SparkRAT ➡️ ChromeSetup.msi ➡️ FUD 🔥

msftconnecttest .xyz ⤵️
Creation Date: 2024-12-02 ⤵️
After more than a year, this domain still has a detection rate of 1/93 🤯

Pointing to ⤵️
154.31.222.217:443 ➡️ DControl

Chinese? 🇨🇳
lang="zh-cn"

Malware sample:
https://bazaar.abuse.ch/sample/91a2945d99ee794a0461427a14ca731187b8143b847b85993ea7d5367c2c1c0c/

Proofpoint recently identified a fake RMM (Remote Monitoring and Management Tool) called #TrustConnect and #DocConnect🔎💻 Pivoting the threat in our collection reveals that the threat actors spread the same malware under additional names, including:

➡️SoftConnect
➡️HardConnect
➡️AxisControl

It also seems that the threat actor was previously playing around with the legitimate RMM #ScreenConnect (aka ConnectWise) before switching to their own fake RMM 🛠️

What also stands out: the majority of the botnet C2s were hosted at Contabo GmbH 🇩🇪

We track the threat on our platforms as #FakeRMM ⤵️

IOCs on ThreatFox:
🦊 https://threatfox.abuse.ch/browse/tag/FakeRMM/

Malware samples:
📄 https://bazaar.abuse.ch/browse/tag/FakeRMM/

Rogue #ScreenConnect RMM 🕵️‍♂️

Botnet C2:
📡 no.windowupdateservice .com
📡 relay.windowupdateservice .com
📡 193.26.115.51:8041

Payload delivery URL:
🌐 https://urlhaus.abuse.ch/url/3782937/

Malware sample 📄:
https://bazaar.abuse.ch/sample/77dc5435a2572a8d608e6285da887fd9aa3b16f8a9ea8c0520908990ae44015c/

More ScreenConnect RMM IOCs ⤵️
https://threatfox.abuse.ch/browse/tag/ScreenConnect/

URLhaus | http://193.26.115.51:8040/bin/support.client.exe?i=&e=Support&y=Guest&r=

.ru serious? 🇷🇺 ccTLD .ru had an unbelievable +3741% ⏫ in #botnet C&C domains, placing it #1 for the most abused ccTLD in the latter half of 2025. This activity can be attributed almost entirely to #clearfake, a malicious JavaScript framework.

Learn more in the Botnet Threat Update Jul - Dec 2025 ⤵️ ⤵️
https://www.spamhaus.org/resource-hub/botnet-c-c/botnet-threat-update-july-to-december-2025/

#ccTLD #BotnetCC #ThreatIntel

Yet another RAT in town: RemoteX 🖥️

🪲 Dropped by Amadey
📃 Written in Golang
💻 Uses HKCU\...\CurrentVersion\Run\RemoteX for persistence (lame 🚽)
🌐 Uses WebSocket for C2 communication
🕵️‍♂️ Unauthenticated RAT admin panel 🤡

Botnet C2:
📡 109.107.168.147:80 (Partner Hosting LTD 🇬🇧)

Malware sample ⤵️
https://bazaar.abuse.ch/sample/d631655ad3ef9e7c854c86ae399a9c830bef784c6a51468d192f65a79bbb7c8b/

Xillen Stealer 🎣, heavily dropped by Amadey 🔥

Botnet C2:
https://goldenring[.]live/api/logs/check

"Invisible. Undetectedable. Unstopable." 🤡

👉 https://github.com/BengaminButton/XillenStealer

Samples ⤵️
https://bazaar.abuse.ch/browse/signature/XillenStealer/

Additional IOCs on ThreatFox 🦊
https://threatfox.abuse.ch/browse/tag/XillenStealer/

Brazilian banker 🇧🇷

GHOST panel 🧐

007consultoriafinanceira .net ➡️ GoDaddy 🇺🇸
83.229.17.124:80 ➡️ Clouvider 🇺🇸

Payload delivery URL 🌐:
https://urlhaus.abuse.ch/url/3759148/

Malware sample (MSI) ⚙️:
https://bazaar.abuse.ch/sample/2cbafc607c5d38a891ab89799f98b6b754b519706eb6597e4c4f2d4f6fc5db21/

🤖 Jul-Dec 2025 Botnet Threat Update out now!

⬆️ 21,425 #botnet C&Cs observed, up by +24%.
⏫ Botnet C&C domains soar +9,608% for 🇷🇺 Russia-based REGRU
⬆️ Remote Access Trojans represent 42% of Top 20 malware associated with botnet C&Cs.

But it isn’t all bad news – several large cloud network operators have taken action to tackle active botnet C&Cs - find out which ones in the latest FREE report here👇
https://www.spamhaus.org/resource-hub/botnet-c-c/botnet-threat-update-july-to-december-2025/

#Botnet #ThreatIntel

Malspam sent from Microsoft Outlook that is spreading #LogMeIn GoToResolve RMM, enabling threat actors to access the victim's machine from remote 💻🔍🕵️

IOCs:
📡 adwestmailcenter .com ➡️ Landing page
📡 insightme .im ➡️ fake PDF download

Payload hosted on Cloudflare R2 bucket, but already got nuked due to an abuse report from URLhaus 🙌
https://urlhaus.abuse.ch/url/3751500/

LogMeIn #GoToResolve payload 📄
https://bazaar.abuse.ch/sample/77e22f4e1af7758d6f7284f32a92539ea36a527fa89c8c6765f10a3f98a8d13e/

CHICXULUB IMPACT 💥

Botnet C2 URLs:
📡 https://turbokent .name/api/initialize
📡 https://turbokent .name/api/status

Sponsoring domain registrar: NICENIC 🇭🇰

Malware sample 📄:
https://bazaar.abuse.ch/sample/c32e1db396e6b64846792f05c776c5b52f34834b0500bc18f982927e07ca3eeb/