IronWind

Description

(Proofpoint) Once sideloaded, IronWind sent an HTTP GET request to a known TA402 C2 domain. After receiving the HTTP GET request, the C2 responded with shellcode that represented the third stage of the infection chain. During Proofpoint’s analysis, the shellcode used reflective .NET loaders to conduct WMI queries. The shellcode also served as a multipurpose loader, downloading the fourth stage—a .NET executable that used SharpSploit, a .NET post-exploitation library written in C#.

Names

Name
IronWind

Category

Malware

Type

  • Backdoor

Information

Malpedia

Other Information

UUID

177c5394-070d-4a88-b852-f8220f23d26e

Last Card Change

2024-01-17