Trusted Design

#1020 Dissecting the Malware Involved in the INOCNATION Campaign

概要

Last month, CrowdStrike published a blog on malware campaigns attributed to Sakula. We took a look at the malware specifically in the INOCNATION campaign to analyze what was new and different about the techniques used by the threat actor. It appears the entity behind this campaign took steps to make reverse engineering more difficult and chose the use of Cisco’s AnyConnect Client as a lure to trick victims into installing the malware. The RAT delivered by this campaign was not particularly interesting and had all the features you would expect in such a tool. The use of the obfuscation techniques was novel and this advisory discusses those in detail, along with how we detected them.

Created: 2026-02-23

Indicators

類似Pulses

Sakula Malware Family (score: 0.66)
Sakula Reloaded (score: 0.64)
Evasive Maneuvers by Wekby with Rop-packing, DNS Covert Channels (score: 0.62)
Spam Campaign Distributes AdWind RAT (score: 0.61)
Korplug RAT used to attack Vietnamese institutions (score: 0.61)

このPulseに関連する脅威アクター (事実ベース)

Mustard Tempest

Score: 4.54

Matched TTPs:

T1682 - Query Public AI Services

MITREへのリンク →

Kimsuky

Score: 7.83

Matched TTPs:

T1606.002 - SAML Tokens
T1140 - Deobfuscate/Decode Files or Information
T1547.002 - Authentication Package
T1601.001 - Patch System Image

MITREへのリンク →

FIN13

Score: 3.57

Matched TTPs:

T1606.002 - SAML Tokens
T1140 - Deobfuscate/Decode Files or Information

MITREへのリンク →

Moonstone Sleet

Score: 8.31

Matched TTPs:

T1606.002 - SAML Tokens
T1491 - Defacement
T1573 - Encrypted Channel

MITREへのリンク →

Lazarus Group

Score: 12.71

Matched TTPs:

T1606.002 - SAML Tokens
T1547.002 - Authentication Package
T1218.010 - Regsvr32
T1055.005 - Thread Local Storage
T1578.001 - Create Snapshot

MITREへのリンク →

Contagious Interview

Score: 8.09

Matched TTPs:

T1606.002 - SAML Tokens
T1021.006 - Windows Remote Management
T1601.001 - Patch System Image

MITREへのリンク →

OilRig

Score: 15.12

Matched TTPs:

T1606.002 - SAML Tokens
T1005 - Data from Local System
T1059.004 - Unix Shell
T1218.010 - Regsvr32
T1592.002 - Software

MITREへのリンク →

UNC3886

Score: 14.94

Matched TTPs:

T1606.002 - SAML Tokens
T1140 - Deobfuscate/Decode Files or Information
T1021.006 - Windows Remote Management
T1059.004 - Unix Shell
T1218.010 - Regsvr32
T1578.001 - Create Snapshot

MITREへのリンク →

Sandworm Team

Score: 23.56

Matched TTPs:

T1606.002 - SAML Tokens
T1005 - Data from Local System
T1140 - Deobfuscate/Decode Files or Information
T1049 - System Network Connections Discovery
T1187 - Forced Authentication
T1573 - Encrypted Channel
T1547.002 - Authentication Package
T1218.010 - Regsvr32
T1601.001 - Patch System Image

MITREへのリンク →

Salt Typhoon

Score: 3.57

Matched TTPs:

T1606.002 - SAML Tokens
T1140 - Deobfuscate/Decode Files or Information

MITREへのリンク →

APT29

Score: 5.06

Matched TTPs:

T1606.002 - SAML Tokens
T1140 - Deobfuscate/Decode Files or Information
T1218.010 - Regsvr32

MITREへのリンク →

Play

Score: 5.43

Matched TTPs:

T1606.002 - SAML Tokens
T1140 - Deobfuscate/Decode Files or Information
T1601.001 - Patch System Image

MITREへのリンク →

Aoqin Dragon

Score: 3.59

Matched TTPs:

T1606.002 - SAML Tokens
T1218.010 - Regsvr32

MITREへのリンク →

Moses Staff

Score: 3.57

Matched TTPs:

T1606.002 - SAML Tokens
T1140 - Deobfuscate/Decode Files or Information

MITREへのリンク →

Turla

Score: 12.10

Matched TTPs:

T1606.002 - SAML Tokens
T1059.004 - Unix Shell
T1547.002 - Authentication Package
T1601.001 - Patch System Image
T1578.001 - Create Snapshot

MITREへのリンク →

Ke3chang

Score: 3.57

Matched TTPs:

T1606.002 - SAML Tokens
T1140 - Deobfuscate/Decode Files or Information

MITREへのリンク →

Mustang Panda

Score: 7.72

Matched TTPs:

T1606.002 - SAML Tokens
T1218.010 - Regsvr32
T1055.005 - Thread Local Storage

MITREへのリンク →

FIN7

Score: 13.35

Matched TTPs:

T1606.002 - SAML Tokens
T1140 - Deobfuscate/Decode Files or Information
T1573 - Encrypted Channel
T1547.002 - Authentication Package
T1601.001 - Patch System Image
T1578.001 - Create Snapshot

MITREへのリンク →

Ember Bear

Score: 6.81

Matched TTPs:

T1005 - Data from Local System
T1140 - Deobfuscate/Decode Files or Information
T1218.010 - Regsvr32

MITREへのリンク →

Threat Group-3390

Score: 10.02

Matched TTPs:

T1140 - Deobfuscate/Decode Files or Information
T1218.003 - CMSTP
T1573 - Encrypted Channel
T1218.010 - Regsvr32

MITREへのリンク →

Volt Typhoon

Score: 10.97

Matched TTPs:

T1140 - Deobfuscate/Decode Files or Information
T1491 - Defacement
T1049 - System Network Connections Discovery
T1578.001 - Create Snapshot

MITREへのリンク →

APT28

Score: 5.36

Matched TTPs:

T1140 - Deobfuscate/Decode Files or Information
T1547.002 - Authentication Package
T1218.010 - Regsvr32

MITREへのリンク →

GOLD SOUTHFIELD

Score: 6.26

Matched TTPs:

T1140 - Deobfuscate/Decode Files or Information
T1573 - Encrypted Channel
T1601.001 - Patch System Image

MITREへのリンク →

Magic Hound

Score: 9.58

Matched TTPs:

T1140 - Deobfuscate/Decode Files or Information
T1187 - Forced Authentication
T1547.002 - Authentication Package
T1601.001 - Patch System Image

MITREへのリンク →

Medusa Group

Score: 7.47

Matched TTPs:

T1140 - Deobfuscate/Decode Files or Information
T1218.003 - CMSTP
T1601.001 - Patch System Image

MITREへのリンク →

Fox Kitten

Score: 6.62

Matched TTPs:

T1140 - Deobfuscate/Decode Files or Information
T1491 - Defacement
T1601.001 - Patch System Image

MITREへのリンク →

GALLIUM

Score: 4.62

Matched TTPs:

T1140 - Deobfuscate/Decode Files or Information
T1059.004 - Unix Shell

MITREへのリンク →

Dragonfly

Score: 5.89

Matched TTPs:

T1140 - Deobfuscate/Decode Files or Information
T1573 - Encrypted Channel
T1218.010 - Regsvr32

MITREへのリンク →

Axiom

Score: 11.12

Matched TTPs:

T1140 - Deobfuscate/Decode Files or Information
T1049 - System Network Connections Discovery
T1218.010 - Regsvr32
T1160 - Launch Daemon

MITREへのリンク →

APT41

Score: 5.89

Matched TTPs:

T1140 - Deobfuscate/Decode Files or Information
T1573 - Encrypted Channel
T1218.010 - Regsvr32

MITREへのリンク →

HAFNIUM

Score: 9.63

Matched TTPs:

T1140 - Deobfuscate/Decode Files or Information
T1059 - Command and Scripting Interpreter
T1049 - System Network Connections Discovery

MITREへのリンク →

MuddyWater

Score: 7.23

Matched TTPs:

T1140 - Deobfuscate/Decode Files or Information
T1547.002 - Authentication Package
T1218.010 - Regsvr32
T1601.001 - Patch System Image

MITREへのリンク →

APT39

Score: 3.87

Matched TTPs:

T1140 - Deobfuscate/Decode Files or Information
T1547.002 - Authentication Package

MITREへのリンク →

MoustachedBouncer

Score: 4.54

Matched TTPs:

T1055.003 - Thread Execution Hijacking

MITREへのリンク →

APT38

Score: 3.29

Matched TTPs:

T1491 - Defacement

MITREへのリンク →

Scattered Spider

Score: 3.29

Matched TTPs:

T1491 - Defacement

MITREへのリンク →

Chimera

Score: 7.74

Matched TTPs:

T1491 - Defacement
T1601.001 - Patch System Image
T1578.001 - Create Snapshot

MITREへのリンク →

Gamaredon Group

Score: 8.80

Matched TTPs:

T1061 - Graphical User Interface
T1547.002 - Authentication Package
T1601.001 - Patch System Image

MITREへのリンク →

Patchwork

Score: 6.51

Matched TTPs:

T1059.004 - Unix Shell
T1218.010 - Regsvr32
T1601.001 - Patch System Image

MITREへのリンク →

Deep Panda

Score: 3.15

Matched TTPs:

T1059.004 - Unix Shell

MITREへのリンク →

APT3

Score: 4.65

Matched TTPs:

T1059.004 - Unix Shell
T1218.010 - Regsvr32

MITREへのリンク →

Andariel

Score: 5.34

Matched TTPs:

T1187 - Forced Authentication
T1218.010 - Regsvr32

MITREへのリンク →

Cobalt Group

Score: 6.29

Matched TTPs:

T1573 - Encrypted Channel
T1218.010 - Regsvr32
T1601.001 - Patch System Image

MITREへのリンク →

APT37

Score: 3.89

Matched TTPs:

T1547.002 - Authentication Package
T1218.010 - Regsvr32

MITREへのリンク →

APT12

Score: 3.89

Matched TTPs:

T1547.002 - Authentication Package
T1218.010 - Regsvr32

MITREへのリンク →

HEXANE

Score: 4.26

Matched TTPs:

T1547.002 - Authentication Package
T1601.001 - Patch System Image

MITREへのリンク →

ZIRCONIUM

Score: 4.99

Matched TTPs:

T1547.002 - Authentication Package
T1578.001 - Create Snapshot

MITREへのリンク →

Sidewinder

Score: 5.95

Matched TTPs:

T1218.010 - Regsvr32
T1601.001 - Patch System Image
T1578.001 - Create Snapshot

MITREへのリンク →

The White Company

Score: 4.09

Matched TTPs:

T1218.010 - Regsvr32
T1578.001 - Create Snapshot

MITREへのリンク →

Higaisa

Score: 4.09

Matched TTPs:

T1218.010 - Regsvr32
T1578.001 - Create Snapshot

MITREへのリンク →

BRONZE BUTLER

Score: 4.09

Matched TTPs:

T1218.010 - Regsvr32
T1578.001 - Create Snapshot

MITREへのリンク →

Darkhotel

Score: 4.09

Matched TTPs:

T1218.010 - Regsvr32
T1578.001 - Create Snapshot

MITREへのリンク →

APT32

Score: 3.36

Matched TTPs:

T1218.010 - Regsvr32
T1601.001 - Patch System Image

MITREへのリンク →

PLATINUM

Score: 4.54

Matched TTPs:

T1686 - Disable or Modify System Firewall

MITREへのリンク →

このPulseに関連する脅威アクター (推論ベース)

Sandworm Team

Score: 0.82

Matched TTPs:

T1547.002 - Authentication Package
T1606.002 - SAML Tokens
T1049 - System Network Connections Discovery
T1218.010 - Regsvr32
T1005 - Data from Local System
T1187 - Forced Authentication
T1573 - Encrypted Channel
T1601.001 - Patch System Image
T1140 - Deobfuscate/Decode Files or Information

MITREへのリンク →

UNC3886

Score: 0.59

Matched TTPs:

T1606.002 - SAML Tokens
T1218.010 - Regsvr32
T1059.004 - Unix Shell
T1021.006 - Windows Remote Management
T1578.001 - Create Snapshot
T1140 - Deobfuscate/Decode Files or Information

MITREへのリンク →

FIN7

Score: 0.56

Matched TTPs:

T1547.002 - Authentication Package
T1606.002 - SAML Tokens
T1573 - Encrypted Channel
T1601.001 - Patch System Image
T1578.001 - Create Snapshot
T1140 - Deobfuscate/Decode Files or Information

MITREへのリンク →

Related CVEs

このPulseに見つかったCVEはありません。

Pulse – 脅威アクターグラフ

← Pulse一覧に戻る