Blog
/

Threat Finds

/
March 20, 2019

The Invisible Threat: How AI Catches the Ursnif Trojan

Default blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog image
20
Mar 2019
The cyber AI approach successfully detected the Ursnif infections even though the new variant of this malware was unknown to security vendors at the time.

Over the past few months, I’ve analyzed some of the world’s stealthiest trojan attacks like Emotet, which employ deception to bypass traditional security tools that rely on rules and signatures. Guest contributor Keith Siepel also explained how cyber AI defenses managed to catch a zero-day trojan on his firm’s network for which no such rules or signatures yet exist. Indeed, with the incidence of banking trojans having increased by 239% among our customer base last year, it appears that this kind of subterfuge is the new normal.

However, one particularly sophisticated trojan, Ursnif, takes deception a step further evidence of which we are still seeing emerge. Rather than writing executable files that contain malicious code, some of its variants instead exploit vulnerabilities inherent to a user’s own applications, essentially turning the victim’s computer against them. The result of this increasingly common technique is that — once the victim has been tricked into clicking a malicious link or duped into opening an attachment via a phishing email — Ursnif begins to ‘live off the land’, blending into the victim’s environment. And by exploiting Microsoft Office and Windows features, such as document macros, PsExec, and PowerShell scripts, Ursnif can execute commands directly from the computer’s RAM.

One of the most prevalent and destructive strains of the Gozi banking malware, Ursnif was recently placed at the center of a new campaign that saw it dramatically expand its functionality. Originally created to infect hosts with spyware in order to steal sensitive banking information and user credentials, it can now also deploy advanced ransomware like GandCrab. These new functions are aided by the elusive trojan’s aforementioned file-less capabilities, which render it invisible to many security tools and allow it to hide in plain sight within legitimate, albeit corrupted applications. Shining a light on Ursnif therefore requires AI tools that can learn to spot when these applications act abnormally:

Cyber AI detects Ursnif on multiple client networks

First campaign: February 4, 2019

Darktrace detected the initial Ursnif compromise on a customer’s network when it caught several devices connecting to a highly unusual endpoint and subsequently downloading masqueraded files, causing Darktrace’s “Anomalous File / Masqueraded File Transfer” model to breach. Such files are often masqueraded as other file types not only to bypass traditional security measures but also to deceive users — for instance, with the intention of tricking a user into executing a file received in a malicious email by disguising it as a document.

As it happens, this Ursnif variant was a zero-day at the time Darktrace detected it, meaning that its files were unknown to antivirus vendors. But while the never-before-seen files bypassed the customer’s endpoint tools, Darktrace AI leveraged its understanding of the unique ‘pattern of life’ for every user and device in the customer’s network to flag these file downloads as threatening anomalies — without relying on signatures.

A sample of the masqueraded files initially downloaded:

File: xtex13.gas
File MIME type: application/x-dosexec
Size: 549.38 KB
Connection UID: C8SlueG1mT7VdcJ00

File: zyteb17.gas
File MIME type: application/x-dosexec
SHA-1 hash: 4ed60393575d6b47bd82eeb03629bdcb8876a73f
Size: 276.48 KB

File: File: adnaz2.gas
File MIME type: application/x-dosexec
Size: 380.93 KB
Connection UID: CmPOzP1AC4tzuuuW00

A sample of the endpoints detected:

kieacsangelita[.]city · 209.141.60[.]214
muikarellep[.]band · 46.29.167[.]73
cjasminedison[.]com · 185.120.58[.]13

Following the initial suspicious downloads, the compromised devices were further observed making regular connections to multiple rare destinations not previously seen on the affected network in a pattern of beaconing connectivity. In some cases, Darktrace marked these external destinations as suspicious when it recognized the hostnames they queried as algorithm-generated domains. High volumes of DNS requests for such domains is a common characteristic of malware infections, which use this tactic to maintain communication with C2 servers in spite of domain black-listing. In other cases, the endpoints were deemed suspicious because of their use of self-signed SSL certificates, which cyber-criminals often use because they do not require verification by a trusted authority.

In fact, the large volume of anomalous connections commonly triggered a number of Darktrace’s behavioral models, including:

Compromise / DGA Beacon
Anomalous Connection / Suspicious Self-Signed SSL
Compromise / High Volume of Connections with Beacon Score
Compromise / Beaconing Activity To Rare External Endpoint

Beaconing is a method of communication frequently seen when a compromised device attempts to relay information to its control infrastructure in order to receive further instructions. This behavior is characterized by persistent external connections to one or multiple endpoints, a pattern that was repeatedly observed for those devices that had previously downloaded malicious files from the endpoints later associated with the Ursnif campaign. While beaconing behavior to unusual destinations is not necessarily always indicative of infection, Darktrace AI concluded that, in combination with the suspicious file downloads, this type of activity represented a clear indication of compromise.

Figure 1: A device event log that shows the device had connected to internal mail servers shortly before downloading the malicious files.

Lateral movement and file-less capabilities

In the wake of the initial compromise, Darktrace AI also detected Ursnif’s lateral movement and file-less capabilities in real time. In the case of one infected device, an “Anomalous Connection / High Volume of New Service Control” model breach was triggered following the aforementioned suspicious activities. The device in question was flagged after making anomalous SMB connections to at least 47 other internal devices, and after accessing file shares which it had not previously connected. Subsequently, the device was observed writing to the other devices’ service control pipe – a channel used for the remote control of services. The anomalous use of these remote-control channels represent compelling examples of how Ursnif leverages its file-less capabilities to facilitate lateral movement.

Figure 2: Volume of SMB writes made to the service control pipe on internal devices by one of the infected devices, as shown on the Darktrace UI.

Although network administrators often use remote control channels for legitimate purposes, Darktrace AI considered this particular usage highly suspicious, particularly as both devices had previously breached a number of behavioral models as a result of infection.

Second campaign: March 18, 2019

A second Ursnif campaign was detected just this week. At the time of detection, no OSINT was available for the C2 servers nor the malware samples.

On a US manufacturer’s network, the initial malware download took place from: xqzuua1594[.]com/loq91/10x.php?l=mow1.jad hosted on IP 94.154.10[.]62.
Every single malware download is unique. This is indicating auto-patching or a malware factory working in the background.
Darktrace immediately identified this as another Anomalous File / Masqueraded File Transfer.

Directly after this, initial C2 was observed with the following parameters:

HTTP GET to: vwdlpknpsierra[.]email
Destination IP: 162.248.225[.]14
URI: /images/CKicJCsNNNfaJwX6CJ/0Ohp3OUfj/pI_2FszUK7ybqh33Qdwz/bOUeatCG2Qfks5DTzzO/H6SeiL8YozEYXKfornjfVt/hBgfcPVPCOf1H/2qo12IGl/L3B18ld4ZSx37TbdTUpALih/A5dl8FVHel/jMPIKnQfd/H.avi
User Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko

What’s interesting here is that the C2 server provides a Sufee Admin login page:

This C2 appears to have bad operational security (OPSEC) as browsing random URIs on the server reveals some of the dashboard’s contents:

The initial C2 communication was followed by sustained TCP beaconing to ksylviauudaren[.]band on 185.180.198[.]245 over port 443 with SSL encryption using a self-signed certificate. Darktrace highlighted this C2 behavior as Compromise / Sustained TCP Beaconing Activity To Rare Endpoint and Anomalous Connection / Repeated Rare External SSL Self-Signed IP.

As of the writing of this article, the domain ksylviauudaren[.]band was still not recognized in OSINT as malicious – highlighting again Darktrace’s independence of signatures and rules to catch previously unknown threats.

Conclusion

The cyber AI approach successfully detected the Ursnif infections even though the new variant of this malware was unknown to security vendors at the time. Moreover, it even managed to catch Ursnif’s file-less capabilities for lateral movement through its modelling of expected patterns of connectivity. In terms of the wider security context, the ease with which cyber AI flagged such sophisticated malware — malware which takes action by corrupting a computer’s own applications — further demonstrates that AI anomaly detection is the only way to navigate a threat landscape increasingly populated by near-invisible trojans.

IoCs

kieacsangelita[.]city · 209.141.60[.]214
muikarellep[.]band · 46.29.167[.]73
cjasminedison[.]com · 185.120.58[.]13
xqzuua1594[.]com · 94.154.10.[6]2
vwdlpknpsierra[.]email · 162.248.225[.]14
ksylviauudaren[.]band · 185.180.198[.]245

Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Author
Max Heinemeyer
Chief Product Officer

Max is a cyber security expert with over a decade of experience in the field, specializing in a wide range of areas such as Penetration Testing, Red-Teaming, SIEM and SOC consulting and hunting Advanced Persistent Threat (APT) groups. At Darktrace, Max is closely involved with Darktrace’s strategic customers & prospects. He works with the R&D team at Darktrace, shaping research into new AI innovations and their various defensive and offensive applications. Max’s insights are regularly featured in international media outlets such as the BBC, Forbes and WIRED. Max holds an MSc from the University of Duisburg-Essen and a BSc from the Cooperative State University Stuttgart in International Business Information Systems.

Book a 1-1 meeting with one of our experts
Share this article

More in this series

No items found.

Blog

/

December 19, 2024

/
No items found.

Darktrace Recognized in the Gartner® Magic Quadrant™ for Email Security Platforms

Default blog imageDefault blog image

Darktrace has been recognized in the first ever Gartner Magic Quadrant for Email Security Platforms (ESP).  As a Challenger, we have been recognized based on our Ability to Execute and Completeness of Vision.

The Gartner Magic Quadrant for Email Security is designed to help organizations evaluate which email security solutions might be the best fit for their needs by providing a visual representation of the market vendors and the strengths and cautions of different vendors. We encourage our customers to read the full report to get the complete picture.

Darktrace / EMAIL has a unique AI approach to identifying threats, including NLP and behavioral analysis, instead of traditional security measures like signatures and sandboxing – providing protection against advanced attacks like Business Email Compromise (BEC) and spear phishing. We believe our AI-first approach delivers high-quality solutions that our customers trust, allowing them to stay ahead of sophisticated threats that other tools miss.  

We’re proud of Darktrace’s rapid growth, geographic scale, and ability to execute effectively in the email security market, which reflect our commitment to delivering high-quality, reliable solutions that meet the evolving needs of our customers.

What do we believe makes Darktrace the fastest growing email security solution on the market?

An AI-first approach to innovation: Catching the threats others miss

As one of the founders of the ICES category, Darktrace has a long history of innovation, backed by over 200 patents. While other email security solutions are only just starting to apply machine learning (ML) techniques to outdated methods like signature analysis, reputation lists, and sandboxing, Darktrace has redefined the approach to email threat detection with its pioneering AI-driven anomaly detection engine.

Traditional ESPs often miss advanced threats because they rely on rules and signatures that focus on payloads and blindly trust known sources. This approach requires constant updates and frequently fails to detect threats like Business Email Compromise and Spear Phishing. In contrast, Darktrace / EMAIL uses advanced anomaly detection to identify the most sophisticated threats by focusing on unusual patterns and behaviors. This innovative approach has consistently delivered superior detection, stopping on average 58% of the threats that other solutions in the security stack miss.1

But our AI-first approach doesn’t stop at the inbox. At Darktrace, we transcend the limitations of traditional email security by leveraging a platform that unifies insights across multiple domains, providing robust protection against multi-domain threats. Our award-winning solutions defend the most popular attack vectors, including email, messaging, network, and identity protection. By combining signals from all domains, we establish unique behavioral profiles for each device and user, significantly enhancing detection precision.  

This pioneering approach has led to introducing industry-first advancements like QR code analysis and automated incident investigations, alongside game-changing functionality including:

  • Microsoft Teams security with advanced messaging analysis: The ability to identify critical early phishing and insider threats across both email and Microsoft Teams messaging.  
  • AI analyst narratives for improved end user reporting: that reduces phishing investigations by 60% by exposing unique narratives that provide the context of each received email and give feedback to each employee as they interact with their mail.2
  • Mailbox Security Assistant: to perform advanced behavioral browser analysis and stop malicious links within webpages, detecting and remediating 70% more malicious phishing links than traditional tools.3  
  • AI based, autonomous data loss prevention: to immediately secure your organization from misdirected emails, insider threats, and data loss—both classified and unclassified- without any administrative overhead.

Customer trust that fuels exponential growth

With almost 5,000 customers in under 5 years, we've doubled the growth rate of other vendors in the email security market. Our rapid market penetration, fueled by customer satisfaction and pioneering technology, showcases our revolutionary approach and sets new industry standards. 

Darktrace’s exceptional customer retention is fueled by an unparalleled customer experience, extensive regional support, dedicated account teams, and cutting-edge scalable technology. We pride ourselves on having a global network with local expertise, consisting of 110 worldwide offices which provide local language and technical support to offer multilingual, in-house assistance to our customer base.

Check it out – Darktrace / EMAIL has the highest percentage of 5-star ratings with a 4.8 rating on Gartner® Peer Insights™.4

Supporting every stage of your email security journey

Darktrace / EMAIL supports your security maturity journey, from first time security buyers to mature security stacks looking to augment their existing ESPs – by handling advanced threats without extensive tuning. And unlike other solutions that create a siloed and parallel solution, it works harmoniously with native email providers to create a modern email security stack. That’s why Darktrace performs well with first-time email security buyers and has strong renewal rates.

Integrating with Microsoft and Google via API, we replace traditional Secure Email Gateways (SEGs) with a modern, comprehensive email security stack. By combining approaches, our solution merges attack-centric analysis, which learns attack patterns and threat intelligence, with a business-centric approach that understands user behavior and inbox activity to deliver a unified stack that defends the entire threat spectrum – leading Darktrace to be recognized as Microsoft Partner of the year UK 2024.  

Our user-friendly, self-learning AI solution requires minimal tuning and deployment, making it perfect for customers looking for a highly usable but lightly configurable solution that will accompany them throughout their lifetime as they mature their email security stack in line with the evolving threat landscape.

Learn more

Get complimentary access to the full Gartner® Magic Quadrant™ for Email Security Platforms here.

To learn more about Darktrace / EMAIL or to get a free demo, check out the product hub.

References

1 From September 1 – December 31 2023, 58% of the phishing emails analyzed by Darktrace / EMAIL had already passed through native spam filtering and email security controls. (Darktrace End of Year Threat Report 2023)

2 When customers deployed the Darktrace / EMAIL Outlook Add-in there was a 60% decrease in incorrectly reported phishing emails. Darktrace Internal Research, 2024

3 Once a user reports phishing that contains a link, an automated second level triage engages our link analysis infrastructure expanding the signals analyzed. Darktrace Internal Research, 2024

4 Based on 252 reviews as of 19th December 2024

Continue reading
About the author
Carlos Gray
Product Manager

Blog

/

December 17, 2024

/

Inside the SOC

Cleo File Transfer Vulnerability: Patch Pitfalls and Darktrace’s Detection of Post-Exploitation Activities

Default blog imageDefault blog image

File transfer applications: A target for ransomware

File transfer applications have been a consistent target, particularly for ransomware groups, in recent years because they are key parts of business operations and have trusted access across different parts of an organization that include potentially confidential and personal information about an organization and its employees.

Recent targets of ransomware criminals includes applications like Acellion, Moveit, and GoAnywhere [1]. This seems to have been the case for Cleo’s managed file transfer (MFT) software solutions and the vulnerability CVE-2024-50623.

Threat overview: Understanding Cleo file transfer vulnerability

This vulnerability was believed to have been patched with the release of version 5.8.0.21 in late October 2024. However, open-source intelligence (OSINT) reported that the Clop ransomware group had managed to bypass the initial patch in late November, leading to the successful exploitation of the previously patched CVE.

In the last few days Cleo has published a new vulnerability, CVE-2024-55956, which is not a patch bypass of the CVE-2024-50623 but rather another vulnerability. This is also an unauthenticated file write vulnerability but while CVE-2024-50623 allows for both reading and writing arbitrary files, the CVE-2024-55956 only allows for writing arbitrary files and was addressed in version 5.8.0.24 [2].

Darktrace Threat Research analysts have already started investigating potential signs of devices running the Cleo software with network traffic supporting this initial hypothesis.

Comparison of CVE-2024-50623 and CVE-2024-55956

While CVE-2024-50623 was initially listed as a cross-site scripting issue, it was updated on December 10 to reflect unrestricted file upload and download. This vulnerability could lead to remote code execution (RCE) in versions of Cleo’s Harmony, VLTrader, and LexiCom products prior to 5.8.0.24. Attackers could leverage the fact that files are placed in the "autorun" sub-directory within the installation folder and are immediately read, interpreted, and evaluated by the susceptible software [3].

CVE-2024-55956, refers to an unauthenticated user who can import and execute arbitrary Bash or PowerShell commands on the host system by leveraging the default settings of the Autorun directory [4]. Both CVEs have occurred due to separate issues in the “/Synchronization” endpoint.

Investigating post exploitation patterns of activity on Cleo software

Proof of exploitation

Darktrace’s Threat Research analysts investigated multiple cases where devices identified as likely running Cleo software were detected engaging in unusual behavior. Analysts also attempted to identify any possible association between publicly available indicators of compromise (IoCs) and the exploitation of the vulnerability, using evidence of anomalous network traffic.

One case involved an Internet-facing device likely running Cleo VLTrader software (based on its hostname) reaching out to the 100% rare Lithuanian IP 181.214.147[.]164 · AS 15440 (UAB Baltnetos komunikacijos).

This activity occurred in the early hours of December 8 on the network of a customer in the energy sector. Darktrace detected a Cleo server transferring around over 500 MB of data over multiple SSL connections via port 443 to the Lithuanian IP. External research reported that this IP appears to be a callback IP observed in post-exploitation activity of vulnerable Cleo devices [3].

While this device was regularly observed sending data to external endpoints, this transfer represented a small increase in data sent to public IPs and coupled with the rarity of the destination, triggered a model alert as well as a Cyber AI Analyst Incident summarizing the transfer. Unfortunately, due to the encrypted connection no further analysis of the transmitted data was possible. However, due to the rarity of the activity, Darktrace’s Autonomous Response intervened and prevented any further connections to the IP.

 Model Alert Event Log show repeated connections to the rare IP, filtered with the rarity metric.
Figure 1: Model Alert Event Log show repeated connections to the rare IP, filtered with the rarity metric.
Shows connections to 181.214.147[.]164 and the amount of data transferred.
Figure 2: Shows connections to 181.214.147[.]164 and the amount of data transferred.

On the same day, external connections were observed to the external IP 45.182.189[.]225, along with inbound SSL connections from the same endpoint. OSINT has also linked this IP to the exploitation of Cleo software vulnerabilities [5].

Outgoing connections from a Cleo server to an anomalous endpoint.
Figure 3: Outgoing connections from a Cleo server to an anomalous endpoint.
 Incoming SSL connections from the external IP 45.182.189[.]225.
Figure 4: Incoming SSL connections from the external IP 45.182.189[.]225.

Hours after the last connection to 181.214.147[.]164, the integration detection tool from CrowdStrike, which the customer had integrated with Darktrace, issued an alert. This alert provided additional visibility into host-level processes and highlighted the following command executed on the Cleo server:

“D:\VLTrader\jre\bin\java.exe" -jar cleo.4889

Figure 5: The executed comand “D:\VLTrader\jre\bin\java.exe" -jar cleo.4889 and the Resource Location: \Device\HarddiskVolume3\VLTrader\jre\bin\java.exe.

Three days later, on December 11, another CrowdStrike integration alert was generated, this time following encoded PowerShell command activity on the server. This is consistent with post-exploitation activity where arbitrary PowerShell commands are executed on compromised systems leveraging the default settings of the Autorun directory, as highlighted by Cleo support [6]. According to external researchers , this process initiates connections to an external IP to retrieve JAR files with webshell-like functionality for continued post-exploitation [3]. The IP embedded in both commands observed by Darktrace was 38.180.242[.]122, hosted on ASN 58061(Scalaxy B.V.). There is no OSINT associating this IP with Cleo vulnerability exploitation at the time of writing.

Another device within the same customer network exhibited similar data transfer and command execution activity around the same time, suggesting it had also been compromised through this vulnerability. However, this second device contacted a different external IP, 5.45.74[.]137, hosted on AS 58061 (Scalaxy B.V.).

Like the first device, multiple connections to this IP were detected, with almost 600 MB of data transferred over the SSL protocol.

The Security Integration Detection Model that was triggered  and the PowerShell command observed
Figure 6: The Security Integration Detection Model that was triggered  and the PowerShell command observed
 Incoming connections from the external IP 38.180.242[.]122.
Figure 7: Incoming connections from the external IP 38.180.242[.]122.
Connections to the external IP 5.45.74[.]137.
Figure 8: Connections to the external IP 5.45.74[.]137.
Figure 9: Autonomous Response Actions triggered during the suspicious activities

While investigating potential Cleo servers involved in similar outgoing data activity, Darktrace’s Threat Research team identified two additional instances of likely Cleo vulnerability exploitation used to exfiltrate data outside the network. In those two instances, unusual outgoing data transfers were observed to the IP 176.123.4[.]22 (AS 200019, AlexHost SRL), with around 500 MB of data being exfiltrated over port 443 in one case (the exact volume could not be confirmed in the other instance). This IP was found embedded in encoded PowerShell commands examined by external researchers in the context of Cleo vulnerability exploitation investigations.

Conclusion

Overall, Cleo software represents a critical component of many business operations, being utilized by over 4,000 organizations worldwide. This renders the software an attractive target for threat actors who aim at exploiting internet-facing devices that could be used to compromise the software’s direct users but also other dependent industries resulting in supply chain attacks.

Darktrace / NETWORK was able to capture traffic linked to exploitation of CVE-2024-50623 within models that triggered such as Unusual Activity / Unusual External Data to New Endpoint while its Autonomous Response capability successfully blocked the anomalous connections and exfiltration attempts.

Information on new CVEs, how they're being exploited, and whether they've been patched can be fast-changing, sometimes limited and often confusing. Regardless, Darktrace is able to identify and alert to unusual behavior on these systems, indicating exploitation.

Credit to Maria Geronikolou, Alexandra Sentenac, Emma Fougler, Signe Zaharka and the Darktrace Threat Research team

Insights from Darktrace’s First 6: Half-year threat report for 2024

First 6: half year threat report darktrace screenshot

Darktrace’s First 6: Half-Year Threat Report 2024 highlights the latest attack trends and key threats observed by the Darktrace Threat Research team in the first six months of 2024.

  • Focuses on anomaly detection and behavioral analysis to identify threats
  • Maps mitigated cases to known, publicly attributed threats for deeper context
  • Offers guidance on improving security posture to defend against persistent threats

Appendices

References

[1] https://blog.httpcs.com/en/file-sharing-and-transfer-software-the-new-target-of-hackers/

[2] https://attackerkb.com/topics/geR0H8dgrE/cve-2024-55956/rapid7-analysis

[3] https://www.huntress.com/blog/threat-advisory-oh-no-cleo-cleo-software-actively-being-exploited-in-the-wild

[4] https://nvd.nist.gov/vuln/detail/CVE-2024-55956

[5] https://arcticwolf.com/resources/blog/cleopatras-shadow-a-mass-exploitation-campaign/

[6] https://support.cleo.com/hc/en-us/articles/28408134019735-Cleo-Product-Security-Advisory-CVE-Pending

[7] https://support.cleo.com/hc/en-us/articles/360034260293-Local-HTTP-Users-Configuration

Darktrace Model Alerts

Anomalous Connection / Data Sent to Rare Domain

Unusual Activity / Unusual External Data to New Endpoint

Unusual Activity / Unusual External Data Transfer

Device / Internet Facing Device with High Priority Alert

Anomalous Server Activity / Rare External from Server

Anomalous Connection / New User Agent to IP Without Hostname

Security Integration / High Severity Integration Incident

Security Integration / Low Severity Integration Detection

Autonomous Response Model Detections

Antigena / Network / Insider Threat / Antigena Large Data Volume Outbound Block

Antigena / Network / Significant Anomaly / Antigena Significant Server Anomaly Block

Antigena / Network / Significant Anomaly / Antigena Controlled and Model Alert

Cyber AI Analyst Incidents

Unusual External Data Transfer

MITRE ATT&CK Mapping

Tactic – Technique

INITIAL ACCESS – Exploit Public-Facing Application

COMMAND AND CONTROL – Application Layer Protocol (Web Protocols)

COMMAND AND CONTROL – Encrypted Channel

PERSISTENCE – Web Shell

EXFILTRATION - Exfiltration Over C2 Channel

IoC List

IoC       Type    Description + Probability

181.214.147[.]164      IP Address       Likely C2 Infrastructure

176.123.4[.]22            IP Address       Likely C2 Infrastructure

5.45.74[.]137               IP Address           Possible C2 Infrastructure

38.180.242[.]122        IP Address       Possible C2 Infrastructure

Continue reading
About the author
Maria Geronikolou
Cyber Analyst
Your data. Our AI.
Elevate your network security with Darktrace AI