This analysis details a campaign involving two threat groups, UNC5518 and UNC5774, deploying the CORNFLAKE.V3 backdoor. UNC5518 compromises legitimate websites to serve fake CAPTCHA pages, luring visitors to execute a downloader script. UNC5774 then uses this access to deploy CORNFLAKE.V3, a sophisticated backdoor with variants in JavaScript and PHP. The malware collects system information, establishes persistence, and can execute various payloads including shell commands, executables, and DLLs. It communicates with command and control servers using HTTP and can abuse Cloudflare Tunnels for traffic proxying. The campaign also involves active directory reconnaissance and credential harvesting attempts via Kerberoasting. Author: AlienVault
Related Tags:
WINDYTWIST.SEA
CORNFLAKE.V3
T1552.006
node.js
clickfix
T1059.007
T1003.008
T1547.001
T1059.001
Associated Indicators:
905373A059AECAF7F48C1CE10FFBD5334457CA00F678747F19DB5EA7D256C236
14F9FBBF7E82888BDC9C314872BF0509835A464D1F03CD8E1A629D0C4D268B0C
000B24076CAE8DBB00B46BB59188A0DA5A940E325EAAC7D86854006EC071AC5B
6674D9F899D6E5762450380AA6C68BA20CF312D9
E033F9800A5BA44B23B3026CF1C38C72
290CD148ED2F4995F099B7370437509B
chcp.com
windows-msg-as.live
dnsmicrosoftds-data.com