{ "Event": { "analysis": "1", "date": "2025-02-14", "extends_uuid": "", "info": "[Threat Intel] Inside a Malware Campaign: A Nigerian Hacker's Perspective", "protected": false, "publish_timestamp": "1780041126", "published": true, "threat_level_id": "3", "timestamp": "1772902044", "uuid": "0d554823-c011-4abf-95ce-69d1449a2ff8", "Orgc": { "name": "Rectifyq", "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4" }, "Tag": [ { "colour": "#ffffff", "local": false, "name": "tlp:clear", "relationship_type": "" }, { "colour": "#004646", "local": false, "name": "type:OSINT", "relationship_type": "" }, { "colour": "#b94b1d", "local": false, "name": "rectifyq:mitre-att&ck=\"none-from-src\"", "relationship_type": "" }, { "colour": "#b94b1d", "local": false, "name": "rectifyq:mitre-att&ck=\"from-OTX\"", "relationship_type": "" }, { "colour": "#a92e1c", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Deobfuscate/Decode Files or Information - T1140\"", "relationship_type": "" }, { "colour": "#43c8db", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Process Injection - T1055\"", "relationship_type": "" }, { "colour": "#3780c6", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"User Execution - T1204\"", "relationship_type": "" }, { "colour": "#755c09", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"PowerShell - T1059.001\"", "relationship_type": "" }, { "colour": "#1b95cd", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Phishing - T1566\"", "relationship_type": "" }, { "colour": "#59699c", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Valid Accounts - T1078\"", "relationship_type": "" }, { "colour": "#356c41", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Encrypted Channel - T1573\"", "relationship_type": "" }, { "colour": "#57997c", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Bidirectional Communication - T1102.002\"", "relationship_type": "" }, { "colour": "#a0d02a", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Phishing for Information - T1598\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Service Execution - T1569.002\"", "relationship_type": "" }, { "colour": "#52d590", "local": false, "name": "misp-galaxy:target-information=\"China\"", "relationship_type": "" }, { "colour": "#915448", "local": false, "name": "misp-galaxy:target-information=\"Malaysia\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:country=\"nigeria\"", "relationship_type": "" }, { "colour": "#49a260", "local": false, "name": "rectifyq:category=\"threat\"", "relationship_type": "" }, { "colour": "#14004d", "local": false, "name": "rectifyq:sub-category=\"leak-infostealer\"", "relationship_type": "" }, { "colour": "#f1dfed", "local": false, "name": "rectifyq:TA-category=\"Cybercrime\"", "relationship_type": "" }, { "colour": "#ffd12e", "local": false, "name": "rectifyq:target=\"broad-based\"", "relationship_type": "" }, { "colour": "#55acee", "local": false, "name": "rectifyq:MY-relevancy=\"potentially-relevant\"", "relationship_type": "" }, { "colour": "#3800d9", "local": false, "name": "rectifyq:action-taken=\"VT-comment\"", "relationship_type": "" }, { "colour": "#220082", "local": false, "name": "rectifyq:samples-found-in=\"MalwareBazaar\"", "relationship_type": "" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1739701918", "to_ids": false, "type": "link", "uuid": "21f67a37-8e3a-4936-a1b5-aa861faa01fc", "value": "https://cyberarmor.tech/inside-a-malware-campaign-a-nigerian-hackers-perspective/", "Tag": [ { "colour": "#6b003a", "local": false, "name": "workflow:todo=\"create-missing-misp-galaxy-cluster\"", "relationship_type": "" } ] }, { "category": "Other", "comment": "Description", "deleted": false, "disable_correlation": false, "timestamp": "1739697886", "to_ids": false, "type": "text", "uuid": "6bc7037c-1682-45a9-9a8e-731eaa47dc37", "value": "This analysis provides an in-depth look at a Nigerian cybercriminal's malware campaign process. The hacker begins by harvesting email addresses through Google dorking techniques, targeting specific industries and regions. They then configure email campaigns using spoofed domains and bulletproof hosting. The cybercriminal leverages ChatGPT to craft convincing phishing messages and uses Gammadyne Mailer to distribute emails. The campaign successfully sent nearly 6,000 emails in 30 minutes, resulting in several compromised victims. The malware, identified as XLogger, is distributed via RAR attachments containing executable files. Upon execution, it deploys a PowerShell script to decrypt the payload, inject it into a Windows service, and exfiltrate stolen data to a Telegram channel. This insight into the hacker's methodology highlights the ongoing challenges in cybersecurity and the need for improved user awareness and countermeasures." }, { "category": "Other", "comment": "Summary", "deleted": false, "disable_correlation": false, "timestamp": "1739697886", "to_ids": false, "type": "text", "uuid": "65c623aa-4372-4716-af54-546f761b5e90", "value": "Name: Inside a Malware Campaign: A Nigerian Hacker's Perspective\nAuthor: AlienVault\nAdversary: \nTags: [\"nigerian hacker\", \"social engineering\", \"redline stealer\", \"google dorking\", \"phishing\", \"gammadyne mailer\", \"chatgpt\", \"email harvesting\", \"xlogger\", \"redline\"]\nTgtd countries: [\"China\", \"Malaysia\", \"Nigeria\"]\nMlwr families: [\"XLogger\", \"Redline\"]\nAttack_ids: [\"T1140\", \"T1055\", \"T1204\", \"T1059.001\", \"T1566\", \"T1078\", \"T1573\", \"T1102.002\", \"T1598\", \"T1569.002\"]\nIndustries: [\"Agriculture\", \"Manufacturing\"]" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1739706925", "to_ids": true, "type": "domain", "uuid": "e2e289e1-0b17-4244-bba4-f0f8e5d9958c", "value": "biz-abc.fit", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] } ], "Object": [ { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "25", "timestamp": "1747981785", "uuid": "56440ce8-9a85-4198-b2a1-b10bc29fa019", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1747981785", "to_ids": true, "type": "md5", "uuid": "13fdec20-e1b8-4912-818d-6ec1a0d30c76", "value": "4fdfab8f4aaae7d90319a9a5cbc0f8ad", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" }, { "colour": "#220082", "local": false, "name": "rectifyq:samples-found-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1747981785", "to_ids": true, "type": "sha1", "uuid": "19eb963a-faf7-424b-ab3f-804d7a1b0e54", "value": "a8319c665e8cc5987277a5d71feeb086008672cd", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220082", "local": false, "name": "rectifyq:samples-found-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1747981785", "to_ids": true, "type": "sha256", "uuid": "d74167a3-bc4e-406e-9384-18524838838f", "value": "bae3ada1c2bdcabc3ebd059ee2715a975237118be145301a0257da5fa84288ca", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220082", "local": false, "name": "rectifyq:samples-found-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ssdeep", "timestamp": "1739705980", "to_ids": true, "type": "ssdeep", "uuid": "72801568-20d8-432a-96b1-61898b8efa4f", "value": "12288:efY9jrJ0EXzCU/pBFintEAiNorGwKKH3wxEf0cPetTt4P2e2Nz0Jqv07l:efY9jjzPx/QLimySwxEf06edMIz0sM7l" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "size-in-bytes", "timestamp": "1739705980", "to_ids": false, "type": "size-in-bytes", "uuid": "0b911f6b-331f-4e3d-b92f-c078d8dcb1bd", "value": "675944" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "vhash", "timestamp": "1739705980", "to_ids": true, "type": "vhash", "uuid": "a42ea7ae-c3c0-446e-a7e6-7a2c068ab927", "value": "065056655d1c0510c043z800417z57z52z4gz" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "filename", "timestamp": "1739705980", "to_ids": true, "type": "filename", "uuid": "de518e6e-2068-4531-8fc9-9f5681f4de9c", "value": "venoming squashes.exe" }, { "category": "Other", "comment": "Checked: 16/02/2025\nLast-scan\t: 06/02/2025", "deleted": false, "disable_correlation": true, "object_relation": "text", "timestamp": "1739705980", "to_ids": false, "type": "text", "uuid": "18e4dd5f-ec7f-498e-ac41-7aab4a4655d5", "value": "Type Description: Win32 EXE\n\nMicrosoft: Trojan:Win32/Leonem\nVT Total Detection:24/72" }, { "category": "Other", "comment": "Checked: 16/02/2025\nLast-scan\t: 06/02/2025", "deleted": false, "disable_correlation": true, "object_relation": "text", "timestamp": "1739711481", "to_ids": false, "type": "text", "uuid": "1b99f90d-e273-4769-836f-a25c91134aa9", "value": "Type Description: Win32 EXE\n\nMicrosoft: Trojan:Win32/Leonem\nVT Total Detection:24/72" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ssdeep", "timestamp": "1739711481", "to_ids": true, "type": "ssdeep", "uuid": "49ec100c-9b22-4a6d-af58-f1eb95e1dcde", "value": "12288:efY9jrJ0EXzCU/pBFintEAiNorGwKKH3wxEf0cPetTt4P2e2Nz0Jqv07l:efY9jjzPx/QLimySwxEf06edMIz0sM7l" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "size-in-bytes", "timestamp": "1739711481", "to_ids": false, "type": "size-in-bytes", "uuid": "619cf65f-807d-462b-8333-cc342691dc85", "value": "675944" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "vhash", "timestamp": "1739711481", "to_ids": true, "type": "vhash", "uuid": "1719c359-ba87-43b0-86bf-5329f622e507", "value": "065056655d1c0510c043z800417z57z52z4gz" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "filename", "timestamp": "1739711481", "to_ids": true, "type": "filename", "uuid": "4135d348-8a3a-4b7f-9588-3c09d81969f1", "value": "venoming squashes.exe" }, { "category": "Other", "comment": "Checked: 16/02/2025\nLast-scan\t: 06/02/2025", "deleted": false, "disable_correlation": true, "object_relation": "text", "timestamp": "1739712432", "to_ids": false, "type": "text", "uuid": "18a34a78-2890-4b8e-890e-c0e217e6d3e9", "value": "Type Description: Win32 EXE\n\nMicrosoft: Trojan:Win32/Leonem\nVT Total Detection:24/72" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ssdeep", "timestamp": "1739712432", "to_ids": true, "type": "ssdeep", "uuid": "9f91d08b-6e00-43bd-ba1b-36fbc7ec47b6", "value": "12288:efY9jrJ0EXzCU/pBFintEAiNorGwKKH3wxEf0cPetTt4P2e2Nz0Jqv07l:efY9jjzPx/QLimySwxEf06edMIz0sM7l" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "size-in-bytes", "timestamp": "1739712432", "to_ids": false, "type": "size-in-bytes", "uuid": "7d8160ac-bcef-457a-a416-b2cd4e8c7381", "value": "675944" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "vhash", "timestamp": "1739712432", "to_ids": true, "type": "vhash", "uuid": "46472501-6719-4947-a579-7767ff8b9489", "value": "065056655d1c0510c043z800417z57z52z4gz" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "filename", "timestamp": "1739712432", "to_ids": true, "type": "filename", "uuid": "e7200598-b2aa-4efc-8648-100af7ccaa86", "value": "venoming squashes.exe" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "25", "timestamp": "1739712455", "uuid": "258d5164-0f36-4373-8ee4-0cf3c032cdd3", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1739706969", "to_ids": true, "type": "md5", "uuid": "b26fc60d-3cf4-48be-ba66-6ea8feb8dcc4", "value": "65975cc3faf23bfc6a2e0cff91d9c39f", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1739706603", "to_ids": true, "type": "sha1", "uuid": "e928bed8-e45a-4455-b2a9-679c2c957e2f", "value": "4d69b63226374a63669550515c7010de57ae34de", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1739706603", "to_ids": true, "type": "sha256", "uuid": "34973576-e1f5-4141-881f-4f3035bec65d", "value": "9330115e568582d005e19dbedb11d2f08ea7e6492a41a8739f730bf20672b3f9", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ssdeep", "timestamp": "1739706001", "to_ids": true, "type": "ssdeep", "uuid": "dbf412f4-d19b-422e-a5aa-0f9fe7e9043a", "value": "12288:y/8dF8PCMVOPI6Ahx58PhYycDId9NEaDh1v4B2Uc6Zlwsc+fMNASyzzIe:ji631Ab6hYTI5xh1vLUT8sc0MNAdf" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "size-in-bytes", "timestamp": "1739706002", "to_ids": false, "type": "size-in-bytes", "uuid": "e629246d-7dc1-41f4-81fa-2c19bf52b428", "value": "652869" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "filename", "timestamp": "1739706002", "to_ids": true, "type": "filename", "uuid": "466b0c8a-08e0-4119-be98-88244006f730", "value": "Factura.rar" }, { "category": "Other", "comment": "Checked: 16/02/2025\nLast-scan\t: 04/02/2025", "deleted": false, "disable_correlation": true, "object_relation": "text", "timestamp": "1739706002", "to_ids": false, "type": "text", "uuid": "00606a88-bb56-4658-a6f1-f0f60cff7e50", "value": "Type Description: RAR\n\nMicrosoft: None\nVT Total Detection:4/63" }, { "category": "Other", "comment": "Checked: 16/02/2025\nLast-scan\t: 04/02/2025", "deleted": false, "disable_correlation": true, "object_relation": "text", "timestamp": "1739711503", "to_ids": false, "type": "text", "uuid": "93ed857f-318b-4003-88e8-a6b72bc26c75", "value": "Type Description: RAR\n\nMicrosoft: None\nVT Total Detection:4/63" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ssdeep", "timestamp": "1739711503", "to_ids": true, "type": "ssdeep", "uuid": "b69a6811-1c51-4eb0-a25b-8075f867ce51", "value": "12288:y/8dF8PCMVOPI6Ahx58PhYycDId9NEaDh1v4B2Uc6Zlwsc+fMNASyzzIe:ji631Ab6hYTI5xh1vLUT8sc0MNAdf" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "size-in-bytes", "timestamp": "1739711503", "to_ids": false, "type": "size-in-bytes", "uuid": "324047dc-0601-4740-bf01-5e6bbdbf01d1", "value": "652869" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "filename", "timestamp": "1739711503", "to_ids": true, "type": "filename", "uuid": "e5f98470-14a1-4535-aa8f-675d20c7592b", "value": "Factura.rar" }, { "category": "Other", "comment": "Checked: 16/02/2025\nLast-scan\t: 04/02/2025", "deleted": false, "disable_correlation": true, "object_relation": "text", "timestamp": "1739712455", "to_ids": false, "type": "text", "uuid": "e3facd39-3cf3-474b-b8fb-6d9280924558", "value": "Type Description: RAR\n\nMicrosoft: None\nVT Total Detection:4/63" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ssdeep", "timestamp": "1739712455", "to_ids": true, "type": "ssdeep", "uuid": "924fd8d4-188c-4b5b-bf27-683855ac6cc8", "value": "12288:y/8dF8PCMVOPI6Ahx58PhYycDId9NEaDh1v4B2Uc6Zlwsc+fMNASyzzIe:ji631Ab6hYTI5xh1vLUT8sc0MNAdf" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "size-in-bytes", "timestamp": "1739712455", "to_ids": false, "type": "size-in-bytes", "uuid": "bcf89113-41fc-471f-ae64-bd997e090613", "value": "652869" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "filename", "timestamp": "1739712455", "to_ids": true, "type": "filename", "uuid": "606a2597-65fb-4f68-b76c-ba239dacf743", "value": "Factura.rar" } ] } ] } }