The web shells serve as a means of downloading the DUSTPAN (also known as StealthVector) dropper, which loads Cobalt Strike Beacon for C2 communication. The DUSTTRAP dropper is then deployed after lateral movement. To hide its malicious operations, DUSTTRAP is set up to decrypt a malicious payload and run it in memory. From there, it attempts to connect to a server under the control of the attacker or a Google Workspace account that has been hacked.

According to Google, steps have been taken to prevent unwanted access to the identified Workspace accounts. It did not, however, provide the number of accounts that were impacted. The usage of PINEGROVE to transfer significant amounts of sensitive data from infected networks by abusing Microsoft OneDrive as an exfiltration vector and SQLULDR2 to export data from Oracle Databases to a local text-based file are other characteristics of the intrusions.

It is important to note that the malware families that Mandiant monitors under the codes DUSTPAN and DUSTTRAP overlap with those that researchers have nicknamed DodgeBox and MoonWalk, respectively. DUSTTRAP is a multi-component, multi-stage plugin framework. According to Mandiant researchers, they have discovered at least 15 plugins that can run shell commands, perform file system operations, list and end processes, record keystrokes and screenshots, collect system data, and alter the Windows Registry.

Additionally, it is designed to upload files, list remote desktop sessions, probe distant hosts, run DNS lookups, and execute other operations on Microsoft Active Directory. During the infiltration, it was discovered that the DUSTTRAP malware and its related components were code-signed using what appeared to be stolen code-signing certificates. It appeared that one of the code-signing certificates belonged to a South Korean business engaged in the gaming industry.

Impact

• Sensitive Data Theft
• Unauthorized Access
• Data Exfiltration

Indicators of Compromise

Domain Name

• ns2.akacur.tk
• ns1.akacur.tk
• eloples.com

IP

• 95.164.16.231
• 152.89.244.185

URL

• http://152.89.244.185/conn.exe

MD5

• ac125aea0b703de37980779599438b4a
• 17d0ada8f5610ff29f2e8eaf0e3bb578
• 9991ce9d2746313f505dbf0487337082
• c33247bc3e7e8cb72133e47930e6ddad
• cfce85548436fb89a83bf34dc17f325d
• e98b9e21928252332edf934f3d18ac21
• 8222352a61eacca3a1c6517956aa0b55
• dc725f5e9b1ae062fbec86ee4d816b45
• d72f202c1d684c9a19f075290a60920f
• 393065ef9754e3f39b24b2d1051eab61
• 336a0d6f8cc92bf9740ce17de600463b
• a689e182fe33b9d564dddc35412ea0a7
• e4a4aafb49b8c86a5ac087ae342c0ee6
• e584119a4766e6cf49093c666965c8be
• f1769ad5a9dc44794895275c656ed484

SHA-256

• c40db0438a906eb0bec55093f1a0f2cc4cdc38104af0b4b4b3f18200a635c443
• c3efcb6efad675613721910a783389a646b2d138c7721df9849b28952d25bcfc
• 069ca8ae8a3909aa4717832d911d646c536fed4c907866724f74daf4d740f41a
• 22a50cea6ad67a7e8582d2cd4cdc3eaaf57c0fbe8cd062a9b15710166e255a86
• 073b35ecbd1833575fbfb1307654fc532fd938482e09426cfb0541ad87a04f75
• 7586e58a569c2a07d0b3a710616f48833a040bf3fc57628bbdec7fcb462d565a
• c7dce6c950735bfcf2125be8eb1f3dd468eeb56a1c615c34f95bf38cb58b7d3a
• 6b37e0e0b0586769bc7b32ae3e0bc2f29e8ad2a1d3de07d50bb3e5489e2dd136
• c6a3a1ea84251aed908702a1f2a565496d583239c5f467f5dcd0cfc5bfb1a6db
• 33fd050760e251ab932e5ca4311b494ef72cee157b20537ce773420845302e49
• 8407defe0cc29d04b8d0f519b5008d30c09783fe0c63aad5ccb0950fc9a98406
• cdc619734f4e2aba0137b5fe9faf36896b85dff7cd4a93de562de770777d181a
• e5c7089eb3297b204aaabdb4a660d125a948ba869d2a7cf3cf7c0098125b5ef5
• bd058a6fd20347f21c38115490aef858d06f26b49b9d7be357297e60bd2934cc
• b0890685b25c6736827573e9536b2bf8c42dbaf36760fc947d461efdb6309aec

SHA-1

• 03f2f030182fe2f3d90a4b2584da798b36f35979
• f94225fe2c835cf1afe7ca35bef3e9f99735ebf0
• c5292d299094d778e6c1e7f3424b6d75b2245b30
• 2fce25afb8a29fcd526f61ba30f14dcc7ecfad3e
• df2ebd205e1ad722a6255badbca2496583764507
• 00d2512b5596b4f1150cd13c284727a4fcb1d73e
• f751fd089a2a9b5f5ed8aef52c24d82689c171b1
• 87c0d042d98345f967ac03d0a67199ae9fac3641
• 2cc76a0434a1d489c1547c7021a3dd68499141c3
• c3874d5cc7e82ad373b67a3650b0dfee7c219f8f
• 56b0dec07b2c7f39e6f21af1fd172c6b86016f62
• 2ed5a7067b23b243b4998a09a6d925a3b4737b67
• 5e08fc83cd4bdc38a4fe374559d2c15550c079cf
• d44ee36435344eca49aea84ec28370cde7ca2332
• 66103a68324421852720006e80b23001af906ecd

Remediation

• Block all threat indicators at your respective controls.
• Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
• Enable antivirus and anti-malware software and update signature definitions promptly. Using multi-layered protection is necessary to secure vulnerable assets.
• Patch and upgrade any platforms and software on time and make it into a standard security policy.
• Employ network intrusion detection and prevention systems to monitor and block malicious network activities.
• Implement network segmentation to limit lateral movement for attackers within the network.
• Implement advanced email filtering to detect and block phishing emails.
• Employ updated and robust endpoint protection solutions to detect and block malware.
• Develop and test an incident response plan to ensure a swift and effective response to security incidents.
• Enhance logging and monitoring capabilities to detect anomalous activities and unauthorized access.
• Conduct regular security audits and penetration testing to identify and address potential vulnerabilities.
• Regularly back up critical data and ensure that backup and recovery procedures are in place.