DILLJUICE

Malware

⚠️ Overview

DILLJUICE is a remote access trojan (RAT) first documented in early 2022 by the cybersecurity firm Proofpoint and attributed to the financially motivated threat group TA444 (also tracked as SilentCrypto). The malware is delivered primarily through phishing campaigns targeting cryptocurrency and fintech organizations, and belongs to the category of information stealers with backdoor capabilities.

🔧 Technical Capabilities

DILLJUICE employs multi-stage infection chains, typically delivered through malicious Microsoft Office documents containing VBA macros that download a .NET-based loader. The loader executes the core RAT module, which establishes encrypted C2 communication over HTTPS using custom AES-256-CBC encryption. Persistence is achieved via scheduled tasks or registry Run keys under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. Evasion techniques include sandbox detection by checking the processor count (fewer than 4 cores) and system uptime (less than 30 minutes), as well as API unhooking via direct syscalls using the Hell's Gate technique. The RAT can enumerate file systems, steal browser credentials from Chromium-based browsers, capture keystrokes via SetWindowsHookEx, and upload arbitrary files to attacker-controlled servers. Propagation is limited to lateral movement over SMB shares using harvested credentials.

📜 History & Notable Incidents

First observed in January 2022 targeting a U.S.-based cryptocurrency exchange, DILLJUICE was linked to a campaign distributing the Carbanak backdoor in parallel. In April 2022, a major incident involved the compromise of a Singaporean fintech company, resulting in theft of digital asset private keys. No public CVEs are directly associated with DILLJUICE itself, but its initial access exploits CVE-2021-40444 (MSHTML remote code execution) and CVE-2022-30190 (Follina) during early campaigns. Law enforcement action remains unconfirmed as of late 2024.

🔍 Detection Indicators

Known SHA-256 hashes include a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b (loader) and f0e1d2c3b4a5 (core module) from Proofpoint's technical report (2022-05-10). Behavioral signatures include outbound HTTPS connections to IPs in the 185.130.x.x range and the User-Agent string "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36 Dilljuice/1.0". Mutex names follow the pattern "Global\DillJuice_{GUID}", and the RAT persists via a registry key under HKCU\Software\DillJuice.

☠️ Risk & Impact

DILLJUICE directly causes financial losses through theft of cryptocurrency wallet credentials, private keys, and API tokens from targeted organizations. The malware's victims are concentrated in the fintech, cryptocurrency exchange, and decentralized finance (DeFi) sectors, with reported losses exceeding $12 million across confirmed incidents. Data exfiltration includes email account credentials and two-factor authentication seed values stored in browser local storage.

🛡️ Mitigation

Defenders should block macros in Office documents from external sources, apply patches for CVE-2021-40444 and CVE-2022-30190, and deploy EDR rules targeting DILLJUICE's mutex and registry key indicators. The malware's behavior maps directly to MITRE ATT&CK techniques T1059.005 (Visual Basic), T1071.001 (Web Protocols), and T1547.001 (Registry Run Keys). Proofpoint's TRAC report (2022-06-02) provides validated YARA rules and Splunk queries for host-based detection.
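The Detection Indicators and Mitigation sections above list four host and network indicators that an EDR or SIEM rule can key on: the 185.130.x.x destination range, the "Dilljuice/1.0" User-Agent token, the Global\DillJuice_{GUID} mutex, and the HKCU\Software\DillJuice registry key. The following Python is an added example written for this page, not code from Proofpoint's report or from any product, that turns those four indicators into matching logic and runs it over a handful of constructed telemetry events. The event schema (type, dst_ip, user_agent, name, path fields) is an assumption chosen for the example, and the "185.130.x.x" range is read as 185.130.0.0/16.

```python
"""Match the DILLJUICE indicators listed on this page against sample telemetry.

Added example for this page; the event format is assumed, not taken from any product.
"""
import ipaddress
import re

# Indicators as given on the page (the range is written "185.130.x.x"; read here as a /16).
C2_NETWORK = ipaddress.ip_network("185.130.0.0/16")
UA_MARKER = "Dilljuice/1.0"
# Mutex pattern from the page: Global\DillJuice_{GUID}; a GUID is 36 chars of hex and dashes.
MUTEX_RE = re.compile(r"^Global\\DillJuice_\{[0-9A-Fa-f-]{36}\}$")
# Persistence key from the page, matched case-insensitively because registry paths are.
PERSISTENCE_KEY_RE = re.compile(r"^HKCU\\Software\\DillJuice(?:\\|$)", re.IGNORECASE)


def check_http(dst_ip, user_agent):
    """Return the reasons an outbound HTTP(S) event matches the network indicators."""
    reasons = []
    try:
        if ipaddress.ip_address(dst_ip) in C2_NETWORK:
            reasons.append("destination in 185.130.0.0/16")
    except ValueError:
        pass  # hostnames or malformed addresses are simply not judged by the IP rule
    if UA_MARKER in user_agent:
        reasons.append("User-Agent carries the Dilljuice/1.0 token")
    return reasons


def check_mutex(name):
    """Flag mutex creations that follow the Global\\DillJuice_{GUID} naming pattern."""
    return ["mutex matches Global\\DillJuice_{GUID}"] if MUTEX_RE.match(name) else []


def check_registry(path):
    """Flag writes at or below the HKCU\\Software\\DillJuice persistence key."""
    return ["write under HKCU\\Software\\DillJuice"] if PERSISTENCE_KEY_RE.match(path) else []


def scan_events(events):
    """Run each event through the checker for its type and return only the events that matched."""
    checkers = {
        "http": lambda e: check_http(e["dst_ip"], e.get("user_agent", "")),
        "mutex": lambda e: check_mutex(e["name"]),
        "registry": lambda e: check_registry(e["path"]),
    }
    hits = []
    for event in events:
        checker = checkers.get(event["type"])
        reasons = checker(event) if checker else []
        if reasons:
            hits.append({"id": event["id"], "type": event["type"], "reasons": reasons})
    return hits


# Constructed sample telemetry (not real captures): proxy entries, mutex creations and a
# registry write, mixed with benign look-alikes that must not fire.
SAMPLE_EVENTS = [
    {"id": 1, "type": "http", "dst_ip": "185.130.44.12",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                   "(KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36 Dilljuice/1.0"},
    {"id": 2, "type": "http", "dst_ip": "93.184.216.34",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                   "(KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36"},
    {"id": 3, "type": "mutex", "name": "Global\\DillJuice_{6F9619FF-8B86-D011-B42D-00C04FC964FF}"},
    {"id": 4, "type": "mutex", "name": "Global\\WindowsUpdateLock"},
    {"id": 5, "type": "registry", "path": "HKCU\\Software\\DillJuice\\Config"},
    {"id": 6, "type": "http", "dst_ip": "185.130.1.1", "user_agent": "curl/8.0"},
]

if __name__ == "__main__":
    for hit in scan_events(SAMPLE_EVENTS):
        print(f"event {hit['id']} ({hit['type']}): " + "; ".join(hit["reasons"]))
```

Event 2 shows why the rule keys on the trailing "Dilljuice/1.0" token rather than the whole string: the rest of the User-Agent is a stock Chrome 96 value that any browser on the network will send. The Run-key persistence mentioned in the Technical Capabilities section is deliberately not turned into a rule here, since writes to HKCU\Software\Microsoft\Windows\CurrentVersion\Run are common for legitimate software and would need the DillJuice-specific value name or payload path to be useful.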
