Proto8
BACKDOOR, 3 mutex signatures
[BASIC_INFORMATION]
FAMILY_NAME:
Proto8
CATEGORY:
BACKDOOR
DESCRIPTION:
Proto8 is a backdoor that has been observed in targeted attacks against betting companies. It provides remote access to compromised systems and has been associated with the Operation Dragon Castling APT group. It derives its mutex names dynamically from victim information (see the signatures below) and uses evasion techniques to hinder analysis.
ALIASES:
Proto8 Backdoor
TAGS:
remote_access, apt, betting_companies, operation_dragon_castling, dynamic_mutex, evasion_techniques
[MUTEX_SIGNATURES] (3)
[MUTEX_01]
Global\sysmon-windows-<CRC32 of an MD5 hash of the victim's username>
ANALYST: @adhikara13 DATE: 2024-07-16
[MUTEX_02]
Global\IntelGameSpeed-<CRC32 of an MD5 hash of the victim's username>
ANALYST: @adhikara13 DATE: 2024-07-16
[MUTEX_03]
Global\TencentSecuriryAgent-P01-<victim's username>
ANALYST: @adhikara13 DATE: 2024-07-16
[THREAT_INTELLIGENCE]
ATTRIBUTION:
Unknown
FIRST_OBSERVED:
2024
[STATISTICS]
MUTEX_COUNT: 3
THREAT_ACTORS: 1
ALIASES: 1
TAGS: 6
CATEGORY: BACKDOOR