Fake Zoom Ends in BlackSuit Ransomware

    Date: 04/01/2025

    Severity: Critical

    Summary

    The threat actor gained initial access via a fake Zoom installer, deploying d3f@ckloader and IDAT loader to drop SectopRAT. Nine days later, SectopRAT delivered Cobalt Strike and Brute Ratel, which enabled lateral movement over remote services and RDP. To facilitate the RDP movement, the attacker used QDoor, a malware with proxy capabilities. They archived files with WinRAR, uploaded the archives to the cloud SaaS app Bublup, and finally executed BlackSuit ransomware across all Windows systems using PsExec.

    Indicators of Compromise (IOC) List

    Domain\URL :

    http://78.47.105.28/manual/152/152.zip

    http://78.47.105.28/manual/152/1522.zip

    megupdate.com

    administrative-manufacturer-gw.aws-usw2.cloud-ara.tyk.io

    provincial-gaiters-gw.aws-use1.cloud-ara.tyk.io

    IP Address :

    45.141.87.218

    5.181.159.31

    44.196.9.9

    88.119.167.239

    143.244.146.183

    Hash (MD5) :

    80110fbb81d0407340b908bb43c815d3

    d98fb34b4fa0f83d02e3272f1cb9c5fc

    91f69fa3439f843b51c878688963e574

    27304b246c7d5b4e149124d5f93c5b01

    85144918f213e38993383f0745d7e41e

    ffb3755897b8d38ccc70b9c3baa38960

    d1ba9412e78bfc98074c5d724a1a87d6

    9bddb0e95a03fdcea4c62210f5818184

    4b22032954a12677675add0de20d7b94

    9fb4770ced09aae3b437c1c6eb6d7334

    8477ef317b8974e18ed84ca69b9f6a08

    eae6cd02784743cde314afb8c533c5cd

    c0230d748e61819d9dfad0da03fe6ec8

    f91fbe09b593fb1104b30e3343afb392

    5b8ebe43ded7ba460e4827206329375a

    Hash (SHA1) :

    8d4f2aa315ce17505b8698db22ec2526805645a4

    6c75e2c704f69aaa09cdfd455c7bdbf9336dc7fe

    c5826e9e3c4b1fece4991f269fd4e5307e92bfe2

    e50d9e3bd91908e13a26b3e23edeaf577fb3a095

    a6dcdfc8e97616c07549290950e78b145883e532

    a25cfdcff675277035fb35add9d273934117e943

    0572f98d78fb0b366b5a086c2a74cc68b771d368

    3eb042e449c6097f29fad255d21aac336fae534b

    5b1e0d72435da7d3a97107cddc655be71769ba53

    fe54b31b0db8665aa5b22bed147e8295afc88a03

    328d5554025757e5ec8e2e9eee2ad97d0e986a59

    a13061b229a225441f67d2b25ccda139ee21b14e

    951154980d3ddd4101b8e09b11669cbedc86f979

    41360d3eae3a71dd60c9ac34788d6863ef4e3e30

    df774b96aa6f7ba914e7d6c1e3c448170e2e419e

    Hash (SHA256) :

    b837bec967df6748b72c3b43c254532620977d0bbe0fc23e0c178c74516baab9

    f34aad9a56ca9310f40ecbcb075e4be12aaf9ef60fd24893b5e8fb28934cd730

    ecb0b3057163cd25c989a66683cfb47c19f122407cbbb49b1043e908c4f07ad1

    3337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef

    e6cfae572f777def856878e36bbacfaa82cb5662fc97c1492e2367a105dddbc9

    b594b8b91b6967e2fa6946753c8fd3f6ed3592c55c49a0ada7abd41752ae8a41

    cbcea8f28d8916219d1e8b0a8ca2db17e338eb812431bc4ad0cb36c06fd67f15

    cb53118ec2d578febfd311bcda298c716f1f543b24f780f2721f45df0bda3dc3

    a8a88bf91d1280ffa59536a6e50f24fe9c1ef79f68a300ef047d92eec7231d9e

    a05b592a971fe5011554013bcfe9a4aaf9cfc633bdd1fe3a8197f213d557b8d3

    b676dbc3e20fa7acb92c1cc0a90132798c482dbf43211793abb937bd43295d42

    58dde623e36fefe8038aa2d579d3d1f5394b96ea3623b3125876137b4ee08d80

    3967b38f763b2e58b0679bc0178247b855c68d761187c71c2f1760b6882e473a

    63dcff4bad9576794c3a412cf8dae83b807a138cc09c4de64485bb8ec991cd4b

    e0f31fe28223b5bd22ce01c6bc1d3a4d3e030b9dc3c98440d11d72e67fdaa453

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Domain\URL :

    domainname like "http://78.47.105.28/manual/152/1522.zip" or siteurl like "http://78.47.105.28/manual/152/1522.zip" or domainname like "administrative-manufacturer-gw.aws-usw2.cloud-ara.tyk.io" or siteurl like "administrative-manufacturer-gw.aws-usw2.cloud-ara.tyk.io" or domainname like "megupdate.com" or siteurl like "megupdate.com" or domainname like "http://78.47.105.28/manual/152/152.zip" or siteurl like "http://78.47.105.28/manual/152/152.zip" or domainname like "provincial-gaiters-gw.aws-use1.cloud-ara.tyk.io" or siteurl like "provincial-gaiters-gw.aws-use1.cloud-ara.tyk.io"

    IP Address :

    srcipaddress IN ("45.141.87.218","5.181.159.31","44.196.9.9","88.119.167.239","143.244.146.183") or dstipaddress IN ("45.141.87.218","5.181.159.31","44.196.9.9","88.119.167.239","143.244.146.183")

    Hash 1 (MD5) :

    md5hash IN ("c0230d748e61819d9dfad0da03fe6ec8","d1ba9412e78bfc98074c5d724a1a87d6","85144918f213e38993383f0745d7e41e","80110fbb81d0407340b908bb43c815d3","d98fb34b4fa0f83d02e3272f1cb9c5fc","91f69fa3439f843b51c878688963e574","27304b246c7d5b4e149124d5f93c5b01","ffb3755897b8d38ccc70b9c3baa38960","9bddb0e95a03fdcea4c62210f5818184","4b22032954a12677675add0de20d7b94","9fb4770ced09aae3b437c1c6eb6d7334","8477ef317b8974e18ed84ca69b9f6a08","eae6cd02784743cde314afb8c533c5cd","f91fbe09b593fb1104b30e3343afb392","5b8ebe43ded7ba460e4827206329375a")

    Hash 2 (SHA1) :

    hash IN ("3eb042e449c6097f29fad255d21aac336fae534b","951154980d3ddd4101b8e09b11669cbedc86f979","a6dcdfc8e97616c07549290950e78b145883e532","0572f98d78fb0b366b5a086c2a74cc68b771d368","8d4f2aa315ce17505b8698db22ec2526805645a4","6c75e2c704f69aaa09cdfd455c7bdbf9336dc7fe","c5826e9e3c4b1fece4991f269fd4e5307e92bfe2","e50d9e3bd91908e13a26b3e23edeaf577fb3a095","a25cfdcff675277035fb35add9d273934117e943","5b1e0d72435da7d3a97107cddc655be71769ba53","fe54b31b0db8665aa5b22bed147e8295afc88a03","328d5554025757e5ec8e2e9eee2ad97d0e986a59","a13061b229a225441f67d2b25ccda139ee21b14e","41360d3eae3a71dd60c9ac34788d6863ef4e3e30","df774b96aa6f7ba914e7d6c1e3c448170e2e419e")

    Hash 3 (SHA256) :

    sha256hash IN ("3337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef","e6cfae572f777def856878e36bbacfaa82cb5662fc97c1492e2367a105dddbc9","cb53118ec2d578febfd311bcda298c716f1f543b24f780f2721f45df0bda3dc3","cbcea8f28d8916219d1e8b0a8ca2db17e338eb812431bc4ad0cb36c06fd67f15","b837bec967df6748b72c3b43c254532620977d0bbe0fc23e0c178c74516baab9","f34aad9a56ca9310f40ecbcb075e4be12aaf9ef60fd24893b5e8fb28934cd730","ecb0b3057163cd25c989a66683cfb47c19f122407cbbb49b1043e908c4f07ad1","b594b8b91b6967e2fa6946753c8fd3f6ed3592c55c49a0ada7abd41752ae8a41","a8a88bf91d1280ffa59536a6e50f24fe9c1ef79f68a300ef047d92eec7231d9e","a05b592a971fe5011554013bcfe9a4aaf9cfc633bdd1fe3a8197f213d557b8d3","b676dbc3e20fa7acb92c1cc0a90132798c482dbf43211793abb937bd43295d42","58dde623e36fefe8038aa2d579d3d1f5394b96ea3623b3125876137b4ee08d80","3967b38f763b2e58b0679bc0178247b855c68d761187c71c2f1760b6882e473a","63dcff4bad9576794c3a412cf8dae83b807a138cc09c4de64485bb8ec991cd4b","e0f31fe28223b5bd22ce01c6bc1d3a4d3e030b9dc3c98440d11d72e67fdaa453")
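    The queries above check each indicator type against one field pair (domain/URL, source/destination IP, and one hash column per digest type). The script below is an added example, not part of the advisory and not Gurucul's own query logic: it loads a subset of the advisory's indicators, classifies each hash by its hex length so MD5, SHA1 and SHA256 values land in the right column, and sweeps a handful of constructed log records (proxy, firewall, DNS and EDR style, not real telemetry from this incident). It also goes one step beyond the page's queries: it derives the host 78.47.105.28 from the two IOC URLs and flags any other download from that host, since the URL list alone would miss a renamed archive. Record field names (src_ip, dst_ip, url, domain, md5, sha1, sha256) are assumptions for the example.

```python
"""Offline IOC sweep for the 'Fake Zoom Ends in BlackSuit Ransomware' advisory.

Added example; indicator values are copied from the advisory (hash list is a
subset), log records are constructed, and record field names are assumed.
"""
import re
from urllib.parse import urlparse

IOC_URLS = [
    "http://78.47.105.28/manual/152/152.zip",
    "http://78.47.105.28/manual/152/1522.zip",
]
IOC_DOMAINS = [
    "megupdate.com",
    "administrative-manufacturer-gw.aws-usw2.cloud-ara.tyk.io",
    "provincial-gaiters-gw.aws-use1.cloud-ara.tyk.io",
]
IOC_IPS = ["45.141.87.218", "5.181.159.31", "44.196.9.9",
           "88.119.167.239", "143.244.146.183"]
IOC_HASHES = [  # subset of the advisory's MD5 / SHA1 / SHA256 values
    "80110fbb81d0407340b908bb43c815d3",
    "d98fb34b4fa0f83d02e3272f1cb9c5fc",
    "8d4f2aa315ce17505b8698db22ec2526805645a4",
    "6c75e2c704f69aaa09cdfd455c7bdbf9336dc7fe",
    "b837bec967df6748b72c3b43c254532620977d0bbe0fc23e0c178c74516baab9",
    "f34aad9a56ca9310f40ecbcb075e4be12aaf9ef60fd24893b5e8fb28934cd730",
]

HASH_ALGO_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256"}


def classify_hash(digest: str) -> str:
    """Return 'md5', 'sha1' or 'sha256' from the hex length; reject anything else."""
    d = digest.strip().lower()
    algo = HASH_ALGO_BY_LEN.get(len(d))
    if algo is None or not re.fullmatch(r"[0-9a-f]+", d):
        raise ValueError(f"not a hex MD5/SHA1/SHA256 digest: {digest!r}")
    return algo


def host_of(url_or_host: str) -> str:
    """Normalise a URL or bare hostname to a lowercase host (no scheme, port, path)."""
    s = url_or_host.strip().lower()
    if "://" not in s:
        s = "//" + s  # urlparse only fills netloc when a scheme separator is present
    return urlparse(s).hostname or ""


def build_index() -> dict:
    """Group indicators into sets so every lookup during the sweep is O(1)."""
    hashes = {"md5": set(), "sha1": set(), "sha256": set()}
    for h in IOC_HASHES:
        hashes[classify_hash(h)].add(h.lower())
    # Hosts to watch: the listed domains plus the host part of each IOC URL.
    hosts = {host_of(d) for d in IOC_DOMAINS} | {host_of(u) for u in IOC_URLS}
    return {"hashes": hashes, "hosts": hosts, "ips": set(IOC_IPS),
            "urls": {u.lower() for u in IOC_URLS}}


def sweep(records, index=None):
    """Return (record_id, field, indicator) for every field that matches an IOC."""
    index = index or build_index()
    hits = []
    for rec in records:
        rid = rec.get("id")
        for field in ("src_ip", "dst_ip"):
            if rec.get(field) in index["ips"]:
                hits.append((rid, field, rec[field]))
        url = rec.get("url")
        if url:
            if url.lower() in index["urls"]:
                hits.append((rid, "url", url))
            elif host_of(url) in index["hosts"]:  # same host, different path
                hits.append((rid, "url_host", host_of(url)))
        domain = rec.get("domain")
        if domain and host_of(domain) in index["hosts"]:
            hits.append((rid, "domain", host_of(domain)))
        for field in ("md5", "sha1", "sha256"):
            value = rec.get(field)
            if value and value.lower() in index["hashes"][field]:
                hits.append((rid, field, value.lower()))
    return hits


SAMPLE_RECORDS = [  # constructed log records, not telemetry from the incident
    {"id": 1, "src_ip": "10.0.0.25", "dst_ip": "45.141.87.218"},
    {"id": 2, "src_ip": "10.0.0.31", "url": "http://78.47.105.28/manual/152/152.zip"},
    {"id": 3, "src_ip": "10.0.0.31", "url": "http://78.47.105.28/other/payload.zip"},
    {"id": 4, "domain": "MEGUPDATE.COM"},
    {"id": 5, "sha256": "B837BEC967DF6748B72C3B43C254532620977D0BBE0FC23E0C178C74516BAAB9"},
    {"id": 6, "src_ip": "10.0.0.40", "dst_ip": "8.8.8.8",
     "md5": "00000000000000000000000000000000"},
]

if __name__ == "__main__":
    for hit in sweep(SAMPLE_RECORDS):
        print("IOC hit: record %s field %s -> %s" % hit)
```

    Record 3 is the reason for the derived-host check: its URL is not in the advisory, but the host serving it is, and a SIEM rule that only compares full URLs with `like` would stay silent on it. Case-insensitive hash and domain matching matters for the same reason; EDR and DNS sources frequently emit upper-case digests and hostnames.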

    Reference:    

    https://thedfirreport.com/2025/03/31/fake-zoom-ends-in-blacksuit-ransomware/


    Tags

    Malware, Ransomware, Blacksuit, SectopRAT, RAT
