📃Title: Inside a Malware Campaign: A Nigerian Hacker’s Perspective
📅Date: 2025-02-14
🔗References:
Description
This analysis provides an in-depth look at a Nigerian cybercriminal's malware campaign, from target harvesting to data exfiltration. The actor begins by harvesting email addresses through Google dorking, targeting specific industries and regions. They then configure the email campaign using spoofed sender domains and bulletproof hosting, use ChatGPT to craft convincing phishing lures, and send the messages with Gammadyne Mailer. The campaign sent nearly 6,000 emails in 30 minutes and compromised several victims. The malware, identified as XLogger, is delivered as a RAR attachment containing an executable. When the executable is run, it launches a PowerShell script that decrypts the payload, injects it into a Windows service, and exfiltrates the stolen data to a Telegram channel. This view of the actor's methodology highlights the ongoing challenge posed by commodity phishing and infostealer campaigns and the need for better user awareness and technical countermeasures.
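The infection chain described above (archive-dropped executable, PowerShell decryption stage, exfiltration to Telegram) maps onto endpoint telemetry well enough to correlate. The following is an added detection example and is not code from the original analysis or from the actor; it runs over constructed, Sysmon-shaped sample events (field names, process IDs and the WinRAR "Rar$" temporary-extraction path are assumptions, and api.telegram.org is used as the Telegram Bot API host) and reports a host only when at least two of the three stages occur inside one time window.

```python
"""Correlate endpoint events against a RAR -> EXE -> PowerShell -> Telegram chain."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs). Shapes loosely follow Sysmon
# process-create, DNS-query and network-connect events.
SAMPLE_EVENTS = [
    {"ts": "2025-02-14T09:00:00", "host": "WS01", "type": "process", "pid": 4100, "ppid": 3900,
     "image": r"C:\Users\ana\AppData\Local\Temp\Rar$EXa0.123\Invoice_Feb.exe",
     "parent_image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "cmdline": r"C:\Users\ana\AppData\Local\Temp\Rar$EXa0.123\Invoice_Feb.exe"},
    {"ts": "2025-02-14T09:00:02", "host": "WS01", "type": "process", "pid": 4120, "ppid": 4100,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Users\ana\AppData\Local\Temp\Rar$EXa0.123\Invoice_Feb.exe",
     "cmdline": "powershell.exe -w hidden -ep bypass -c \"$k=[Convert]::FromBase64String('QUJDRA==');"
                "$a=New-Object System.Security.Cryptography.AesManaged\""},
    {"ts": "2025-02-14T09:00:09", "host": "WS01", "type": "dns", "pid": 1240,
     "image": r"C:\Windows\System32\svchost.exe", "query": "api.telegram.org"},
    {"ts": "2025-02-14T09:00:10", "host": "WS01", "type": "network", "pid": 1240,
     "image": r"C:\Windows\System32\svchost.exe", "dest_host": "api.telegram.org", "dest_port": 443},
    # Benign noise on a second host: an admin runs an encoded script and a browser talks to Telegram.
    {"ts": "2025-02-14T09:05:00", "host": "WS02", "type": "process", "pid": 500, "ppid": 400,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": "powershell.exe -enc SQBFAFgA"},
    {"ts": "2025-02-14T09:05:30", "host": "WS02", "type": "network", "pid": 600,
     "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dest_host": "api.telegram.org", "dest_port": 443},
]

# Assumption: WinRAR extracts double-clicked members into a %TEMP%\Rar$... folder.
ARCHIVE_TEMP = re.compile(r"\\Temp\\Rar\$", re.IGNORECASE)
ARCHIVERS = ("winrar.exe", "7zfm.exe", "7zg.exe")
# Heuristic substrings for a PowerShell stage that decodes/decrypts an embedded payload.
PS_DECRYPT_HINTS = ("frombase64string", "aesmanaged", "aescryptoserviceprovider",
                    "createdecryptor", "-enc", "invoke-expression", " iex")
# Processes for which traffic to the Telegram API is expected and not flagged.
BROWSERS = ("chrome.exe", "firefox.exe", "msedge.exe", "telegram.exe")


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def is_archive_dropped_exe(ev):
    """Stage 1: an executable started from an archive temp dir or by an archiver."""
    return (ev["type"] == "process" and ev["image"].lower().endswith(".exe")
            and (ARCHIVE_TEMP.search(ev["image"]) is not None
                 or basename(ev.get("parent_image", "")) in ARCHIVERS))


def is_decrypting_powershell(ev):
    """Stage 2: PowerShell whose command line looks like a decode/decrypt loader."""
    if ev["type"] != "process" or basename(ev["image"]) not in ("powershell.exe", "pwsh.exe"):
        return False
    cmd = ev.get("cmdline", "").lower()
    return any(hint in cmd for hint in PS_DECRYPT_HINTS)


def is_telegram_beacon(ev):
    """Stage 3: DNS or network activity to the Telegram Bot API from a non-browser process."""
    target = (ev.get("dest_host") or ev.get("query") or "").lower()
    if ev["type"] not in ("network", "dns") or not target.endswith("api.telegram.org"):
        return False
    return basename(ev["image"]) not in BROWSERS


def stage_of(ev):
    if is_archive_dropped_exe(ev):
        return 1
    if is_decrypting_powershell(ev):
        return 2
    if is_telegram_beacon(ev):
        return 3
    return None


def detect(events, window=timedelta(minutes=10), min_stages=2):
    """Return one finding per host whose events hit >= min_stages distinct stages in a window."""
    by_host = defaultdict(list)
    for ev in events:
        stage = stage_of(ev)
        if stage is not None:
            by_host[ev["host"]].append((datetime.fromisoformat(ev["ts"]), stage, ev))
    findings = []
    for host, hits in by_host.items():
        hits.sort(key=lambda h: h[0])
        best = None
        for i, (t0, _, _) in enumerate(hits):
            in_window = [h for h in hits[i:] if h[0] - t0 <= window]
            stages = {s for _, s, _ in in_window}
            if len(stages) < min_stages or (best and len(stages) <= len(best["stages"])):
                continue
            stage1_pids = {e["pid"] for _, s, e in in_window if s == 1}
            best = {
                "host": host,
                "first_seen": t0.isoformat(),
                "stages": sorted(stages),
                # True when the PowerShell stage is a direct child of the dropped executable.
                "linked_lineage": any(s == 2 and e.get("ppid") in stage1_pids for _, s, e in in_window),
                "processes": sorted({basename(e["image"]) for _, _, e in in_window}),
            }
        if best:
            findings.append(best)
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

The Telegram stage is deliberately not tied to the process lineage: the description says the decrypted payload is injected into a Windows service, so the beacon will come from a process that is not a child of the dropper, which is why the correlation is by host and time window rather than by parent PID. The `linked_lineage` flag still records whether the PowerShell stage was spawned directly by the archive-dropped executable, which raises confidence when present.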
🔖Rectifyq Taxonomies:
- relevancy: 🔵 Potentially Relevant
- category: ⚔Threat
- sub-category: leak-infostealer
- target: broad-based
- MY-relevancy: potentially-relevant
🔖MISP Galaxies:
- target-information="China"
- target-information="Malaysia"
- country="nigeria"
- mitre-attack-pattern=['T1140', 'T1055', 'T1204', 'T1059.001', 'T1566', 'T1078', 'T1573', 'T1102.002', 'T1598', 'T1569.002']
MISP event uuid: 0d554823-c011-4abf-95ce-69d1449a2ff8
Indicator of Compromise (IoCs)
type,value,comment
domain,biz-abc.fit,''
Full IOCs available in Rectifyq's MISP