FHAPPI Campaign APT10 FreeHosting APT PowerSploit Poison Ivy

Published 19/06/2024 07:24 · Modified 19/06/2024 08:10

Essential information

Published
19/06/2024 07:24
Modified
19/06/2024 08:10
Tags
2024-06-19 apt breut darkmoon encodedpayload geocities malware poison ivy poisonivy powershell
Related entities
5 observables, 1 intrusion sets (apt), 8 techniques (mitre), 4 malware

Description

This analysis details a malicious campaign, dubbed 'FHAPPI' by the researcher, that used compromised free-hosting accounts in Japan to host its payloads. The campaign chained VBScript and PowerShell scripts to execute encoded commands, ultimately delivering the Poison Ivy remote access trojan (RAT) through process injection. The researcher provides a detailed reverse-engineering analysis of the components, including decoding multiple layers of obfuscation, identifying reused PowerSploit code, and tracing the RAT's behavior and network communications. The report concludes by attributing the campaign to the threat actor APT10 and providing the relevant indicators of compromise.

External references