Storm-2561 uses SEO poisoning to distribute fake VPN clients for credential theft
Storm-2561 is conducting a credential theft campaign leveraging SEO poisoning to distribute fake enterprise VPN clients. The attack utilizes digitally signed payloads and DLL side-loading to deploy the Hyrax infostealer, which harvests VPN credentials and configuration data before redirecting victims to legitimate software to evade detection.
Authors: Microsoft Defender Experts, Microsoft Threat Intelligence
Source:
Microsoft
- domainivanti-vpn[.]orgSpoofed Ivanti VPN download domain used in SEO poisoning.
- domainvpn-fortinet[.]comSpoofed Fortinet VPN download domain used in SEO poisoning.
- urlhxxp://194[.]76[.]226[.]93:8080/iost/income_shitC2 exfiltration endpoint receiving stolen credentials via HTTP POST.
- urlhxxps://github[.]com/latestver/vpn/releases/download/vpn-client2/VPN-CLIENT.zipMalicious ZIP payload URL hosted on GitHub containing the fake VPN installer.
Key Takeaways
- Storm-2561 uses SEO poisoning to distribute fake VPN installers (Pulse Secure, Fortinet, Ivanti) that deploy the Hyrax infostealer.
- The malware is delivered via malicious ZIP files hosted on GitHub and uses DLL side-loading within legitimate-looking directory structures.
- Binaries were signed with a now-revoked certificate from 'Taiyuan Lihua Near Information Technology Co., Ltd.' to bypass security controls and appear legitimate.
- The fake VPN client captures credentials via a spoofed GUI, exfiltrates them to a C2 server, and steals stored VPN configuration data.
- Post-compromise, the malware displays a fake error and redirects users to download the legitimate VPN client to evade suspicion.
Affected Systems
- Windows endpoints
- Users of enterprise VPN software (Pulse Secure, Fortinet, Ivanti)
Attack Chain
Users searching for VPN software are directed via SEO poisoning to spoofed websites. Clicking the download link fetches a malicious ZIP from GitHub containing an MSI installer. The MSI drops 'Pulse.exe' and side-loads 'dwmapi.dll' and 'inspector.dll' (Hyrax infostealer) into a legitimate-looking directory, establishing persistence via the Run/RunOnce registry key. The malware presents a fake VPN login GUI to steal credentials, accesses stored VPN configuration data, exfiltrates the data to a C2 server via HTTP POST, and finally displays a fake error message while redirecting the user to the legitimate VPN client.
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: Yes
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
- Platforms: Microsoft Defender XDR
The article provides KQL advanced hunting queries for Microsoft Defender XDR to identify files signed by the malicious certificate and to detect suspicious DLL loads in the Pulse Secure folder.
Detection Engineering Assessment
EDR Visibility: High — EDR solutions can easily monitor file creation in Common Files, DLL side-loading events, registry modifications for Run/RunOnce keys, and network connections from unexpected processes. Network Visibility: Medium — Network visibility is possible for the HTTP POST exfiltration to the C2 IP, but initial downloads are over HTTPS (GitHub), obscuring the payload in transit. Detection Difficulty: Moderate — The use of valid (though now revoked) digital certificates and legitimate-looking directory paths (Pulse Secure) may bypass basic anomaly detection, requiring behavioral analysis of the DLL loads and network connections.
Required Log Sources
- Process Creation (Event ID 4688 / Sysmon 1)
- File Creation (Sysmon 11)
- Image Load (Sysmon 7)
- Registry Events (Sysmon 12/13/14)
- Network Connections (Sysmon 3)
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Look for unexpected DLLs (like dwmapi.dll or inspector.dll) being loaded by executables running from the %CommonFiles%\Pulse Secure directory. | Image Load (Sysmon 7) | Execution / Defense Evasion | Low |
| Monitor for HTTP POST requests to unusual URIs like '/iost/income_shit' originating from VPN client executables. | Network Connections (Sysmon 3) / Proxy Logs | Exfiltration | Low |
| Identify binaries signed by 'Taiyuan Lihua Near Information Technology Co., Ltd.' executing in the environment. | Process Creation / File Creation with Certificate Info | Defense Evasion | Low |
| Detect modifications to the Run or RunOnce registry keys pointing to executables in the Common Files directory. | Registry Events (Sysmon 12/13/14) | Persistence | Medium |
Control Gaps
- Lack of strict application control allowing unknown signed binaries to execute
- Users having local admin rights to install MSI packages
Key Behavioral Indicators
- DLL side-loading in %CommonFiles%
- Fake VPN GUI prompts
- HTTP POST to specific C2 URI (/iost/income_shit)
- Revoked certificate usage
False Positive Assessment
- Low
Recommendations
Immediate Mitigation
- Block the identified C2 IP (194.76.226.93) and domains (vpn-fortinet.com, ivanti-vpn.org) at the firewall/proxy.
- Revoke trust for the 'Taiyuan Lihua Near Information Technology Co., Ltd.' certificate.
- Search endpoints for the presence of 'inspector.dll' or 'dwmapi.dll' in the Pulse Secure directory.
Infrastructure Hardening
- Enforce MFA on all VPN and enterprise accounts, removing any exclusions.
- Implement Application Control (e.g., WDAC) to block unknown binaries, even if signed.
- Enable Network Protection and Web Protection in endpoint security tools.
User Protection
- Turn on cloud-delivered protection and EDR in block mode.
- Disable password syncing in browsers on managed devices via Group Policy.
- Enable Attack Surface Reduction (ASR) rules to block executable files that do not meet prevalence or age criteria.
Security Awareness
- Educate users on the risks of SEO poisoning and downloading enterprise software from unofficial sources.
- Instruct employees not to store workplace credentials in personal browser password vaults.
MITRE ATT&CK Mapping
- T1189 - Drive-by Compromise
- T1574.002 - Hijack Execution Flow: DLL Side-Loading
- T1553.002 - Subvert Trust Controls: Code Signing
- T1056.002 - Input Capture: GUI Input Capture
- T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
- T1005 - Data from Local System
- T1041 - Exfiltration Over C2 Channel
Additional IOCs
- Ips:
194[.]76[.]226[.]93- C2 server IP address
- Domains:
vpn-fortinet[.]com- Fake Fortinet download domainivanti-vpn[.]org- Fake Ivanti download domain
- Urls:
hxxps://github[.]com/latestver/vpn/releases/download/vpn-client2/VPN-CLIENT.zip- GitHub URL hosting the malicious ZIPhxxp://194[.]76[.]226[.]93:8080/iost/income_shit- C2 exfiltration URL
- Registry Keys:
RunOnce- Windows Run/RunOnce registry key abused to maintain persistence for Pulse.exe
- File Paths:
%CommonFiles%\Pulse Secure\Pulse.exe- Path of the malicious executable masquerading as the legitimate VPN client%CommonFiles%\Pulse Secure\dwmapi.dll- Path of the malicious in-memory loader DLL%CommonFiles%\Pulse Secure\inspector.dll- Path of the malicious Hyrax infostealer DLLC:\ProgramData\Pulse Secure\ConnectionStore\connectionstore.dat- Legitimate VPN configuration file targeted for data extractionProgram Files (x86)\Common Files\Pulse Secure- Directory structure created to blend in with legitimate VPN software
- Other:
Taiyuan Lihua Near Information Technology Co., Ltd.- Revoked digital certificate subject name used to sign malicious MSI and DLL binaries