IB-22-10006 Pysa Golang RAT Intrusion Observed on Network
Department of Homeland Security
Cybersecurity and Infrastructure Security Agency (CISA)
Reference Number: NPG-15373247
Report Date: 2022-01-13

Notification:
DISCLAIMER: This report is provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. The DHS does not endorse any commercial product or service, referenced in this bulletin or otherwise.

This document is distributed as TLP:AMBER: Limited disclosure, restricted to participants' organizations. Recipients may only share TLP:AMBER information with members of their own organization, and with clients or customers who need to know the information to protect themselves or prevent further harm. For more information on the Traffic Light Protocol, see http://www.us-cert.gov/tlp.

Summary:
In early January 2022, a trusted third party reported a Pysa Golang remote access Trojan (RAT) campaign. The initial entry point is suspected to be remote desktop protocol (RDP) to a vendor-managed report server. The threat actor was able to gain access using a compromised account. Endpoint detection and response (EDR) systems detected a RAT. The threat actor attempted to move laterally across the network, but the trusted third party successfully applied mitigation measures to stop the intrusion. This activity was observed in the Healthcare and Public Health sector.

Indicators:
The following information was derived from trusted third parties and open-source research.

Files:

File: [MD5: 20D4335B3A9CA44A6559D7BE328C3D0F]
  Type: Unknown
  Detection: Unknown
  Activity: Observed as a Pysa Golang RAT file

File: [MD5: 52E666A32D0847B416B66AD9AA98BBED]
  Filename: Advanced_IP_Scanner_2.5.3850.exe; ip.exe; 3r.exe
  Type: Win32 EXE
  Detection: HackTool.IPScanner.20385120
  Activity: Observed as Advanced IP Scanner application used in Pysa Golang RAT activity; observed by another trusted third party in ransomware and RAT activity attributed to Cyborg Spider from July to August 2021

File: [MD5: D8CE26B2E59B962FB5D0F60524896443]
  Filename: lib.dll
  Type: Unknown
  Detection: Unknown
  Activity: Observed as a Pysa Golang RAT file

File: [MD5: 932813B7FF9769DE4620FE7CBCC9302B]
  Filename: svchost.exe
  Type: Win32 EXE
  Detection: Gen:Variant.Bulz.280578; Backdoor.Win64.CHACHI.YXBL5Z; Win32.Trojan.Denes.Hqlc; other
  Activity: Observed as a Pysa Golang RAT file

File: [MD5: 178C025A9CAC64891C3CC01DE5F2E420]
  Filename: lib.dll
  Type: Unknown
  Detection: Unknown
  Activity: Observed as a Pysa Golang RAT file

File: [MD5: F9747B8DBD3759BFDB5C3CFC24461F4F]
  Filename: adobe.dll
  Type: Unknown
  Detection: Unknown
  Activity: Observed as a Pysa Golang RAT file

File: [MD5: 7257DA1E6699B5F5CABBD114DAE2C1F7]
  Filename: eventlog.dll
  Type: Unknown
  Detection: Unknown
  Activity: Observed as a Pysa Golang RAT file

File: [MD5: 90B2FF4EB4C47C16D8BA2190B5C82130]
  Filename: run.dll
  Type: Unknown
  Detection: Unknown
  Activity: Observed as a Pysa Golang RAT file

File: [MD5: 5020244593C63C292C20D57F2BA52F52]
  Filename: advanced_ip_scanner.exe
  Type: Win32 EXE
  Detection: RemoteAdmin.AdvancedIPScanner.a
  Activity: Observed as Advanced IP Scanner application used in Pysa Golang RAT activity

IP Addresses:

IP: 134.119.180.74
  Domains Hosted: 2
  Geolocation: France
  Organization: Host Europe GmbH
  Activity: This IP address was observed as a Pysa Golang RAT C2 site

IP: 209.127.184.166
  Domains Hosted: 3
  Geolocation: United States
  Registrant: B2 Net Solutions Inc.
  Activity: This IP address was observed as a Pysa Golang RAT C2 site

IP: 23.106.239.39
  Domains Hosted: 0
  Geolocation: Great Britain
  Organization: Leaseweb UK Limited
  Activity: This IP address was observed as a Pysa Golang RAT C2 site

IP: 23.236.181.110
  Domains Hosted: 0
  Geolocation: Buffalo, New York
  Organization: ColoCrossing
  Activity: This IP address was observed as a Pysa Golang RAT C2 site

IP: 45.147.229.118
  Domains Hosted: 2
  Geolocation: Germany
  Organization: Combahton GmbH
  Activity: This IP address was observed as a Pysa Golang RAT C2 site

IP: 92.38.171.72
  Domains Hosted: 3
  Geolocation: Spain
  Organization: G-Core Labs S.A.
  Activity: This IP address was observed as a Pysa Golang RAT C2 site

IP: 198.252.108.138
  Domains Hosted: 18
  Geolocation: United States
  Organization: Hawk Host Inc.
  Activity: This IP address was observed as a Pysa Golang RAT (Chisel component) C2 site

IP: 198.252.108.82
  Domains Hosted: 127
  Geolocation: United States
  Organization: Hawk Host Inc.
  Activity: This IP address was observed as a Pysa Golang RAT (Chisel component) C2 site

Domains:

Domain: oneidrive.org
  Host IP: 162.255.119.100 (United States)
  Created Date: 2021-08-30
  Registrant: Privacy service provided by Withheld for Privacy ehf
  Activity: This domain was observed as a Pysa Golang RAT C2 site; appears to be a typo-squatting domain; observed in phishing, malware, and spam activity by other trusted third parties

Domain: microsof.net
  Host IP: 209.127.184.166 (United States)
  Registrant: Privacy service provided by Withheld for Privacy ehf
  Activity: This domain was observed as a Pysa Golang RAT C2 site; appears to be a typo-squatting domain; observed in phishing, malware, and spam activity by other trusted third parties

Attack Patterns:
T1036 - Masquerading - Defense Evasion
T1082 - System Information Discovery - Discovery
T1071 - Standard Application Layer Protocol - Command and Control

Contact CISA Customer Service
Email: soc@us-cert.gov
Phone: 1-888-282-0870
Website: www.us-cert.gov

CISA continuously strives to improve its products and services. You can help by answering a very short series of questions about this product at the following URL: https://www.us-cert.gov/forms/feedback.