MOONSHINE Exploit Kit and DarkNimbus Backdoor Enabling Earth Minotaur's Multi-Platform Attacks
======================================================================================================

Indicators of Compromise
======================================================================================================

File
------------------------------------------------------------------------------------------------------

| SHA256 | Description |
|---|---|
| 07bae9dd9dade31f9df6806ecc7cb430535af674f39a549e875f6efbc429cdb3 | DarkNimbus.android |
| 1b6345d855db824e594f28e86e5abb04e0478923e51a3718cff80c42190cff6c | DarkNimbus.android |
| 1e2afa69b7ba2a4baf20f3345c7f2fe59077df37cd27f37eddb1568196194706 | DarkNimbus.android |
| 1eaeb4558d5c4c67723c90f840b6f137517f4479e9fe8e1e874b18e9da754d4b | DarkNimbus.android |
| 5af767c90035a88d9a4d329c24631de21ba0a9481e0e540e058c9cfa4709a7a2 | DarkNimbus.android |
| 5c9f525cd60132fa2960953d7a4ba18b1858116c239882554b0d5d43d704fc85 | DarkNimbus.android |
| 76c8f1df9461a3258acca6c5dc7962f4f5a34f09a5c7cb9bb58eae5ded240f06 | DarkNimbus.android |
| b5040d7ca5e9cdc331cc3fb9abed492be95ad872eb95176ac5bc3def169191e5 | DarkNimbus.android |
| b7f7de46f041d8115aeff221934c869fa6f0b449b95e0c6c181de75a3f517407 | DarkNimbus.android |
| b83492550bc9aaa0f6e8a669ac1349db59671e2874f4dafa0292c91b68dc2a41 | DarkNimbus.android |
| b9a646d39a15f76bb1cd3efd4bef67f31504e25c9ad364f0c4cc3886f2278b0e | DarkNimbus.android |
| c5a06ffdf20b39c4555b37dec5e3075c16bd8ffb9bde4c87bd05243df53df064 | DarkNimbus.android |
| d65ad9c034cdd188dd566bea220ed07c1ed5d0dd2ac61897c82589efac9e75c5 | DarkNimbus.android |
| e9664ad0272bc1b5e0d271dc3a28ef32cbdd0a790a1f5fe26ba4e1904cccbfdc | DarkNimbus.android |
| f0b7f4a0e37708e4c767d529cbe35834ee3cff2b00a0c70d080d7f82924ad7ed | DarkNimbus.android |
| 09de7f15b1fca9cf586294ced2217a29611f0d34d41622f46d89ea4e3cd63a2e | DarkNimbus.windows |
| 11d760f84bea10155cf16b8f3620914a818307f9ece614069509494914a8f8a2 | DarkNimbus.windows |
| 154182453f425512010c68f351e09d3debd2f79b12f064b780c3d37809110fab | DarkNimbus.windows |
| 1b9ff9743b8aa4f9d3e151c5ab870137fe175240ce853c72a2dffea1a1172487 | DarkNimbus.windows |
| 1defb8f7166f604640da5f2a913d69dd8c6ae14ea0bfe3cdfc1f1afcf96837cb | DarkNimbus.windows |
| 1f46a13af9ddc66a900fe2e9d717ca58ffd47c215741bca6fb5f3840f1bd9080 | DarkNimbus.windows |
| 23ded8dd012bf6d51eda101abc85683759b1b5af9ea94cb54cfcc1a0da53642e | DarkNimbus.windows |
| 405c1bd8e829486625c9e5f5acf2a18fb17abe375ae87803e34aaae91646770e | DarkNimbus.windows |
| 4f51eb7829b97d4a5ba5cdc9d909f484a0e412340fc68d3cad0e1f2e8972640d | DarkNimbus.windows |
| 532b3a47e15c45a113c3b219d0d66a18dcbf20c81de3b56f4bb71f7544de2699 | DarkNimbus.windows |
| 7ee53cc01e039e7c7584ea3fe4274292a58957acce61227394889e84b1f7879e | DarkNimbus.windows |
| 93dff9eff6a839f7202c109e34484bee5ed2430076ee4ac7e1d8f3d9479e243d | DarkNimbus.windows |
| 95da35098d6167c23bdb1901024614d3658fa78b34ae11612ec7abdfd92c92a0 | DarkNimbus.windows |
| ba5b80ac52892d4a3d1b187be2e4cd6195e4bfae1eae4d1c59daffb072ec8dd5 | DarkNimbus.windows |
| e43b1396419d1954a9911fba1ebec3eb24b27c3b461394b678f89848981f5f8d | DarkNimbus.windows |
| e7309efe719765fdc47f0bbf446a310d1a80a5cdadaced68054b3136b6776667 | DarkNimbus.windows |
| 8510fc293227ea7b7d4b20073302e015b616aa8af90d30549b5b118034036111 | SFX archive dropping Shadowpad and DarkNimbus |
| c59509018bbbe5482452a205513a2eb5d86004369309818ece7eba7a462ef854 | Shadowpad loading 4f51eb7829b97d4a5ba5cdc9d909f484a0e412340fc68d3cad0e1f2e8972640d (DarkNimbus.windows) |
| 244e22147cc1e37543159a95cf4674a61f290af305c1c1e37b69c45b444f9097 | Shadowpad loader (similar encryption as c59509018bbbe5482452a205513a2eb5d86004369309818ece7eba7a462ef854) |
| 2e6ef72d05b395224a03a73a50eaee1c9dc682976c99dde5317b76938cb669a4 | Shadowpad loader (similar encryption as c59509018bbbe5482452a205513a2eb5d86004369309818ece7eba7a462ef854) |
| 73bb7e7d0743d40a1d967497a5fbb79c07132eb15a546fa25bbecaf43993a1d2 | Shadowpad loader (similar encryption as c59509018bbbe5482452a205513a2eb5d86004369309818ece7eba7a462ef854) |
| 08d6bfe8a1ff1043df4aebfbb7d074de0923a665a7e8134fd702ee45454304f5 | Shadowpad loader (similar encryption as c59509018bbbe5482452a205513a2eb5d86004369309818ece7eba7a462ef854) |
| bdd760d3a8fbff322adad4a9d903daae9544e3c73264650bf60b3fa9a69ac425 | Shadowpad loader (similar encryption as c59509018bbbe5482452a205513a2eb5d86004369309818ece7eba7a462ef854) |
| 61b24ff38bfdeb7b9f1716ee22535dccf1add5b19095a8f8b227a67270b279b2 | Shadowpad loader (same C&C as c59509018bbbe5482452a205513a2eb5d86004369309818ece7eba7a462ef854 and similar encryption as fc117650688065deeb54e686f873359c2a56d23165567ab3f2a3b62498199fa9, listed in ESET blog) |

Network
------------------------------------------------------------------------------------------------------

| Type | Indicator | Description |
|---|---|---|
| IP address | 27.124.20[.]22 | DarkNimbus C&C |
| IP address | 47.93.54[.]134 | DarkNimbus C&C |
| IP address | 60.205.148[.]180 | DarkNimbus C&C |
| IP address | 218.89.135[.]219 | DarkNimbus C&C |
| IP address | 117.175.185[.]81:8001 | DarkNimbus C&C |
| IP address | 125.65.40[.]163:46991 | Shadowpad C&C (Shadowpad loading DarkNimbus) |
| IP address | 103.255.179[.]186:{53,80,443} | Shadowpad C&C (Shadowpad with similar encryption algorithm) |
| IP address | 154.202.198[.]246:443 | Shadowpad C&C (Shadowpad with similar encryption algorithm) |
| IP address | 112.121.178[.]90:44444 | Shadowpad C&C (Shadowpad with similar encryption algorithm) |
| Domain | ansec[.]com | DarkNimbus C&C |
| Domain | www[.]cloudvn[.]info | Shadowpad C&C (Shadowpad with similar encryption algorithm) |
| Domain | news[.]tibetonline[.]info | Shadowpad C&C (Shadowpad with similar encryption algorithm) |
| Domain | like[.]wechatpictureupload[.]com | MOONSHINE exploit kit |
| Domain | barginshowless[.]garddenshcok[.]com | MOONSHINE exploit kit |
| Domain | formaldense[.]weixinpicture[.]com | MOONSHINE exploit kit |
| Domain | newsdomain[.]net | MOONSHINE exploit kit |
| Domain | www[.]vikingshielder[.]com | MOONSHINE exploit kit |
| Domain | server[.]img-bing[.]com | MOONSHINE exploit kit |
| Domain | www[.]wetransfering[.]com | MOONSHINE exploit kit |
| Domain | www[.]leadtochanges[.]com | MOONSHINE exploit kit |
| Domain | whsdwxs[.]com | MOONSHINE exploit kit |
| Domain | qqmailpls[.]com | MOONSHINE exploit kit |
| Domain | ammffggo[.]com | MOONSHINE exploit kit |
| Domain | dash[.]gztesttaac[.]com | MOONSHINE exploit kit |
| Domain | dash[.]nortonet[.]com | MOONSHINE exploit kit |
| Domain | www[.]nortonet[.]com | MOONSHINE exploit kit |
| Domain | www[.]tegacklephys[.]com | MOONSHINE exploit kit |
| Domain | www[.]esetinc[.]com | MOONSHINE exploit kit |
| Domain | www[.]mcofea[.]com | MOONSHINE exploit kit |
| Domain | magt1[.]xyz | MOONSHINE exploit kit |
| Domain | renp7[.]xyz | MOONSHINE exploit kit |
| Domain | www[.]yb425ty[.]xyz | MOONSHINE exploit kit |
| Domain | www[.]qqnmqciug[.]com | MOONSHINE exploit kit |
| Domain | bstram[.]com | MOONSHINE exploit kit |
| Domain | acd[.]1yxqwzx2[.]com | MOONSHINE exploit kit |
| Domain | www[.]onlinewechat[.]com | MOONSHINE exploit kit |
| Domain | www[.]onlineweixin[.]net | MOONSHINE exploit kit |
| Domain | www[.]onlinewxapp[.]net | MOONSHINE exploit kit |
| Domain | wkcxpb[.]xyz | MOONSHINE exploit kit |
| Domain | info[.]symantke[.]com | MOONSHINE exploit kit |
| Domain | api1-meta[.]com | MOONSHINE exploit kit |
| Domain | www[.]online-wechat[.]com | MOONSHINE exploit kit |
| Domain | www[.]wechatimghs[.]com | MOONSHINE exploit kit |
| Domain | vsa[.]ahamar[.]com | MOONSHINE exploit kit |
| Domain | www[.]lodepot[.]com | MOONSHINE exploit kit |
| Domain | www[.]unusualtransaction[.]com | MOONSHINE exploit kit |
| Domain | m[.]leak-news[.]com | MOONSHINE exploit kit |
| Domain | www[.]internetweixin[.]com | MOONSHINE exploit kit |
| Domain | static[.]chatonlineapp[.]com | MOONSHINE exploit kit |
| Domain | gates[.]chatonlineapp[.]com | MOONSHINE exploit kit |
| Domain | www[.]weetogether[.]top | MOONSHINE exploit kit |
| Domain | wechatnets[.]com | MOONSHINE exploit kit |
| Domain | www[.]newwechat[.]com | MOONSHINE exploit kit |
| Domain | www[.]serverwechat[.]com | MOONSHINE exploit kit |
| Domain | www[.]txwect[.]com | MOONSHINE exploit kit |