Tusk Infostealer Lab

CyberDefenders Threat Intel Lab

Scenario

A blockchain development company detected unusual activity when an employee was redirected to an unfamiliar website while accessing a DAO management platform. Soon after, multiple cryptocurrency wallets linked to the organization were drained. Investigators suspect a malicious tool was used to steal credentials and exfiltrate funds.

Your task is to analyze the provided intelligence to uncover the attack methods, identify indicators of compromise, and track the threat actor’s infrastructure.

Question 1

In KB, what is the size of the malicious file?

Answer 1

This lab is marked as easy, providing the MD5 hash of the malicious file. I am not going to go into too much detail with some answers.

Searching VirusTotal for the MD5 hash gives me the following result.


Question 2

What word do the threat actors use in log messages to describe their victims, based on the name of an ancient hunted creature?

Answer 2

Doing some simple research on the website securelist.com, I am able to find out that “Mammoth” is Russian slang used to refer to victims.

Question 3

The threat actor set up a malicious website to mimic a platform designed for creating and managing decentralized autonomous organizations (DAOs) on the MultiversX blockchain (peerme.io). What is the name of the malicious website the attacker created to simulate this platform?

Answer 3

The article dives into how the malware was distributed, giving me the first website they used to host the malware.

Question 4

Which cloud storage service did the campaign operators use to host malware samples for both macOS and Windows OS versions?

Answer 4

Question 5

The malicious executable contains a configuration file that includes base64-encoded URLs and a password used for archived data decompression, enabling the download of second-stage payloads. What is the password for decompression found in this configuration file?

Answer 5

The article goes on to show different stages of the payload and discusses the routine of the downloader.

Question 6

What is the name of the function responsible for retrieving the field archive from the configuration file?

Answer 6

downloadAndExtractArchive

Question 7

In the third sub-campaign carried out by the operators, the attacker mimicked an AI translator project. What is the name of the legitimate translator, and what is the name of the malicious translator created by the attackers?

Answer 7

Question 8

The downloader is tasked with delivering additional malware samples to the victim’s machine, primarily infostealers like StealC and Danabot. What are the IP addresses of the StealC C2 servers used in the campaign?

Answer 8

The same article details a list of network IoCs, which tell me the StealC C2 servers' IP addresses.

46.8.238.240, 23.94.225.177
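As an added example (not part of the original writeup or the lab material), here is how a defender could sweep outbound connection logs for the two StealC C2 addresses above. The log lines are constructed samples, and the `src=`/`dst=` field layout is an assumption about the log format; the near-miss address 46.8.238.241 is included to show that matching is on whole IP addresses, not substrings.

```python
import ipaddress
import re
from collections import Counter

# StealC C2 addresses taken from the network IoC list in Answer 8.
STEALC_C2 = {"46.8.238.240", "23.94.225.177"}

# Constructed sample firewall/proxy log lines (not real telemetry).
SAMPLE_LOGS = """\
2024-08-20T10:01:12Z src=10.0.5.23 dst=46.8.238.240 dport=80 action=allow
2024-08-20T10:01:40Z src=10.0.5.23 dst=142.250.74.46 dport=443 action=allow
2024-08-20T10:02:05Z src=10.0.5.41 dst=23.94.225.177 dport=80 action=allow
2024-08-20T10:02:30Z src=10.0.5.23 dst=46.8.238.240 dport=80 action=allow
2024-08-20T10:03:00Z src=10.0.5.99 dst=46.8.238.241 dport=80 action=allow
""".splitlines()

# Assumed key=value layout with src= and dst= fields.
LINE_RE = re.compile(r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)")


def parse_line(line):
    """Return (src, dst) as ip_address objects, or None if the line is unparsable."""
    m = LINE_RE.search(line)
    if not m:
        return None
    try:
        return ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"])
    except ValueError:
        return None


def find_c2_contacts(lines, c2_ips=STEALC_C2):
    """Map each internal source host to a Counter of C2 addresses it reached.

    Comparing ip_address objects guarantees exact matches, so 46.8.238.241
    does not match the 46.8.238.240 indicator.
    """
    c2 = {ipaddress.ip_address(ip) for ip in c2_ips}
    hits = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, dst = parsed
        if dst in c2:
            hits.setdefault(str(src), Counter())[str(dst)] += 1
    return hits


if __name__ == "__main__":
    for host, contacts in find_c2_contacts(SAMPLE_LOGS).items():
        print(host, dict(contacts))
```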

Question 9

What is the address of the Ethereum cryptocurrency wallet used in this campaign?

Answer 9

This lab was a little easy. Basic threat intel and OSINT.
