Void Dokkaebi Expands Malware Campaign With Cython-Compiled InvisibleFerret Info Stealer IoCs
====================================================================================================
Indicator          Detection name          Description
====================================================================================================
BeaverTail
InvisibleFerret
====================================================================================================
URLs
====================================================================================================
C&C servers
Exfiltration destination
Download module or payloads