Trusted Design

#1020 Dissecting the Malware Involved in the INOCNATION Campaign

Summary

Last month, CrowdStrike published a blog on malware campaigns attributed to Sakula. We took a look at the malware used specifically in the INOCNATION campaign to analyze what was new and different about the techniques used by the threat actor. It appears the entity behind this campaign took steps to make reverse engineering more difficult and chose Cisco’s AnyConnect Client as a lure to trick victims into installing the malware. The RAT delivered by this campaign was not particularly interesting and had all the features you would expect in such a tool. The obfuscation techniques, however, were novel, and this advisory discusses them in detail, along with how we detected them.

Created: 2026-02-23

Indicators

Similar Pulses

Threat actors related to this Pulse (fact-based)

Mustard Tempest

Score: 4.54
Matched TTPs:
  • T1583.008 - Malvertising

Kimsuky

Score: 7.83
Matched TTPs:
  • T1587.001 - Malware
  • T1190 - Exploit Public-Facing Application
  • T1102.002 - Bidirectional Communication
  • T1027.010 - Command Obfuscation

FIN13

Score: 3.57
Matched TTPs:
  • T1587.001 - Malware
  • T1190 - Exploit Public-Facing Application

Moonstone Sleet

Score: 8.31
Matched TTPs:
  • T1587.001 - Malware
  • T1217 - Browser Information Discovery
  • T1195.002 - Compromise Software Supply Chain

Lazarus Group

Score: 12.71
Matched TTPs:
  • T1587.001 - Malware
  • T1102.002 - Bidirectional Communication
  • T1203 - Exploitation for Client Execution
  • T1027.007 - Dynamic API Resolution
  • T1124 - System Time Discovery

Contagious Interview

Score: 8.09
Matched TTPs:
  • T1587.001 - Malware
  • T1681 - Search Threat Vendor Data
  • T1027.010 - Command Obfuscation

OilRig

Score: 15.12
Matched TTPs:
  • T1587.001 - Malware
  • T1195 - Supply Chain Compromise
  • T1027.005 - Indicator Removal from Tools
  • T1203 - Exploitation for Client Execution
  • T1137.004 - Outlook Home Page

UNC3886

Score: 14.94
Matched TTPs:
  • T1587.001 - Malware
  • T1190 - Exploit Public-Facing Application
  • T1681 - Search Threat Vendor Data
  • T1027.005 - Indicator Removal from Tools
  • T1203 - Exploitation for Client Execution
  • T1124 - System Time Discovery

Sandworm Team

Score: 23.56
Matched TTPs:
  • T1587.001 - Malware
  • T1195 - Supply Chain Compromise
  • T1190 - Exploit Public-Facing Application
  • T1584.005 - Botnet
  • T1592.002 - Software
  • T1195.002 - Compromise Software Supply Chain
  • T1102.002 - Bidirectional Communication
  • T1203 - Exploitation for Client Execution
  • T1027.010 - Command Obfuscation

Salt Typhoon

Score: 3.57
Matched TTPs:
  • T1587.001 - Malware
  • T1190 - Exploit Public-Facing Application

APT29

Score: 5.06
Matched TTPs:
  • T1587.001 - Malware
  • T1190 - Exploit Public-Facing Application
  • T1203 - Exploitation for Client Execution

Play

Score: 5.43
Matched TTPs:
  • T1587.001 - Malware
  • T1190 - Exploit Public-Facing Application
  • T1027.010 - Command Obfuscation

Aoqin Dragon

Score: 3.59
Matched TTPs:
  • T1587.001 - Malware
  • T1203 - Exploitation for Client Execution

Moses Staff

Score: 3.57
Matched TTPs:
  • T1587.001 - Malware
  • T1190 - Exploit Public-Facing Application

Turla

Score: 12.10
Matched TTPs:
  • T1587.001 - Malware
  • T1027.005 - Indicator Removal from Tools
  • T1102.002 - Bidirectional Communication
  • T1027.010 - Command Obfuscation
  • T1124 - System Time Discovery

Ke3chang

Score: 3.57
Matched TTPs:
  • T1587.001 - Malware
  • T1190 - Exploit Public-Facing Application

Mustang Panda

Score: 7.72
Matched TTPs:
  • T1587.001 - Malware
  • T1203 - Exploitation for Client Execution
  • T1027.007 - Dynamic API Resolution

FIN7

Score: 13.35
Matched TTPs:
  • T1587.001 - Malware
  • T1190 - Exploit Public-Facing Application
  • T1195.002 - Compromise Software Supply Chain
  • T1102.002 - Bidirectional Communication
  • T1027.010 - Command Obfuscation
  • T1124 - System Time Discovery

Ember Bear

Score: 6.81
Matched TTPs:
  • T1195 - Supply Chain Compromise
  • T1190 - Exploit Public-Facing Application
  • T1203 - Exploitation for Client Execution

Threat Group-3390

Score: 10.02
Matched TTPs:
  • T1190 - Exploit Public-Facing Application
  • T1608.002 - Upload Tool
  • T1195.002 - Compromise Software Supply Chain
  • T1203 - Exploitation for Client Execution

Volt Typhoon

Score: 10.97
Matched TTPs:
  • T1190 - Exploit Public-Facing Application
  • T1217 - Browser Information Discovery
  • T1584.005 - Botnet
  • T1124 - System Time Discovery

APT28

Score: 5.36
Matched TTPs:
  • T1190 - Exploit Public-Facing Application
  • T1102.002 - Bidirectional Communication
  • T1203 - Exploitation for Client Execution

GOLD SOUTHFIELD

Score: 6.26
Matched TTPs:
  • T1190 - Exploit Public-Facing Application
  • T1195.002 - Compromise Software Supply Chain
  • T1027.010 - Command Obfuscation

Magic Hound

Score: 9.58
Matched TTPs:
  • T1190 - Exploit Public-Facing Application
  • T1592.002 - Software
  • T1102.002 - Bidirectional Communication
  • T1027.010 - Command Obfuscation

Medusa Group

Score: 7.47
Matched TTPs:
  • T1190 - Exploit Public-Facing Application
  • T1608.002 - Upload Tool
  • T1027.010 - Command Obfuscation

Fox Kitten

Score: 6.62
Matched TTPs:
  • T1190 - Exploit Public-Facing Application
  • T1217 - Browser Information Discovery
  • T1027.010 - Command Obfuscation

GALLIUM

Score: 4.62
Matched TTPs:
  • T1190 - Exploit Public-Facing Application
  • T1027.005 - Indicator Removal from Tools

Dragonfly

Score: 5.89
Matched TTPs:
  • T1190 - Exploit Public-Facing Application
  • T1195.002 - Compromise Software Supply Chain
  • T1203 - Exploitation for Client Execution

Axiom

Score: 11.12
Matched TTPs:
  • T1190 - Exploit Public-Facing Application
  • T1584.005 - Botnet
  • T1203 - Exploitation for Client Execution
  • T1001.002 - Steganography

APT41

Score: 5.89
Matched TTPs:
  • T1190 - Exploit Public-Facing Application
  • T1195.002 - Compromise Software Supply Chain
  • T1203 - Exploitation for Client Execution

HAFNIUM

Score: 9.63
Matched TTPs:
  • T1190 - Exploit Public-Facing Application
  • T1592.004 - Client Configurations
  • T1584.005 - Botnet

MuddyWater

Score: 7.23
Matched TTPs:
  • T1190 - Exploit Public-Facing Application
  • T1102.002 - Bidirectional Communication
  • T1203 - Exploitation for Client Execution
  • T1027.010 - Command Obfuscation

APT39

Score: 3.87
Matched TTPs:
  • T1190 - Exploit Public-Facing Application
  • T1102.002 - Bidirectional Communication

MoustachedBouncer

Score: 4.54
Matched TTPs:
  • T1659 - Content Injection

APT38

Score: 3.29
Matched TTPs:
  • T1217 - Browser Information Discovery

Scattered Spider

Score: 3.29
Matched TTPs:
  • T1217 - Browser Information Discovery

Chimera

Score: 7.74
Matched TTPs:
  • T1217 - Browser Information Discovery
  • T1027.010 - Command Obfuscation
  • T1124 - System Time Discovery

Gamaredon Group

Score: 8.80
Matched TTPs:
  • T1001 - Data Obfuscation
  • T1102.002 - Bidirectional Communication
  • T1027.010 - Command Obfuscation

Patchwork

Score: 6.51
Matched TTPs:
  • T1027.005 - Indicator Removal from Tools
  • T1203 - Exploitation for Client Execution
  • T1027.010 - Command Obfuscation

Deep Panda

Score: 3.15
Matched TTPs:
  • T1027.005 - Indicator Removal from Tools

APT3

Score: 4.65
Matched TTPs:
  • T1027.005 - Indicator Removal from Tools
  • T1203 - Exploitation for Client Execution

Andariel

Score: 5.34
Matched TTPs:
  • T1592.002 - Software
  • T1203 - Exploitation for Client Execution

Cobalt Group

Score: 6.29
Matched TTPs:
  • T1195.002 - Compromise Software Supply Chain
  • T1203 - Exploitation for Client Execution
  • T1027.010 - Command Obfuscation

APT37

Score: 3.89
Matched TTPs:
  • T1102.002 - Bidirectional Communication
  • T1203 - Exploitation for Client Execution

APT12

Score: 3.89
Matched TTPs:
  • T1102.002 - Bidirectional Communication
  • T1203 - Exploitation for Client Execution

HEXANE

Score: 4.26
Matched TTPs:
  • T1102.002 - Bidirectional Communication
  • T1027.010 - Command Obfuscation

ZIRCONIUM

Score: 4.99
Matched TTPs:
  • T1102.002 - Bidirectional Communication
  • T1124 - System Time Discovery

Sidewinder

Score: 5.95
Matched TTPs:
  • T1203 - Exploitation for Client Execution
  • T1027.010 - Command Obfuscation
  • T1124 - System Time Discovery

The White Company

Score: 4.09
Matched TTPs:
  • T1203 - Exploitation for Client Execution
  • T1124 - System Time Discovery

Higaisa

Score: 4.09
Matched TTPs:
  • T1203 - Exploitation for Client Execution
  • T1124 - System Time Discovery

BRONZE BUTLER

Score: 4.09
Matched TTPs:
  • T1203 - Exploitation for Client Execution
  • T1124 - System Time Discovery

Darkhotel

Score: 4.09
Matched TTPs:
  • T1203 - Exploitation for Client Execution
  • T1124 - System Time Discovery

APT32

Score: 3.36
Matched TTPs:
  • T1203 - Exploitation for Client Execution
  • T1027.010 - Command Obfuscation

PLATINUM

Score: 4.54
Matched TTPs:
  • T1056.004 - Credential API Hooking

Threat actors related to this Pulse (inference-based)

Sandworm Team

Score: 0.82
Matched TTPs:
  • T1027.010 - Command Obfuscation
  • T1102.002 - Bidirectional Communication
  • T1592.002 - Software
  • T1584.005 - Botnet
  • T1195.002 - Compromise Software Supply Chain
  • T1195 - Supply Chain Compromise
  • T1190 - Exploit Public-Facing Application
  • T1203 - Exploitation for Client Execution
  • T1587.001 - Malware

UNC3886

Score: 0.59
Matched TTPs:
  • T1681 - Search Threat Vendor Data
  • T1027.005 - Indicator Removal from Tools
  • T1190 - Exploit Public-Facing Application
  • T1203 - Exploitation for Client Execution
  • T1587.001 - Malware
  • T1124 - System Time Discovery

FIN7

Score: 0.56
Matched TTPs:
  • T1027.010 - Command Obfuscation
  • T1102.002 - Bidirectional Communication
  • T1195.002 - Compromise Software Supply Chain
  • T1190 - Exploit Public-Facing Application
  • T1587.001 - Malware
  • T1124 - System Time Discovery

Related CVEs

No CVEs were found in this Pulse.

Pulse – Threat Actor Graph

