Threat Actors’ Toolkit: Leveraging Sliver, PoshC2 & Batch Scripts

    Date: 08/13/2024

    Severity: Medium 

    Summary

    Before the open directory was discovered, its hosting address had already been flagged in our threat intelligence as PoshC2 command-and-control infrastructure: first noted on September 21, 2023, it was active intermittently, with the most recent activity on August 11, 2024. The threat actor used a range of batch scripts and malware to target both Windows and Linux systems. Their toolkit included scripts such as atera_del.bat (removes Atera remote-management agents), backup.bat (deletes backups) and clearlog.bat (clears Windows event logs), i.e. actions that remove existing remote-access tooling, destroy recovery options and hinder forensic investigation.

    Indicators of Compromise (IOC) List

    Domains/URLs

    /webhp/

    /adsense/troubleshooter/1631343/

    /trader-update/history&pd=/

    /status/995598521343541248/query=/

    /uasclient/0.1.34/modules/

    /utag/lbg/main/prod/utag.15.js/

    /GoPro5/black/2018/

    /usersync/tradedesk/

    /bootstrap/3.1.1/bootstrap.min.js/

    /TOS/

    /business/home.asp&ved=/

    /web/20110920084728/

    /vssf/wppo/site/bgroup/visitor/

    /Philips/v902/

    /bh/sync/aol/

    /async/newtab/

    /advanced_search/

    /adServingData/PROD/TMClient/6/8736/

    /vfe01s/1/vsopts.js/

    /cisben/marketq/

    /business/retail-business/insurance.asp/

    /client_204/

    /branch-locator/search.asp/

    /work/embedded/search/

    /babel-polyfill/6.3.14/polyfill.min.js=/

    /cdba/

    /putil/2018/0/11/po.html/

    /qqzddddd/2018/load.php/

    /types/translation/v1/articles/

    /classroom/sharewidget/widget_stable.html/

    IP Address

    94.198.55.181

    94.198.51.247

    94.198.53.143

    185.234.216.64

    Hash (MD5)

    8c7c782df59edd61aabbc510d7747b11
    
    a5748047ebbe34d7821a2a040e4ca54e
    
    fe00973fc12b3c6330abd9807dfb1d70
    
    d1e3216cf698a58832d947d95dc4f3f8
    
    6b44d99b258c275ee7fcf230da177f3e
    
    a8b335886e39adf23e6aa44a00bf82dc
    
    c84e1655f0ba917cc605018e32eba9f3
    
    5336dffb778b1e2a0b982b337652b213
    
    91be6e6a8b4c2cb99db5b99d40e06978
    
    f7a730acc86f1d6759249ccc579b1794
    
    7ee103ee99b95c07cc4a024e4d0fdc03
    
    c8903eb5763c670a15049d74d764188c
    
    4cf52cee2001cd10528f429fb6d9fd07
    
    444d7a27ac0327ccc0cf4e75a32025c9
    
    1365640fc3c0e1824e348956172caed7
    
    679d0dab79a98da8e20351f9f887e4f2
    
    0f1290d014dfd9e66bbbed96a828f7d1
    
    1393dab192ea2e2427889839a2d8fcf7
    
    e2eadf60d8f25cae9b29decab461177b
    
    97dc80d3844b01587d9fd6377b9ab0a7
    
    9a66570b7e25035ff337fa6098f59823
    
    cc35c94e64830ff143b54783c9869ecf
    
    Hash (SHA-1)

    833a461f6d479d164b453cc9f5f51259d991b1b7
    
    990f68cca516192d73ef443f51ed80813e324b0b
    
    9442647283e52c91c2e836b19749f184936cf6c2
    
    66ac6cf4bb4247daf1d09d9d4bc4e357cc39c6c8
    
    a65d7caf354161798d2458cfee9e4e988f0e94af
    
    300c89889bbb5ef61f470174a6fcad73c4516779
    
    93b717a562f2cc3fdf2355bd9d2670ba2391cc60
    
    86f599090aa2c7c1df65dccccf00e1818e72246a
    
    fe1fb1da6435a6d6283e993569d3fc82a67d7ac8
    
    373609c0f30ee313fd0cc6c4e572452483d87244
    
    cecc54143cc375af1b9aed0021643b179574e592
    
    8441e7b6b6b9f24439e71c6b031262bc76d73c28
    
    55126d8215b771aa2f62f16e6aad9e8832824a4c
    
    885fc76ba1261a1dcce87f183a2385b2b99afd96
    
    7dee2a38cc2ba81cc373b50f42c8946601d177cb
    
    bd65b5306914187f14bfffa995e7e68a8d036d0c
    
    b8fc0194f6ed56e4a57c16756e506369c74c4078
    
    1224f9667d7f1d3b7fba17f414d343912bec03db
    
    2de53c24663149366fca22f354aff5c0f5b348f4
    
    4a8a4e6069ec4f6a4f24614eb885c57484bc9b79
    
    d2f5c890e3e1dd9b42e695586c06408b31d4ec7a
    
    3cf331934996ec4338418b847b52d78d8a29d224
    
    Hash (SHA-256)

    91d9c73b804aae60057aa93f4296d39ec32a01fe8201f9b73f979d9f9e4aea8b
    
    6cff22a3ea7c054075b9aded5933587bf997623183539e10e426d103d604f046
    
    a668a98e57c03decf6ea76bb32f67f3f077ef2277e57f4117d44f4342977fddf
    
    beb5022543a1e12e1f8f5ffe5d520e5fc9cf623aea512cfb43ea2f8c2897420c
    
    cc4960939a41d6a281ddad307b107e16214f4aeda261c9b5037f26e60dc7bba2
    
    03b3c37300bf9dcfaa4594e86841b70263324dda305484fb268b27deb09f936c
    
    b0056bef817408449470d3fa43e13cbc89cabdae795b1dc8cbe9905c5946f530
    
    09f91e90a1604a633c00d6039581f552603421356cb1edb62e085b32ff01b94e
    
    fdc105ae79dff83f31777c6e047272c5b372251a3af49e20370e7ee9d1c70763
    
    039bf780ae46875945344af489a590c5b7a36d458372a3173b55b3dc3559dfff
    
    38283b775552da8981452941ea74191aa0d203edd3f61fb2dee7b0aea3514955
    
    1b60097bf1ccb15a952e5bcc3522cf5c162da68c381a76abc2d5985659e4d386
    
    87ab1707a553557b10fa721a32f053fbb40d11de6f692e96e067d03316fe530b
    
    4106ce787cf73d7f8215311a241f0e42426301a5a2078da9e3349afade2df684
    
    3691dbb1834db4eb8ef4c195d26779b87db267a56f2ebca6c146a53fb8adb9c0
    
    2bcd5702a7565952c44075ac6fb946c7780526640d1264f692c7664c02c68465
    
    1aecadf489a6dd7a3a6e5dfda9425673a9d04d38a5cb6b0b8f961536c11237ed
    
    0e626e01d3ae7840aa486468f40138284ccbd70dfe336a6b5d4008d01eb79988
    
    01ec91a3145332174eef9239f7767adaa5e3dff3a436dfb7d2f978f88ea6cd93
    
    63229da1bed0c0eafc4ed087651af3eec521e7fbd098300f7d862582d03a675d
    
    5b43428452a867ad61554d763c8f19ca4cd8af8c31194304785e9e45f9258441
    
    08d40a402b3754e52e4e86003bffddfdccbceefd335f53591f4cf715f8d30321

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Domains/URLs

    url In ("//webhp" , "//adsense//troubleshooter//1631343" , "//trader-update//history&pd=" , "//status//995598521343541248//query=" , "//uasclient//0.1.34//modules" , "//utag//lbg//main//prod//utag.15.js" , "//GoPro5//black//2018" , "//usersync//tradedesk" , "//bootstrap//3.1.1//bootstrap.min.js" , "//TOS" , "//business//home.asp&ved=" , "//web//20110920084728" , "//vssf//wppo//site//bgroup//visitor" ,"//Philips//v902" , "//bh//sync//aol" , "//async//newtab" , "//advanced_search" , "//adServingData//PROD//TMClient//6//8736" , "//vfe01s//1//vsopts.js" , "//cisben//marketq" , "//business//retail-business//insurance.asp" , "//client_204" , "//branch-locator//search.asp" , "//work//embedded//search", "//babel-polyfill//6.3.14//polyfill.min.js=" ,"//cdba" , "//putil//2018//0//11//po.html" , "//qqzddddd//2018//load.php" , "//types//translation//v1//articles", "//classroom//sharewidget//widget_stable.html")

    IP Address

    dstipaddress IN ("94.198.55.181","94.198.51.247","94.198.53.143","185.234.216.64") or ipaddress IN ("94.198.55.181","94.198.51.247","94.198.53.143","185.234.216.64") or publicipaddress IN ("94.198.55.181","94.198.51.247","94.198.53.143","185.234.216.64") or srcipaddress IN ("94.198.55.181","94.198.51.247","94.198.53.143","185.234.216.64")

    Hash Query 1 (MD5)

    md5hash IN ("8c7c782df59edd61aabbc510d7747b11","a5748047ebbe34d7821a2a040e4ca54e","fe00973fc12b3c6330abd9807dfb1d70","d1e3216cf698a58832d947d95dc4f3f8","6b44d99b258c275ee7fcf230da177f3e","a8b335886e39adf23e6aa44a00bf82dc","c84e1655f0ba917cc605018e32eba9f3","5336dffb778b1e2a0b982b337652b213","91be6e6a8b4c2cb99db5b99d40e06978","f7a730acc86f1d6759249ccc579b1794","7ee103ee99b95c07cc4a024e4d0fdc03","c8903eb5763c670a15049d74d764188c","4cf52cee2001cd10528f429fb6d9fd07","444d7a27ac0327ccc0cf4e75a32025c9","1365640fc3c0e1824e348956172caed7","679d0dab79a98da8e20351f9f887e4f2","0f1290d014dfd9e66bbbed96a828f7d1","1393dab192ea2e2427889839a2d8fcf7","e2eadf60d8f25cae9b29decab461177b","97dc80d3844b01587d9fd6377b9ab0a7","9a66570b7e25035ff337fa6098f59823","cc35c94e64830ff143b54783c9869ecf")

    Hash Query 2 (SHA-1)

    sha1hash IN ("833a461f6d479d164b453cc9f5f51259d991b1b7","990f68cca516192d73ef443f51ed80813e324b0b","9442647283e52c91c2e836b19749f184936cf6c2","66ac6cf4bb4247daf1d09d9d4bc4e357cc39c6c8","a65d7caf354161798d2458cfee9e4e988f0e94af","300c89889bbb5ef61f470174a6fcad73c4516779","93b717a562f2cc3fdf2355bd9d2670ba2391cc60","86f599090aa2c7c1df65dccccf00e1818e72246a","fe1fb1da6435a6d6283e993569d3fc82a67d7ac8","373609c0f30ee313fd0cc6c4e572452483d87244","cecc54143cc375af1b9aed0021643b179574e592","8441e7b6b6b9f24439e71c6b031262bc76d73c28","55126d8215b771aa2f62f16e6aad9e8832824a4c","885fc76ba1261a1dcce87f183a2385b2b99afd96","7dee2a38cc2ba81cc373b50f42c8946601d177cb","bd65b5306914187f14bfffa995e7e68a8d036d0c","b8fc0194f6ed56e4a57c16756e506369c74c4078","1224f9667d7f1d3b7fba17f414d343912bec03db","2de53c24663149366fca22f354aff5c0f5b348f4","4a8a4e6069ec4f6a4f24614eb885c57484bc9b79","d2f5c890e3e1dd9b42e695586c06408b31d4ec7a","3cf331934996ec4338418b847b52d78d8a29d224")

    Hash Query 3 (SHA-256)

    sha256hash IN ("91d9c73b804aae60057aa93f4296d39ec32a01fe8201f9b73f979d9f9e4aea8b","6cff22a3ea7c054075b9aded5933587bf997623183539e10e426d103d604f046","a668a98e57c03decf6ea76bb32f67f3f077ef2277e57f4117d44f4342977fddf","beb5022543a1e12e1f8f5ffe5d520e5fc9cf623aea512cfb43ea2f8c2897420c","cc4960939a41d6a281ddad307b107e16214f4aeda261c9b5037f26e60dc7bba2","03b3c37300bf9dcfaa4594e86841b70263324dda305484fb268b27deb09f936c","b0056bef817408449470d3fa43e13cbc89cabdae795b1dc8cbe9905c5946f530","09f91e90a1604a633c00d6039581f552603421356cb1edb62e085b32ff01b94e","fdc105ae79dff83f31777c6e047272c5b372251a3af49e20370e7ee9d1c70763","039bf780ae46875945344af489a590c5b7a36d458372a3173b55b3dc3559dfff","38283b775552da8981452941ea74191aa0d203edd3f61fb2dee7b0aea3514955","1b60097bf1ccb15a952e5bcc3522cf5c162da68c381a76abc2d5985659e4d386","87ab1707a553557b10fa721a32f053fbb40d11de6f692e96e067d03316fe530b","4106ce787cf73d7f8215311a241f0e42426301a5a2078da9e3349afade2df684","3691dbb1834db4eb8ef4c195d26779b87db267a56f2ebca6c146a53fb8adb9c0","2bcd5702a7565952c44075ac6fb946c7780526640d1264f692c7664c02c68465","1aecadf489a6dd7a3a6e5dfda9425673a9d04d38a5cb6b0b8f961536c11237ed","0e626e01d3ae7840aa486468f40138284ccbd70dfe336a6b5d4008d01eb79988","01ec91a3145332174eef9239f7767adaa5e3dff3a436dfb7d2f978f88ea6cd93","63229da1bed0c0eafc4ed087651af3eec521e7fbd098300f7d862582d03a675d","5b43428452a867ad61554d763c8f19ca4cd8af8c31194304785e9e45f9258441","08d40a402b3754e52e4e86003bffddfdccbceefd335f53591f4cf715f8d30321")
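    The three TDIR queries above express the same idea in three forms: match a hash field, any of four IP-address fields, or the request URL path against the indicator sets. The script below is an added example (it is not Gurucul TDIR syntax or tooling) that applies those same conditions offline to newline-delimited JSON log records. The field names (md5hash, sha1hash, sha256hash, dstipaddress, ipaddress, publicipaddress, srcipaddress, url) are taken from the queries; the indicator values are a subset copied from the lists above; the log lines are constructed for the demonstration. Note that the URL indicators appear on this page in two spellings, "/webhp/" in the list and "//webhp" (doubled slashes, no trailing slash) in the query, so the matcher normalises both forms before comparing.

```python
"""
Offline IOC matcher for this advisory.

Added example, not Gurucul TDIR syntax or tooling: it applies the same three
match conditions the queries above express (hash, IP address, URL path) to
newline-delimited JSON log records. Field names are taken from the queries;
IOC values are a subset copied from the lists above; log lines are constructed.
"""
from __future__ import annotations

import json
import re
from typing import Iterable

# Subset of the advisory's IOCs (extend with the full lists for real use).
IOC_MD5 = {
    "8c7c782df59edd61aabbc510d7747b11",
    "a5748047ebbe34d7821a2a040e4ca54e",
}
IOC_SHA1 = {"833a461f6d479d164b453cc9f5f51259d991b1b7"}
IOC_SHA256 = {"91d9c73b804aae60057aa93f4296d39ec32a01fe8201f9b73f979d9f9e4aea8b"}
IOC_IPS = {"94.198.55.181", "94.198.51.247", "94.198.53.143", "185.234.216.64"}
IOC_PATHS = {"/webhp/", "/adsense/troubleshooter/1631343/", "/client_204/", "/cdba/"}

# Hash type is inferred from hex length, so a mislabelled field still matches.
HASH_SETS = {32: ("md5", IOC_MD5), 40: ("sha1", IOC_SHA1), 64: ("sha256", IOC_SHA256)}
HASH_FIELDS = ("md5hash", "sha1hash", "sha256hash")
IP_FIELDS = ("dstipaddress", "ipaddress", "publicipaddress", "srcipaddress")


def normalise_path(url: str) -> str:
    """Reduce a URL or bare path to '/segment/.../' form.

    Handles both spellings used on this page: the IOC list writes '/webhp/',
    the TDIR query writes '//webhp' (doubled slashes, no trailing slash).
    """
    path = re.sub(r"^[a-z][a-z0-9+.-]*://[^/]*", "", url.strip(), flags=re.I)  # drop scheme+host
    path = re.sub(r"/+", "/", path)  # collapse doubled slashes
    if not path.startswith("/"):
        path = "/" + path
    return path if path.endswith("/") else path + "/"


NORMALISED_PATHS = {normalise_path(p) for p in IOC_PATHS}


def match_record(rec: dict) -> list[str]:
    """Return 'indicator_type:value' hits for one parsed log record."""
    hits: list[str] = []
    for field in HASH_FIELDS:
        value = str(rec.get(field, "")).strip().lower()  # hashes are case-insensitive
        kind = HASH_SETS.get(len(value))
        if kind and value in kind[1]:
            hits.append(f"{kind[0]}:{value}")
    for field in IP_FIELDS:
        value = str(rec.get(field, "")).strip()
        if value in IOC_IPS:
            hits.append(f"{field}:{value}")
    if rec.get("url"):
        path = normalise_path(str(rec["url"]))
        if path in NORMALISED_PATHS:
            hits.append(f"url:{path}")
    return hits


def scan(lines: Iterable[str]) -> list[tuple[int, list[str]]]:
    """Scan NDJSON lines and return (line_number, hits) for every matching record.

    Unparseable lines are skipped so one bad line does not abort the scan.
    """
    findings: list[tuple[int, list[str]]] = []
    for number, line in enumerate(lines, start=1):
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        hits = match_record(rec)
        if hits:
            findings.append((number, hits))
    return findings


# Constructed sample log lines (not real telemetry); hosts and internal IPs are invented.
SAMPLE_LOGS = [
    '{"host":"ws-01","srcipaddress":"10.0.0.5","dstipaddress":"94.198.55.181",'
    '"url":"http://94.198.55.181//webhp"}',
    '{"host":"ws-02","filename":"clearlog.bat","md5hash":"8C7C782DF59EDD61AABBC510D7747B11"}',
    '{"host":"ws-03","srcipaddress":"10.0.0.7","dstipaddress":"203.0.113.9",'
    '"url":"https://example.invalid/search/"}',
    "not a json record",
]

if __name__ == "__main__":
    for number, hits in scan(SAMPLE_LOGS):
        print(f"line {number}: {', '.join(hits)}")
```

    Running the script reports line 1 (IP plus URL path) and line 2 (MD5, matched despite the upper-case spelling) and nothing for the benign third record or the malformed fourth. Many of the listed paths mimic ordinary web resources (search pages, CDN scripts, ad-serving endpoints), so a URL-path hit on its own is low fidelity; treat it as a lead to correlate with the IP or hash indicators rather than as an alert in itself.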

    Reference:

    https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2024-08-07-domains-impersonating-postal-services.txt 


    Tags

    Malware, Backdoor, Exploit
