Blog

Inside the SOC

Uncover New Malicious Email Payloads in Google Translate

Default blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog image
03
Nov 2022
03
Nov 2022
Discover how threat actors are concealing malicious email payloads within Google Translate domains. Learn how Darktrace responds to these attacks effectively.

Darktrace recently detected a new technique used by threat actors to deliver malicious email payloads. The malicious link was observed hidden within a legitimate domain, namely Google Translate services. To understand its abusive capabilities, it is important to first understand a benign case of how these links are created.  

Google often provides a ‘Translate this page’ option for sites written in a different language to the default browser language.

Figure 1: A google search result for an international company E.g ‘Crédit Agricole’ gives the option to translate the page from French to English.
Figure 2: When clicked, the browser displays a link with a translate[.]goog domain, and the original domain, credit-agricole[.]fr, becomes the link’s subdomain.

When this feature is exploited by threat actors it can be particularly dangerous, as legacy security products that rely on ‘known’ or ‘safe’ domain-based detection are likely to register these emails as safe and provide no protective actions. If a recipient were to click on the malicious link, they could risk losing their credentials or even compromising their machine. 

 In contrast, Darktrace/Email has been able to consistently identify and action emails from such campaigns. This blog will discuss one of these events.

The Campaign 

The apparent motive in this attack was to harvest credentials and/or deploy malware on the recipient’s device. Credential harvesting can lead to the sale of credentials on the dark web, or the attacker may choose to leverage those credentials in subsequent attacks. Both harvesting credentials and deploying malware have severe potential ramifications, including but not limited to sensitive company data leaks and financial loss. 

During this attack, the threat actor sent similar emails to a group of recipients in a short space of time. The recipients were not normally associated with each other and Darktrace swiftly identified them as unsolicited bulk mail. The new technique that was leveraged included using Google’s translate services to share malicious links using legitimate seeming domains. The malicious host was visible within the subdomain ‘636416-selcdn-ru[.]translate[.]goog’.  

When clicked, the link displays a google translate page stating, “Can’t translate this page”. There is then a hyperlink, “Go to original page”, that brings the user to the malicious host- 636416[.]selcdn[.]ru. Finally, the host displays a fake webmail portal login. If a user engages, the attacker can harvest their credentials to either sell or use in subsequent attacks.

Figure 3- The Google Translate page that is displayed once clicking on the full link within the email. The hyperlink at the bottom of the image is where the user is redirected by clicking “Go to original page”. It is there that the fake webmail portal login is then displayed. 

Darktrace Coverage 

As the malicious emails contained links to ‘safe’ Google Translate domains, most email security products would not characterize the links as suspicious. However, Darktrace/Email levies hundreds of metrics to identify whether emails belong in a recipient’s inbox. In this case Darktrace highlighted anomalies including rare subdomains, links containing unknown redirects, emails from spoofed freemail accounts and senders that had sent a relatively large number of emails within a short time frame. Furthermore, the attacker had never sent any previous emails to the organization prior to this email campaign. 

On top of providing visibility, the RESPOND function of Darktrace/Email took action autonomously and instantaneously without any human confirmation required. These actions included locking links and holding malicious emails. 

Figure 4- Darktrace/Email overview tab shows the Anomaly Indicators section as well as the History, Association, and Validation information of this sender.

Figure 5 - The Darktrace RESPOND/Email model tab displays all models that triggered on the email and the associated actions. The most severe delivery action supersedes the others, so here the email was held. 

Concluding Thoughts 

Threat actors are continuously updating the way they deliver malicious payloads within emails. While this particular email campaign utilized Google Translate domains to hide malicious links, subsequent attacks may well be seen leveraging other legitimate domains. Companies are only as strong as their weakest link; a single compromised internal email account can be used to send phishing emails to internal recipients, collect sensitive company information, inject malware onto the device, and more. Security tools must evolve to focus on anomalies within the email, rather than relying on rules or signatures of previously seen attacks. Furthermore, email tools must be able to autonomously respond as soon as the malicious emails enter the company’s environment. Only with these precautions will the risks associated with malicious emails be mitigated. 

Thanks to Steven Haworth and Steven Sosa for their contributions.

Appendices 

Relevant Darktrace Model Detections

·      Association / Anomalous Association

·      Association / New Sender

·      Association / Unknown Sender

·      Association / Unlikely Recipient Association

·      High Antigena Anomaly [part of the RESPOND functionality]

·      Link / Low Link Association

·      Link / Low Link Association and Unknown Sender

·      Link / New Correspondent Classified Link

·      Link / New Unknown Redirect

·      Link / Open Redirect

·      Link / Visually Prominent Link

·      Spam / Unsolicited Bulk Mail

·      Spoof / Spoofed Freemail

·      Unusual / New Sender Wide Distribution

·      Unusual / Sender Surge

INSIDE THE SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
AUTHOR
ABOUT ThE AUTHOR
Rachel Resnekov
Cyber Analyst
Book a 1-1 meeting with one of our experts
share this article
PRODUCT SPOTLIGHT
No items found.
COre coverage
No items found.

More in this series

No items found.

Blog

No items found.

How 1.27 Centimeters Opened My Eyes to Continuous Threat and Exposure Management

Default blog imageDefault blog image
23
Jul 2024

Introduction

Fifteen years ago, I never realized that one point twenty-seven centimeters was the difference between keeping my family safe and having an intruder break into our home.

Yet that is exactly what happened. We came home one night and did not know intruders were already in our basement; and the only reason we were alerted to their presence was when they attempted to move to the upper levels after we had gone to sleep, and the main floor motion sensors triggered an alarm.

Fortunately, they fled. Some stolen electronics and a broken door were all the damage we suffered – and we realized how lucky we were as things could have ended up a lot worse.

Fortunately, they fled. Some stolen electronics and a broken door were all the damage we suffered – and we realized how lucky we were as things could have ended up a lot worse.

The culprit of the successful breach? Screws measuring 1.27 centimeters (that’s a half-inch if you’re not on the metric system yet) that held the glass windows of our basement French doors. Despite having door opening sensors and glass breakage sensors, we missed that the glass panel could be forcefully kicked out – and land – onto the carpeted floor.  No door was opened. No glass was broken (we used to have cats that roamed the basement, so motion sensors were not an option when we first moved in). The screws were not long enough to better secure the framing of the window.

Continuous Threat and Exposure Management

What does this have to do with CTEM, or Continuous Threat and Exposure Management? Well, once our situation changed and our cats were no longer with us; we a) did not reassess our detection capabilities and b) still did not realize we had a vulnerability exposure that could lead to a breach.

I fell into the same trap many organizations fall into where point in time assessments can create a false sense of security. Instead, CTEM offers a cyclical approach to assessing risk that involves five stages:  

Scope: To adopt a CTEM approach, organizations should first identify key business programs. There should be an understanding for each program what the impact to the business would be if something were to occur. An organization can, and most likely will, have multiple scopes defined as part of the CTEM process. For example, your customer relationship management (CRM) project may encompass a Saas solution such as SalesForce, tie-ins with selling partners, supply chain vendors, and multiple user groups (sales, finance, etc.).

Discover: Next, identification of systems, applications, and SaaS subscriptions that support the business program should be accounted for and documented. As you build out risk profiles for these assets, I believe it is also important to identify associated users (end-users, administrators, etc.), especially since user error / account takeover is a favored attack vector.

Prioritization: Proper prioritization is essential to a solid CTEM program. I go into more detail about Risk-Based Vulnerability Management (RBVM) later; but for now, prioritization deals with measuring the potential impact based on factors such as: prevalence of an exploit, lack of controls, program / asset criticality, and available mitigations.

Validation: This stage helps identify if an adversary could launch a successful attack. Red team exercises and breach simulation solutions are often utilized to exercise the organization’s ability to halt an attack before damage is done. Validation should go beyond the initial stage of the attack and explore available methods to reach the adversary’s mission objective.

Mobilization: Identified responses to breach attempts should be categorized into automated or manual processes. Automated response solutions such as Security Orchestration, Automation, and Response (SOAR) can be integral in ensuring actions are taken with appropriate authorization, remediation / response times are rapid, and procedures are executed without human error.

A properly managed CTEM program will help ensure survivability and rapid recovery when an attack occurs as well as minimizing the risk of an attack being successful. This also helps organizations move towards a more proactive security posture.

Implementing a Risk-Based Vulnerability Management Program

Now don’t get me wrong. I thought I had done a pretty good job covering the bases when we first moved in. I walked the alarm company “expert” through every room of the house, and we discussed every possible entry point. I ensured that every avenue of access was covered by two types of sensors. I asked questions about how an intruder was most likely to attempt to gain entry and ensured we had addressed the exposure.

I relied on the expertise of someone that while they worked for an alarm company, was not actually trained and experienced in criminal break-ins. At the end of this paper, I will list the recommendations made by a friend of ours that was a Deputy Chief of Police. Hint: It was eye-opening.

Risk-Based Vulnerability Management (RBVM) is an approach that helps organizations not boil the ocean (try to address every possible vulnerability that may exist) and avoid becoming myopically focused that you miss an attack path that is relevant.

Without expending the entire blog on all the details of CTEM and RBVM, let’s touch on the main components.

Vulnerability Scanning

Vulnerability Scanners can help you identify all the vulnerabilities that exist in your organization but are generally a point in time view. Update systems or applications, change configuration settings, deploy new systems or applications and the scan data may be meaningless – not to mention new vulnerabilities are discovered all the time.

CVE, or Common Vulnerabilities and Exposures, is a compilation of all known vulnerabilities. I emphasize known because adversaries love finding zero-days (and for how I describe zero-days, check out my LinkedIn posting: Race to the Bottom).

CVSS, or Common Vulnerability Scoring System, is a method to define the severity of the vulnerability. Scoring can be determined by things like complexity and skill to utilize the vulnerability, privileges required, what type of attack path is needed, and if user interaction is required to trigger the vulnerability.

CVE and CVSS however, do not address context of the vulnerability in an organization’s environment. A small number of vulnerabilities will account for the most risk in an organization. Remember, adversaries don’t care about risk scores…. If it gets them in, they will use it.

EPSS, or Exploit Prediction Scoring System, estimates whether a vulnerability is likely to be utilized by adversaries and provides an indication of the threat level to the organization.

Another nuance is ensuring you understand how the scanner is gathering and reporting vulnerabilities. One of my favorite questions to ask candidates I’ve interviewed is “How can two scanners interrogate the same system, where nothing changed in the system, both scanners executed flawlessly and knew to scan for the specific vulnerability…. yet one reports vulnerable and the other reports not vulnerable?” I had this occur, and the answer was that one scanner interrogated the running service, and based on how it responded could determine if the vulnerable version was running. The other scanner authenticated into the system and checked patch level installed – but the service/system had not been restarted. The configured state was NOT vulnerable, but the running state WAS vulnerable. This happens a lot after Microsoft Super Tuesday patches go out and users login and think “I’ve got work to do; I will reboot later”.

External Attack Surface Management (EASM)

Simply put, you can have a vulnerability, but if there is no path to exploiting the vulnerability, then the risk should be lowered. Even a high severity vulnerability is not a risk if it cannot be exploited, whereas a low-risk vulnerability (like 1.27cm screws) can provide a path to success for the adversary. EASM solutions were built to provide that context: Vulnerability + Exposure. BTW – I would not neglect Internal Attack Surface Management for potential Insider Threat risks.

Breach and Attack Simulation (BAS)

YARN | On my mark, rotate launch keys to "launch." | WarGames | Video gifs  by quotes | 24d1705c | 紗

It’s one thing to list vulnerabilities, another thing to say there are exposed systems with those vulnerabilities that could lead to an attack. But executing an attack simulation that shows you what the potential outcome(s) are if an attack occurred? This is what BAS solutions were built to assist with, and not only show attack paths ripe for exploitation, but also exercise SOC / IR teams in nearly real-world situations. Table-top exercises are good for verifying processes, but live-fire exercises are imperative to ensure your teams respond quickly and precisely when the real deal occurs (don’t make me whip out the beginning of Wargames on you, I’ve already used that movie twice before!).  

Risk-Based Context

I’ve often wondered why it’s 2024, I’ve been doing this for 30+ years, and breaches are still inevitable and security teams still struggle with many of the same issues they faced when I first got into this career.

I believe not addressing an RBVM approach could be one of those reasons. It’s not a priority if you have a vulnerability on a system that is not exposed for exploitation. It’s not a priority if a vulnerability has been mitigated by other compensating controls. Focusing solely on vulnerability scoring without regard to whether the vulnerability poses a real and credible threat to your organization diverts focus away from vulnerabilities that matter (this is the same mantra you will hear me evangelizing around SOCs expending time on alerts that do not matter).

When assessing context, I think of it in the following manner:

How Can Darktrace Help with your CTEM?

The Darktrace ActiveAI Security Platform is designed with CTEM in mind. Using patented AI capabilities at its core, components of the platform work in harmony to provide actionable intelligence to risks facing the organization.

PREVENT/ASM utilizes AI to help understand scope and what makes externally facing assets yours while providing associated risks and trends on the risk types identified. These findings are communicated to DETECT and RESPOND to harden critical paths.

Prevent/End-to-End (E2E) delivers attack path modeling for discovery and prioritization of high-value targets across all assets in your program’s scope, providing continuous visibility into relevant risks the organization faces.  E2E also utilizes AI-generated social engineering generated content for Breach & Attack Emulation scenarios involving Phishing / Spear-Phishing attack vectors.

Darktrace threat detection and autonomous response utilizes unsupervised machine learning at its core to identify anomalous activity, and if malicious events are occurring, enforce Pattern of Life allowing business operations to continue while stopping the breach from progressing.  This provides unprecedented speed of response to emerging threats.

So, ensure you’re addressing vulnerabilities in the proper context, because you never know when 1.27cm will ruin your day.

Appendix A: Deter Burglars from Breaking into Your Home

Another question I have asked candidates centers around what security controls they would implement to keep an advanced adversary away from a highly classified project; and shockingly, very few would mention any physical security controls or use of air-gapped networks. So, as promised, here are some recommendations from our Deputy Chief of Police friend on better securing your home, because we must protect ourselves, our information on our home and work computers, especially for remote staff:

32 in. x 80 in. Rustic Knotty Alder 2-Panel Square Top Left-Hand/Inswing  Grey Stain Wood Prehung Front Door
  1. Solid (no glass) doors that open outward for rear / side entryways – a kicked door will press against the framing providing stability. Hinges should not be exposed to the outside.  

STASUN LED Flood Light Outdoor, 150W 15000lm Outdoor Area Lighting, IP66  Waterproof Exterior Floodlight Commercial Security Light, 3000K Warm White,  3 ...
  1. Motion activated exterior flood lights – illumination is the enemy of thieves.  

Mortise Lock Set Screws (2 Screws Per Pack)
  1. Replace door hardware lockset screws with minimum 4-inch (that’s 10.16 centimeters) screws on all doors including interior ones – this should ensure screws firmly attach to trimmer and king studs in door frame and will add additional valuable seconds for the intruder to break through

home security Memes & GIFs - Imgflip
Dog Food Bowl
  1. Get a dog – a big dog. (I’ve amended this to include putting out fake dog bowls to make it look like you have a big dog!)  

SPT Interior/Exterior Simulated Security Camera
  1. Exterior video cameras – record and alert on activity around the house
LARSON Platinum Secure Glass Full-view Aluminum Storm Door With Quickfit  Handle | Retractable Screen Door Lowes | universoprofesional.com
  1. Tempered Safety Glass Storm Doors – whack at it for hours with a baseball bat and they still can’t get in
Should You Install Fake Home Security Yard Signs? – Forbes Home
  1. Alarm system warning signs for windows and doors
LG Electronics Recalls Free-Standing 86-Inch Smart Televisions and Stands  Due to Serious Tip-Over and Entrapment Hazards (Recall Alert) | CPSC.gov
  1. Pictures of valuables along with serial numbers (this won’t stop a break-in but could help in recovery of stolen items).

  1. Finally, an alarm system combining motion sensors with door/window sensors.
Continue reading
About the author
John Bradshaw
Sr. Director, Technical Marketing

Blog

Inside the SOC

Jupyter Ascending: Darktrace’s Investigation of the Adaptive Jupyter Information Stealer

Default blog imageDefault blog image
18
Jul 2024

What is Malware as a Service (MaaS)?

Malware as a Service (MaaS) is a model where cybercriminals develop and sell or lease malware to other attackers.

This approach allows individuals or groups with limited technical skills to launch sophisticated cyberattacks by purchasing or renting malware tools and services. MaaS is often provided through online marketplaces on the dark web, where sellers offer various types of malware, including ransomware, spyware, and trojans, along with support services such as updates and customer support.

The Growing MaaS Marketplace

The Malware-as-a-Service (MaaS) marketplace is rapidly expanding, with new strains of malware being regularly introduced and attracting waves of new and previous attackers. The low barrier for entry, combined with the subscription-like accessibility and lucrative business model, has made MaaS a prevalent tool for cybercriminals. As a result, MaaS has become a significant concern for organizations and their security teams, necessitating heightened vigilance and advanced defense strategies.

Examples of Malware as a Service

  • Ransomware as a Service (RaaS): Providers offer ransomware kits that allow users to launch ransomware attacks and share the ransom payments with the service provider.
  • Phishing as a Service: Services that provide phishing kits, including templates and email lists, to facilitate phishing campaigns.
  • Botnet as a Service: Renting out botnets to perform distributed denial-of-service (DDoS) attacks or other malicious activities.
  • Information Stealer: Information stealers are a type of malware specifically designed to collect sensitive data from infected systems, such as login credentials, credit card numbers, personal identification information, and other valuable data.

How does information stealer malware work?

Information stealers are an often-discussed type MaaS tool used to harvest personal and proprietary information such as administrative credentials, banking information, and cryptocurrency wallet details. This information is then exfiltrated from target networks via command-and-control (C2) communication, allowing threat actors to monetize the data. Information stealers have also increasingly been used as an initial access vector for high impact breaches including ransomware attacks, employing both double and triple extortion tactics.

After investigating several prominent information stealers in recent years, the Darktrace Threat Research team launched an investigation into indicators of compromise (IoCs) associated with another variant in late 2023, namely the Jupyter information stealer.

What is Jupyter information stealer and how does it work?

The Jupyter information stealer (also known as Yellow Cockatoo, SolarMarker, and Polazert) was first observed in the wild in late 2020. Multiple variants have since become part of the wider threat landscape, however, towards the end of 2023 a new variant was observed. This latest variant achieved greater stealth and updated its delivery method, targeting browser extensions such as Edge, Firefox, and Chrome via search engine optimization (SEO) poisoning and malvertising. This then redirects users to download malicious files that typically impersonate legitimate software, and finally initiates the infection and the attack chain for Jupyter [3][4]. In recently noted cases, users download malicious executables for Jupyter via installer packages created using InnoSetup – an open-source compiler used to create installation packages in the Windows OS.

The latest release of Jupyter reportedly takes advantage of signed digital certificates to add credibility to downloaded executables, further supplementing its already existing tactics, techniques and procedures (TTPs) for detection evasion and sophistication [4]. Jupyter does this while still maintaining features observed in other iterations, such as dropping files into the %TEMP% folder of a system and using PowerShell to decrypt and load content into memory [4]. Another reported feature includes backdoor functionality such as:

  • C2 infrastructure
  • Ability to download and execute malware
  • Execution of PowerShell scripts and commands
  • Injecting shellcode into legitimate windows applications

Darktrace Coverage of Jupyter information stealer

In September 2023, Darktrace’s Threat Research team first investigated Jupyter and discovered multiple IoCs and TTPs associated with the info-stealer across the customer base. Across most investigated networks during this time, Darktrace observed the following activity:

  • HTTP POST requests over destination port 80 to rare external IP addresses (some of these connections were also made via port 8089 and 8090 with no prior hostname lookup).
  • HTTP POST requests specifically to the root directory of a rare external endpoint.
  • Data streams being sent to unusual external endpoints
  • Anomalous PowerShell execution was observed on numerous affected networks.

Taking a further look at the activity patterns detected, Darktrace identified a series of HTTP POST requests within one customer’s environment on December 7, 2023. The HTTP POST requests were made to the root directory of an external IP address, namely 146.70.71[.]135, which had never previously been observed on the network. This IP address was later reported to be malicious and associated with Jupyter (SolarMarker) by open-source intelligence (OSINT) [5].

Device Event Log indicating several connections from the source device to the rare external IP address 146.70.71[.]135 over port 80.
Figure 1: Device Event Log indicating several connections from the source device to the rare external IP address 146.70.71[.]135 over port 80.

This activity triggered the Darktrace / NETWORK model, ‘Anomalous Connection / Posting HTTP to IP Without Hostname’. This model alerts for devices that have been seen posting data out of the network to rare external endpoints without a hostname. Further investigation into the offending device revealed a significant increase in external data transfers around the time Darktrace alerted the activity.

This External Data Transfer graph demonstrates a spike in external data transfer from the internal device indicated at the top of the graph on December 7, 2023, with a time lapse shown of one week prior.
Figure 2: This External Data Transfer graph demonstrates a spike in external data transfer from the internal device indicated at the top of the graph on December 7, 2023, with a time lapse shown of one week prior.

Packet capture (PCAP) analysis of this activity also demonstrates possible external data transfer, with the device observed making a POST request to the root directory of the malicious endpoint, 146.70.71[.]135.

PCAP of a HTTP POST request showing streams of data being sent to the endpoint, 146.70.71[.]135.
Figure 3: PCAP of a HTTP POST request showing streams of data being sent to the endpoint, 146.70.71[.]135.

In other cases investigated by the Darktrace Threat Research team, connections to the rare external endpoint 67.43.235[.]218 were detected on port 8089 and 8090. This endpoint was also linked to Jupyter information stealer by OSINT sources [6].

Darktrace recognized that such suspicious connections represented unusual activity and raised several model alerts on multiple customer environments, including ‘Compromise / Large Number of Suspicious Successful Connections’ and ‘Anomalous Connection / Multiple Connections to New External TCP Port’.

In one instance, a device that was observed performing many suspicious connections to 67.43.235[.]218 was later observed making suspicious HTTP POST connections to other malicious IP addresses. This included 2.58.14[.]246, 91.206.178[.]109, and 78.135.73[.]176, all of which had been linked to Jupyter information stealer by OSINT sources [7] [8] [9].

Darktrace further observed activity likely indicative of data streams being exfiltrated to Jupyter information stealer C2 endpoints.

Graph displaying the significant increase in the number of HTTP POST requests with No Get made by an affected device, likely indicative of Jupyter information stealer C2 activity.
Figure 4: Graph displaying the significant increase in the number of HTTP POST requests with No Get made by an affected device, likely indicative of Jupyter information stealer C2 activity.

In several cases, Darktrace was able to leverage customer integrations with other security vendors to add additional context to its own model alerts. For example, numerous customers who had integrated Darktrace with Microsoft Defender received security integration alerts that enriched Darktrace’s model alerts with additional intelligence, linking suspicious activity to Jupyter information stealer actors.

The security integration model alerts ‘Security Integration / Low Severity Integration Detection’ and (right image) ‘Security Integration / High Severity Integration Detection’, linking suspicious activity observed by Darktrace with Jupyter information stealer (SolarMarker).
Figure 5: The security integration model alerts ‘Security Integration / Low Severity Integration Detection’ and (right image) ‘Security Integration / High Severity Integration Detection’, linking suspicious activity observed by Darktrace with Jupyter information stealer (SolarMarker).

Conclusion

The MaaS ecosystems continue to dominate the current threat landscape and the increasing sophistication of MaaS variants, featuring advanced defense evasion techniques, poses significant risks once deployed on target networks.

Leveraging anomaly-based detections is crucial for staying ahead of evolving MaaS threats like Jupyter information stealer. By adopting AI-driven security tools like Darktrace / NETWORK, organizations can more quickly identify and effectively detect and respond to potential threats as soon as they emerge. This is especially crucial given the rise of stealthy information stealing malware strains like Jupyter which cannot only harvest and steal sensitive data, but also serve as a gateway to potentially disruptive ransomware attacks.

Credit to Nahisha Nobregas (Senior Cyber Analyst), Vivek Rajan (Cyber Analyst)

References

1.     https://www.paloaltonetworks.com/cyberpedia/what-is-multi-extortion-ransomware

2.     https://flashpoint.io/blog/evolution-stealer-malware/

3.     https://blogs.vmware.com/security/2023/11/jupyter-rising-an-update-on-jupyter-infostealer.html

4.     https://www.morphisec.com/hubfs/eBooks_and_Whitepapers/Jupyter%20Infostealer%20WEB.pdf

5.     https://www.virustotal.com/gui/ip-address/146.70.71.135

6.     https://www.virustotal.com/gui/ip-address/67.43.235.218/community

7.     https://www.virustotal.com/gui/ip-address/2.58.14.246/community

8.     https://www.virustotal.com/gui/ip-address/91.206.178.109/community

9.     https://www.virustotal.com/gui/ip-address/78.135.73.176/community

Appendices

Darktrace Model Detections

  • Anomalous Connection / Posting HTTP to IP Without Hostname
  • Compromise / HTTP Beaconing to Rare Destination
  • Unusual Activity / Unusual External Data to New Endpoints
  • Compromise / Slow Beaconing Activity To External Rare
  • Compromise / Large Number of Suspicious Successful Connections
  • Anomalous Connection / Multiple Failed Connections to Rare Endpoint
  • Compromise / Excessive Posts to Root
  • Compromise / Sustained SSL or HTTP Increase
  • Security Integration / High Severity Integration Detection
  • Security Integration / Low Severity Integration Detection
  • Anomalous Connection / Multiple Connections to New External TCP Port
  • Unusual Activity / Unusual External Data Transfer

AI Analyst Incidents:

  • Unusual Repeated Connections
  • Possible HTTP Command and Control to Multiple Endpoints
  • Possible HTTP Command and Control

List of IoCs

Indicators – Type – Description

146.70.71[.]135

IP Address

Jupyter info-stealer C2 Endpoint

91.206.178[.]109

IP Address

Jupyter info-stealer C2 Endpoint

146.70.92[.]153

IP Address

Jupyter info-stealer C2 Endpoint

2.58.14[.]246

IP Address

Jupyter info-stealer C2 Endpoint

78.135.73[.]176

IP Address

Jupyter info-stealer C2 Endpoint

217.138.215[.]105

IP Address

Jupyter info-stealer C2 Endpoint

185.243.115[.]88

IP Address

Jupyter info-stealer C2 Endpoint

146.70.80[.]66

IP Address

Jupyter info-stealer C2 Endpoint

23.29.115[.]186

IP Address

Jupyter info-stealer C2 Endpoint

67.43.235[.]218

IP Address

Jupyter info-stealer C2 Endpoint

217.138.215[.]85

IP Address

Jupyter info-stealer C2 Endpoint

193.29.104[.]25

IP Address

Jupyter info-stealer C2 Endpoint

Continue reading
About the author
Nahisha Nobregas
SOC Analyst
Our ai. Your data.

Elevate your cyber defenses with Darktrace AI

Start your free trial
Darktrace AI protecting a business from cyber threats.