
Researchers discovered malicious activity known as HydroJiin

Researchers recently discovered malicious activity involving multiple infostealer RATs and mining malware and named it “HydroJiin”. The attacker behind it is in the business of selling malware and lurks in various forums that serve as common meeting places for junior to mid-level cybercriminals. Researchers assess that the malware author conducts a wide range of activities involving both commodity and custom malware sold on the underground market.

The scope of the activity is currently unclear. The campaign uses many different techniques to increase the chance of successfully infiltrating an organization, combining various payloads and infection vectors: commercial RATs and custom malware, email spam, backdoors disguised as cracked software, and other decoys.

The following are the characteristics of the malicious activity:

● Multi-stage infection chain
● Customized Python-based backdoor deployed alongside other RATs (NetWire and Quasar)
● A Python command-check function for macOS indicates that more cross-platform functionality may appear in the future
● The activity is tied to an attacker who has also distributed multiple malicious tools through a dedicated malware e-commerce website
● The malware payload is similar to the one seen in the CobianRAT case
● Pastebin is used extensively to host the encoded payloads

The infection chain is as follows:

[Figure: HydroJiin infection chain]

The infection begins with the delivery of a downloader that retrieves multiple payloads. The distribution method of this downloader has not been confirmed, but the researchers suspect that the attacker used spam and cracked software. Once initial access is gained, the downloader retrieves three files:

● Injector - used to inject the downloaded payload into a legitimate process.
● A commercial RAT - used to control infected systems and steal information.
● DownloaderShellcode - obfuscated Meterpreter-based shellcode that downloads further payloads.

This shellcode downloads the Pyrome Python backdoor. Socat and the xmrig mining program are also downloaded, and finally the xmrig stage downloads another RAT, Quasar.
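A defender-side correlation over proxy logs for the chain above (an added example, not code from the report): flag a host that fetches from Pastebin with a non-browser user agent and then contacts the mining pool named in the report's IOCs. The log format, the 30-minute window, the sample lines and every host name other than xmr.pool.minergate.com are assumptions constructed for this example.

```python
"""Correlate proxy-log events that match the HydroJiin chain:
a host fetching a Pastebin-hosted payload and then contacting a mining pool.
Log lines below are constructed for illustration, not taken from the report."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed CSV-like proxy log: timestamp,src_host,dest_host,dest_port,user_agent
SAMPLE_LOG = """\
2021-03-01T10:00:01,ws-17,pastebin.com,443,python-requests/2.25
2021-03-01T10:00:09,ws-17,xmr.pool.minergate.com,45700,-
2021-03-01T10:05:00,ws-22,pastebin.com,443,Mozilla/5.0
2021-03-01T12:30:00,ws-22,example.org,443,Mozilla/5.0
2021-03-01T13:00:00,ws-31,xmr.pool.minergate.com,45700,-
"""

# Pool host from the report's IOCs; extend with your own list (assumption).
MINING_POOLS = {"xmr.pool.minergate.com"}
PASTE_HOSTS = {"pastebin.com"}
WINDOW = timedelta(minutes=30)          # assumed correlation window
BROWSER_UA = re.compile(r"^Mozilla/")   # crude "looks like a browser" check


def parse(line):
    """Split one log line into (timestamp, src, dst, port, user_agent)."""
    ts, src, dst, port, ua = line.split(",", 4)
    return datetime.fromisoformat(ts), src, dst, int(port), ua


def detect(log_text):
    """Return {src_host: [reasons]} for hosts showing chain-like behaviour."""
    paste_hits = defaultdict(list)   # src -> timestamps of non-browser paste fetches
    findings = defaultdict(list)
    for line in log_text.splitlines():
        ts, src, dst, port, ua = parse(line)
        # Stage 1: a non-browser process pulling content from a paste site
        if dst in PASTE_HOSTS and not BROWSER_UA.match(ua):
            paste_hits[src].append(ts)
            findings[src].append(f"non-browser fetch from {dst} ({ua})")
        # Stage 2: mining-pool contact, rated higher if a paste fetch preceded it
        if dst in MINING_POOLS:
            recent = [t for t in paste_hits[src] if ts - t <= WINDOW]
            tag = "after paste fetch" if recent else "no prior paste fetch"
            findings[src].append(f"mining pool contact {dst}:{port} ({tag})")
    return dict(findings)
```

Browser traffic to Pastebin alone (ws-22) is not flagged; only the non-browser fetch followed by pool contact (ws-17) produces the full chain, while a bare pool contact (ws-31) is still reported for triage.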

Researchers believe that the campaign was initiated by an attacker using the aliases “Hydro” and “JiiN”. The attacker has been active on forums such as hackforums[.]net since 2010, and on YouTube since at least 2007. Initially the attacker was involved in game modding and cracking, and eventually moved into malware. Researchers assess with confidence that the attacker is from a French-speaking region.

Another alias used by the attacker is JiiN, who operates a malware store called JiiN shop at “xmr-services[.]com”. Based on these two aliases, the researchers named the actor HydroJiin.

HydroJiin has been in the malware business for some time. He not only sells a variety of malware, but also runs his own malicious activities. This attacker may not be considered very advanced, but he uses various tools, techniques, and methods to continuously increase the chances of successful attacks.

IOCs
