Tusk Infostealer Lab Walkthrough


Tusk Infostealer is an easy, beginner-level Threat Intelligence lab by CyberDefenders. Given how easy it is, you can probably solve it on your own once you have the right tool. I suggest reading the introduction under the CTF Walkthrough heading and then attempting the lab yourself; you can always come back to this post.

Scenario

A blockchain development company detected unusual activity when an employee was redirected to an unfamiliar website while accessing a DAO management platform. Soon after, multiple cryptocurrency wallets linked to the organization were drained. Investigators suspect a malicious tool was used to steal credentials and exfiltrate funds.

Your task is to analyze the provided intelligence to uncover the attack methods, identify indicators of compromise, and track the threat actor’s infrastructure.

CTF Walkthrough

You can solve this lab either with the Kaspersky Threat Intelligence Portal or with your OSINT skills and a Google search. Unless you have premium access to the Kaspersky Threat Intelligence Portal, you will need both.

  • Start by searching for this malware on Google. Search for Tusk Infostealer and you will come across many sources. I suggest reading the InfoStealer.com write-up first and then solving the lab using their analysis.
  • Don't forget to download the lab file. After downloading, unzip it and compute the hash of the sample. The hash given in the lab, E5B8B2CF5B244500B22B665C87C11767, is 32 hex characters, i.e. an MD5; use it to gather intelligence from the Kaspersky Threat Intelligence Portal.
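Hashing the unzipped sample and checking it against the hash published in the lab is the step that makes every later portal lookup trustworthy. The script below is an added example (not part of the lab or the CyberDefenders material): it reads a file in chunks, returns MD5, SHA-1 and SHA-256 alongside the byte size, formats the size the way the portal shows it (assuming a 1024-byte KB, which is an assumption), and compares the MD5 case-insensitively with the lab's value. The input hashed in the demo is a constructed byte string, not the real sample.

```python
import hashlib
import os
import tempfile

# MD5 published in the lab for the Tusk sample (32 hex chars = MD5).
# The sample itself is not embedded here; only the comparison logic is exercised.
LAB_MD5 = "E5B8B2CF5B244500B22B665C87C11767"


def hash_file(path, chunk_size=1 << 20):
    """Return MD5/SHA-1/SHA-256 hex digests and byte size of a file, read in chunks
    so large samples do not have to fit in memory."""
    digests = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    size = 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            size += len(chunk)
            for h in digests.values():
                h.update(chunk)
    result = {name: h.hexdigest() for name, h in digests.items()}
    result["size"] = size
    return result


def size_kb(nbytes):
    """Format a byte count as 'x.yz KB' (assumption: 1 KB = 1024 bytes, as TI portals commonly do)."""
    return f"{nbytes / 1024:.2f} KB"


def matches(digest, expected):
    """Case-insensitive digest comparison; portals and reports mix upper/lower case hex."""
    return digest.lower() == expected.lower()


def hash_bytes(data):
    """Helper for constructed input: write bytes to a temp file and hash that file."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(data)
        path = tmp.name
    try:
        return hash_file(path)
    finally:
        os.remove(path)


if __name__ == "__main__":
    # Constructed stand-in for the unzipped sample; replace with the real path.
    info = hash_bytes(b"abc")
    for name in ("md5", "sha1", "sha256"):
        print(f"{name:7s} {info[name]}")
    print("size   ", size_kb(info["size"]))
    print("matches lab MD5:", matches(info["md5"], LAB_MD5))
```

Run it against the unzipped sample and only continue to the portal once `matches` is true; if it is false you are looking at the wrong file (the archive rather than the executable is the usual mistake).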

Q1 What is the size of the malicious file?

  • Use the hash from the lab file on the Kaspersky Threat Intelligence Portal, which is also listed among the recommended tools for this lab. The portal reports the size of this infostealer as exactly 921.36 KB. The Tusk Infostealer Kaspersky Threat Intelligence report is linked if you want to verify it.

Q2 What word does the threat actor use in log messages to refer to victims, drawing inspiration from ancient tusk hunters?

  • The InfoStealer analysis states clearly that the threat actor refers to victims as Mammoth.

Q3 The threat actor created a malicious website to simulate a platform specialized for creating and managing decentralized autonomous organizations (DAOs) on the MultiversX blockchain. What is the name of the malicious website?

  • As mentioned in the report, the malicious website is tidyme.io.

Q4 Where are malware samples hosted for both macOS and Windows?

  • The report states that this campaign has several malware samples for macOS and Windows, both hosted on Dropbox, and that the post explores the Windows samples only. So Dropbox is the flag for this question.

Q5 The malicious executable contains a configuration file that includes base64-encoded URLs and a password used for archived data decompression, enabling the download of second-stage payloads. What is the password for decompression found in this configuration file?

  • The config file in the tidyme sample contains a base64-encoded URL followed by the password used to decompress the second-stage archive. That password, newfile2024, is the flag.

Q6 What is the name of the function responsible for retrieving the field archive from the configuration file?

  • The function is downloadAndExtractArchive.

Q7 In the Third Sub-Campaign, The attacker simulated An AI translator, What is the name of the legitimate translator and the name of the Malicious Translator?

  • Here the report shows Yous and voico side by side: Yous is the legitimate AI translator and voico is the attacker's copy, built to make victims believe they are on a legitimate site. For initial compromise, attackers find out which websites their targets visit often and replicate them as closely as possible.

Q8 What are the IP Addresses of the StealC C2 Server?

  • This needs no explanation, as both IP addresses used by the StealC C2 are clearly visible: 46.8.238.240 and 23.94.225.177.

Q9 What is the address of the Ethereum cryptocurrency wallet used in this campaign?

  • BTC addresses belong to Bitcoin and ETH addresses to Ethereum (0x prefix followed by 40 hex characters), so the flag is 0xaf0362e215Ff4e004F30e785e822F7E20b99723A.
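Questions 5, 8 and 9 all come down to pulling indicators out of text: a base64-encoded URL plus an archive password from a config blob, and C2 IPs, domains and a wallet address from a report. The script below is an added example, not code from the lab or from any of the cited analyses. It scans constructed sample text for IPv4 addresses (rejecting malformed ones), Ethereum-style addresses, domains, and base64 tokens that decode to URLs. The config layout it parses (base64 URL fields followed by a plaintext password, separated by `|`) is an assumption made for the example; the real sample's layout is not described on this page. The placeholder URL is constructed; the IPs and wallet are the ones from this walkthrough.

```python
import base64
import re
from ipaddress import ip_address

# Constructed report excerpt: IPs and wallet from the walkthrough, plus one bogus IP.
SAMPLE = (
    "Lure site: tidyme.io, imitating a DAO manager. "
    "StealC C2: 46.8.238.240 and 23.94.225.177 (bogus 300.1.1.1 is ignored). "
    "Wallet: 0xaf0362e215Ff4e004F30e785e822F7E20b99723A."
)

# Constructed config blob. Assumed layout: base64 URL field(s), then the archive
# password, '|'-separated. The URL is a placeholder, not from the real sample.
CONFIG = (
    base64.b64encode(b"https://example.invalid/stage2.zip").decode() + "|newfile2024"
)

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
ETH_RE = re.compile(r"\b0x[0-9a-fA-F]{40}\b")          # format check only, no EIP-55 checksum
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
B64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")       # long base64-looking runs


def valid_ipv4(s):
    """Regex alone accepts 300.1.1.1; ipaddress enforces octet range."""
    try:
        return ip_address(s).version == 4
    except ValueError:
        return False


def decode_b64_urls(text):
    """Return every base64 token in text that decodes to an http(s) URL."""
    urls = []
    for tok in B64_RE.findall(text):
        try:
            raw = base64.b64decode(tok, validate=True)  # binascii.Error is a ValueError
        except ValueError:
            continue  # hex strings and wallet addresses land here
        s = raw.decode("ascii", "ignore")
        if s.startswith(("http://", "https://")):
            urls.append(s)
    return urls


def parse_config(blob, sep="|"):
    """Split the assumed 'b64url|...|password' layout into decoded URLs and the password."""
    fields = blob.split(sep)
    urls = [u for f in fields[:-1] for u in decode_b64_urls(f)]
    return {"urls": urls, "password": fields[-1]}


def extract_iocs(text):
    return {
        "ipv4": sorted({m for m in IPV4_RE.findall(text) if valid_ipv4(m)}),
        "eth_wallets": sorted(set(ETH_RE.findall(text))),
        "domains": sorted({d.lower() for d in DOMAIN_RE.findall(text)}),
        "b64_urls": decode_b64_urls(text),
    }


if __name__ == "__main__":
    for k, v in extract_iocs(SAMPLE).items():
        print(f"{k:12s} {v}")
    print(parse_config(CONFIG))
```

The `validate=True` decode and the URL-prefix check are what keep the base64 scanner from reporting every long hex string (the wallet address, hashes) as a hit; the regexes only narrow the candidates.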

If you've made it this far, thank you for reading!