IDAT Loader, and provides IOCs, MITRE ATT&CK TTPs and known sandbox usernames and analysis tools. 🔗 https://www.rapid7.com/blog/post/2024/03/28/stories-from-the-soc-part-1-idat-loader-to-bruteratel/

#threatintel #IDATLoader #BruteRatel #badger #IOC

Stories from the SoC Part 1: IDAT Loader to BruteRatel | Rapid7 Blog

Rapid7’s Managed Detection and Response (MDR) team continuously monitors our customers' environments, identifying emerging threats and developing new detections.

Rapid7