Rewterz

APT37 Targets Air-Gapped Systems via USB-Based Malware Campaign – Active IOCs

Severity

High

Analysis Summary

A North Korea-linked threat group known as APT37, also tracked as ScarCruft, Ruby Sleet, and Velvet Chollima, has been observed deploying five new malicious tools in a campaign targeting air-gapped systems. Active since 2012 and primarily focused on South Korean entities, the group continues to evolve its data theft and surveillance capabilities.

In a campaign that researchers discovered and named Ruby Jumper, the attackers used LNK shortcut files to execute PowerShell scripts that delivered multiple payloads, including an Arabic-language decoy document referencing the Palestine-Israel conflict. The infection chain ultimately deploys a memory-resident payload called RestLeaf, which uses Zoho WorkDrive for command-and-control (C2) communication and retrieves shellcode for in-memory execution.

The shellcode acts as a launcher that fetches and decrypts a second-stage payload, which in turn loads an embedded Windows executable named SnakeDropper. This malware installs a disguised Ruby 3.3.0 runtime environment, modifies the Ruby interpreter to act as a backdoor, and creates a scheduled task that runs it every five minutes, ensuring persistence.

SnakeDropper drops ThumbsBD, a backdoor designed to exfiltrate data from air-gapped systems using USB drives as bidirectional relays. It creates hidden directories on removable drives to stage commands and stolen data. ThumbsBD also gathers system information, downloads additional payloads, and executes shellcode.

Another tool, VirusTask, spreads the infection by copying malicious executables onto USB drives and replacing legitimate files with weaponized LNK shortcuts. When users open these files, the malware executes on isolated systems. Together, ThumbsBD and VirusTask form a comprehensive air-gap attack toolkit.

Additionally, ThumbsBD deploys FootWine, an encrypted Android package with surveillance capabilities including keystroke logging, audio and video recording, file manipulation, and system control.

Security experts recommend enhanced endpoint monitoring and stricter control of physical access points to mitigate such air-gap bypass threats.

Impact

  • Data Exfiltration
  • Security Bypass
  • Lateral Movement
  • Unauthorized Access

Indicators of Compromise

Domain Name

  • philion.store
  • homeatedke.store
  • hightkdhe.store

IP

  • 144.172.106.66

Remediation

  • Disable or restrict execution of LNK files from removable media to prevent shortcut-based malware delivery.
  • Enforce strict USB device control policies to block unauthorized removable drives on sensitive systems.
  • Implement endpoint detection and response (EDR) solutions to monitor suspicious PowerShell and in-memory execution.
  • Monitor and restrict scheduled task creation to detect persistence mechanisms.
  • Apply application allowlisting to prevent unauthorized executables and interpreters from running.
  • Inspect and log cloud storage traffic to identify abnormal C2 communication patterns.
  • Regularly scan removable media in controlled environments before use on isolated systems.
  • Disable Windows AutoRun and AutoPlay features to reduce automatic malware execution risks.
  • Monitor creation of hidden directories on USB drives as potential staging locations.
  • Restrict installation of unauthorized runtime environments such as rogue interpreters.
  • Conduct periodic forensic audits of air-gapped systems to detect covert persistence.
  • Implement strict physical access controls around high-value and air-gapped assets.
  • Provide user awareness training to reduce social engineering-driven execution of malicious files.
  • Maintain up-to-date endpoint security signatures and behavioral detection rules.
  • Segment critical systems further and enforce least-privilege access controls.
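As an added example (not code from the advisory or from Rewterz), the following Python script triages Windows Task Scheduler XML exports (such as those produced by `schtasks /Query /XML`) for the persistence pattern described above: a task that repeats every five minutes and whose action is an interpreter living outside the Windows and Program Files directories. The two task samples and the Ruby runtime path are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Task Scheduler XML namespace (real); the two task samples below are constructed.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

def iso_duration_seconds(value):
    """Convert an ISO-8601 duration such as PT5M, PT1H30M or P1D to seconds."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", (value or "").strip())
    if not m:
        return None
    d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return d * 86400 + h * 3600 + mi * 60 + s

def triage_task(xml_text, max_interval=300):
    """Return the reasons a task export looks like a persistence foothold."""
    root = ET.fromstring(xml_text)
    reasons = []
    # SnakeDropper-style tasks re-run the implant on a short fixed interval.
    for interval in root.findall(".//t:Repetition/t:Interval", NS):
        secs = iso_duration_seconds(interval.text)
        if secs is not None and secs <= max_interval:
            reasons.append(f"repeats every {secs}s")
    for cmd in root.findall(".//t:Actions/t:Exec/t:Command", NS):
        path = (cmd.text or "").strip().strip('"').lower()
        if path and not path.startswith(TRUSTED_PREFIXES):
            reasons.append(f"command outside trusted dirs: {path}")
        if path.endswith(("ruby.exe", "rubyw.exe")):
            reasons.append("scripting runtime used as task action")
    return reasons

# Constructed sample: a rogue Ruby runtime in a user-writable path, run every 5 minutes.
SUSPICIOUS_TASK = """<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger>
    <Repetition><Interval>PT5M</Interval></Repetition>
  </LogonTrigger></Triggers>
  <Actions><Exec><Command>C:\\Users\\Public\\Ruby33\\bin\\rubyw.exe</Command></Exec></Actions>
</Task>"""
# Constructed sample: an hourly task running a Windows binary (should not be flagged).
BENIGN_TASK = """<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger>
    <Repetition><Interval>PT1H</Interval></Repetition>
  </CalendarTrigger></Triggers>
  <Actions><Exec><Command>C:\\Windows\\System32\\cleanmgr.exe</Command></Exec></Actions>
</Task>"""
if __name__ == "__main__":
    for name, xml in (("suspicious", SUSPICIOUS_TASK), ("benign", BENIGN_TASK)):
        print(name, triage_task(xml) or "no findings")
```

Run it over every exported task on a host; a hit on the interval check alone is common for legitimate software, so treat the combination of a short interval and an untrusted interpreter path as the signal worth investigating.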