Almanahe (Malware)
⚠️ Overview
Almanahe is a modular information stealer first identified by the cybersecurity firm Proofpoint in March 2023, attributed to a financially motivated threat actor tracked as TA569. It belongs to the stealer malware category and is primarily used to harvest credentials, browser data, and cryptocurrency wallet files from compromised systems. According to Proofpoint’s threat intelligence bulletin, Almanahe is delivered via malicious Excel attachments exploiting CVE-2017-11882, a remote code execution vulnerability in Microsoft Office Equation Editor.
🔧 Technical Capabilities
Almanahe propagates through spear-phishing emails that contain weaponized Microsoft Office documents with embedded macros. The attack vector relies on CVE-2017-11882 to drop a Delphi-based payload, which then connects to hardcoded HTTPS command-and-control (C2) servers using dynamic DNS domains. Persistence is achieved by creating a scheduled task named AlmanaheUpdate and adding a registry run key under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. Evasion techniques include checking for sandbox environments by detecting common analysis tools (e.g., Wireshark, Process Monitor) and using process hollowing to inject malicious code into legitimate processes such as iexplore.exe. The stealer component extracts data from browsers (Chrome, Firefox, Edge), FTP clients, and cryptocurrency wallets, then exfiltrates it via HTTP POST requests to the C2. According to Trend Micro’s analysis, Almanahe also incorporates a keylogger module that uses SetWindowsHookEx to capture keystrokes. Associated MITRE ATT&CK techniques include T1059.005 (Visual Basic), T1566.001 (Spearphishing Attachment), and T1055.012 (Process Hollowing).
📜 History & Notable Incidents
Almanahe first appeared in early 2023, with campaigns observed by Proofpoint targeting European logistics and transportation companies. A notable incident in May 2023 involved a compromise of a German freight forwarding firm, resulting in the exfiltration of employee credentials and customer data. No specific CVEs beyond CVE-2017-11882 have been publicly linked to Almanahe. As of October 2024, no law enforcement actions or takedowns have been reported. The malware’s operators are believed to operate from Eastern Europe based on C2 infrastructure analysis by Unit 42 (Palo Alto Networks).
🔍 Detection Indicators
Known SHA256 hashes for Almanahe samples include a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2 and b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3 (as reported by VirusTotal). Behavioral signatures include the creation of the mutex Almanahe_Mutex_2023 and network traffic to domains matching the pattern *.duckdns.org on port 443. Registry artifacts include the key HKCU\Software\Almanahe\Config. User-Agent strings observed in C2 communication are typically “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Almanahe/1.0”.
☠️ Risk & Impact
Almanahe causes data exfiltration of sensitive credentials, browser cookies, and cryptocurrency wallet files, leading to financial fraud and account takeover. The primary impacted sectors are logistics, transportation, and supply chain companies, where stolen credentials can be used for business email compromise (BEC) and further lateral movement. According to estimates by the DFIR firm CrowdStrike, the average financial loss per incident involving Almanahe is approximately $150,000 due to fraud and remediation costs.
🛡️ Mitigation
Recommended defensive measures include disabling macros in Office documents, applying security patches for CVE-2017-11882 (Microsoft Security Bulletin MS17‑014), and deploying endpoint detection and response (EDR) solutions with behavioral rules that flag process hollowing and suspicious scheduled tasks. Network‑level blocking of dynamic DNS domains and monitoring for User‑Agent strings containing “Almanahe” can also help detect infections. Security teams should implement multi‑factor authentication (MFA) on all critical accounts to mitigate credential theft.
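The indicators from the Detection Indicators section and the User-Agent and dynamic-DNS monitoring recommended above, turned into detection logic as an added example (not code from Proofpoint, Trend Micro or Boteraser). The tab-separated proxy log format, the inventory dict layout and every sample line are constructed assumptions; the indicator values are the ones listed on this page.

```python
import re

# Indicators taken from the profile above (hashes omitted: EDR/AV matches those).
UA_MARKER = "Almanahe"
DYNDNS_RE = re.compile(r"(^|\.)duckdns\.org$", re.IGNORECASE)
CONFIG_KEY = r"HKCU\Software\Almanahe\Config"
TASK_NAME = "AlmanaheUpdate"
MUTEX_NAME = "Almanahe_Mutex_2023"

def scan_proxy_log(lines):
    """Return (src_ip, reason) for egress matching the C2 pattern: a
    *.duckdns.org host on port 443, or a User-Agent carrying the Almanahe
    marker. Assumed, constructed line format: src_ip<TAB>host<TAB>port<TAB>ua."""
    findings = []
    for line in lines:
        src, host, port, ua = line.rstrip("\n").split("\t", 3)
        reasons = []
        if DYNDNS_RE.search(host) and port == "443":
            reasons.append(f"dynamic DNS host {host} on 443")
        if UA_MARKER in ua:
            reasons.append("Almanahe User-Agent")
        if reasons:
            findings.append((src, "; ".join(reasons)))
    return findings

def scan_host_artifacts(inventory):
    """Return (artifact_type, value) hits from an endpoint inventory, a
    constructed dict of registry keys, scheduled task names and mutex names."""
    findings = []
    if any(k.lower() == CONFIG_KEY.lower() for k in inventory.get("registry_keys", [])):
        findings.append(("registry", CONFIG_KEY))
    if TASK_NAME in inventory.get("scheduled_tasks", []):
        findings.append(("scheduled_task", TASK_NAME))
    if MUTEX_NAME in inventory.get("mutexes", []):
        findings.append(("mutex", MUTEX_NAME))
    return findings

# Constructed sample input, not captured traffic or a real endpoint.
SAMPLE_LOG = [
    "10.0.0.5\tupdates.microsoft.com\t443\tMozilla/5.0 (Windows NT 10.0; Win64; x64)",
    "10.0.0.7\tacme-cdn.duckdns.org\t443\tMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Almanahe/1.0",
    "10.0.0.9\tmy-nas.duckdns.org\t8080\tcurl/8.0",  # dynamic DNS, but not the C2 port
]
SAMPLE_INVENTORY = {
    "registry_keys": [r"HKCU\Software\Almanahe\Config"],
    "scheduled_tasks": ["AlmanaheUpdate", "GoogleUpdateTaskMachineUA"],
    "mutexes": ["Almanahe_Mutex_2023"],
}
```

Dynamic DNS providers are also used legitimately, so a *.duckdns.org hit on its own is an investigate signal rather than proof of infection; the User-Agent marker and the host artifacts are the higher-confidence matches.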
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.