Research of this malware family began when I found a malicious task starting powershell code directly from a registry key within our user base. I wasn't expecting the surprise I'd arrived at when I began tracking its origins. Living in a smaller country, the Czech Republic, it is a rare sight to see someone exclusively targeting the local Czech/Slovak audience. The threat actor seems to have been creating malware since 2015 and appears to be from Slovakia. The bad actor's repertoire contains a few RATs, some packers for cryptominers and, almost obligatorily, ransomware; I have named the malware family Certishell.

This person's malware is spread with illegal copies of songs and movies and with alleged cracks and keygens of games and common tools (GTA SA, Mafia, Avast, Microsoft Office) that were hosted on uloz.to, one of the most popular Czech and Slovak file-sharing services.

The Certishell family can be split into three different parts:

- RAT with a C&C server sivpici.php5sk (Czech/Slovak slang for "you are fucked up"), which has AutoIT, C++ and Go versions.
- Miner downloaded from hacked websites and started with the script que.vbs from the task.
- Miner or ransomware downloaded from hacked websites and launched from a powershell command hidden in registry keys.

The command from the registry key is started with the task from the picture above.

The map above shows the risk ratio of users who were at risk of encountering one of the malware families (2015-2018).

The oldest part of the family is a simple RAT with sivpici.php5sk as the C&C server. The malware installer comes disguised as one of the following:

- Fraud apps, like SteamCDKeys, that share Steam keys.

It places all the needed files in the folder.
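The two task-based launch patterns described above (a scheduled task running a powershell command pulled from a registry value, and a task starting que.vbs through wscript) can be hunted for in process-creation telemetry. The script below is an added detection example, not code from the post or from the malware; the event field names, the parent-process list, the registry path and the file locations are all assumptions or constructed placeholders.

```python
import re

# Detection heuristics for the two task-based launch patterns described above:
#  (1) a scheduled task running a PowerShell one-liner that reads its payload
#      out of a registry value and evaluates it;
#  (2) a scheduled task running a VBScript (que.vbs) via wscript/cscript.
# Field names ("parent", "cmdline") mirror Sysmon event 1 / Security 4688 and
# are an assumption; adapt them to your log source.
PS_HOST  = re.compile(r"\b(powershell|pwsh)(\.exe)?\b", re.I)
REG_READ = re.compile(r"(Get-ItemProperty|\bgp\b|\breg(\.exe)?\s+query|Registry::|\bHK(LM|CU)\b)", re.I)
PS_EVAL  = re.compile(r"(\biex\b|Invoke-Expression|\[ScriptBlock\]::Create)", re.I)
VBS_HOST = re.compile(r"\b[wc]script(\.exe)?\b", re.I)
# Parents the Task Scheduler uses to start actions (svchost.exe hosts the
# Schedule service on current Windows; taskeng.exe on older releases).
TASK_PARENTS = ("svchost.exe", "taskeng.exe")

def classify(event):
    """Return the list of matched patterns for one process-creation event."""
    cmd = event["cmdline"]
    from_task = event["parent"].lower().endswith(TASK_PARENTS)
    hits = []
    if PS_HOST.search(cmd) and REG_READ.search(cmd) and PS_EVAL.search(cmd):
        hits.append("powershell-eval-from-registry")
    if VBS_HOST.search(cmd) and re.search(r"\.vbs\b", cmd, re.I) and from_task:
        hits.append("vbs-launched-from-task")
    return hits

def suspicious(events):
    """Reduce a batch of events to (cmdline, hits) for those matching a pattern."""
    return [(e["cmdline"], classify(e)) for e in events if classify(e)]

# Constructed sample events; the registry key and paths are placeholders.
EVENTS = [
    {"parent": r"C:\Windows\System32\svchost.exe",
     "cmdline": r'powershell.exe -w hidden -c "iex (gp HKCU:\Software\ExampleKey).Payload"'},
    {"parent": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"wscript.exe C:\Users\user\AppData\Roaming\example\que.vbs"},
    {"parent": r"C:\Windows\explorer.exe",
     "cmdline": r'powershell.exe -c "Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion"'},
    {"parent": r"C:\Windows\explorer.exe",
     "cmdline": r"wscript.exe C:\Scripts\logon.vbs"},
]

if __name__ == "__main__":
    for cmd, hits in suspicious(EVENTS):
        print(hits, cmd)
```

The third and fourth samples show the two false-positive guards: a registry read without an evaluation step, and a .vbs started by an interactive shell rather than by the Task Scheduler, are both left alone.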