Security researchers have recently discovered a sophisticated malware operation called the “Tsunami-Framework” that combines credential theft, cryptocurrency mining, and potential botnet capabilities.
The framework employs advanced evasion techniques to bypass security measures and maintain persistent access to infected systems.
Analysis of the framework indicates it may still be in testing phases, but already demonstrates concerning capabilities that could pose significant risks to organizations and individuals.
The Tsunami-Framework achieves initial system access through a malicious loader called “BeaverTail-Payload,” delivered via third-party domains and private GitHub repositories.
Once executed, this loader deploys “InvisibleFerret” malware that establishes multiple persistence mechanisms across the target system.
The framework installs components with legitimate-sounding names such as “Windows Update Script.pyw” in Windows startup folders and “Runtime Broker.exe” in application directories.
To ensure continued operation, Tsunami creates scheduled tasks that activate when users log in and systematically disables security protections by adding numerous Windows Defender exclusions for its components.
The malware also configures Windows Firewall rules allowing its modules to communicate freely, often disguising its traffic under legitimate names like “Microsoft Edge WebEngine”.
Before fully activating, the malware lies dormant for periods of 1-5 minutes, helping it evade immediate detection by security monitoring tools.
Key technical details of the persistence and evasion mechanisms:
- Installs “Windows Update Script.pyw” in the Startup folder for automatic execution at logon
- Drops “Runtime Broker.exe” in the Applications directory and adds it to Windows Defender exclusions
- Uses PowerShell scripts to create scheduled tasks for secondary persistence
- Adds multiple Windows Defender and Firewall exclusions for its components, including startup scripts, application executables, system dependencies, and common browser executables
- Implements firewall rules under the guise of “Microsoft Edge WebEngine” to allow network traffic
- Sleeps for 1 or 5 minutes depending on the presence of a specific flag file, delaying full activation to avoid detection
Extensive Theft Capabilities and Command Infrastructure
Tsunami delivers an impressive array of malicious modules designed to extract valuable data from infected systems.
These include specialized credential stealers targeting multiple browsers (Chrome, Firefox, Edge, Opera GX, and Brave), cryptocurrency wallet theft tools, keyloggers, and a recently developed “SecretFileStealer” module that exfiltrates specific files of interest.
For covert communications, the framework deploys a Tor client and connects to a command-and-control server hosted at an onion domain, making traffic analysis extremely difficult.
Through multiple API endpoints, the malware can receive instructions and transmit stolen data while remaining hidden from conventional network monitoring.
Additionally, the framework includes cryptocurrency mining functionality with XMRig software configured to mine Monero, suggesting financial motivation behind the operation.
Detection Methods and Security Recommendations
Security researchers have developed specialized YARA rules to detect Tsunami framework components across networks.
These detection signatures identify specific code patterns and communication endpoints associated with the malware, giving defenders a way to identify infections.
The rules target unique strings embedded in the malware, including API endpoints and encoded URLs used for command and control.
Organizations should implement these detection rules and monitor systems for suspicious activities such as unexpected Windows Defender exclusions, unusual scheduled tasks, and unauthorized modifications to firewall rules.
Security teams should pay particular attention to applications mimicking legitimate Windows processes like “Runtime Broker” appearing in non-standard locations.
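As an added example (not from the report or the researchers it cites), the following PowerShell audit enumerates the host artifacts listed above so they can be compared against a known-good baseline: Defender exclusions, script files in the Startup folders, Runtime Broker processes outside System32, logon-triggered scheduled tasks, and firewall rules carrying the disguised display name. It assumes an elevated session on Windows 10/11 with the Defender and NetSecurity modules available; the list of script extensions checked is an assumption.

```powershell
# Added audit script (not from the original report). The quoted names in the
# comments come from the report; the extension list and path checks are assumptions.

# 1. Windows Defender exclusions: on a managed workstation this list is usually
#    empty or short; the framework adds many path and process exclusions at once.
$pref = Get-MpPreference
foreach ($e in (@($pref.ExclusionPath) + @($pref.ExclusionProcess))) {
    if ($e) { Write-Output "Defender exclusion: $e" }
}

# 2. Script files in the per-user and all-users Startup folders
#    (the report names "Windows Update Script.pyw").
foreach ($folder in 'Startup', 'CommonStartup') {
    $dir = [Environment]::GetFolderPath($folder)
    Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -in '.pyw', '.py', '.ps1', '.vbs', '.js' } |
        ForEach-Object { Write-Output "Startup script: $($_.FullName)" }
}

# 3. Processes named like Runtime Broker that do not run from System32
#    (the legitimate RuntimeBroker.exe lives in %SystemRoot%\System32;
#    the report's dropped file is "Runtime Broker.exe" in an application directory).
Get-Process -Name 'Runtime*Broker' -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -and $_.Path -notlike "$env:SystemRoot\System32\*" } |
    ForEach-Object { Write-Output "Runtime Broker outside System32: $($_.Path)" }

# 4. Scheduled tasks with a logon trigger, and what each one executes.
Get-ScheduledTask | Where-Object {
    $_.Triggers | Where-Object { $_.CimClass.CimClassName -eq 'MSFT_TaskLogonTrigger' }
} | ForEach-Object {
    foreach ($a in $_.Actions) {
        Write-Output "Logon task '$($_.TaskName)': $($a.Execute) $($a.Arguments)"
    }
}

# 5. Firewall rules carrying the disguised name, with the program they allow.
Get-NetFirewallRule -DisplayName '*Microsoft Edge WebEngine*' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $app = $_ | Get-NetFirewallApplicationFilter
        Write-Output "Firewall rule '$($_.DisplayName)' ($($_.Direction), $($_.Action)): $($app.Program)"
    }
```

Review the output against a baseline taken from a clean build; a firewall rule under that display name that points at a program in a user-writable directory, or a logon task that launches a .pyw file, is the kind of discrepancy the report describes.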
Given indications that this malware framework remains under active development, cybersecurity teams should prepare for potential new variants with expanded capabilities in the future.