Combos
Malware
⚠️ Overview
Combos is a sophisticated credential-stealing malware family first documented by Proofpoint researchers in early 2021, primarily targeting managed service providers (MSPs) and their small-to-medium business clients. It is categorized as a stealer that specializes in harvesting stored credentials from web browsers, VPN clients, and remote desktop applications, with ties to the TA571 threat actor cluster. Combos operates as a modular downloader capable of deploying secondary payloads such as Cobalt Strike and AsyncRAT.
🔧 Technical Capabilities
Combos propagates via spear-phishing emails carrying malicious Excel attachments, including XLL add-ins. An XLL is a native DLL that Excel loads directly, so it executes without VBA and is not stopped by macro-blocking settings alone; macro-laden workbooks, by contrast, need the user to enable content. Once running, the initial stage uses DLL side-loading to evade signature-based detection and abuses legitimate Windows binaries such as mshta.exe to launch scripts. For lateral movement it carries the EternalBlue SMBv1 exploit (CVE-2017-0144, fixed in MS17-010). Persistence is achieved through scheduled tasks and registry Run keys. Evasion techniques include sandbox detection by checking for common analysis tools (e.g., Wireshark, Process Monitor) and delaying execution to outlast time-limited analysis. C2 traffic uses HTTP/HTTPS with a custom encryption layer, often hosted on compromised WordPress sites so that it blends with legitimate web traffic.
📜 History & Notable Incidents
First observed in January 2021, Combos was linked to a major campaign in August 2022 targeting the healthcare and education sectors in the United States, with over 1,500 organizations affected according to Proofpoint's Threat Summary 2022. A notable incident involved the compromise of an MSP's RMM tool, which was then used to push Combos to downstream clients and led to follow-on BlackCat/ALPHV ransomware deployment. No CVEs are assigned to Combos itself; in some delivery chains it exploits CVE-2017-0199, the Office OLE2Link flaw that lets a document fetch and execute remote HTA content. Law enforcement has not publicly attributed Combos to a state-sponsored group.
🔍 Detection Indicators
Behavioral indicators include unexpected image-load events for combos.dll (or renamed variants), creation of a scheduled task named "CombosUpdate", and outbound connections to addresses in 185.245.x.x (listed as known malicious infrastructure; the range is only published to the second octet, so treat a match as a lead rather than a verdict). The published file hash (SHA256: aefb2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1) is 63 hex characters long, one short of a valid SHA-256, so it cannot match any file and should not be loaded as a blocking indicator until a corrected value is obtained. Network IOCs comprise the User-Agent string "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36" on C2 traffic; this is the stock Chrome 96 User-Agent, so on its own it matches legitimate browsing and is only useful in combination with the destination indicators. Registry artifacts include a value named CombosService under HKCU\Software\Microsoft\Windows\CurrentVersion\Run.
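To make the indicators above actionable, here is an added example (not code from this page, from Proofpoint, or from any vendor) of a matcher that applies them to Sysmon-style events. The Sysmon event IDs used, the /16 mask placed on the published 185.245.x.x range, the UserAgent field (assumed to have been joined in from proxy logs) and the sample log lines are all assumptions constructed for the example. It also shows why the published hash cannot be used as written: it is 63 hex characters, not the 64 a SHA-256 digest requires.

```python
"""Matcher for the Combos indicators quoted in the Detection Indicators section.

Events are Sysmon-style dicts (EventID 1 process create, 3 network connect,
7 image load, 13 registry value set). The sample log lines below are
constructed for this example, not captured from an infection.
"""
import ipaddress
import json
import re
from typing import List, Tuple

# Indicators as published on the profile. The /16 mask is an assumption: the
# page only gives "185.245.x.x", so tighten it if exact addresses are obtained.
SUSPECT_NET = ipaddress.ip_network("185.245.0.0/16")
SUSPECT_DLL = "combos.dll"
SUSPECT_TASK = "combosupdate"
SUSPECT_RUN_VALUE = "combosservice"
PUBLISHED_SHA256 = "aefb2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1"
# Stock Chrome 96 User-Agent: legitimate traffic carries it too, so it is only
# used to corroborate a destination match, never as a finding by itself.
GENERIC_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36")

Finding = Tuple[str, str]  # (severity, reason)


def is_valid_sha256(digest: str) -> bool:
    """A SHA-256 digest is exactly 64 hex characters; anything else can never match a file."""
    return re.fullmatch(r"[0-9a-fA-F]{64}", digest) is not None


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def match_event(ev: dict) -> List[Finding]:
    """Apply the profile's indicators to one event and return any findings."""
    findings: List[Finding] = []
    eid = ev.get("EventID")

    if eid == 7 and _basename(ev.get("ImageLoaded", "")) == SUSPECT_DLL:
        findings.append(("high", f"{ev.get('Image')} loaded {SUSPECT_DLL}"))

    if eid == 1 and _basename(ev.get("Image", "")) == "schtasks.exe":
        # /tn may be quoted and may carry a leading backslash (root task folder)
        m = re.search(r'/tn\s+"?\\?([^"\s]+)', ev.get("CommandLine", ""), re.IGNORECASE)
        if m and m.group(1).lower() == SUSPECT_TASK:
            findings.append(("high", f"scheduled task {m.group(1)} created via schtasks"))

    if eid == 13 and ev.get("TargetObject", "").lower().endswith(
            "\\currentversion\\run\\" + SUSPECT_RUN_VALUE):
        findings.append(("high", f"Run key value set: {ev['TargetObject']}"))

    if eid == 3:
        try:
            dst = ipaddress.ip_address(ev.get("DestinationIp", ""))
        except ValueError:
            dst = None
        # UserAgent is not a Sysmon field; assumed joined in from proxy logs.
        ua_hit = ev.get("UserAgent", "") == GENERIC_UA
        if dst is not None and dst in SUSPECT_NET:
            sev = "high" if ua_hit else "medium"
            findings.append((sev, f"outbound to published range {SUSPECT_NET}: {dst}"))
        # A generic-UA match with no destination hit is deliberately not reported.

    return findings


def scan_jsonl(lines: str) -> List[Finding]:
    """Run match_event over newline-delimited JSON events, skipping blank lines."""
    out: List[Finding] = []
    for line in lines.splitlines():
        if line.strip():
            out.extend(match_event(json.loads(line)))
    return out


# Constructed sample events: the first four should fire, the last two stay quiet.
SAMPLE_EVENTS = r"""
{"EventID": 7, "Image": "C:\\Program Files\\Vendor\\rmmagent.exe", "ImageLoaded": "C:\\ProgramData\\Vendor\\combos.dll"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\schtasks.exe", "CommandLine": "schtasks /create /tn \"CombosUpdate\" /tr C:\\ProgramData\\u.exe /sc minute /mo 30"}
{"EventID": 13, "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\CombosService"}
{"EventID": 3, "DestinationIp": "185.245.12.34", "UserAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36"}
{"EventID": 3, "DestinationIp": "93.184.216.34", "UserAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36"}
{"EventID": 7, "Image": "C:\\Windows\\explorer.exe", "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll"}
"""

if __name__ == "__main__":
    print("published hash valid:", is_valid_sha256(PUBLISHED_SHA256))
    for sev, why in scan_jsonl(SAMPLE_EVENTS):
        print(sev.upper(), why)
```

The fifth sample event carries the profile's User-Agent to a non-listed address and produces nothing, which is the intended behaviour: a stock browser UA is corroboration, not evidence. Swap `SAMPLE_EVENTS` for a real Sysmon export converted to JSON lines and the same rules apply unchanged.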
☠️ Risk & Impact
Combos primarily causes credential theft leading to account takeover and lateral movement, often resulting in data exfiltration of sensitive client information from MSP environments. Financial losses have been estimated in the tens of millions of dollars across multiple organizations, with the healthcare sector heavily impacted due to regulatory penalties. The malware's ability to deploy ransomware payloads escalates damage from data theft to full-scale encryption incidents.
🛡️ Mitigation
Defenders should enforce application allowlisting that covers DLL loads (this also catches side-loaded modules and XLL add-ins, which do not depend on macro settings), block macro execution and untrusted add-ins in Office documents from untrusted sources, and deploy endpoint detection rules (e.g., Sigma rule 2021-0024 for Combos-specific scheduled tasks). Patching MS17-010 (EternalBlue, CVE-2017-0144) and CVE-2017-0199 is critical to close the lateral-movement and delivery paths respectively. Additional mitigation includes enforcing MFA and monitoring for anomalous RDP or VPN authentication attempts, since harvested VPN and RDP credentials are the stealer's primary product; MSPs should additionally restrict and audit access to their RMM tooling, which has been used to push Combos to downstream clients.
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.