Suspicious File Download From File Sharing Domain Via Wget.EXE
This brief details a high-severity threat involving the use of `wget.exe` to download suspicious files from known file-sharing domains, a technique observed in campaigns by threat actors such as FIN7 and Mint Sandstorm, enabling initial malware delivery and subsequent system compromise.
This threat brief focuses on the abuse of wget.exe, a legitimate command-line utility, by malicious actors to download suspicious files from various public file-sharing and content delivery network (CDN) domains. This technique is commonly employed during the execution phase of an attack to deliver malware, additional tools, or configuration files to compromised systems, often bypassing traditional network security controls. Prominent threat actors, including FIN7 and Mint Sandstorm (also known as Phosphorus/APT35), have been observed leveraging this method in their campaigns. For instance, FIN7 utilized such downloads in their attacks targeting Veeam servers, while Mint Sandstorm employed similar tactics in campaigns against high-profile individuals in universities and research organizations in early 2024. Detection of wget.exe making connections to domains like githubusercontent.com, anonfiles.com, or mega.nz for executable or script file types is a critical indicator of potential malicious activity.
Impact
Successful exploitation via suspicious file downloads using wget.exe can lead to severe consequences. Attackers can deliver a variety of payloads, including remote access trojans (RATs), ransomware, information stealers, or custom backdoors, leading to full system compromise. This can result in unauthorized data exfiltration, disruption of operations, financial theft (as seen with FIN7), or corporate espionage (as seen with Mint Sandstorm). The long-term impact includes significant financial losses, reputational damage, and extensive recovery efforts. The scope of targeting for actors employing this technique can range from specific high-value individuals and organizations to broader campaigns.
Recommendation
- Deploy the Sigma rule
Suspicious File Download From File Sharing Domain Via Wget.EXEto your SIEM/detection platform and tune it for your environment. - Enable
process_creationlogging on all Windows endpoints to capturewget.exeexecution details, including command-line arguments. - Review network traffic logs for connections to the domains listed in the
iocssection and consider blocking or alerting on outbound connections from sensitive systems to these domains.
Detection coverage 1
Suspicious File Download From File Sharing Domain Via Wget.EXE
highDetects potentially suspicious file downloads from file sharing domains using wget.exe, often indicative of malware delivery or C2 operations.
Detection queries are available on the platform. Get full rules →
Indicators of compromise
36
domain
| Type | Value |
|---|---|
| domain | githubusercontent.com |
| domain | 0x0.st |
| domain | anonfiles.com |
| domain | bashupload.com |
| domain | cdn.discordapp.com |
| domain | chunk.io |
| domain | ddns.net |
| domain | dl.dropboxusercontent.com |
| domain | ghostbin.co |
| domain | github.com |
| domain | glitch.me |
| domain | gofile.io |
| domain | hastebin.com |
| domain | mediafire.com |
| domain | mega.nz |
| domain | onrender.com |
| domain | pages.dev |
| domain | paste.ee |
| domain | pastebin.com |
| domain | pastebin.pl |
| domain | pastetext.net |
| domain | pixeldrain.com |
| domain | privatlab.com |
| domain | privatlab.net |
| domain | send.exploit.in |
| domain | sendspace.com |
| domain | storage.googleapis.com |
| domain | storjshare.io |
| domain | supabase.co |
| domain | temp.sh |
| domain | transfer.sh |
| domain | trycloudflare.com |
| domain | ufile.io |
| domain | w3spaces.com |
| domain | workers.dev |
| domain | x0.at |