A Cereal Offender: Analyzing the CORNFLAKE.V3 Backdoor

This analysis details a campaign in which two threat groups, UNC5518 and UNC5774, deploy the CORNFLAKE.V3 backdoor. UNC5518 compromises legitimate websites to serve fake CAPTCHA pages (the ClickFix lure) that trick visitors into running a downloader script. UNC5774 then uses that access to deploy CORNFLAKE.V3, a backdoor with JavaScript and PHP variants. The malware collects system information, establishes persistence, and can execute a range of payloads, including shell commands, executables and DLLs. It communicates with its command-and-control servers over HTTP and can abuse Cloudflare Tunnels to proxy that traffic. The campaign also involves Active Directory reconnaissance and credential-harvesting attempts via Kerberoasting. Author: AlienVault

Related Tags:
WINDYTWIST.SEA
CORNFLAKE.V3
T1552.006
node.js
clickfix
T1059.007
T1003.008
T1547.001
T1059.001

Associated Indicators:
14F9FBBF7E82888BDC9C314872BF0509835A464D1F03CD8E1A629D0C4D268B0C
000B24076CAE8DBB00B46BB59188A0DA5A940E325EAAC7D86854006EC071AC5B
290CD148ED2F4995F099B7370437509B
chcp.com
windows-msg-as.live
dnsmicrosoftds-data.com
http://dnsmicrosoftds-data.com/log/out
http://windows-msg-as.live/qwV1jxQ
177.136.225.135
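The indicators above are only useful once they are run against your own telemetry. The following is an added example, not code from the pulse or from the underlying report: a small Python hunter that takes the hashes, hosts, URLs and IP listed on this page and matches them against proxy, DNS, firewall and EDR log lines. The log lines embedded in the block are constructed for the example and are not from the campaign. Two design points are assumptions of the example rather than statements from the page: a domain indicator is treated as covering its subdomains (an attacker-controlled zone can serve any label), and `chcp.com`, which the page lists without a type and which is the name of a built-in Windows code-page utility, is matched only as a file/process-name token in command lines, never as a hostname, because matching it as a domain would produce no meaningful hits and matching it as a file name alone is a weak, context-dependent signal.

```python
"""Hunt the CORNFLAKE.V3 indicators listed on this page in log lines (added example)."""
import re
from collections import Counter

# Indicators exactly as listed on the page.
SHA256_IOCS = {
    "14F9FBBF7E82888BDC9C314872BF0509835A464D1F03CD8E1A629D0C4D268B0C",
    "000B24076CAE8DBB00B46BB59188A0DA5A940E325EAAC7D86854006EC071AC5B",
}
MD5_IOCS = {"290CD148ED2F4995F099B7370437509B"}
DOMAIN_IOCS = {"windows-msg-as.live", "dnsmicrosoftds-data.com"}
URL_IOCS = {
    "http://dnsmicrosoftds-data.com/log/out",
    "http://windows-msg-as.live/qwV1jxQ",
}
IP_IOCS = {"177.136.225.135"}
# Assumption of this example: chcp.com is a Windows utility name, so it is only
# matched as a file/process-name token, not as a host.
FILENAME_IOCS = {"chcp.com"}

HASH_RE = re.compile(r"\b[0-9a-fA-F]{32}\b|\b[0-9a-fA-F]{64}\b")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)

# Constructed sample telemetry (not from the report): proxy, DNS, EDR, firewall.
SAMPLE_LOGS = [
    "2025-08-19T10:02:11Z proxy src=10.1.4.22 method=GET url=http://windows-msg-as.live/qwV1jxQ status=200",
    "2025-08-19T10:02:09Z dns client=10.1.4.22 query=cdn.dnsmicrosoftds-data.com type=A",
    "2025-08-19T10:03:40Z edr host=WS-22 file=C:\\Users\\u\\AppData\\Roaming\\update.js "
    "md5=290cd148ed2f4995f099b7370437509b "
    "sha256=14f9fbbf7e82888bdc9c314872bf0509835a464d1f03cd8e1a629d0c4d268b0c",
    "2025-08-19T11:00:00Z proxy src=10.1.4.23 method=GET url=https://www.example.com/ status=200",
    "2025-08-19T10:05:00Z fw src=10.1.4.22 dst=177.136.225.135 dport=443 action=allow",
    '2025-08-19T10:03:45Z edr host=WS-22 proc=cmd.exe cmdline="chcp.com 65001"',
]


def domain_hit(host):
    """Return the IOC domain that `host` equals or is a subdomain of, else None."""
    host = host.lower().rstrip(".")
    for d in DOMAIN_IOCS:
        if host == d or host.endswith("." + d):
            return d
    return None


def match_line(line):
    """Return a sorted list of (ioc_type, ioc_value) pairs found in one log line."""
    hits = set()
    for h in HASH_RE.findall(line):          # hashes are case-insensitive
        hu = h.upper()
        if hu in SHA256_IOCS:
            hits.add(("sha256", hu))
        elif hu in MD5_IOCS:
            hits.add(("md5", hu))
    for url in URL_RE.findall(line):
        m = re.match(r"(https?)://([^/]+)(.*)", url.rstrip(".,;)"))
        if not m:
            continue
        # Normalize only scheme and host; the path is case-sensitive and kept as-is.
        norm = m.group(1).lower() + "://" + m.group(2).lower() + m.group(3)
        if norm in URL_IOCS:
            hits.add(("url", norm))
    for ip in IP_RE.findall(line):
        if ip in IP_IOCS:
            hits.add(("ip", ip))
    for host in HOST_RE.findall(line):       # also catches the host inside a URL
        d = domain_hit(host)
        if d:
            hits.add(("domain", d))
    for name in FILENAME_IOCS:
        if re.search(r"(?<![\w.-])" + re.escape(name) + r"(?![\w-])", line, re.I):
            hits.add(("file", name))
    return sorted(hits)


def hunt(lines):
    """Match every line; return per-line hits and a count of hits by indicator type."""
    per_line = [(i, match_line(ln)) for i, ln in enumerate(lines)]
    by_type = Counter(t for _, hs in per_line for t, _ in hs)
    return {"hits": [(i, hs) for i, hs in per_line if hs], "by_type": by_type}


if __name__ == "__main__":
    result = hunt(SAMPLE_LOGS)
    for idx, hs in result["hits"]:
        print(f"line {idx}: {hs}")
    print(dict(result["by_type"]))
```

In practice the domain and URL matches are the high-confidence signals; a hit on `chcp.com` by itself should only raise the priority of a host that already has a network or hash hit, which is why `hunt` reports per-line hits rather than a single verdict.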