Handala attempts a supply chain hack via ReutOne

During the week, Handala, a group painfully in love with Israel, breached ReutOne, a small Microsoft 365 Dynamics reseller. Handala then emailed ReutOne's customers on 24th December 2024, asking them to run a software update:

Kevin Beaumont (@GossiTheDog@cyberplace.social)

The update was, of course, fake.

The installer looks like this:

Instead, it reaches out to various hosts, and starts profiling the system if certain criteria are met.

Example commands (not exhaustive):

cmd.exe /c powershell Get-ComputerInfo
cmd.exe /c systeminfo
cmd.exe /c wmic logicaldisk get caption,description,providername
cmd.exe /c net group /domain
cmd.exe /c wmic ntdomain list /format:list
cmd.exe /c dsquery user
cmd.exe /c vaultcmd /listcreds:"Windows Credentials" /all
cmd.exe /c ipconfig /all
cmd.exe /c netsh firewall show state

Results are posted off to a C2 server. I have observed follow-on, hands-on-keyboard activity. They like to add exclusions for their processes in antimalware products.

Static antimalware detection is poor: 4 days in, payload detection is still missing from most major vendors.

I did manage to pivot on this and find other victim orgs and targeting; IoCs are enclosed.

Indicators of Compromise

Payload downloads

gateway.storjshare.io
link.storjshare.io

C2 comms

209.250.255.169

First stage payload

5ee2120821e570760cfb22b8b1d3329407807c14d31c0667f47f36d5d11b0111
d234bb81737612a4f9d18d47992412e84bbfb7f75de2c7c83e850c16b88f6fff

Emerging Threats network signatures

  • ET INFO File Sharing Service Domain in DNS Lookup (link .storjshare .io)
  • ET INFO Observed File Sharing Service Domain (link .storjshare .io in TLS SNI)
  • ET INFO Commonly Actor Abused Online Service Domain (storjshare .io)
  • ET INFO Observed Commonly Actor Abused Online Service Domain (storjshare .io in TLS SNI)

Network traffic tells — C2 comms

http://x.x.x.x/get_updates
http://x.x.x.x/send_message
http://x.x.x.x/send_status
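The discovery burst listed above and these C2 paths are both visible in ordinary process-creation and proxy telemetry. The Python below is an added example, not code from the post: it flags a parent process that spawns several of the listed discovery commands inside a short window, and HTTP requests for the C2 paths where the Host is a bare IP. The record fields (ts, parent, cmdline, host, uri) and the sample telemetry are assumed and constructed for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Discovery commands the fake updater was seen running (from the post above).
DISCOVERY_PATTERNS = [
    r"powershell\s+get-computerinfo", r"\bsysteminfo\b",
    r"wmic\s+logicaldisk\s+get", r"net\s+group\s+/domain",
    r"wmic\s+ntdomain\s+list", r"\bdsquery\s+user",
    r"vaultcmd\s+/listcreds", r"ipconfig\s+/all",
    r"netsh\s+firewall\s+show\s+state",
]
# C2 URI paths from the "Network traffic tells" section.
C2_PATHS = {"/get_updates", "/send_message", "/send_status"}
IP_HOST = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

def discovery_bursts(events, min_hits=4, window=timedelta(minutes=5)):
    """events: process-creation records {ts (ISO 8601), parent, cmdline}. Returns
    {parent: sorted pattern indices} for parents spawning >= min_hits distinct commands in `window`."""
    hits = defaultdict(list)  # parent -> [(timestamp, pattern index)]
    for e in events:
        cmd = e["cmdline"].lower()
        for i, pat in enumerate(DISCOVERY_PATTERNS):
            if re.search(pat, cmd):
                hits[e["parent"]].append((datetime.fromisoformat(e["ts"]), i))
    flagged = {}
    for parent, seen in hits.items():
        seen.sort()
        for pos, (t0, _) in enumerate(seen):  # slide the window over each possible start
            distinct = {i for t, i in seen[pos:] if t - t0 <= window}
            if len(distinct) >= min_hits:
                flagged[parent] = sorted(distinct)
                break
    return flagged

def c2_beacons(http_events):
    """http_events: proxy/Zeek-style records {host, uri}. Flags C2 paths requested from a bare-IP Host."""
    return [e for e in http_events if e["uri"] in C2_PATHS and IP_HOST.match(e["host"])]

# Constructed sample telemetry for the demo; these are not logs from the incident.
SAMPLE_PROCS = [{"ts": f"2024-12-24T10:00:0{i}", "parent": "update.exe", "cmdline": c}
                for i, c in enumerate(["cmd.exe /c systeminfo", "cmd.exe /c net group /domain",
                'cmd.exe /c vaultcmd /listcreds:"Windows Credentials" /all', "cmd.exe /c ipconfig /all"], 1)]
SAMPLE_PROCS.append({"ts": "2024-12-24T11:30:00", "parent": "explorer.exe", "cmdline": "cmd.exe /c ipconfig /all"})
SAMPLE_HTTP = [
    {"host": "209.250.255.169", "uri": "/send_status"},      # C2 IP from the post
    {"host": "updates.example.com", "uri": "/get_updates"},  # same path, named host: not flagged
]
```

Running `discovery_bursts(SAMPLE_PROCS)` flags only update.exe (four distinct discovery commands in three seconds), while the single ipconfig from explorer.exe stays below the threshold.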

Additional Handala activity IOCs

First stage payload

6c

[…]

This article has been indexed from DoublePulsar – Medium