Today in our section on "unconventional delivery": archives! 📦
ARJ (Archived by Robert Jung) has been around since the MS-DOS days and is occasionally used to deliver e.g. , or

You can recognize ARJ archives by their magic bytes: 60 EA
Extraction can be handled with 7-Zip, for example.
For more information on the file format check out Ange Albertini's excellent graphic representation: twitter.com/angealbertini/stat

As an example, we dug up a sample from last year where the delivery chain looked like this: ARJ --> RAR --> EXE
To fool the victims into opening the next file, they used the common double-extension trick, e.g. .pdf.exe
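A small triage helper, added here as an example and not part of the original post: it checks attachments for the ARJ magic bytes (60 EA) given above and flags lure names that use the double-extension trick. The RAR and MZ signatures and the sample filenames are assumptions added to cover the whole ARJ --> RAR --> EXE chain; the sample files are constructed, not the real ones.

```python
# Added example (not from the original post): flag ARJ attachments by their
# magic bytes and lure filenames by the double-extension trick (e.g. ".PDF.exe").
from pathlib import PurePath
from typing import Optional

MAGIC = {
    b"\x60\xea": "arj",               # ARJ header id, as given in the post
    b"Rar!\x1a\x07\x00": "rar",       # RAR 4.x signature (general knowledge)
    b"Rar!\x1a\x07\x01\x00": "rar5",  # RAR 5.x signature (general knowledge)
    b"MZ": "exe",                     # DOS/PE executable
}

# Extensions that mean "run me" or "unpack me" when they are the real, final
# extension; the benign-looking decoy extension sits right in front of them.
RISKY_FINAL_EXT = {".exe", ".scr", ".arj", ".rar", ".zip"}

def identify_magic(data: bytes) -> Optional[str]:
    """Return the container type suggested by the leading bytes, else None."""
    for sig, kind in MAGIC.items():
        if data.startswith(sig):
            return kind
    return None

def double_extension(name: str) -> bool:
    """True for names like 'invoice.pdf.exe' (case-insensitive, so '.PDF.exe'
    is caught as well)."""
    suffixes = [s.lower() for s in PurePath(name).suffixes]
    return len(suffixes) >= 2 and suffixes[-1] in RISKY_FINAL_EXT

def triage(name: str, data: bytes) -> list:
    """Collect findings for one attachment; an empty list means nothing seen."""
    findings = []
    kind = identify_magic(data)
    if kind:
        findings.append(f"magic:{kind}")
    if double_extension(name):
        findings.append("double-extension")
    # Extension claims one thing, magic says another: worth a closer look.
    if kind and not name.lower().endswith("." + kind.rstrip("5")):
        findings.append("extension-mismatch")
    return findings

# Constructed samples modelled on the post's delivery chain (not real files).
SAMPLES = {
    "PO_Payment for invoice.eml.arj": b"\x60\xea" + b"\x00" * 30,
    "SHIPPING_DL-PL-EXPRESS_EXPORT.PDF.exe": b"MZ" + b"\x90" * 30,
    "quote.pdf": b"MZ" + b"\x90" * 30,
    "report.pdf": b"%PDF-1.7\n",
}

if __name__ == "__main__":
    for fname, blob in SAMPLES.items():
        print(fname, "->", triage(fname, blob) or "clean")
```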

IoC for those playing along at home:

PO_Payment for invoice[...].eml.arj
d0c8824d1e19ca1af0b88a477fa4cad6

SHIPPING_DL-PL-EXPRESS_EXPORT.PDF.exe
88bdf4f8fe035276da984c370e4cda2c

#malware #arj #agenttesla #formbook #GuLoader #lokibot #doubleextension #infosec #cybersecurity #blueteam
