A malicious campaign targeting residents of the Middle East and North Africa has been discovered, active since September 2024. The attackers create fake news groups on social media and publish posts with links to file-sharing services or Telegram channels containing modified AsyncRAT malware. The malware is designed to search for crypto wallets and interact with a Telegram bot. The most targeted countries include Egypt, Libya, UAE, Russia, Saudi Arabia, and Turkey. The attack chain involves multiple stages, including the use of PowerShell scripts and a reflective loader written in C#. The AsyncRAT modification includes an offline keylogger and collects information about crypto wallet extensions and software. The campaign has affected approximately 900 victims from various countries, including employees of companies in the oil extraction, construction, IT, and agriculture sectors.
Author: AlienVault
Related Tags:
T1102.002
T1059.005
Libya
T1059.007
T1132.001
T1056.001
Agriculture
Egypt
Construction
Associated Indicators:
E03B8FC93F8A7366ADF3DCC482147F6FED1C4BB3
7E3D8F52EAF5B17693A0CA98FA837D3349A35A4F
5C7903EBE2CB97475E5505A3116464423C614706
246E5DBB718AFDD6BE95FDA076724BCDCA484E1D
3ACE4C356FD2A7D359E59263D81DE9A138DA3EEB
755649612FB6B8D31165DD729D6044E62A5A2C99
30FD61EC57DEC347989030CAAF0EC6E0
A7F582C808F39659A53FEECEF6C3EBFE
1946B638E4E2C0F5FDC371A9E9C01BC1