Incident Score: Analysis & Impact (BLA1781281519)

Rankiteo's analysis has identified several MITRE ATT&CK tactics and techniques associated with this incident, each with varying levels of confidence based on available evidence. Under the Initial Access tactic, the analysis identified Phishing: Spearphishing Attachment (T1566.001) with moderate to high confidence (80%), supported by evidence indicating spreads via fake installers disguised as legitimate software and User Execution: Malicious File (T1204.002) with high confidence (90%), supported by evidence indicating fake installers (e.g., Fling-Standalone, FinePrint, SystemSettings). Under the Execution tactic, the analysis identified User Execution: Malicious File (T1204.002) with high confidence (90%), supported by evidence indicating fake installers or fake Windows updates executed by users and Hijack Execution Flow: DLL Side-Loading (T1574.002) with high confidence (95%), supported by evidence indicating dLL sideloading, pairing legitimately signed executable with malicious DLL. Under the Persistence tactic, the analysis identified Hijack Execution Flow: DLL Side-Loading (T1574.002) with high confidence (90%), supported by evidence indicating malicious DLL mimics NVIDIA graphics library for persistence. Under the Defense Evasion tactic, the analysis identified Obfuscated Files or Information (T1027) with high confidence (95%), supported by evidence indicating c++ with assembly-level evasion techniques, mutating each build, Obfuscated Files or Information: Binary Padding (T1027.001) with high confidence (90%), supported by evidence indicating dLL bloated to 120+ MB to bypass size-based antivirus scans, Subvert Trust Controls: Code Signing (T1553.002) with moderate to high confidence (80%), supported by evidence indicating legitimately signed executable used for DLL sideloading, and Indicator Removal: Clear Windows Event Logs (T1070.001) with moderate confidence (50%), supported by evidence indicating malware includes remote access tools, likely for cleanup. Under the Credential Access tactic, the analysis identified Credentials from Password Stores (T1555) with high confidence (100%), supported by evidence indicating harvests login credentials from 37 Chromium/8 Gecko browsers, 109 extensions, Credentials from Password Stores: Credentials from Web Browsers (T1555.003) with high confidence (95%), supported by evidence indicating 37 Chromium-based browsers, 8 Gecko-based browsers targeted, Credentials from Password Stores: Password Managers (T1555.005) with high confidence (90%), supported by evidence indicating 5 password managers targeted for data extraction, Steal Web Session Cookie (T1539) with high confidence (95%), supported by evidence indicating 4,717 cookies harvested in Blackfog’s tests, Unsecured Credentials: Credentials In Files (T1552.001) with high confidence (90%), supported by evidence indicating 719 autofill entries, credit card details compromised, and Input Capture: Keylogging (T1056.001) with moderate to high confidence (80%), supported by evidence indicating keylogging capability included in toolkit. Under the Collection tactic, the analysis identified Data from Local System (T1005) with high confidence (95%), supported by evidence indicating harvests crypto wallet data, 2FA codes, autofill entries, Screen Capture (T1113) with moderate to high confidence (80%), supported by evidence indicating screenshot capture capability included, and Data Staged: Local Data Staging (T1074.001) with moderate to high confidence (70%), supported by evidence indicating data collected before exfiltration (55 passwords, 4,717 cookies). Under the Command and Control tactic, the analysis identified Application Layer Protocol: Web Protocols (T1071.001) with high confidence (90%), supported by evidence indicating c2 endpoint such as /backend/api/app.php, Cloudflare fronting IPs, Encrypted Channel: Asymmetric Cryptography (T1573.002) with moderate to high confidence (70%), supported by evidence indicating payload decrypts only at runtime, likely encrypted C2, and Proxy: Multi-hop Proxy (T1090.003) with moderate to high confidence (80%), supported by evidence indicating reverse SOCKS5 proxy and Tor tunneling for anonymous traffic. Under the Exfiltration tactic, the analysis identified Exfiltration Over C2 Channel (T1041) with high confidence (90%), supported by evidence indicating data exfiltrated via C2 (akmuniverstall.top), Cloudflare fronting and Exfiltration Over Web Service: Exfiltration to Cloud Storage (T1567.002) with moderate confidence (50%), supported by evidence indicating cloudflare fronting IPs suggest possible cloud exfiltration. These correlations help security teams understand the attack chain and develop appropriate defensive measures based on the observed tactics and techniques.