Dropper malware disguised as a firmware update
2022-07-08 • Hauri • https://download.hauri.net/DownSource/down/dwn_detail_down.html?uid=40
Hauri analyzed a dropper disguised as an ipTIME router firmware update that displayed a fake upgrade window while carrying out its malicious activity in the background. The malware decrypted embedded data, created a mutex whose name mimicked a Windows update artifact, wrote a payload under the user's roaming application-data path, and launched it through regsvr32.exe. As a decoy it also opened iptime.com in Explorer, and it communicated with a command-and-control server to carry out further malicious actions.
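The behaviour chain above (regsvr32.exe launching a module from the roaming AppData path, plus DNS lookups of the listed C2 domains) can be turned into a simple detection. The script below is an added example, not code from Hauri's report; the Sysmon-style event dicts, user name and payload file name are constructed placeholders, while the domains and hashes come from the IoC table on this page.

```python
import re

# Indicators copied from the report's IoC table.
KNOWN_DOMAINS = {"fedra.p-e.kr", "leomin.dothome.co.kr"}
KNOWN_MD5 = {"851e33373114fef45d0fe28c6934fa73", "9ac572bdca96a833a40edcaa91e04c2b"}

# The payload was written under the user's roaming application-data path.
ROAMING_RE = re.compile(r"\\AppData\\Roaming\\", re.IGNORECASE)


def check_process(image, cmdline, md5=None):
    """Reasons a process-creation event matches the dropper's execution chain."""
    reasons = []
    if image.lower().endswith("\\regsvr32.exe") and ROAMING_RE.search(cmdline):
        reasons.append("regsvr32.exe loading a module from roaming AppData")
    if md5 and md5.lower() in KNOWN_MD5:
        reasons.append("image hash listed in the IoC table")
    return reasons


def check_dns(query):
    """True when a DNS query names one of the report's C2 domains."""
    return query.lower().rstrip(".") in KNOWN_DOMAINS


def scan(events):
    """Run both checks over Sysmon-style event dicts; return (event id, reasons)."""
    hits = []
    for ev in events:
        if ev["type"] == "process":
            reasons = check_process(ev["image"], ev["cmdline"], ev.get("md5"))
        elif ev["type"] == "dns":
            reasons = ["DNS query to known C2 domain"] if check_dns(ev["query"]) else []
        else:
            reasons = []
        if reasons:
            hits.append((ev["id"], reasons))
    return hits


# Constructed sample telemetry; user name and file names are placeholders.
SAMPLE_EVENTS = [
    {"id": 1, "type": "process", "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r'regsvr32.exe /s "C:\Program Files\Vendor\vendor.dll"'},      # benign install
    {"id": 2, "type": "process", "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32.exe /s C:\Users\alice\AppData\Roaming\update.dll"},  # dropper chain
    {"id": 3, "type": "dns", "query": "fedra.p-e.kr"},                           # C2 from IoC table
    {"id": 4, "type": "dns", "query": "www.iptime.com"},                         # decoy page, legitimate
]

if __name__ == "__main__":
    for event_id, reasons in scan(SAMPLE_EVENTS):
        print(event_id, "; ".join(reasons))
```

The regsvr32 rule is a behavioural signal and will also fire on any software that legitimately registers a DLL from the roaming profile, so treat it as a triage lead rather than a verdict.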
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| DOMAIN | fedra.p-e.kr | 2022-05-31 | 2023-11-01 |
| URL | http://fedra.p-e.kr | 2022-07-08 | 2022-07-08 |
| HASH | 851e33373114fef45d0fe28c6934fa73 | 2022-05-31 | 2022-07-08 |
| HASH | 9ac572bdca96a833a40edcaa91e04c2b | 2022-05-31 | 2022-07-08 |
| DOMAIN | leomin.dothome.co.kr | 2022-05-31 | 2022-07-08 |