May 28, 2023

A threat actor has been observed using a complex and powerful malware loader dubbed Verblecon with the ultimate goal of deploying cryptocurrency miners on compromised systems and potentially facilitating the theft of Discord tokens.

"Evidence shows that the attacker's goal was to install cryptocurrency mining software on the victims' machines," said researchers from the Symantec Threat Hunter team.


There are also indications that the attacker may be stealing Discord tokens and using these to advertise Trojanized videogame applications.

This would appear to be a relatively low reward goal for the attacker, given the level of effort that would have been required to develop this sophisticated malware.

Verblecon was first detected about a year earlier. Its payload incorporates polymorphic qualities, changing its form from sample to sample to evade signature-based detection by security software.

The loader performs anti-analysis checks to determine whether it is being debugged or run in a virtual or sandboxed environment. Only then does it copy itself to the machine and connect to a remote server to retrieve an encrypted blob containing a URL, which is in turn used to fetch the cryptocurrency miner payload.


In the hands of more sophisticated threat actors, a loader of this quality could be used for far more serious attacks, including ransomware and espionage campaigns.

Indicators of Compromise

  • 32a9415daa7f37a93dd0b347461844673c0f5baf0c15c01ee48b147dadf28299
  • 3688c249774cc9a28d2b9b316921cec842bb087c57f4733cf5866226fbe2aeed
  • 5a4f6332ad08b35c055bb5e6dfddc79d2f7905e63fac7595efbedd0b27f12eb8
  • 007f5898c52c3aa1c3dca6d3a30f28f5f72d9789fbb440ae656d88959f68e53e
  • f3f4af5f5eae1a28ad5a01b56d71302a265bce17d2c87ce731edf440612818a6
  • hxxp://verble[.]software/styles.jar
  • hxxps://jonathanhardwick[.]me/hardwick.jar
  • hxxps://jonathanhardwick[.]me/hardwick.bin
  • hxxps://jonathanhardwick[.]me/config.txt
  • hxxp://test.verble[.]rocks/dorflersaladreviews.jar
  • hxxp://test.verble[.]rocks/dorflersaladreviews.bin
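The indicators above are published in defanged form (hxxp, [.]), so they cannot be matched against real logs as written. The script below is an added hunting example, not part of the original article or Symantec's research: it refangs the listed URLs, separates them from the SHA-256 hashes, and runs both sets over a constructed proxy log and a constructed file-hash manifest. The log format, file paths and the non-IoC hashes are assumptions made for the example; a domain-level match (any host under verble[.]rocks, say) is reported separately from an exact URL match because the loader fetches its second stage from a URL delivered at runtime, which may differ from the ones listed here.

```python
import re
from urllib.parse import urlparse

# IoCs exactly as published above, in defanged form.
VERBLECON_IOCS = [
    "32a9415daa7f37a93dd0b347461844673c0f5baf0c15c01ee48b147dadf28299",
    "3688c249774cc9a28d2b9b316921cec842bb087c57f4733cf5866226fbe2aeed",
    "5a4f6332ad08b35c055bb5e6dfddc79d2f7905e63fac7595efbedd0b27f12eb8",
    "007f5898c52c3aa1c3dca6d3a30f28f5f72d9789fbb440ae656d88959f68e53e",
    "f3f4af5f5eae1a28ad5a01b56d71302a265bce17d2c87ce731edf440612818a6",
    "hxxp://verble[.]software/styles.jar",
    "hxxps://jonathanhardwick[.]me/hardwick.jar",
    "hxxps://jonathanhardwick[.]me/hardwick.bin",
    "hxxps://jonathanhardwick[.]me/config.txt",
    "hxxp://test.verble[.]rocks/dorflersaladreviews.jar",
    "hxxp://test.verble[.]rocks/dorflersaladreviews.bin",
]

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


def refang(ioc):
    """Turn a defanged URL (hxxp, [.]) back into a matchable URL."""
    return ioc.replace("hxxp", "http").replace("[.]", ".")


def split_iocs(iocs):
    """Separate SHA-256 hashes from URLs; URLs are refanged and lowercased."""
    hashes, urls = set(), set()
    for ioc in iocs:
        ioc = ioc.strip().lower()
        if SHA256_RE.match(ioc):
            hashes.add(ioc)
        else:
            urls.add(refang(ioc))
    return hashes, urls


def hosts_from_urls(urls):
    return {urlparse(u).hostname for u in urls}


def registered_domain(host):
    """Naive eTLD+1: last two labels (assumption; fine for the domains above)."""
    return ".".join(host.rsplit(".", 2)[-2:])


def scan_proxy_log(log_text, urls, hosts):
    """Return (line_no, match_kind, matched_value) for each suspicious request.

    Assumed log format: '<epoch> <client_ip> <method> <url> <status>'.
    """
    ioc_domains = {registered_domain(h) for h in hosts}
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        parts = line.split()
        if len(parts) < 4:
            continue
        url = parts[3].lower()
        host = urlparse(url).hostname or ""
        if url in urls:
            hits.append((n, "exact_url", url))
        elif host in hosts:
            hits.append((n, "host", host))
        elif host and registered_domain(host) in ioc_domains:
            hits.append((n, "domain", host))
    return hits


def scan_hashes(manifest, hashes):
    """Return {path: sha256} for files whose hash is a published IoC."""
    return {p: h for p, h in manifest.items() if h.lower() in hashes}


# Constructed sample data for the example (not real telemetry).
PROXY_LOG = """\
1685260000.123 10.0.0.12 GET http://example.com/index.html 200
1685260010.456 10.0.0.12 GET http://verble.software/styles.jar 200
1685260020.789 10.0.0.33 GET https://cdn.example.net/app.js 304
1685260030.001 10.0.0.33 GET http://dl.verble.rocks/update.bin 200
1685260040.222 10.0.0.45 GET https://jonathanhardwick.me/config.txt 200
"""

FILE_HASHES = {
    "C:\\Users\\a\\AppData\\Local\\Temp\\styles.jar":
        "32a9415daa7f37a93dd0b347461844673c0f5baf0c15c01ee48b147dadf28299",
    # SHA-256 of an empty file, used here as a benign placeholder.
    "C:\\Program Files\\App\\app.exe":
        "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
}

if __name__ == "__main__":
    hashes, urls = split_iocs(VERBLECON_IOCS)
    for hit in scan_proxy_log(PROXY_LOG, urls, hosts_from_urls(urls)):
        print("proxy hit:", hit)
    for path, digest in scan_hashes(FILE_HASHES, hashes).items():
        print("hash hit:", path, digest)
```

Run against the constructed data, this flags the two exact URL fetches, the hash hit on the dropped styles.jar, and the request to dl.verble.rocks as a domain-level match that a hash- or URL-only check would miss. Hashes alone are a weak signal for a polymorphic payload, so the domain matches are the ones worth keeping in a long-lived detection.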
