MechaFlounder is malware believed to be used by the Chafer group as a secondary payload: it is downloaded by a first-stage payload and carries out post-exploitation activity on compromised hosts. The malware begins by entering a continuous communication loop with its command and control (C2) server. It uses the Browser class of the Python mechanize module, which partly explains the origin of its name, to upload specific files from the compromised system to the C2 server. Notably, the "&m=d" parameter seen in the initial download URL of the MechaFlounder payload is frequently found in URLs associated with both the Chafer and OilRig threat groups.
Chafer built the payload, known as MechaFlounder, from a blend of actor-written code and code snippets freely available in online development communities. This Python-based payload (SHA256: 0282b7705f13f9d9811b722f8d7ef8fef907bee2ef00bf8ec89df5e7d96d81ff) was bundled into a portable executable with the PyInstaller tool. Notably, the lsass.exe file downloaded from this domain was a previously unreported Python-based payload, now tracked as MechaFlounder.
The MechaFlounder Trojan gives the Chafer actors enough functionality to achieve their objectives: it supports file upload, file download and command execution. Its creation signals an advanced level of threat from the Chafer group and highlights the importance of robust security measures. As the situation evolves, tracking and understanding MechaFlounder remains critical to mitigating potential damage.
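The two concrete indicators this description gives a defender are the "&m=d" query parameter in the download URL and the SHA256 of the PyInstaller-packed payload. The following is an added example, not code from the original description or from any vendor tooling: it sweeps constructed proxy log lines for URLs carrying that exact parameter and compares file content hashes against the listed SHA256. The log line format (`timestamp src_ip method url`) and the sample lines are assumptions made for the example; the hash and the parameter name come from the text above.

```python
import hashlib
import re
from urllib.parse import urlsplit, parse_qs

# Indicators taken from the description above.
MECHAFLOUNDER_SHA256 = "0282b7705f13f9d9811b722f8d7ef8fef907bee2ef00bf8ec89df5e7d96d81ff"
SUSPECT_PARAM = ("m", "d")  # the "&m=d" parameter seen in the payload download URL

# Constructed sample proxy log lines (assumed format: "<timestamp> <src_ip> <method> <url>").
# Hostnames use the reserved .invalid TLD so nothing here points at a real site.
SAMPLE_PROXY_LOG = """\
2023-11-28T10:01:02Z 10.0.0.5 GET http://example.invalid/update?id=17&m=d
2023-11-28T10:01:09Z 10.0.0.5 GET http://example.invalid/static/logo.png
2023-11-28T10:02:30Z 10.0.0.7 POST http://example.invalid/upload?m=u&f=report.docx
2023-11-28T10:03:11Z 10.0.0.9 GET http://example.invalid/a?M=d
this line is malformed and must be skipped, not crash the sweep
"""

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+)$")


def has_suspect_param(url):
    """True if the URL's query string carries m=d as a proper key/value pair.

    Parsing the query instead of substring-matching "&m=d" avoids false
    positives such as "?rm=d" and catches the parameter in first position
    ("?m=d&...") where no leading '&' exists. Matching is case-sensitive,
    exactly as the indicator was observed.
    """
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    key, value = SUSPECT_PARAM
    return value in params.get(key, [])


def flag_proxy_lines(log_text):
    """Return [(src_ip, url), ...] for every parseable line whose URL carries m=d."""
    hits = []
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # tolerate malformed records; a sweep should not abort on one bad line
        if has_suspect_param(match.group("url")):
            hits.append((match.group("src"), match.group("url")))
    return hits


def sha256_hex(data):
    """Hex SHA256 of a byte string (what you would compute over a quarantined file)."""
    return hashlib.sha256(data).hexdigest()


def is_known_mechaflounder_sample(data):
    """True if the bytes hash to the SHA256 listed for the MechaFlounder payload."""
    return sha256_hex(data) == MECHAFLOUNDER_SHA256


if __name__ == "__main__":
    for src, url in flag_proxy_lines(SAMPLE_PROXY_LOG):
        print(f"suspect download URL from {src}: {url}")
    # A dropped file would be read from disk and checked the same way:
    print("constructed bytes match known sample:", is_known_mechaflounder_sample(b"not the real payload"))
```

Because the indicator is a query parameter rather than a hostname, the sweep keys on the parsed query string and reports the source host together with the full URL, so an analyst can pivot from the hit to the file that host subsequently wrote to disk and hash it against the listed SHA256.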
Description last updated: 2023-11-28T20:20:27.700Z