# THREAT ANALYSIS REPORT: SocGholish and Zloader – From Fake Updates and Installers to Owning Your Systems **[cybereason.com/blog/threat-analysis-report-socgholish-and-zloader-from-fake-updates-and-installers-to-owning-your-systems](https://www.cybereason.com/blog/threat-analysis-report-socgholish-and-zloader-from-fake-updates-and-installers-to-owning-your-systems)** Written By Cybereason Global SOC Team April 25, 2022 | 14 minute read ----- The [Cybereason Global Security Operations Center (GSOC) Team issues Cybereason Threat Analysis](https://www.cybereason.com/blog/authors/cybereason-global-soc-team) reports to inform on impacting threats. The Threat Analysis reports investigate these threats and provide practical recommendations for protecting against them. This Threat Analysis report provides insight into three selected attacks, which involve the SocGholish and Zloader malware masquerading as legitimate software updates and installers of popular applications. We present the deployment of the malware on compromised systems and the activities of the malware operators, including an activity timeline. ## Key Points **Masquerading malware: Infections with SocGholish start by end-users executing JavaScript** scripts with filenames that relate to known browsers and browser updates, such as _Opera.Update.js and Firefox.js. Infections with Zloader start by end-users executing a fake installer_ of a popular application, such as TeamViewer. **Intensive reconnaissance and data exfiltration: SocGholish operators conduct intensive** reconnaissance activities and redirect the output of executed commands to files with the filename extension .tmp for exfiltration. **Detected and prevented: The** [Cybereason XDR Platform effectively detects and prevents](https://www.cybereason.com/platform#graphic) infections with SocGholish and Zloader. **Cybereason Managed Detection and Response (MDR): The Cybereason GSOC team has a** zero-tolerance policy towards attacks involving SocGholish and Zloader, and categorizes such [attacks as critical, high-severity incidents. The Cybereason GSOC MDR team issues a](https://www.cybereason.com/services/managed-detection-response-mdr) comprehensive report to customers when such an incident occurs. The report provides an in-depth overview of the incident, which helps to understand the scope of the compromise and the impact on the customer’s environment. The report also provides attribution information whenever possible, as well as recommendations for threat mitigation and isolation. ## Introduction [SocGholish is an attack framework that malicious actors have used since at least 2020. The term Soc](https://www.menlosecurity.com/blog/increase-in-attack-socgholish/) refers to the use of social engineering to deploy malware on systems. SocGholish operators host a malicious website that implements a drive-by-download mechanism, such as JavaScript code or uniform resource locator (URL) redirections, to trigger the download of an archive file that contains malware. The website displays content that might lure end-users, such as critical browser updates. To infect the system, an end-user has to first manually decompress the archive file and then execute the malware by double-clicking. An infection with SocGholish may result in the deployment of the Cobalt Strike framework and ransomware. Zloader is a malware primarily designed to steal credentials and sensitive data, but it also has backdoor capabilities and it can act as a malware loader to deliver further malware on compromised systems. For example, in the past, Zloader has distributed the destructive Egregor and Ryuk ransomware. [First discovered in 2016, Zloader is under continuous development with more recent versions featuring](https://www.proofpoint.com/us/blog/threat-insight/zloader-loads-again-new-zloader-variant-returns) detection evasion capabilities, such as disabling Windows Defender and using living-off-the-land executables to conduct malicious activities. In the past, malicious actors have distributed the Zloader malware as malicious attachments to emails. ----- In the period between December 2021 and the time of writing, the Cybereason MDR team has observed an increase in the number of attacks involving SocGholish and Zloader. In the attacks involving Zloader, malicious actors had distributed Zloader to systems through malicious websites that have the malware [masquerading as an installer of popular applications, such as TeamViewer.](https://www.crowdstrike.com/blog/falcon-overwatch-uncovers-ongoing-night-spider-zloader-campaign/) The figure below depicts the number of SocGholish-related sample submissions to VirusTotal between November 2021 and March 2022. The global trend of increase in the number of infections with SocGholish starting in December 2021 aligns with the increase in the number of infections with SocGholish that the Cybereason MDR has observed: _Number of SocGholish-related sample submissions to VirusTotal between November 2021 and March_ _2022_ This report provides a unique insight into real infections with SocGholish and Zloader that the Cybereason MDR team has recently observed. We present the deployment of the malware on compromised systems and the activities of the malware operators in three selected attacks. For the attacks that involve SocGholish, this report documents the timelines of the malware operator’s activities and provides an overview of the common tactics and techniques in SocGholish infections. ## Analysis ### SocGholish **Infection** The flowchart below depicts a typical system infection with the SocGholish framework: ----- _Infection with the SocGholish framework_ SocGholish operators host a malicious website that implements a drive-by-download mechanism. Previous research shows that the SocGholish operators use a legitimate website and host another, malicious website in its context, for example, in an inline frame (iframe) object. The legitimate website [displays content to which end-users may be lured, such as critical browser updates. The malicious](https://isc.sans.edu/forums/diary/Fake+browser+update+pages+are+still+a+thing/25774/) website may implement, for example, JavaScript code, or conduct URL redirections to trigger the download of an archive file that stores a malicious JavaScript script. To infect the system, an end-user has to first manually decompress the JavaScript script, for example, by [using the Windows built-in archive utility or third-party utilities such as WinRAR, and then execute the](https://www.win-rar.com/start.html?&L=0) script. If the Microsoft Windows Script Host (WSH) mechanism is not disabled on the system, WSH executes the script using the wscript or the [cscript utility and the WSH JavaScript/JScript execution](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/ff920171(v=ws.11)) engine: _An end-user_ _decompresses and executes a JavaScript script that SocGholish operators distribute (as seen in the_ _Cybereason XDR Platform)_ The figure below depicts a typical JavaScript script (Chrome.Update.d37fc6.js) that a malicious website with a browser update theme has been distributing to end-users: ----- _Content of the_ _Chrome.Update.d37fc6.js script (excerpt)_ We emphasize that the Chrome.Update.d37fc6.js script is representative of many other scripts that malicious websites with browser update themes have been distributing to end-users: The scripts have filenames that relate to known browsers and browser updates, such as _Opera.Update.a99283.js and Firefox.js._ The scripts establish connections to attacker-controlled endpoints, for example, by using ActiveX XMLHTTP objects, and issue POST requests to download and execute further content using the _eval JavaScript function. In the SocGholish infections that we have analyzed, the JavaScript scripts_ download and execute content after issuing a POST request to a resource named pixel.png. The scripts communicate with the endpoints with the following IP addresses: _87.249.50[.]201, located in Russia (known associated host domain names: xen.hill-family[.]us,_ _apps.weightlossihp[.]com, and upstream.fishslayerjigco[.]com)._ ----- _91.219.236[.]202, located in Hungary (known associated host domain names:_ _host.integrativehealthpartners[.]com, platform.windsorbongvape[.]ca,_ _widget.windsorbongvape[.]com)._ The JavaScript code of the scripts is obfuscated by using random variable names and string manipulation, such as string reversal and encoding. For example, the script authors have obfuscated the host domain names of the attacker-controlled endpoints by reversing them and placing the individual string characters at the odd index positions in the obfuscated string: _An obfuscated host domain name in Chrome.Update.d37fc6.js and the domain name’s deobfuscated_ _form_ **Post Infection: First Attack** The flowchart below depicts an overview of the activities that SocGholish operators have conducted on an infected system: _SocGholish: An attack overview (1)_ ----- As we have seen in the Infection Section, the wscript.exe utility first executed a JavaScript script named _Chrome.Update.fd1967.js that resided in an archive file. Soon after the script executed and until_ approximately 57 minutes later, wscript.exe conducted information gathering activities and stored the gathered information in the files radF9A4F.tmp and rad994D1.tmp, placed in the end-user’s AppData folder, for potential future exfiltration: _whoami /all >> "C:\Users\\AppData\Local\Temp\radF9A4F.tmp_ _"systeminfo|findstr Registered&nltest /dclist:&nltest /domain_trusts&cmdkey /list&net group "Domain_ _Admins" /domain&net group "Enterprise Admins" /domain&net localgroup Administrators /domain&net_ _localgroup Administrators" >>"C:\Users\\AppData\Local\Temp\rad994D1.tmp"_ Approximately one hour and 27 minutes later, wscript.exe first renamed a file with the .tmp file extension, _rad63F7D.tmp, to ef32e4cf.js and then executed the JavaScript script ef32e4cf.js using the wscript.exe_ utility. Approximately 9 minutes later, the wscript.exe instance that had executed the ef32e4cf.js script obtained user and filesystem information by executing the following commands: _whoami /all >> "C:\Users\\AppData\Local\Temp\rad2AC3D.tmp"_ _dir C:\programdata\ >> "C:\Users\\AppData\Local\Temp\radB9CD4.tmp"_ _wscript.exe also renamed a file with the .tmp file extension, radCC48D.tmp, to the Windows dynamic-link_ library (DLL) file wimgapi.dll and then executed the DLL through the WIMDeleteImageMounts entry point by capturing the output in the C:\Users\\AppData\Local\Temp\rad5FAF1.tmp file. wscript.exe also copied the rundll32.exe executable to the wim.exe file in the %ProgramData%\wim folder: _wscript.exe executes wimgapi.dll (as seen in the Cybereason XDR Platform)_ During the execution of the wscript.exe instances that had executed the Chrome.Update.fd1967.js and the ef32e4cf.js scripts, the wscript.exe instances communicated with the attacker-controlled endpoint with an IP address of 91.219.236[.]202 (domain name: _0bfd796f.host.integrativehealthpartners[.]com), located in Hungary._ Approximately 12 minutes after the wimgapi.dll DLL was executed, the DLL injected code into the following legitimate Windows processes: werfault.exe, explorer.exe, outlook.exe, svchost.exe, and _taskhostw.exe._ Over a period of 8 hours and 30 minutes: ----- _[wimgapi.dll injected the SharpView Tool into an instance of the werfault.exe process. SharpView](https://github.com/tevora-threat/SharpView)_ can conduct reconnaissance activities and gather information about Active Directory (AD) deployments: _wimgapi.dll injects the SharpView tool into an instance of the werfault.exe process (as seen in the_ _Cybereason XDR Platform)_ _wimgapi.dll injected code into outlook.exe. The code gathered AD-related information by executing_ the command net group "domain admins" /domain: _The code that_ _outlook.exe hosts conducts reconnaissance activities (as seen in the Cybereason XDR Platform)_ _wimgapi.dll injected malicious code into svchost.exe. The code conducted targeted reconnaissance_ activities by executing the whoami, ping, nltest, and net commands using target-specific configurations, such as hostnames and usernames. ----- _wimgapi.dll injected code into taskhostw.exe. The code searched for the cpassword field in Group_ Policy files stored in the Policies folder in shared system volume folders (SYSVOL) by executing the command findstr /s /i /m "cpassword" \\\sysvol\\Policies\*.*, where _ is the domain name of an AD domain controller. In AD infrastructures, the SYSVOL_ foldersare present on domain controllers and the domain controllers share the folders with domain members to deliver domain configuration data, such as policy settings. The cpassword field stores a valid credential required to configure certain Group Policy preference settings at domain members - settings that system users can change. In certain Windows versions, the cpassword field stores the password in an Advanced Encryption Standard (AES) encrypted form that malicious actors can decrypt using a publicly disclosed encryption key. In addition to the activities above, the code that ran in explorer.exe, outlook.exe, svchost.exe, and _taskhostw.exe executed instances of the werfault.exe process and injected the following tools into the_ instances: _[SharpView and](https://github.com/tevora-threat/SharpView)_ _[Rubeus, a tool for attacking Kerberos deployments.](https://github.com/GhostPack/Rubeus)_ _[Stracciatella: a tool for executing PowerShell commands with detection evasion capabilities.](https://github.com/mgeeky/Stracciatella)_ _[Seatbelt: a tool that enumerates the security posture of systems.](https://github.com/GhostPack/Seatbelt)_ _[PowerShellRunner: a tool that is capable of executing PowerShell commands using Windows](https://github.com/dievus/PowerShellRunner)_ Defender evasive techniques. _[SharpChromium: a tool for stealing browser data, such as cookies, saved logins, and browsing](https://github.com/djhohnstein/SharpChromium)_ history. Approximately 7 hours after wimgapi.dll DLL was executed, over a period of approximately 24 minutes, the operators conducted further reconnaissance activities by executing the commands ipconfig and _nltest. The operators also searched for the cpassword field in Group Policy files stored in the Policies_ folder in SYSVOL folders by executing the command findstr /s /i /m "cpassword" \\\sysvol\ _\Policies\*.*, where is the domain name of an AD domain controller._ In addition to searching for the cpassword field, the operators copied the files Centrifydc_settings.xml, _Groups.xml, and ScheduledTasks.xml from shared SYSVOL folders to the ProgramData folder. These_ files may contain cpassword fields, which store passwords that the malicious actors can decrypt, as well as additional settings data that is relevant from an information-gathering perspective. Approximately 23 hours after wimgapi.dll was executed, the %ProgramData%\wim\wim.exe executable, that is, rundll32.exe, executed the wimgapi.dll DLL through the WIMDeleteImageMounts entry point again to conduct further reconnaissance activities by executing the net and ping commands. During their operation, the wimgapi.dll DLL as well as the injected code into svchost.exe and _taskhostw.exe transferred over 30 MB of data to an endpoint with the IP address 5.53.125[.]173 (domain_ name: sikescomposites[.]com), which is located in Russia. **Post Infection: Second Attack** The flowchart below depicts an overview of the activities that SocGholish operators have conducted on an infected system: ----- _SocGholish: An attack overview (2)_ As we have seen in the Infection section, the wscript.exe utility first executed a JavaScript script named _Chrome.Update.2022d8.js that resided in an archive file. Soon after the script was executed and until_ approximately 10 minutes later, wscript.exe gathered current user information and stored the gathered information in the file radFFBA5.tmp, placed in the user’s AppData folder, for potential future exfiltration: _whoami /all >> "C:\Users\\AppData\Local\Temp\radFFBA5.tmp_ _wscript.exe gathers current user information as seen (in the Cybereason XDR Platform)_ Approximately 3 days and 10 minutes after wscript.exe gathered user information, wscript.exe enumerated the services that ran on the compromised machine using a PowerShell command that invoked Windows Management Instrumentation (WMI) functionalities and stored the output in the file _radD4878.tmp:_ ----- _wscript.exe enumerates services (as seen in the Cybereason XDR Platform)_ Approximately 3 days and 1 hour after wscript.exe gathered user information, wscript.exe gathered ADrelated information, including credentials, by executing the following commands: systeminfo|findstr _Registered; nltest /dclist:; nltest /domain_trusts; cmdkey /list; net group "Domain Admins" /domain; net_ _group "Enterprise Admins" /domain; net localgroup Administrators /domain; and net localgroup_ _Administrators/:_ _wscript.exe gathers AD-related information (as seen in the Cybereason XDR Platform)_ Approximately 3 days and 2 hours after wscript.exe gathered user information, wscript.exe first renamed a file with the .tmp file extension, rad0C41E.tmp, to vgauthservice.exe and then executed _vgauthservice.exe._ During the execution of wscript.exe, wscript.exe communicated with the attacker-controlled endpoint with an IP address of 87.249.50[.]201 (domain name: [random hexadecimal value].xen.hill-family[.]us), located in Russia. ----- Approximately 1 hour after vgauthservice.exe was executed, over a period of approximately 4 hours, _vgauthservice.exe created11 werfault.exe processes and injected code into them, such as the_ [TruffleSnout tool. TruffleSnout is a tool for gathering AD-related information to support offensive](https://github.com/dsnezhkov/TruffleSnout) operations: _vgauthservice.exe creates werfault.exe processes and injects code into them (in the Cybereason XDR_ _Platform)_ During its operation, the vgauthservice.exe process transferred over 9 MB of data to an endpoint with the IP address 77.223.98[.]12 over TCP port 443 (domain name: pastorq[.]com), which is located in Russia. **Summary** The table below summarizes the activities that are most prevalent across all infections with SocGholish that the Cybereason MDR team has observed: Archive file and JavaScript script Intensive reconnaissance Output redirection Injection of code into _werfault.exe_ Two attackercontrolled endpoints per infection To infect the system, an end-user has to download an archive file that stores a malicious JavaScript script. The script has a filename that relates to known browsers and browser updates, such as Opera.Update.a99283.js and Firefox.js. The end-user then has to manually decompress and execute the JavaScript script to infect the system. SocGholish operators conduct intensive reconnaissance activities and gather ADrelated information by executing the commands whoami, systeminfo, nltest, net, and _cmdkey._ The SocGholish operators redirect the output of executed commands to files with the filename extension .tmp, placed in the end-user’s AppData folder, for potential future exfiltration, such as C:\Users\\AppData\Local\Temp\radF9A4F.tmp. Infections with SocGholish involve an injection of code into multiple instances of the _werfault.exe process. The injected code typically implements tools with offensive_ capabilities. Over the course of an infection with SocGholish, the infected system communicates with two separate attacker-controlled endpoints, located in Hungary and/or Russia. ----- ### Zloader The Cybereason MDR team observed malicious actors distributing Zloader to systems through malicious websites that have masqueraded the malware as an installer of popular applications, such as TeamViewer. When an end-user downloads and executes a malicious software installer that delivers Zloader – an executable in Microsoft Installer (msi) format, for example, TeamViewer.msi – the installer writes a Windows executable file named internal.exe on the hard disk and executes it. _internal.exe establishes a connection to an attacker-controlled endpoint to download further malware, a_ script called launch.bat. launch.bat downloads a Windows Batch (.bat) script from the attacker-controlled endpoint clouds222[.]com – flash.bat, which conducts the following activities: _flash.bat evaluates whether the malware executes with administrative privileges by executing the_ command %SYSTEMROOT%\system32\cacls.exe %SYSTEMROOT%\system32\config\system. If the malware does not execute with administrative privileges, the malware executes a VisualBasic script (.vbs) named getadmin.vbs. The getadmin.vbs script attempts to elevate the malware’s privileges. _flash.bat establishes connection to the attacker-controlled endpoint clouds222[.]com to download_ three files – apiicontrast.dll (in Windows Portable Executable format), appContast.dll (in Windows Portable Executable format), and flashupdate.ps1 (a PowerShell script) – and executes _flashupdate.ps1._ _flash.bat deletes the file that implements the flash.bat script from the filesystem._ _flashupdate.ps1 executes the command wmic.exe_ _computersystem get domain to determine whether it_ executes in an Active Directory (AD) environment. If flashupdate.ps1 does not execute in an AD environment, the script downloads a GNU Privacy Guard (gpg)-encrypted file that implements Zloader (filename: zoom.dll). Otherwise, the script downloads gpgencrypted files that implement a CobaltStrike module and an Atera remote access component [(filenames: zoom1.msi and zoom2.dll). The PowerShell script then downloads the gpg4win tool for](https://www.gpg4win.org/) decryption purposes and runs a Windows Batch script named ais.bat. _[ais.bat downloads the NSudo tool (executable: adminpriv.exe) from the attacker-controlled endpoint](https://github.com/M2Team/NSudo)_ _commandaadmin[.]com and uses the tool to conduct a variety of activities with administrative privileges,_ such as disabling the Windows Defender security solution. _ais.bat also executes the apiicontrast.dll and appContast.dll files. Note that apiicontrast.dll and_ _[appContast.dll are digitally signed by Microsoft and are therefore masquerading as legitimate files – the](https://research.checkpoint.com/2022/can-you-trust-a-files-digital-signature-new-zloader-campaign-exploits-microsofts-signature-verification-putting-users-at-risk/)_ [vulnerability CVE-2013-3900 allows for malicious actors to append malicious script content to the digital](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2013-3900) signature section of legitimate Windows Portable Executable files without invalidating the digital signature. _apiicontrast.dll and appContast.dll store malicious scripts that execute when the mshta.exe Windows_ utility executes apiicontrast.dll and appContast.dll as follows: _cmd /c C:\Windows\System32\mshta.exe C:\Users\\AppData\Roaming\appContast.dll_ _cmd /c C:\Windows\System32\mshta.exe C:\Users\AppData\Roaming\apiicontrast.dll_ ----- The malicious script in appContast.dll modifies Windows Defender settings, such as excluding processes from Windows Defender scans. The table below lists the commands that the malicious script in _appContast.dll executes:_ _powershell.exe -Command Add-MpPreference -ExclusionExtension '.exe'_ _powershell.exe -Command Add-MpPreference -ExclusionProcess '*.dll'_ _powershell.exe -Command Add-MpPreference -ExclusionProcess '*.exe'_ _powershell.exe -Command Add-MpPreference -ExclusionProcess '.dll'_ _powershell.exe -Command Add-MpPreference -ExclusionProcess '.exe'_ _powershell.exe -Command Add-MpPreference -ExclusionProcess 'explorer.exe'_ _powershell.exe -Command Set-MpPreference -DisableBehaviorMonitoring $true_ _powershell.exe -Command Set-MpPreference -Disable IOAVProtection $true_ _powershell.exe -Command Set-MpPreference -DisableIntrusionPreventionSystem $true_ _powershell.exe -Command Set-MpPreference -DisablePrivacyMode $true_ _powershell.exe -Command Set-MpPreference -DisableRealTimeMonitoring $true_ _powershell.exe -Command Set-MpPreference -DisableScriptScanning $true_ _powershell.exe -Command Set-MpPreference -EnableControlledFolderAccess Disabled_ _powershell.exe -Command Set-MpPreference -HighThreatDefaultAction 6 -Force_ _powershell.exe -Command Set-MpPreference -LowThreatDefaultAction 6_ _powershell.exe -Command Set-MpPreference -MAPSReporting 0_ _powershell.exe -Command Set-MpPreference -ModerateThreatDefaultAction 6_ _powershell.exe -Command Set-MpPreference -PUAProtection disable_ _powershell.exe -Command Set-MpPreference -ScanScheduleDay 8_ ----- _powershell.exe -Command Set-MpPreference -SevereThreatDefaultAction 6_ _powershell.exe -Command Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true_ _powershell.exe -Command Set-MpPreference -SubmitSamplesConsent 2_ _powershell.exe -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -_ _ExclusionPath 'C:\Users\'_ _powershell.exe -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -_ _ExclusionPath 'C:\Users\\*'_ _powershell.exe -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -_ _ExclusionPath 'C:\Users\\AppData\Roaming'_ _powershell.exe -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -_ _ExclusionPath 'C:\Users\\AppData\Roaming*'_ _powershell.exe -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -_ _ExclusionPath 'C:\Users\\AppData\Roaming\*'_ _powershell.exe -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -_ _ExclusionPath 'C:\Windows\System32\WindowsPowerShell\'_ _powershell.exe -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -_ _ExclusionPath 'C:\Windows\System32\WindowsPowerShell\*'_ _Commands that modify Windows Defender settings_ After a sleeping phase, the malicious script in apiicontrast.dll decrypts the gpg-encrypted files _zoom1.msi, zoom.dll, and/or zoom2.dll (i.e., a Cobalt Strike module, an Atera remote access_ component, and the Zloader malware) using gpg4win, and executes the executables: ----- _The malicious script in apiicontrast.dll decrypts and executes zoom1.msi, zoom.dll, and zoom2.dll (as_ _seen in the Cybereason XDR Platform)_ ## Detection and Prevention ### Cybereason XDR Platform The [Cybereason XDR Platform is able to detect and prevent infections with SocGholish and Zloader](https://www.cybereason.com/platform) using multi-layer protection that detects and blocks malware with threat intelligence, machine learning, and Next-Gen Antivirus (NGAV) capabilities: ----- _The_ _Cybereason XDR Platform labels as suspicious the execution of a malicious SocGholish JavaScript_ _script using the wscript utility_ _The_ _Cybereason XDR Platform detects SocGholish injecting code into werfault.exe instances_ ----- _The_ _Cybereason XDR Platform detects the deployment of the Zloader malware_ ## Cybereason GSOC MDR The Cybereason GSOC recommends the following: Enable the Anti-Malware feature on the Cybereason NGAV and enable the Detect and Prevent modes of this feature. Securely handle files downloaded from the Internet and email messages that originate from external sources. Threat Hunting with Cybereason: The Cybereason MDR team provides its customers with custom hunting queries for detecting specific threats - to find out more about threat hunting and Managed Detection and Response with the Cybereason Defense Platform, contact a Cybereason Defender here. [For Cybereason customers: More details available on the NEST including custom threat](https://nest.cybereason.com/knowledgebase/5782001) hunting queries for detecting this threat. Cybereason is dedicated to teaming with defenders to end cyber attacks from endpoints to the enterprise to everywhere. [Schedule a demo today to learn how your organization can benefit from an operation-](https://www.cybereason.com/request-a-demo) centric approach to security. ## Indicators of Compromise ----- **Executables** SHA-1 hash: _3918a9ebe88ba272718a14c02eae148eaafbe51b_ SHA-1 hash: _db6e1a1dbb0e351c44b49db79b8bad3321d673a1_ SHA-1 hash: _57d0c737686cf01bd6aa0ef206d3f81aee93cbbd_ SHA-1 hash: _0cdaee46f8d898c253ba3427256d430de3ff7791_ SHA-1 hash: _3e481043bc981eae8f0b977477024abb6e1e132e_ SHA-1 hash: _a187d9c0b4bdb4d0b5c1d2bdbcb65090dcee5d8c_ SHA-1 hash: _41e99216782434354a16015c33dcd6550bff0a35_ SHA-1 hash: _7150a4c32f401a7d924083094c3c3796a392556f_ **Domains** _.xen.hill-family[.]us_ _apps.weightlossihp[.]com_ _upstream.fishslayerjigco[.]com_ _.host.integrativehealthpartners[.]com_ _platform.windsorbongvape[.]ca_ _widget.windsorbongvape[.]com_ _sikescomposites[.]com_ _pastorq[.]com_ _clouds222[.]com_ _commandaadmin[.]com_ ----- **IP addresses** _87.249.50[.]201_ _91.219.236[.]202_ _77.223.98[.]12_ _5.53.125[.]173_ _178.21.11[.]77_ _193.124.18[.]128_ ## MITRE ATT&CK Techniques **Initial Access** **Execution** **Defense** **Evasion** **Discovery** **Collection** **Exfiltration** Remote [System](https://attack.mitre.org/techniques/T1018/) Discovery System [Owner/User](https://attack.mitre.org/techniques/T1033/) Discovery Process Discovery System [Information](https://attack.mitre.org/techniques/T1082/) Discovery Account Discovery Drive-by Compromise Phishing: [Spearphishing](https://attack.mitre.org/techniques/T1566/002/) Link User [Execution:](https://attack.mitre.org/techniques/T1204/001/) Malicious Link User [Execution:](https://attack.mitre.org/techniques/T1204/002/) Malicious File Command and Scripting Interpreter: PowerShell Command and Scripting Interpreter: Windows Command Shell Command and Scripting Interpreter: JavaScript Masquerading: Masquerade Task or Service Masquerading: Match [Legitimate](https://attack.mitre.org/techniques/T1036/005/) Name or Location Process Injection Signed Binary Proxy Execution: Rundll32 Reflective Code Loading **Credential** **Access** Credentials from Password [Stores:](https://attack.mitre.org/techniques/T1555/003/) Credentials from Web Browsers Steal or Forge Kerberos Tickets Steal Web [Session](https://attack.mitre.org/techniques/T1539/) Cookie Unsecured Credentials: Credentials In Files Data from [Local](https://attack.mitre.org/techniques/T1005/) System Exfiltration Over Alternative Protocol ----- Windows [Management](https://attack.mitre.org/techniques/T1047/) Instrumentation ## About the Researchers Domain [Trust](https://attack.mitre.org/techniques/T1482/) Discovery Group [Policy](https://attack.mitre.org/techniques/T1615/) Discovery **Aleksandar Milenkoski, Senior Malware and Threat Analyst, Cybereason** **Global SOC** Aleksandar Milenkoski is a Senior Malware and Threat Analyst with the Cybereason Global SOC team. He is involved primarily in reverse engineering and threat research activities. Aleksandar has a PhD in system security. For his research activities, he has been awarded by SPEC (Standard Performance Evaluation Corporation), the Bavarian Foundation for Science, and the University of Würzburg, Germany. Prior to Cybereason, his work focussed on research in intrusion detection and reverse engineering security mechanisms of the Windows operating system. **Loïc Castel, Senior Security Analyst, Cybereason Global SOC** Loïc Castel is a Senior Security Analyst with the Cybereason Global SOC team. Loïc analyses and researches critical incidents and cybercriminals, in order to better detect compromises. In his career, Loïc worked as a security auditor in well-known organizations such as ANSSI (French National Agency for the Security of Information Systems) and as Lead Digital Forensics & Incident Response at Atos. Loïc loves digital forensics and incident response, but is also interested in offensive aspects such as vulnerability research. ----- **Yonatan Gidnian, Senior Security Analyst and Threat Hunter, Cybereason** **Global SOC** Yonatan Gidnian is a Senior Security Analyst and Threat Hunter with the Cybereason Global SOC team. Yonatan analyses critical incidents and hunts for novel threats in order to build new detections. He began his career in the Israeli Air Force where he was responsible for protecting and maintaining critical infrastructures. Yonatan is passionate about malware analysis, digital forensics, and incident response. About the Author **Cybereason Global SOC Team** The Cybereason Global SOC Team delivers 24/7 Managed Detection and Response services to customers on every continent. Led by cybersecurity experts with experience working for government, the military and multiple industry verticals, the Cybereason Global SOC Team continuously hunts for the most sophisticated and pervasive threats to support our mission to end cyberattacks on the endpoint, across the enterprise, and everywhere the battle moves. ----- [All Posts by Cybereason Global SOC Team](https://www.cybereason.com/blog/authors/cybereason-global-soc-team) -----