A significant uptick in activity from the Tsunami malware family has cybersecurity experts on high alert, as threat actors continue to refine this multipurpose attack platform.
Active campaigns, notably the “Contagious Interview” operation, have been observed leveraging the Tsunami Framework to target both common and obscure cryptocurrencies, while simultaneously exfiltrating sensitive credential data from infected systems.
This wave of attacks highlights the convergence of crypto-mining and information-stealing functionalities, underscoring the technical sophistication and adaptability of this evolving threat.
New Multi-Module Tsunami Framework Targets Crypto Assets and Credentials
Recent technical analyses reveal that the initial compromise is typically achieved through a multi-stage infection chain.
Attackers deploy malicious loaders, such as the BeaverTail payload, via external domains and private GitHub repositories.
Upon execution, these loaders unpack additional malware, specifically the InvisibleFerret module, using Python-based launchers with carefully crafted configurations.
These scripts install not only a local Python interpreter (to satisfy version dependencies) but also two persistent components: the “Tsunami-Injector” and the “Tsunami-Installer.”
Notably, the Injector masquerades as a legitimate Windows update script and is dropped into the Startup folder, so it runs at every user logon, while the Installer is hidden inside application directories and shielded from scanning by Windows Defender and firewall exclusions. An exclusion does not grant the Installer any privilege; it simply stops the excluded path from being inspected.
One distinct aspect of this campaign is its heavy use of obfuscation and redundancy.
The loader carries an encrypted list of more than a thousand Pastebin URLs, which it polls for configuration updates and fresh payload download links.
According to the report, the list is obfuscated with a static XOR key (“!!!HappyPenguin1950!!!”); it is decrypted at runtime and each entry is checked for new instructions. A fixed XOR key is obfuscation rather than encryption: once an analyst recovers the key from the loader, the whole list can be decrypted offline.
Once an updated installer is located, the .NET Tsunami-Installer entrenches itself further by adding more exclusions to the security controls and running a multi-stage PowerShell routine that disables both Windows Defender and the Windows Firewall.
Depending on whether a flag file (“TsuAmFlag.txt”) is present, the installer changes its behaviour and lies dormant for varying intervals in an attempt to evade detection.
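As an added example (not code from the report or from the Tsunami loader itself), the following Python reimplements the static-key XOR scheme described above using the key quoted in the report, and shows why such a key offers no real protection: a known-plaintext crib such as the common `https://pastebin.com/raw/` prefix recovers the entire key. The container format (UTF-8 text, one URL per line), the sample URLs and the function names are assumptions for illustration; the real sample's framing may differ.

```python
"""
Added example, not code from the report or the analysed loader.
Reimplements repeating-key XOR with the key the report quotes, plus a
known-plaintext key recovery. Container format (UTF-8, one URL per line)
and the sample URLs are assumptions.
"""
from itertools import cycle

KEY = b"!!!HappyPenguin1950!!!"  # key quoted in the report

# Constructed placeholder URLs; not IOCs from the report.
SAMPLE_URLS = [
    "https://pastebin.com/raw/EXAMPLE1",
    "https://pastebin.com/raw/EXAMPLE2",
    "https://pastebin.com/raw/EXAMPLE3",
]


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. XOR is its own inverse, so one routine encrypts and decrypts."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def encrypt_url_list(urls: list[str], key: bytes = KEY) -> bytes:
    """Serialise the list as newline-separated UTF-8 (assumed framing) and XOR it."""
    return xor_bytes("\n".join(urls).encode("utf-8"), key)


def decrypt_url_list(blob: bytes, key: bytes = KEY) -> list[str]:
    """Inverse of encrypt_url_list; blank lines are dropped."""
    text = xor_bytes(blob, key).decode("utf-8", errors="replace")
    return [line for line in text.split("\n") if line]


def looks_decrypted(urls: list[str]) -> bool:
    """Plausibility check when trying candidate keys: every entry should be a URL."""
    return bool(urls) and all(u.startswith(("http://", "https://")) for u in urls)


def recover_key(blob: bytes, crib: bytes, key_len: int) -> bytes:
    """Known-plaintext attack: if the first key_len plaintext bytes are known,
    XORing them with the ciphertext yields the key directly."""
    if len(crib) < key_len:
        raise ValueError("crib must cover at least one full key period")
    return xor_bytes(blob[:key_len], crib[:key_len])


if __name__ == "__main__":
    blob = encrypt_url_list(SAMPLE_URLS)
    print("decrypted:", decrypt_url_list(blob))
    # The shared pastebin prefix is longer than the 22-byte key, so it recovers it whole.
    print("recovered key:", recover_key(blob, b"https://pastebin.com/raw/", len(KEY)))
```

The crib attack works here because the key period (22 bytes) is shorter than the shared URL prefix; for a longer key, recovering several list entries and aligning them at multiples of the period achieves the same result.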
Persistent Evasion Techniques and Evolving Payloads Observed
Crucially, the Tsunami Installer bundles a Tor client, which it unpacks from a compressed payload embedded in its resources.
This Tor module is immediately employed to establish encrypted communications with a hardcoded Onion address (“n34kr3z26f3jzp4ckmwuv5ipqyatumdxhgjgsmucc65jac56khdy5zqd.onion”), through which it downloads client modules.
The modularity of Tsunami is a defining trait: the client features an expansive suite of plugins, including credential stealers for major browsers (Chrome, Edge, Firefox, Opera, Brave), keyloggers, cookie extractors, Discord account grabbers, and several cryptomining platforms targeting Monero and Ethereum (leveraging XMRig and other tools).
The “SecretFileStealer” module is a recent addition: it automatically uploads any files that match conditions the operator sets through the C2.
Persistence and data exfiltration are further reinforced through scheduled tasks and regular C2 beacons.
The malware’s command-and-control infrastructure exposes multiple RESTful endpoints to facilitate exfiltration of credentials, browser session data, environment fingerprints, and periodic telemetry.
Moreover, forensic analysis of configuration files (notably “xmrig_config.json”) suggests that some Tsunami deployments are still in a testing phase, since the “rig-id” value is set to “test.”
From a defensive standpoint, the attack chain maps to a broad set of MITRE ATT&CK techniques, including Scheduled Task/Job (T1053) for persistence, Command and Scripting Interpreter (T1059) for execution, Disable or Modify Tools (T1562.001) for the Defender and firewall tampering, Credentials from Web Browsers (T1555.003), Steal Web Session Cookie (T1539), and Resource Hijacking (T1496) for cryptomining.
The sophisticated interplay between info-stealing and resource hijacking in a single, actively maintained framework renders Tsunami a formidable challenge for incident responders.
Security teams are urged to monitor for the indicators of compromise (IOCs) listed below and to review any anomalous use of Python or .NET binaries, especially those masquerading as legitimate Windows components (the PDB path recovered from the client names it “Runtime Broker”) or attempting to disable or bypass system defences.
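As an added example (not code from the report or from Tsunami), the following Python applies the three host-level checks suggested by the write-up to a handful of constructed, Sysmon-style process-creation records: a Windows system binary name running outside the Windows directory, Defender or firewall tampering on the command line, and a script launched from a Startup folder. The record field names, the list of imitated binaries, the sample paths and the sample commands are all assumptions for illustration and are not IOCs.

```python
"""
Added example, not code from the report or from Tsunami. Triage pass over
constructed process-creation records. Field names, the imitated-binary list
and every sample record are assumptions; none of them are IOCs.
"""
import re
from pathlib import PureWindowsPath

# Constructed sample records resembling the behaviours described in the write-up.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\RuntimeBroker.exe",
     "cmdline": r"C:\Windows\System32\RuntimeBroker.exe -Embedding"},
    {"image": r"C:\Users\alice\AppData\Roaming\SomeApp\Runtime Broker.exe",
     "cmdline": r'"C:\Users\alice\AppData\Roaming\SomeApp\Runtime Broker.exe"'},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -w hidden -c Add-MpPreference -ExclusionPath C:\Users\alice\AppData\Roaming\SomeApp"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -c Set-MpPreference -DisableRealtimeMonitoring $true; netsh advfirewall set allprofiles state off"},
    {"image": r"C:\Users\alice\AppData\Local\Programs\Python\Python311\python.exe",
     "cmdline": r'python.exe "C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsUpdate.py"'},
    {"image": r"C:\Program Files\Notepad++\notepad++.exe",
     "cmdline": r'"C:\Program Files\Notepad++\notepad++.exe" notes.txt'},
]

WINDOWS_BIN_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
# Assumed list of signed Windows binaries whose names malware tends to borrow.
IMITATED_BINARIES = {"runtimebroker.exe", "svchost.exe", "dllhost.exe", "taskhostw.exe"}

# Command-line patterns for Defender/firewall tampering via PowerShell or netsh.
TAMPER_PATTERNS = [
    re.compile(r"(?i)(set|add)-mppreference\s+.*-(disable\w+|exclusion(path|process|extension))"),
    re.compile(r"(?i)netsh\s+advfirewall\s+set\s+\w+\s+state\s+off"),
    re.compile(r"(?i)set-netfirewallprofile\s+.*-enabled\s+(false|\$false|0)"),
]
STARTUP_SCRIPT = re.compile(r'(?i)\\start menu\\programs\\startup\\([^"\s]+)')
SCRIPT_EXTENSIONS = {".py", ".pyw", ".ps1", ".bat", ".cmd", ".vbs", ".js"}


def check_masquerade(event):
    """Flag a known system binary name (spaces ignored) running outside System32/SysWOW64."""
    path = PureWindowsPath(event["image"])
    name = path.name.replace(" ", "").lower()   # "Runtime Broker.exe" -> "runtimebroker.exe"
    parent = str(path.parent).lower()
    if name in IMITATED_BINARIES and not parent.startswith(WINDOWS_BIN_DIRS):
        return f"system binary name outside Windows dir: {event['image']}"
    return None


def check_tamper(event):
    """Flag command lines that add exclusions or switch Defender/firewall off."""
    for pattern in TAMPER_PATTERNS:
        if pattern.search(event["cmdline"]):
            return f"Defender/firewall tampering: {event['cmdline']}"
    return None


def check_startup_script(event):
    """Flag a script file executed from a per-user or common Startup folder."""
    match = STARTUP_SCRIPT.search(event["cmdline"])
    if match and PureWindowsPath(match.group(1)).suffix.lower() in SCRIPT_EXTENSIONS:
        return f"script run from Startup folder: {match.group(1)}"
    return None


CHECKS = [
    ("system_binary_masquerade", check_masquerade),
    ("defender_firewall_tamper", check_tamper),
    ("startup_folder_script", check_startup_script),
]


def triage(events):
    """Run every check over every record; returns (rule name, detail) pairs in order."""
    hits = []
    for event in events:
        for rule, check in CHECKS:
            detail = check(event)
            if detail:
                hits.append((rule, detail))
    return hits


if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

On a real host these checks would be fed from Sysmon Event ID 1 or Security 4688 records rather than the inline list; the name normalisation is the important detail, since a space inserted into a legitimate binary name defeats a naive exact-match allowlist.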
Indicators of Compromise (IOCs)
Value | Type | Comment |
---|---|---|
3f424b477ac16463e871726cbb106d41574d2d0e910dee035fbd23241515e770 | SHA256 | Tor.exe |
b25e1a54e9c53bf6367c449be46f32241d1fd9bf76be9934d42c121105fb497d | SHA256 | AMD_Compute_Mode_Enabler.reg |
bb3af0c03e6b0833fa268d98e5a8b19e78fb108a830b58b2ade50c57e9fc9bed | SHA256 | ETHW_Miner.exe |
f96744a85419907e7c442b13beeefb6f985f3905a992dfefee03820ec6570fea | SHA256 | ldbdump.exe |
2883b1ae430003f3eff809f0461e18694ee1e2bc38c98f9eff22a50b5043a770 | SHA256 | XMRig.exe |
94186315edde9ab18d6772449bb0b33a37490c336fccbc81bc7a6b6b728232b1 | SHA256 | xmrig_config.json |
11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5 | SHA256 | XMRig_Driver.sys |
C:\Tsunami\Tsunami Stable\Tsunami Client\obj\Release\net6.0\win-x64\Runtime Broker.pdb | PDB Path | Debug Path |
3769508daa5ee5955c7d0a5493b0a159e874745e575ac6ea1a5b544358132086 | SHA256 | Packed Sample from Onion |
28660b81fd4898da3b9a861af716dc2ed60dd6a6eb582782e9d8451b1f257630 | SHA256 | Unpacked Sample from Onion |
23.254.229[.]101 | IPv4 | Associated C2 Node |
http://23.254.229[.]101/cat-video | URL | Hosts Tsunami Installer |
n34kr3z26f3jzp4ckmwuv5ipqyatumdxhgjgsmucc65jac56khdy5zqd.onion | Onion Domain | Core Command & Control |