Rewterz Threat Alert – CageyChameleon Malware – Active IOCs

Severity

High

Analysis Summary

CageyChameleon is a script-based backdoor used in a low-volume eCrime operation that targets companies involved in cryptocurrency and blockchain technology, particularly cryptocurrency exchanges. The group that deploys CageyChameleon is tracked as CryptoCore (aka CryptoMimic, Leery Turtle, and Dangerous Password). It relies heavily on Visual Basic Script (VBScript) rather than on executables or in-memory payloads, and the backdoor tracked as CageyChameleon is its main tool. The group has been active since at least 2018. Since August 2020 it has replaced its VBScript infection chain with JavaScript (JS) payloads that perform equivalent functions; the move to JS most likely represents an attempt to evade detection.

Impact

  • Exposure of sensitive data
  • Financial loss

Indicators of Compromise

MD5

  • 60214745027c7efa7cc920d43d9c254a
  • 9a06ce2b0b038de9147f93bbb3b3c56c
  • 2b89480b4021e82210f6713a3c34d0de
  • 408b27039e928c6aebb1b72a23257486
  • 52965357107ab24a33d94bf8ee555dcd
  • 539398c1554ebc30f458925d425d16dd

SHA-256

  • 8d48a77e7a4b8c824d8c1b890dc3e2b904e6fa8fbe8dae1a22f5870916c01c20
  • fd02d7c88c831930ffe45984c714364c004cbb30c3f38cbaf63d0867ac5dd7a1
  • 97a4c9d2542285d09dfce1594931cb366bd65edc2454c3984ca6539689c4a6c2
  • b807d42926b94116ab57c8c40d5b4795b97375c150e1ec97a6520225dd0d4a0e
  • 0172c45bd43dbd0935bda1b9bbc0cb82bd3896c103534922093963dd715cabec
  • 8ea0c7e99067c4f9169b505c5072df49270b46129e1aee1e78e4236472a7c382

SHA-1

  • c02dc79d5b36629c072bb7ebeab897dc46ac9fb9
  • a36d8558f1b0796612b17975bc72dd5d335729ec
  • 46bf001b6e86a4d459c73b86cdb5b1ad7bc4c6ee
  • 0bb1f3337e7532f9b57efcc4a924ff45327639e2
  • 040d14fcd88c0cca8fae56f602e2cc9e711afc4e
  • c37e1efc01fa39f240e4dcdbbcab12fdf2c187be

Remediation

  • Block all threat indicators at your respective controls.
  • Search for IOCs in your environment.
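The following sweep script is an added example, not Rewterz tooling, showing one way to act on the remediation steps above: it hashes every file under a directory tree once (MD5, SHA-1 and SHA-256 from a single read) and reports any file whose digest matches the hashes listed in the Indicators of Compromise section. Because the group's infection chain is VBScript and, since August 2020, JavaScript, a second helper lists script files by extension as a starting point for triage; the encoded/wrapper extensions (.vbe, .jse, .wsf) are my assumption, not something the alert names. The sample file written in the usage path is constructed for demonstration only.

```python
"""Sweep a directory tree for CageyChameleon file-hash IOCs and candidate script droppers.

Added example; not part of the Rewterz alert. Hashes below are copied from the
Indicators of Compromise section of the alert (MD5, SHA-256, SHA-1).
"""
import hashlib
import os
import sys
from pathlib import Path
from typing import Dict, Iterable, List, Set, Tuple

CAGEYCHAMELEON_IOCS: Set[str] = {
    # MD5
    "60214745027c7efa7cc920d43d9c254a", "9a06ce2b0b038de9147f93bbb3b3c56c",
    "2b89480b4021e82210f6713a3c34d0de", "408b27039e928c6aebb1b72a23257486",
    "52965357107ab24a33d94bf8ee555dcd", "539398c1554ebc30f458925d425d16dd",
    # SHA-256
    "8d48a77e7a4b8c824d8c1b890dc3e2b904e6fa8fbe8dae1a22f5870916c01c20",
    "fd02d7c88c831930ffe45984c714364c004cbb30c3f38cbaf63d0867ac5dd7a1",
    "97a4c9d2542285d09dfce1594931cb366bd65edc2454c3984ca6539689c4a6c2",
    "b807d42926b94116ab57c8c40d5b4795b97375c150e1ec97a6520225dd0d4a0e",
    "0172c45bd43dbd0935bda1b9bbc0cb82bd3896c103534922093963dd715cabec",
    "8ea0c7e99067c4f9169b505c5072df49270b46129e1aee1e78e4236472a7c382",
    # SHA-1
    "c02dc79d5b36629c072bb7ebeab897dc46ac9fb9", "a36d8558f1b0796612b17975bc72dd5d335729ec",
    "46bf001b6e86a4d459c73b86cdb5b1ad7bc4c6ee", "0bb1f3337e7532f9b57efcc4a924ff45327639e2",
    "040d14fcd88c0cca8fae56f602e2cc9e711afc4e", "c37e1efc01fa39f240e4dcdbbcab12fdf2c187be",
}

# Script extensions worth triaging given the VBScript -> JavaScript chain described
# in the alert. .vbe/.jse/.wsf are an assumption (encoded and wrapper variants), not from the alert.
SCRIPT_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf"}


def hash_file(path: Path, chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Return MD5, SHA-1 and SHA-256 hex digests of a file, reading it only once."""
    md5, sha1, sha256 = hashlib.md5(), hashlib.sha1(), hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha1.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest(), "sha256": sha256.hexdigest()}


def sweep(root: str, iocs: Iterable[str] = CAGEYCHAMELEON_IOCS) -> List[Tuple[str, str, str]]:
    """Walk `root` and return (path, algorithm, digest) for every file matching an IOC hash."""
    wanted = {h.strip().lower() for h in iocs}
    hits: List[Tuple[str, str, str]] = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in sorted(filenames):
            path = Path(dirpath) / name
            if path.is_symlink() or not path.is_file():
                continue  # skip links and special files; symlinks would be hashed twice or escape root
            try:
                digests = hash_file(path)
            except OSError:
                continue  # unreadable file: record nothing rather than abort the whole sweep
            for algo, digest in digests.items():
                if digest in wanted:
                    hits.append((str(path), algo, digest))
    return hits


def suspicious_scripts(root: str) -> List[str]:
    """List script files under `root` whose extension matches the group's known payload types."""
    found: List[str] = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in sorted(filenames):
            if Path(name).suffix.lower() in SCRIPT_EXTENSIONS:
                found.append(str(Path(dirpath) / name))
    return found


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, algo, digest in sweep(target):
        print(f"IOC HIT  {algo:<6} {digest}  {path}")
    for path in suspicious_scripts(target):
        print(f"SCRIPT   {path}")
```

Run it as `python sweep.py C:\Users` (or any mount point) from an account that can read the files of interest; a hash match is a positive indicator, while the script listing is only a triage queue, since legitimate .js and .vbs files are common on Windows hosts.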