PassiveNeuron Campaign with APT Implants and Cobalt Strike

Threat Profile

Description

A complex cyberespionage campaign targeting government, financial, and industrial organizations in Asia, Africa, and Latin America. The attackers compromise Windows Server machines through SQL Server exploitation, then deploy custom APT implants (Neursite and NeuralExecutor) alongside the Cobalt Strike framework. The intrusion relies on multi-stage DLL loading chains that only run on hosts matching a pre-selected MAC address, and on Phantom DLL Hijacking for persistence.

MITRE ATT&CK Techniques

T1574.001 - DLL Side-Loading (Phantom DLL Hijacking)
T1055 - Process Injection
T1027 - Obfuscated Files or Information
T1082 - System Information Discovery
T1057 - Process Discovery
T1090 - Proxy
T1059.001 - PowerShell
T1059.005 - Visual Basic
T1505.003 - Web Shell
T1071.001 - Web Protocols (HTTP/HTTPS)
T1573 - Encrypted Channel
T1102.001 - Dead Drop Resolver
T1569.002 - Service Execution
T1083 - File and Directory Discovery
T1584.006 - Web Services (GitHub for C2)

Related Entities

Indicators of Compromise (7)


Metadata

Published

7 months ago