Threat Tracking: Analysis of puNK-003’s Lilith RAT ported to AutoIt Script

2024-08-22 • S2W • Analysis of puNK-003 Lilith RAT ported to AutoIt Script •

https://medium.com/s2wblog/threat-tracking-analysis-of-punk-003s-lilith-rat-ported-to-autoit-script-30dd59e68213

#LNK #LilithRAT #AutoIt #LINKON #CURKON #puNK-003 #puNK-002 #puNK-001 #T1059.003 #T1041 #T1204.002 #T1555.003 #T1518.001 #T1547.001 #T1053.005 #T1539 #T1059.001 #T1105 #T1571 #T1564.001 #T1027.010 #T1564.003

S2W TALON analyzed an LNK malware case that used a tax-evasion explanation-material lure and downloaded additional files from a hardcoded attacker server. The downloaded payloads included a malicious AutoIt script and a legitimate AutoIt3 runtime, ultimately launching a Lilith RAT implementation ported to AutoIt. The report notes similarities to Konni-style LNK tradecraft while also distinguishing the sample by its downloader role and final AutoIt RAT payload.

Indicators of Compromise

Type	Value	First Seen	Last Seen
HASH	9e1a3653029b5378736ea1debba44cd…	2024-08-22	2026-01-22
IPv4	3.3.14.5	2024-08-22	2026-01-22
IPv4	185.231.154.22	2024-07-31	2026-01-22
IPv4	93.183.93.185	2024-07-12	2026-01-22
IPv4	62.113.118.157	2024-07-08	2026-01-22
HASH	5ea09247ad85915a8d1066d1825061c…	2024-08-22	2024-10-30
HASH	0329bb5b3a450b0a8f148a57e045bf6…	2024-08-22	2024-10-30
DOMAIN	phasechangesolutions.com	2024-07-12	2024-10-30
HASH	2189aa5be8a01bc29a314c3c3803c2b…	2024-05-06	2024-10-30
HASH	9d6c79c0b395cceb83662aa3f7ed0123	2024-05-06	2024-10-30
HASH	ba59f1ece68fa051400fd46467b0dc0…	2024-04-12	2024-10-30
HASH	7bb236041b91d4cd4fa129267cf109c3	2024-08-22	2024-10-08
URL	https://radionaranjalstereo.com…	2024-08-22	2024-09-02
DOMAIN	radionaranjalstereo.com	2024-08-22	2024-09-02
DOMAIN	sibbss.com	2024-08-22	2024-09-02
HASH	c56b5f0201a3b3de53e561fe76912bfd	2024-08-22	2024-08-22
HASH	19dc387bffdc0a22f640bd38af320db4	2024-08-22	2024-08-22
HASH	7c08b9178c05ab765a3d7754ac99f4b…	2024-08-22	2024-08-22
HASH	c2cc785857c64fa1f8fbb2e359a2638…	2024-08-22	2024-08-22
HASH	d357fc478765a22f403c699a812f29bd	2024-08-22	2024-08-22
HASH	5bcfb56c4c884e3657bbfeacca37853…	2024-08-22	2024-08-22
HASH	6d6433c328f6cdce4a80efce3a29ea3e	2024-08-22	2024-08-22
HASH	808425bc599cd60989c90978d179af1…	2024-08-22	2024-08-22
HASH	e63082cf4db94f06d583a6313e48353…	2024-08-22	2024-08-22
URL	https://phasechangesolutions.co…	2024-08-22	2024-08-22
URL	http://sibbss.com/upload.php	2024-08-22	2024-08-22
URL	https://phasechangesolutions.co…	2024-08-22	2024-08-22
URL	https://file.drive002.com/read/…	2024-08-22	2024-08-22
URL	https://www.cammirando.com/wp-a…	2024-08-22	2024-08-22
URL	https://werxtracts.com/wp-conte…	2024-08-22	2024-08-22
URL	http://mq734121.info/index.php	2024-08-22	2024-08-22
URL	https://jethropc.com/wp-admin/c…	2024-08-22	2024-08-22
DOMAIN	mq734121.info	2024-08-22	2024-08-22
DOMAIN	file.drive002.com	2024-08-22	2024-08-22
DOMAIN	werxtracts.com	2024-08-22	2024-08-22
HASH	5613ba2032bc1528991b583e17bad59a	2024-07-31	2024-08-22
HASH	3c81dc763a4f003ba6e33cd5b63068cd	2024-07-31	2024-08-22
HASH	d5809e5f848f228634aa45ffe4a5ece0	2024-07-31	2024-08-22
HASH	4f865db4192afb5bbcdeb2e899ca97a4	2024-07-31	2024-08-22
HASH	77d05cc623f860ca2e6d47cdafc517a…	2024-05-22	2024-08-22
HASH	a0483db3725f8a50078daee7fd10f9bb	2024-05-22	2024-08-22
URL	http://storkse.com/upload.php	2024-05-22	2024-08-22
DOMAIN	storkse.com	2024-05-22	2024-08-22
URL	https://jethropc.com/wp-admin/c…	2024-05-06	2024-08-22
HASH	3334d2605c0df26536058f73a43cb074	2024-04-12	2024-08-22
URL	https://www.cammirando.com/wp-a…	2024-04-12	2024-08-22
URL	http://oryzanine.com/index.php	2024-03-26	2024-08-22
DOMAIN	oryzanine.com	2024-03-26	2024-08-22
URL	http://serviceset.net/upload.php	2023-12-18	2024-08-22
DOMAIN	serviceset.net	2023-12-18	2024-08-22
URL	https://downwarding.com/v2/read…	2023-11-24	2024-08-22
URL	https://bgfile.com/v2/read/get.…	2023-11-24	2024-08-22
DOMAIN	downwarding.com	2023-11-24	2024-08-22
DOMAIN	bgfile.com	2023-11-24	2024-08-22
HASH	6f5e4b45ca0d8c1128d27a15421eea38	2023-09-15	2024-08-22
URL	http://ttzcloud.com/upload.php	2023-09-15	2024-08-22
DOMAIN	ttzcloud.com	2023-09-15	2024-08-22
HASH	778e46f8f3641a92d34da68dffc168f…	2023-09-12	2024-08-22

Related Actors

pu NK-001

S2W

Konni

First seen: Aug 2024

Last seen: Aug 2024

pu NK-002

S2W

First seen: Aug 2024

Last seen: Aug 2024

pu NK-003

S2W

Konni

First seen: Aug 2024

Last seen: Aug 2024

Related Reports

2024-09-12 • 38% Match

APT PROFILE – KIMSUKY

Cyfirma

#Kimsuky #T1102.002 #T1082 #T1059.003 #T1567.002 #T1140 #T1005 #T1070.004 #T1587.001 #T1041 #T1608.001 #T1071.001 #T1112 #T1083 #T1056.001 #T1059.006 #T1204.001 #T1059.007 #T1036 #T1027 #T1204.002 #T1566.002 #T1555.003 #T1057 #T1059.005 #T1583.006 #T1518.001 #T1566.001 #T1547.001 #T1585.002 #T1053.005 #T1598.003 #T1583.001 #T1059.001 #T1036.005 #T1552.001 #T1585.001 #T1105 #T1219 #T1055 #T1553.002 #T1562.001 #T1027.002 #T1133 #T1190 #T1098 #T1016 #T1074.001 #T1588.002 #T1055.012 #T1587 #T1078.003 #T1071.002 #T1562.004 #T1550.002 #T1111 #T1071.003 #T1591 #T1003.001 #T1218.011 #T1593.002 #T1586.002 #T1588.005 #T1583.004 #T1036.004 #T1589.003 #T1594 #T1218.010 #T1557 #T1593.001 #T1218.005 #T1589.002 #T1584.001 #T1070.006 #T1021.001 #T1560.001 #T1176 #T1136.001 #T1543.003 #T1012 #T1534 #T1560.003 #T1007 #T1564.003 #T1114.003 #T1114.002 #T1564.002 #T1040 #T1546.001 #T1505.003

Shares tags: T1059.003, T1041, T1204.002 • Published within a month

2024-07-19 • 31% Match

APT Quarterly Highlights : Q2 2024

Cyfirma

#Trend #Andariel #Kimsuky #MoonstoneSleet #Lazarus #T1082 #T1059.003 #T1090 #T1140 #T1005 #T1070.004 #T1041 #T1113 #T1555 #T1560 #T1071.001 #T1046 #T1112 #T1115 #T1083 #T1497 #T1056.001 #T1036 #T1027 #T1204.002 #T1566.002 #T1555.003 #T1071 #T1124 #T1222 #T1552 #T1057 #T1583.003 #T1518.001 #T1547.001 #T1053.005 #T1539 #T1608.005 #T1583.001 #T1059.001 #T1053 #T1552.001 #T1566 #T1059 #T1003 #T1497.001 #T1102.001 #T1574.002 #T1562.001 #T1490 #T1486 #T1129 #T1133 #T1571 #T1548 #T1190 #T1203 #T1564.001 #T1087 #T1562.004 #T1218.011 #T1070.006 #T1547 #T1068 #T1614 #T1573 #T1095 #T1562 #T1070 #T1047 #T1056 #T1176 #T1010 #T1033 #T1569.002 #T1543.003 #T1485 #T1012 #T1202 #T1087.002 #T1021.004 #T1222.001 #T1518 #T1564.003 #T1505.003 #T1069.002 #T1564 #T1595.002 #T1027.005 #T1070.001 #T1056.004 #T1584

Shares tags: T1059.003, T1041, T1204.002

2024-07-31 • 29% Match

AutoIt 활용 방어 회피 전술의 코니 APT 캠페인 분석

Genians

#Konni #LNK #AutoIt

Shares tags: LNK, AutoIt • Shares 10 IOCs • Published within a month

2024-07-31 • 27% Match

Research Update: Threat Actors Behind the DEV#POPPER Campaign Have Retooled and are Continuing to Target Software Developers via Social Engineering

Securonix

#NPM #DevPopper #T1082 #T1059.003 #T1070.004 #T1041 #T1560 #T1059.006 #T1059.001 #T1027.010 #T1033 #T1132

Shares tags: T1059.003, T1041, T1059.001 • Published within a month

2025-02-12 • 23% Match

APT PROFILE – APT43

Cyfirma

#APT43 #T1102.002 #T1082 #T1059.003 #T1567.002 #T1140 #T1005 #T1070.004 #T1587.001 #T1041 #T1608.001 #T1071.001 #T1112 #T1083 #T1056.001 #T1059.006 #T1204.001 #T1059.007 #T1036 #T1027 #T1204.002 #T1566.002 #T1555.003 #T1057 #T1059.005 #T1583.006 #T1518.001 #T1566.001 #T1547.001 #T1585.002 #T1053.005 #T1598.003 #T1583.001 #T1059.001 #T1036.005 #T1552.001 #T1585.001 #T1105 #T1219 #T1055 #T1553.002 #T1562.001 #T1027.002 #T1133 #T1190 #T1098 #T1016 #T1074.001 #T1588.002 #T1055.012 #T1587 #T1078.003 #T1071.002 #T1562.004 #T1550.002 #T1111 #T1071.003 #T1591 #T1003.001 #T1218.011 #T1593.002 #T1586.002 #T1588.005 #T1583.004 #T1036.004 #T1589.003 #T1594 #T1218.010 #T1557 #T1593.001 #T1218.005 #T1589.002 #T1584.001 #T1070.006 #T1021.001 #T1560.001 #T1176 #T1136.001 #T1543.003 #T1012 #T1534 #T1560.003 #T1007 #T1564.003 #T1114.003 #T1114.002 #T1564.002 #T1040 #T1546.001 #T1505.003

Shares tags: T1059.003, T1041, T1204.002

2024-09-02 • 23% Match

부가가치세 신고 파일로 위장한 문서형 악성코드 분석 (Konni APT 캠페인)

Sands Lab

#Konni #LNK

Shares tag: LNK • Shares 3 IOCs • Published within a month

« Back