Thursday, November 30, 2023

The Mahagrass Organization (APT-Q-36) uses the Spyder downloader to deliver the Remcos Trojan

The Mahagrass Organization, tracked as APT-Q-36 and also known as Maha Grass, Patchwork, Hangover, Dropping Elephant and White Elephant, has been using the Spyder downloader to deliver the Remcos remote access trojan. The group has been active since at least November 2009 and primarily targets countries in Asia. Spyder has been revised several times within a short period; the changes are aimed at evading security software so that the group can complete its intelligence-collection operations.

The Qi’anxin Threat Intelligence Center recently identified new APT-Q-36 activity. In the latest Spyder samples, key strings are stored encrypted rather than in plaintext, and the format of the data exchanged between the malware and its command-and-control (C2) servers has been changed. Both changes break detections keyed on the earlier plaintext strings and on the previous C2 traffic format, which shows the group adapting its tooling as it is analysed.
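The page does not show how the encrypted strings are stored or what key is used, only that they are RC4-protected (see the tags). The following is an added example, not code from the page or from the Qi’anxin report: a stand-alone RC4 routine of the kind an analyst writes to recover such strings, plus a triage helper that tries candidate keys against a table of encrypted entries and keeps only keys that yield readable text for every entry. The key, the plaintext strings and therefore the encrypted table are constructed for illustration; none of them are values recovered from Spyder.

```python
# Added example (not code from the page or from the Qi'anxin report): RC4
# key scheduling and keystream generation, plus a small triage helper that
# tries candidate keys against a table of encrypted strings. The key, the
# plaintext strings and therefore the encrypted table are constructed here
# for illustration; they are not values recovered from Spyder.
import string
from typing import Dict, List

# Bytes we accept as "readable" output: printable ASCII plus tab/newline/CR.
PRINTABLE = set(string.printable.encode()) - {0x0B, 0x0C}


def rc4_ksa(key: bytes) -> List[int]:
    """Key-scheduling algorithm: derive the 256-byte permutation S from key."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return s


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """XOR data with the RC4 keystream. RC4 is symmetric, so the same call
    both encrypts and decrypts."""
    s = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def looks_like_text(blob: bytes) -> bool:
    """Accept only non-empty output made entirely of printable ASCII; a
    wrong key almost always produces at least one byte outside that set."""
    return bool(blob) and all(b in PRINTABLE for b in blob)


def recover_strings(table: List[bytes], candidate_keys: List[bytes]) -> Dict[bytes, List[str]]:
    """Try every candidate key against every encrypted entry. A key is kept
    only if all entries decrypt to readable text, which filters out the
    occasional single blob that happens to decode cleanly under a wrong key."""
    found: Dict[bytes, List[str]] = {}
    for key in candidate_keys:
        plain = [rc4_crypt(key, blob) for blob in table]
        if all(looks_like_text(p) for p in plain):
            found[key] = [p.decode("ascii") for p in plain]
    return found


# Constructed inputs: a made-up key and made-up strings of the kind a
# downloader typically keeps (C2 URL, User-Agent, drop path).
CONSTRUCTED_KEY = b"s3cr3t-k3y"
CONSTRUCTED_STRINGS = [
    b"https://c2.example.invalid/gate.php",
    b"Mozilla/5.0 (constructed user agent)",
    b"\\AppData\\Roaming\\svc.exe",
]
ENCRYPTED_TABLE = [rc4_crypt(CONSTRUCTED_KEY, s) for s in CONSTRUCTED_STRINGS]


if __name__ == "__main__":
    # Candidate keys would normally be constants or strings pulled out of the
    # sample; here two decoys plus the real (constructed) key.
    recovered = recover_strings(ENCRYPTED_TABLE, [b"decoy1", CONSTRUCTED_KEY, b"decoy2"])
    for key, entries in recovered.items():
        print(f"key {key!r} decrypts the whole table:")
        for entry in entries:
            print("   ", entry)
```

In practice the candidate list is filled from constants found next to the decryption routine in the sample, and the "all entries readable" rule is what keeps the search from reporting false positives on short blobs.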

IoC

DOMAIN

  • www.wingtiptoys.com
  • omeri12oncloudd.com
  • morimocanab.com
  • mfaturk.com
  • grand123099ggcarnivol.com
  • firebasebackups.com

SHA256

  • fbd567c08b493a4c406fcd4d9a6d7403dc572f9b4c50fc4a56d37982c25dc457
  • 27b2cbb45e866e8db8bf8933d6749164dc97995351704f0d33f62982a9abf955

SHA1

  • af42866f0a4fbd9d481a845120cadb1dbad289d1
  • 4169a82c81633f9cae0cc5a65cd26bc1959aeeec
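
A sweep of these indicators against proxy logs and files on disk, as an added example that is not part of the original post. Only the DOMAIN, SHA256 and SHA1 values come from the page; the log format, every log line, and the file paths and contents are constructed for illustration. Domain matching is exact-or-subdomain (so `cdn.firebasebackups.com` hits, `notfirebasebackups.com` does not), and CONNECT entries, which carry `host:port` without a scheme, are handled separately because `urlsplit` would otherwise read the hostname as a scheme.

```python
# Added example (not code from the page): match constructed proxy-log lines
# and constructed file contents against the indicators listed above. Only
# the DOMAIN/SHA256/SHA1 values come from the page; every log line, path
# and file body below is made up for illustration.
import hashlib
import re
from typing import Dict, Iterable, List, Optional, Tuple
from urllib.parse import urlsplit

DOMAIN_IOCS = {
    "www.wingtiptoys.com",
    "omeri12oncloudd.com",
    "morimocanab.com",
    "mfaturk.com",
    "grand123099ggcarnivol.com",
    "firebasebackups.com",
}
SHA256_IOCS = {
    "fbd567c08b493a4c406fcd4d9a6d7403dc572f9b4c50fc4a56d37982c25dc457",
    "27b2cbb45e866e8db8bf8933d6749164dc97995351704f0d33f62982a9abf955",
}
SHA1_IOCS = {
    "af42866f0a4fbd9d481a845120cadb1dbad289d1",
    "4169a82c81633f9cae0cc5a65cd26bc1959aeeec",
}

# Constructed log format: "<timestamp> <client-ip> <method> <url> <status>".
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def domain_matches(host: str, iocs: Iterable[str] = DOMAIN_IOCS) -> Optional[str]:
    """Return the indicator that host equals or is a subdomain of, else None.
    Case and a trailing dot are ignored; the explicit '.' + ioc suffix check
    keeps 'notfirebasebackups.com' from matching 'firebasebackups.com'."""
    h = host.lower().rstrip(".")
    for ioc in iocs:
        if h == ioc or h.endswith("." + ioc):
            return ioc
    return None


def host_from_url(url: str) -> Optional[str]:
    """Extract the hostname. CONNECT lines carry 'host:port' with no scheme;
    without the '//' prefix urlsplit would parse 'host' as the scheme."""
    if "://" not in url:
        url = "//" + url
    return urlsplit(url).hostname


def scan_proxy_log(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return one hit per log line whose destination host matches an IoC."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # unparseable line: skip it rather than abort the sweep
        host = host_from_url(m["url"])
        ioc = domain_matches(host) if host else None
        if ioc:
            hits.append({"ts": m["ts"], "src": m["src"], "host": host, "ioc": ioc})
    return hits


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def hash_hits(files: Dict[str, bytes], sha256_iocs=SHA256_IOCS, sha1_iocs=SHA1_IOCS) -> List[Tuple[str, str, str]]:
    """files maps path -> content. Returns (path, algorithm, digest) per match."""
    hits = []
    for path, data in files.items():
        d256, d1 = sha256_hex(data), sha1_hex(data)
        if d256 in sha256_iocs:
            hits.append((path, "sha256", d256))
        if d1 in sha1_iocs:
            hits.append((path, "sha1", d1))
    return hits


SAMPLE_LOG = [  # constructed lines, not real telemetry
    "2023-11-29T10:15:02Z 10.0.0.15 GET http://morimocanab.com/api/v1/update 200",
    "2023-11-29T10:15:07Z 10.0.0.15 CONNECT mfaturk.com:443 200",
    "2023-11-29T10:16:40Z 10.0.0.22 GET https://cdn.firebasebackups.com:8443/pkg 404",
    "2023-11-29T10:17:01Z 10.0.0.22 GET https://wingtiptoys.com/ 200",  # apex, not the listed www host
    "2023-11-29T10:18:13Z 10.0.0.31 GET https://www.example.org/ 200",
    "garbage line that does not parse",
]
SAMPLE_FILES = {  # constructed placeholders, not malware samples
    "C:/Users/Public/update.exe": b"MZ placeholder bytes for the example",
    "C:/Users/Public/readme.txt": b"plain text, nothing to see",
}

if __name__ == "__main__":
    for h in scan_proxy_log(SAMPLE_LOG):
        print(f"{h['ts']} {h['src']} -> {h['host']} matches {h['ioc']}")
    print("file hits:", hash_hits(SAMPLE_FILES))
```

Note that the list names `www.wingtiptoys.com` specifically, so a request to the bare apex is not reported; widen the indicator deliberately if your threat model calls for it rather than loosening the matcher.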

REFERENCES

  • https://www.securitricks.com/the-mahagrass-organization-apt-q-36-uses-the-spyder-downloader-to-deliver-the-remcos-trojan-tuesday-november-28-2023/
  • https://securityonline.info/south-asian-cyber-threat-persists-apt-q-36-upgrades-spyder-loader-targets-remcos-delivery/
  • https://www.difesaesicurezza.com/en/cyber-en/cybercrime-maha-grass-is-using-spyder-to-deliver-remcos/
  • https://otx.alienvault.com/pulse/6566312bddcfb0e7f0991687

TAGS

spyder, remcos, http, malware, c2 server, RC4 decryption

