TAMECAT is a complicated PowerShell-based backdoor linked to APT42, an Iranian state-sponsored hacking group.
It steals login credentials from Microsoft Edge and Chrome browsers whereas evading detection.
Safety researchers from Israel’s Nationwide Digital Company detailed its modular design in current SpearSpecter marketing campaign evaluation.
APT42 deploys TAMECAT in long-term espionage operations in opposition to senior protection and authorities officers.
The group builds belief via social engineering earlier than compromising techniques. TAMECAT receives instructions through Telegram bots, downloading additional scripts for duties like display captures and browser knowledge theft, as reported by Pulsedive.
The an infection chain begins with a VBScript downloader (SHA256: 5404e39f2f175a0fc993513ee52be3679a64c69c79e32caa656fbb7645965422). This script scans for antivirus merchandise utilizing WMI queries.
If “Home windows” seems within the AV checklist, it launches PowerShell through conhost with wget to fetch the loader from tebi[.]io. In any other case, it falls again to cmd.exe and curl for an alternate payload.
Loader Evaluation
The loader, nconf.txt (SHA256: bd1f0fb085c486e97d82b6e8acb3977497c59c3ac79f973f96c395e7f0ca97f8), makes use of AES-encrypted payloads.
It defines Gorba for decryption with key “T2r0y1M1e1n1o0w1” and Borjol for additional processing.
The script drops the primary three bytes from a base64 URL, downloads df32s.txt, and applies bitwise operations plus UTF-8 conversion to disclose extra code.
Decrypted modules deal with sufferer ID era (written to %LocalAppDatapercentconfig.txt) and C2 communication to accurate-sprout-porpoise[.]glitch[.]me.
It collects OS particulars, pc title, and a hardcoded token (GILNH9LX6TCZ9V8ZZSUF), encrypts through Borpos (AES-256, key: kNz0CXiP0wEQnhZXYbvraigXvRVYHk1B), and exfils through POST with customized “Content material-DPR” header for the IV.
C2 responses, separated by ¶, embrace language (PowerShell/C#), base64 command, thread title, and begin/cease flags.
TAMECAT executes these in-memory, suspending Chrome processes and utilizing Edge’s distant debugging for credential extraction.
TAMECAT creates a Chrome listing in %LocalAppData% and targets saved logins. It leverages browser debugging protocols to dump credentials with out disk writes.
Obfuscation consists of array fragments, wildcards, and string substitute traits shared with PowerStar variants.
Consumer-agent mimics Chrome 119: “Mozilla/5.0 (Home windows NT 10.0; Win64; x64) AppleWebKit/537.36…”. Platforms like Discord complement Telegram for C2 flexibility.
MITRE ATT&CK Mapping
- T1059.001: PowerShell execution.
- T1547: Boot/Logon Autostart (suspected persistence).
- T1555: Credentials from Password Shops (Edge/Chrome).
- T1071.001: Internet Protocols (HTTPS C2).
- T1027: Obfuscated Information/Data.
Deploy EDR/AV to catch course of chains like wscript spawning PowerShell. Allow PowerShell script-block logging and constrain execution insurance policies to signed scripts solely. Monitor VBScript launching interpreters and anomalous browser debugging.
TAMECAT evolves, however layered defenses restrict its impression on high-value targets. Organizations ought to prioritize browser safety and logging amid rising nation-state threats.
Observe us on Google Information, LinkedIn, and X to Get On the spot Updates and Set GBH as a Most popular Supply in Google.
