Off the Beaten Path: Recent Unusual Malware

    Date: 03/17/2025

    Severity: High

    Summary

    We recently discovered several malware samples with unique traits that made attribution and analysis difficult. While many threat actors rely on publicly available tools, some develop custom malware with novel techniques. This article highlights three unusual cases: a passive IIS backdoor written in C++/CLI, a rare choice for malware; a bootkit leveraging an unsecured kernel driver to install a GRUB 2 bootloader; and a Windows implant of a cross-platform post-exploitation framework developed in C++.

    Indicators of Compromise (IOC) List

    Hash:

    15db49717a9e9c1e26f5b1745870b028e0133d430ec14d52884cec28ccd3c8ab
    aa2d46665ea230e856689c614edcd9d932d9edad0083bf89c903299d148634a2
    a28d0550524996ca63f26cb19f4b4d82019a1be24490343e9b916d2750162cda
    8571a354b5cdd9ec3735b84fa207e72c7aea1ab82ea2e4ffea1373335b3e88f4
    94017628658035206820723763a2a698a4fd7be98fc2c541aad6aa0281ef090e
    950243a133db44e93b764e03c8d06b99310686d010b52b67f4effa57f0d72e04
    cca5df85920dd2bdaaa2abc152383c9a1391a3e1c4217382a9b0fce5a83d6e0b

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Hash:

    sha256hash IN ("cca5df85920dd2bdaaa2abc152383c9a1391a3e1c4217382a9b0fce5a83d6e0b","8571a354b5cdd9ec3735b84fa207e72c7aea1ab82ea2e4ffea1373335b3e88f4","15db49717a9e9c1e26f5b1745870b028e0133d430ec14d52884cec28ccd3c8ab","a28d0550524996ca63f26cb19f4b4d82019a1be24490343e9b916d2750162cda","94017628658035206820723763a2a698a4fd7be98fc2c541aad6aa0281ef090e","950243a133db44e93b764e03c8d06b99310686d010b52b67f4effa57f0d72e04","aa2d46665ea230e856689c614edcd9d932d9edad0083bf89c903299d148634a2")

    Reference:

    https://unit42.paloaltonetworks.com/unusual-malware/


    Tags

    Malware, Backdoor, Bootkit, Exploit
