Russian-speaking cybercriminals use phishing to trick users into providing sensitive information such as credentials, which can then be sold on the dark web or used to gain unauthorized access to gaming accounts and cryptocurrency wallets.
Subcampaigns mimic legitimate projects by slightly modifying names and branding to increase credibility and deceive victims.
Cloud storage service abused to host the initial downloader malware for all active subcampaigns.
Downloader, hosted on Dropbox, responsible for delivering additional malware samples to victim machines.
Victims download and execute the malicious downloader from Dropbox, disguised as legitimate software.
Infostealer malware delivered as a second-stage payload to steal credentials and system information.
Cryptocurrency theft tool that monitors the clipboard and replaces cryptocurrency wallet addresses.
Malicious domain mimicking the peerme.io platform for DAO creation and management on the MultiversX blockchain.
Electron application downloader with a CAPTCHA check to evade automated analysis; downloads second-stage payloads from Dropbox.
CAPTCHA check implemented to prevent execution by automated dynamic analysis tools and sandboxes.
Dropbox URL hosting a password-protected RAR archive containing the second-stage malware payloads.
URL serving a byte array payload that is decoded, padded with 750000000 bytes, and executed.
Base64 decoding of configuration URLs and extraction of the password for the RAR archive containing the malware payloads.
C2 server receiving logging messages in Russian from the TidyMe.exe downloader via HTTP POST requests.
HTTP POST requests used to send logging messages with status updates, in Russian, to the C2 server.
HijackLoader payload that performs process injection into cmd.exe and explorer.exe, delivering the StealC infostealer as the final stage.
Modular loader with UAC evasion, process injection techniques, and inline API hook evasion capabilities.
Shellcode injection chain starting with cmd.exe, then explorer.exe, to evade detection and execute the final StealC payload.
Windows command processor (cmd.exe) used as an injection target for malicious shellcode.
Windows Explorer process (explorer.exe) used as the final injection target for the StealC infostealer payload.
Malware deletes itself after injecting shellcode into cmd.exe to remove forensic evidence.
StealC infostealer collects comprehensive system information including HWID, OS details, network information, installed applications, and the process list.
Collection of network information including IP address and country location.
StealC captures screenshots of the infected system as part of information collection.
StealC requests configuration from the C2 to collect browser credentials, plugin data, and wallet information.
IP address hosting multiple malicious campaign domains, identified through DNS MX record analysis.
Malicious domain mimicking the riseonlineworld.com MMO game website, hosting the RuneOnlineWorld.exe downloader.
Electron application downloader mimicking a game launcher, with a login page that processes and exfiltrates credentials to the C2.
Login page captures the username and password entered by the victim and sends them to the C2 server.
HijackLoader variant that injects code into cmd.exe and explorer.exe, downloads additional DLL and MSI files, and delivers the Danabot and StealC infostealers.
Windows Installer used to execute malicious MSI files downloaded by the injected explorer.exe process.
Windows utility (rundll32.exe) used to execute malicious DLL files downloaded by the injected explorer.exe process.
Execution of malicious MSI files using Windows Installer to deploy additional malware stages.
Execution of malicious DLL files using rundll32.exe to deploy additional malware stages.
HijackLoader variant that injects through cmd.exe, explorer.exe, and OpenWith.exe, downloads six files to %APPDATA%\AD_Security\, and creates a scheduled task for persistence.
Legitimate Windows process used as an injection target for the multi-stage malware payload.
Creation of a scheduled task named FJ_load to execute madHcCtrl.exe at user logon for persistence.
Legitimate executable that loads the malicious madHcNet32.dll, executed by the scheduled task FJ_load at logon.
Malicious DLL loaded by madHcCtrl.exe that uses HijackLoader to inject Go-based clipper malware into explorer.exe.
Cryptocurrency clipper malware written in Go that monitors the clipboard and replaces cryptocurrency wallet addresses with attacker-controlled addresses.
Monitoring the clipboard for cryptocurrency wallet addresses and replacing them with attacker-controlled addresses.
Replacement of legitimate cryptocurrency wallet addresses in the clipboard with attacker-controlled addresses to redirect funds.
Malicious domain mimicking the yous.ai AI translation project, hosting the Voico.exe downloader.
Electron application downloader with a registration form that logs credentials to console.log() instead of sending them to the C2.
StealC C2 server receiving stolen credentials and system information from infected systems.
StealC C2 server used in the Voico campaign for receiving stolen data.
Server hosting the madHcCtrl files downloaded by the bytes.exe payload.
Updated infrastructure domain hosting a newer version of the downloader with additional anti-analysis techniques.
Updated infrastructure domain used after the threat actors changed their infrastructure.
PythonAnywhere URL hosting additional malware samples not related to the current active subcampaigns.
PythonAnywhere URL used in active subcampaigns to host malware samples.
C2 server IP address used in Tusk campaign operations.
Stolen credentials, system information, browser data, and cryptocurrency wallet information exfiltrated to C2 servers.
Cryptocurrency theft through clipboard manipulation redirecting transactions to attacker-controlled wallets, and potential draining of gaming accounts and crypto wallets using stolen credentials.