{
	"id": "6bc04ba8-aa80-4a0d-8838-13a43bb87497",
	"created_at": "2026-04-06T00:10:14.546104Z",
	"updated_at": "2026-04-10T13:11:18.883158Z",
	"deleted_at": null,
	"sha1_hash": "8fd50a06c358dbaf0d718856547911b791df6725",
	"title": "C2 With It All: From Ransomware To Carding",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 704331,
	"plain_text": "C2 With It All: From Ransomware To Carding\r\nBy Warren Mercer\r\nPublished: 2019-11-04 · Archived: 2026-04-05 20:47:19 UTC\r\nBy Warren Mercer, Paul Rascagneres and Vitor Ventura.\r\nSummary\r\nCisco Talos recently discovered a new server hosting a large stockpile of malicious files. Our analysis of these files shows that these attackers were able to obtain a deep level of access to victims' infrastructure — all of which allowed us to identify several targets of these attacks, including one American manufacturing company. Talos notified these targets of the attack.\r\nWe found a great variety of malicious files on this server, ranging from ransomware like DoppelPaymer, to credit card capture malware like TinyPOS, as well as some loaders that execute code delivered directly from the command and control (C2).\r\nThe data found on this server shows how malicious actors can diversify their activities to target different organizations and individuals, while still using the same infrastructure. The tools we studied paint a picture of an adversary that is resourceful and has a widespread infrastructure shared across different operations.\r\nTargets' profiles\r\nWhile performing our analysis, we identified at least two targets based on screenshots and memory dumps.\r\nTarget No. 1: Based on screenshot\r\nThe first target we identified is an aluminium and stainless steel gratings company located in the U.S. This identification was made based on a screenshot from the HPE Data Protector management interface. The screenshot shows the domain name (which we have redacted), thus leading us to the company's name. This screenshot demonstrates the level of access the attackers had to the victim's infrastructure.\r\nhttps://blog.talosintelligence.com/2019/11/c2-with-it-all.html\r\nPage 1 of 9\r\nScreenshot from HPE Data Protector manager.\r\nThis screenshot contains some important information for the adversary. On one side, it shows which servers are being backed up; on another, it shows which ones are important to the victim.\r\nThis, in conjunction with the ransomware located on the server, indicates the intent of deploying ransomware on the infrastructure, showing a manual and targeted approach more advanced than the simple execution of malware.\r\nTarget No. 2: Based on the LSASS dump\r\nWe identified a second target due to a process dump we found on the server. The dumped process is responsible for managing credentials on Windows (lsass.exe). Using a tool like Mimikatz, it's possible to retrieve credentials from the process dump.\r\nThe content of the dump showed us the hostname and Windows domain of the system and the \"support\" username. To perform the process dump, the attacker had high privileges on the system. This would help them perform lateral movement, which suggests a manual and targeted approach to this target.\r\nThe dump was uploaded to the server on Sept. 24, the same date as the login time stored in the memory dump.\r\nSamples\r\nDoppelPaymer samples\r\nThe majority of the Windows binaries available on the server are DoppelPaymer samples. This malware is ransomware, an evolution of BitPaymer documented by CrowdStrike. We identified seven different binaries. The oldest one was uploaded on Oct. 5, with the most recent originating from Oct. 20. As previously documented, the ransomware needs to be executed with a key as an argument. We identified how the key was passed as an argument by this actor. A WinRAR self-extracting archive (SFX) is used to extract the ransomware and execute the following command:\r\nPath=C:\\Users\\--redacted--\\Desktop\r\nSetup=C:\\Users\\--redacted--\\Desktop\\p1q135no.exe\r\nQWD5MRg95gUEfGVSvUGBY84h\r\nIn our example, the key is 'QWD5MRg95gUEfGVSvUGBY84h'. The hard-coded path proves the attackers either had prior knowledge of the target's infrastructure or prepared the package in the target infrastructure.\r\nThis variant uses alternate data streams to partially hide its data.\r\nThe remaining behavior and ransom note are consistent with the previously documented variant.\r\nTinyPOS sample\r\nOn the same server, we also found a TinyPOS sample. This malware is installed using a batch file. The batch file creates a scheduled task that is executed every 6 hours as Local System.\r\nThe script deploys a scheduled task:\r\nThe PowerShell script contains the TinyPOS code, which is defined as an array of bytes written as hexadecimal values. The PowerShell script creates an execution thread using the TinyPOS code previously copied into memory.\r\nTinyPOS is a point-of-sale malware which is developed directly in assembly. This sample exfiltrates data to the C2 hardcoded in the sample: jduuyerm[.]website.\r\nThe data going out is obfuscated using XOR operations with a hardcoded key of 0xcaef3d8a. The malware exfiltrates the hostname and the local IP of the infected system. It searches and parses the memory of targeted processes to retrieve credit card information, which is usually stored in tracks 1 and 2 of the magnetic strip of the credit card.\r\nThe adversaries uploaded TinyPOS on Sept. 26.\r\nSvchost sample\r\nThis sample is a simple loader. The loader code is packed and obfuscated using XOR operations. The sample will load an offset of itself and perform XOR operations until the beginning of that offset matches the pattern 0x90909090. Once the pattern is found, the decoding starts, using the number of iterations needed to find the pattern as the XOR key.\r\nThe packed code imports several functions, among them the winsock32 module functions connect(), send() and recv(). Using these functions, it contacts the hardcoded C2, sending a message that starts with the byte 0x0C.\r\nAfterward, the loader will read 1,024 bytes from the server repeatedly until all data is read. The data received has a header of 12 bytes. The message is obfuscated using a XOR operation; the key for this XOR is at offset 0x4 of the message. Before the sample calls the received code, it will check whether the last byte of the obfuscated code is 0xC3. This represents the opcode RET, which allows the loader to get execution control back from the payload it receives from the C2.\r\nAdditional binaries\r\nWe identified additional binaries on the server. The tools are used by the attacker to perform tasks on the compromised infrastructure. We identified:\r\nMimikatz: A tool to retrieve Windows credentials from memory.\r\nPsExec: A tool to remotely connect to Windows systems. The attacker probably used it to pivot inside the infrastructure using the credentials previously retrieved.\r\nProcdump: A tool to dump processes. The attacker probably used it to dump the LSASS.exe process to then use with Mimikatz.\r\nPotential infection vectors\r\nFake tech support\r\nThe TinyPOS C2 server is jduuyerm[.]website and the IP 185.254.188[.]11.\r\nThe IP resolved to the following domains:\r\ntechsupport[.]org[.]ru from March 21, 2019 to Oct. 7, 2019\r\nwww.techsupport[.]org[.]ru from May 19, 2019 to Oct. 1, 2019\r\ntechsupportlap[.]icu from March 13, 2019 to April 2, 2019\r\ntechsupportnet[.]icu from March 12, 2019 to April 1, 2019\r\nTwo domains were available during the campaigns described in this article. The attacker was likely planning to carry out a fake tech support scam to attempt to compromise infrastructure. This would likely be carried out by asking employees to execute specific commands or to download the malware provided by the attacker.\r\nVPN access\r\nFrom April 16, 2019 through Aug. 18, 2019, the IP resolved to aefawexxr54xrtrt[.]softether[.]net. SoftEther is a powerful VPN platform that offers many features, such as a dynamic DNS service that could allow an adversary to evade detection based on IP addresses. SoftEther also prides itself on being able to \"punch\" through most firewalls due to only using HTTPS-based traffic. We haven't found any software that would have allowed the screenshots found. In theory, if the actors can open a VPN back to their own server, they could then RDP into the systems, bypassing all firewalls in between. SoftEther seems to be the perfect solution for this.\r\nSoftEther says it is a VPN that \"has strong resistance against firewalls than ever [SIC]. Built-in NAT-traversal penetrates your network admin's troublesome firewall for overprotection. You can setup your own VPN server behind the firewall or NAT in your company, and you can reach to that VPN server in the corporate private network from your home or mobile place, without any modification of firewall settings. Any deep-packet inspection firewalls cannot detect SoftEther VPN's transport packets as a VPN tunnel, because SoftEther VPN uses Ethernet over HTTPS for camouflage [SIC].\"\r\nIOCs\r\nNetwork\r\njduuyerm[.]website\r\n185.254.188[.]11\r\ntechsupport[.]org[.]ru\r\nwww.techsupport[.]org[.]ru\r\ntechsupportlap[.]icu\r\ntechsupportnet[.]icu\r\n185.212.128[.]189\r\naefawexxr54xrtrt[.]softether[.]net\r\nCoverage\r\nWays our customers can detect and block this threat are listed below.\r\nAdvanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware detailed in this post. Below is a screenshot showing how AMP can protect customers from this threat. Try AMP for free here.\r\nCisco Cloud Web Security (CWS) or Web Security Appliance (WSA) web scanning prevents access to malicious websites and detects malware used in these attacks.\r\nEmail Security can block malicious emails sent by threat actors as part of their campaign.\r\nNetwork Security appliances such as Next-Generation Firewall (NGFW), Next-Generation Intrusion Prevention System (NGIPS), and Meraki MX can detect malicious activity associated with this threat.\r\nAMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.\r\nUmbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network.\r\nAdditional protections with context to your specific environment and threat data are available from the Firepower Management Center.\r\nOpen Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.\r\nSource: https://blog.talosintelligence.com/2019/11/c2-with-it-all.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.talosintelligence.com/2019/11/c2-with-it-all.html"
	],
	"report_names": [
		"c2-with-it-all.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434214,
	"ts_updated_at": 1775826678,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8fd50a06c358dbaf0d718856547911b791df6725.pdf",
		"text": "https://archive.orkl.eu/8fd50a06c358dbaf0d718856547911b791df6725.txt",
		"img": "https://archive.orkl.eu/8fd50a06c358dbaf0d718856547911b791df6725.jpg"
	}
}