Tusk Infostealer
Category: Threat Intel
Tools: Kaspersky Threat Intelligence Portal Threat Intelligence Reports
Scenario
A blockchain development company detected unusual activity when an employee was redirected to an unfamiliar website while accessing a DAO management platform. Soon after, multiple cryptocurrency wallets linked to the organization were drained. Investigators suspect a malicious tool was used to steal credentials and exfiltrate funds.
Your task is to analyze the provided intelligence to uncover the attack methods, identify indicators of compromise, and track the threat actor’s infrastructure.
Questions
Q1: In KB, what is the size of the malicious file?
This can be obtained from VirusTotal or the Kaspersky Threat Intelligence Portal by looking up the MD5 hash provided.


Q2: What word does the threat actor use in log messages to refer to victims, drawing inspiration from ancient tusk hunters?
This detail can be obtained by analyzing threat intelligence reports. Using the lab name "Tusk Infostealer" as a keyword, you can easily find the relevant report by Kaspersky GERT: https://securelist.com/tusk-infostealers-campaign/113367/

Q3: The threat actor set up a malicious website to mimic a platform designed for creating and managing decentralized autonomous organizations (DAOs) on the MultiversX blockchain (peerme.io). What is the name of the malicious website the attacker created to simulate this platform?

Q4: Which cloud storage service did the campaign operators use to host malware samples for both macOS and Windows OS versions?

Q5: The malicious executable contains a configuration file that includes base64-encoded URLs and a password used for archived data decompression, enabling the download of second-stage payloads. What is the password for decompression found in this configuration file?

Q6: What is the name of the function responsible for retrieving the field archive from the configuration file?

Q7: In the third sub-campaign carried out by the operators, the attacker mimicked an AI translator project. What is the name of the legitimate translator, and what is the name of the malicious translator created by the attackers?

Q8: The downloader is tasked with delivering additional malware samples to the victim’s machine, primarily infostealers like StealC and Danabot. What are the IP addresses of the StealC C2 servers used in the campaign?

Q9: What is the address of the Ethereum cryptocurrency wallet used in this campaign?
