Actor(s): Lazarus Group
WebbyTea is an HTTP(S) downloader that uses AES to encrypt its C&C traffic.
It sends detailed information about the victim's environment, such as proxy settings, system installation date, Windows product name and version, manufacturer, product name, system boot time, time zone, computer name, user name, current time and a list of currently running processes. Data sent to the C&C server consists of the prefix "ci", a 16-character hexadecimal string representing the victim ID, and encrypted data about the victim's system. After the payload is acquired from the server and successfully injected into a newly created explorer.exe process, the malware responds with the same victim ID, with the prefix changed to "cs".
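The check-in and follow-up layout described above, as an added defensive example (not Malpedia's code nor any vendor's): a parser that tags request bodies matching the "ci"/"cs" + 16-hex-character victim ID layout and correlates a check-in with the "cs" follow-up for the same ID. It assumes the string is carried as the raw HTTP request body and the sample bodies are constructed, not real captures.

```python
import re
from typing import Dict, List, Optional

# Layout from the description: 2-char prefix, 16 hex chars of victim ID,
# then the AES-encrypted body, which is opaque to this heuristic.
PREFIXES = {"ci": "checkin", "cs": "injection_success"}
VICTIM_ID_RE = re.compile(r"^[0-9a-fA-F]{16}$")
HEADER_LEN = 2 + 16


def parse_webbytea_beacon(body: bytes) -> Optional[Dict[str, object]]:
    """Return structured fields if `body` matches the layout, else None."""
    if len(body) < HEADER_LEN:
        return None
    prefix = body[:2].decode("ascii", errors="replace")
    if prefix not in PREFIXES:
        return None
    victim_id = body[2:HEADER_LEN].decode("ascii", errors="replace")
    if not VICTIM_ID_RE.match(victim_id):
        return None  # non-hex or truncated ID: not this layout
    return {
        "stage": PREFIXES[prefix],
        "victim_id": victim_id.lower(),
        "encrypted_len": len(body) - HEADER_LEN,
    }


def correlate_beacons(bodies: List[bytes]) -> Dict[str, List[str]]:
    """Group observed stages by victim ID, in the order they were seen."""
    seen: Dict[str, List[str]] = {}
    for body in bodies:
        parsed = parse_webbytea_beacon(body)
        if parsed is not None:
            seen.setdefault(parsed["victim_id"], []).append(parsed["stage"])
    return seen


def victims_with_successful_injection(bodies: List[bytes]) -> List[str]:
    """IDs that sent a check-in and later reported a successful injection."""
    return sorted(vid for vid, stages in correlate_beacons(bodies).items()
                  if "checkin" in stages and "injection_success" in stages)


# Constructed sample request bodies (assumption: the beacon is the raw body).
SAMPLE_BODIES = [
    b"ci0123456789abcdef" + b"\x8a\x11\x42" * 5,   # check-in + opaque data
    b"cs0123456789abcdef",                          # same ID, prefix "cs"
    b"ciFEDCBA9876543210" + b"\x00\x01",            # check-in only
    b"cizz23456789abcdef" + b"\x00",                # non-hex ID: rejected
    b"POST body unrelated to WebbyTea",
]
```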
The internal DLL name of the native WebbyTea is usually pe64.dll or webT64.dll (from which its name is derived).
The usual payload associated with WebbyTea is SnatchCrypto.
References:
2023-10-04 ⋅ Virus Bulletin ⋅ Lazarus Campaigns and Backdoors in 2022-23
  Related families: 3CX Backdoor, BLINDINGCAN, CLOUDBURST, DRATzarus, ForestTiger, ImprudentCook, LambLoad, LightlessCan, miniBlindingCan, PostNapTea, SnatchCrypto, WebbyTea, WinInetLoader
2023-05-22 ⋅ Sekoia ⋅ Bluenoroff's RustBucket campaign
2022-01-13 ⋅ Kaspersky Labs ⋅ The BlueNoroff cryptocurrency hunt is still on
  Related families: CageyChameleon, SnatchCrypto, WebbyTea
There is no YARA signature yet.