[MART] - Daily Diary #446 - ‘xPack' The new backdoor malware

CTAS-MAT ctas-mat at appgate.com
Fri Feb 4 21:38:04 UTC 2022


Hello,
I hope everyone is doing well!

Below is the entry for today.

02/04/2022 - Diary entry #446

Disclosed in the past weeks, 'xPack' is a .NET backdoor that fetches and executes AES-encrypted payloads. Among xPack's capabilities, it can execute arbitrary commands and exfiltrate data from compromised systems.

xPack was found in attacks against financial organizations and manufacturing companies in Taiwan. Surprisingly, it went undetected on the network for more than 18 months. It is believed that the malware has been active since 2020.

After the system is compromised, the malware allows the adversaries to run WMI commands remotely, to leverage EternalBlue exploits, and to extract data from mounted shares over SMB.

When instantiated, xPack sends the attackers basic information about the compromised system, such as its configuration and running processes. The attackers then periodically connect to xPack to obtain credentials and other sensitive data.

Kind Regards,

