Analysis of Ongoing FROZEN#SHADOW Attack Campaign Leveraging SSLoad Malware and RMM Software for Domain Takeover
Description:
The Securonix Threat Research team observed a malicious campaign deploying SSLoad malware alongside Cobalt Strike implants and ScreenConnect RMM software, enabling the threat actors to infiltrate systems, gather sensitive data, and ultimately take over the victim's entire Windows domain. The initial infection vector was a phishing email containing a link to a JavaScript file that kicked off a multi-stage payload deployment. Once inside, the attackers were able to install RMM software, move laterally, extract credentials, and create a malicious domain admin account, compromising the organization's infrastructure.
| Published | Created | Modified |
|---|---|---|
| 2024-04-26 08:45:50 | 2024-04-26 08:45:50 | 2024-04-27 01:52:02 |
Tags
Indicators
IPv4s:
URLs:
- http://23-95-209-148-host.colocrossing.com:443
- https://skinnyjeanso.com/live/
- https://titnovacrion.top/live/.
- stratimasesstr.com
- wireoneinternet.info
- kasnackamarch.info
- krd6.com
- simplyfitphilly.com
- danteshpk.com
- l1-03.winupdate.us.to
- tjx-usa.com
- maramaravilha.com
- winarkamaps.com
- bjsdg0.pintaexoticfashion.co.in
- 23-95-209-148-host.colocrossing.com
- mmtixmm.org
- globalsolutionunlimitedltd.com
- skinnyjeanso.com
- titnovacrion.top
- sokingscrosshotel.com
- SSLoad
- Cobalt Strike - S0154
- c172abd808cc6216b309bc307fe69b821c7eaed35f874fd4684ab33b4291f95a
- fad25892e5179a346cdbdbba1e40f53bd6366806d32b57fa4d7946ebe9ae8621
- 7206eafc475f246e7c9c258afdaaa64b5193c1c7427d927be417e53dec890078
- ae610eb8f8622653b9be9692a7d2a680b0c2154022704ca58af0eaeed0066d03
- 09e7f7428e6ecc68ef036c0751f53985882f6760cf3892f1d26af44f3b9730de
- 805b59e48af90504024f70124d850870a69b822b8e34d1ee551353c42a338bf7
- 96212917b7b0dc881332db7ece0bacfe21d9ac713af1abe078f6d3e74baacd01
- 17ddc339b14845bc9d67c5c3cd9a0e617387cc0569131ff3641035d82043effa
- db265ea1732935f61e8d0f7a20a8adc54e20af71b3cf4a737714cd3377c838f6
- 2b026343214c3d2c10fdfa9b04b7694e57ee8d3605fbf9a2e127fe6fa9a58309
- 791c28d4201e8b9ea5162fbee3908feb34793b1c51f5aaedc43916e86068248d
- 9fc48724cb9f70f774f7ed9e809e49979bd089dfd641896d8d5e3026f049b0af
- 65da6d9f781ff5fc2865b8850cfa64993b36f00151387fdce25859781c1eb711
- 4f52b4a2a781f366ed534d8c4b2fafef48a7848c4c20b4229b98747ca8ab06d3
- b9dbe9649c761b0eee38419ac39dcd7e90486ee34cd0eb56adde6b2f645f2960
- 232f8f8dc9e5b9723c43c78cb942cc810ef56e305e4bd650110a484334f568a8
- 6e892aa13cbd4b71a1c476207abddb1ef830be04999809b4ef569488a37e47e0
- 75db4709428310c76656bf76f5de267ab490e43284312b374baf7582108300a9
- f8fc9b40b946b742d6044f291914439727e1a7f53ea87562446f682b26cce65a
- 7018c43ee38190eae122797869865fd808817f31d766575b43b118ae176c0c68
- 4d9274cfe7a2bd9a125352271d1634708e1f9b1d70b056d1c1950cb98b8f91ff
- 9856b816a9d14d3b7db32f30b07624e4bcda7f1e265a7bb7a3e3476bfd54a759
- e8979741f0355a47dae575ead8c829df47f282b4533ec1be4d63086515f9c449
- 0ede3cbe821e4f083fc119274f069c77e64a6a7e8a2c16530317b826a0939979
- fc21a125287c3539e11408587bcaa6f3b54784d9d458facbc54994f05d7ef1b0
- 3bca1dcaef4430272b9029c9a4bc8be0d45ecff66e8de8679ed30d8afab00f6f
- ff5e40fc794e56fd78feb6eb6b30794970f7cdb4a767c4095e2d20a90bb0efe8
- 7dbebb7c76511fc063b5ace0a9359b655f66a55a494200b8fd11905c78b5fb90
- dcae57ec4b69236146f744c143c42cc8bdac9da6e991904e6dbf67ec1179286a
- 2118c5b95d5d57492b2e8b8c0403e23b21acc4ff50282f8b6007ba89adfaa992
- 18d60c9c807da021bc2c31e3ba7ec2737865a8c96060134caa3cf033e43e26fe
- caf8295570e8a8244c7099a8eabfd1bd55ea50f026b4461e9f0f5425d54703e8
- 08075e8a6dcc6a5fca089348edbd5fc07b2b0b26a26a46e0dd401121fdaa88d3
- 780b970dad15835d138546be9b615fc1b4124c1060a8efd91b9c52f9c3160d5b
- 3584ca9c1e7e0a38e47f59bb16c21203a60833d0f826294d535a98e7ca76d9c1
- 6d7a94b7551f15732e193a07357375b98b463f0dce6b1fed871a42fcbdde9f48
- ba3fa920708db856737a66f70e2c7e86bba73c73836f7f30c2ce42cd70d0c5bd
- 68e1caf530366b1890993185157c01161b3d625063d75a41c88d2d1bb8edfe02
- 63283e012f067a3ffb27ed4fe6803f740c80f6f65213fe5507f0cd1ee0019b96
- 5fb093a9348fcf4a81befda978c948796a8319fcabe7899c2cf5ba1419ec9d35
- 0737fa0b403fab17331c9835497a4f3b2955543e2fac85009dcc66df41a015f8
- 24cb279eebcd49e1327905ab2bd19b9b2e09efa3e0a5e1875f3989c398a5da81
- 08e82f1c0a033ab295b4d342c53970e4528e20933c614bda3bbc5d57bab20651
- f5bf914415faf7587958bbdc3312536fd9abea647f1541d44d2e757f0e683650
- a557f891f4d50e458d745c7eaf7d0be3eceea36f0398097e977cd3f6ec463875
- 828ef3e4ca064891836913015c48ac9807ecd43b32f6e7e4bff29b9fd2e218c9
- 7f97adff1d298ccf1f3c7991fcb01008dda22722ebbc11af48fcbf2adb58afb4
- c122596e25a4dad1d46d4ab983f4ef15bfa7b65582b7c311f404036766498105
- e8e76b851fc78d87fe58ad7d29bc6356a8965236d1b96c5f572334dd695d5de9
- 8f7a90b540f38712c9c1a5359c6333bbe1091102d6f621b22321e08352c84cfc
- 092962bc268390debf17cd148d03147cdf919e442e61c92de01eac3bdb34b1c1
- 7dff08656413a737483ecee2a50e412338ebfee3d36a1a5c04e74b25949b2306
- ee1e5b80a1d3d47c7703ea2b6b64ee96283ab3628ee4fa1fef6d35d1d9051e9f
- FROZEN#SHADOW
External References
- https://otx.alienvault.com/pulse/662b69be5392a00e1ebe9e8b
- https://www.securonix.com/blog/securonix-threat-research-security-advisory-frozenshadow-attack-campaign