Rewterz Threat Alert – Predator the Thief – IOC’s

Thursday, January 9, 2020

Severity

Medium

Analysis Summary

A new release of the malware known as Predator the Thief, labeled version 3.3.4, has been identified. There have been small development differences between each minor version, which together make this latest version very different from earlier ones. It has been active since at least December 2019. The recent campaign uses phishing documents designed to look like invoices, all delivering the same Predator the Thief payload.

Figure 1: Infection chain of recent Predator the Thief campaign


Figure 2: Example phishing document

Once the document is opened, the malware performs the following operations:

1. AutoOpen macro runs the malware VBA script.

2. It downloads three files through PowerShell.

  • VjUea.dat: Legitimate AutoIt3.exe
  • SevSS.dat: Base64-encoded AutoIt script with a certificate header
  • apTz.dat: RC4-encrypted Predator the Thief payload

Figure 3: PowerShell for downloading files, compiling loader, and running loader to load Predator the Thief

3. It then uses the legitimate AutoIt3.exe to run the decoded AutoIt script.

"SevSS.dat" is decoded by certutil.exe, a legitimate command line program that is part of Certificate Services in Windows. The decoded script is then run to decrypt apTz.dat into the Predator the Thief payload.

Figure 4: Certificate header and base64-encoded AutoIt script (.au3)

Impact

Data exfiltration

Indicators of Compromise

SHA-256

  • 670c3bb2d41335cee28f4fe90cf9a76a9b68a965e241df648a0198e0be6a9df1
  • 46710b47763f27a6ffb39055082fa22e3e5a2bd9ae602ea651aefe01079e0c8d
  • bcf6f482a8a7e81d3e96c54840d2d341d12923a3277688eddd2534d614dab70b
  • 67093ad07a8342c42b01dd1645dbd18ea82cc13081b5ba84fa87617675cc7054
  • 76a4e5baa3650dff80df493fa4aaf04d37bb5d20d7a569ec3bc550bdfb3c1991
  • 50f7c8b3c825930b242dceef47bec9e7039bff40362f960c84cd9ff9edafc94b
  • 759dc4b2ab45e6faf7a9f1325f75956c1954f3695400e66670f6950c06db44c2
  • 4792c8a417b7accd3092788504332881154785a9ee2db2e93e63306813497c7c
  • 35820393614d39e600b4afc3332de4547f25f4b5d076b43ea1af98020ec5a8f0
  • 91722acec748c76de9d98e1797186a03dc9ab2efbd065a0f04e7c04654644dba
  • 14b25649cf6f10670fc8e1afb923895ae0300a8feb78e5033488879d5206267b
  • b53dd972d466e2d2ded3ce8cc7af28eda77f2939de0d9c1fbd3663fd057ea87d
  • cb76b3ee29944a7d8b839025c1e9eae32b188443a7bf5cbfbf7eabe682424d92
  • 68875254237c6f887d0f9771b8f356381f8a0384841ae422ef2d49faf30932e9
  • 248ad207c6891d84765ea81d0aa3ca04bee69e0467dff8d693fa4eb76a491c16
  • 4cac9af0198fe82f5ae87ac19e964471f6e87461743a21054c2f063be9c2c514
  • 3118a980caf696fc5c84cb9ee88015f3a0cf205f021270b1f4f313bbae6b6464
  • caeb9b2518d47f3df6f2ec515ce314dca6993370b9e124479bff959075379a90
  • e5420cf530192596f2c388eeecfd8d6754af06939461629c94d509b991b967f4
  • c392229b34617ee5bc9e48bacde3fc8e9046eea51e6101624d312719e970dc00
  • 6215d8637357be64510af9daf778ce12bf8401cdd16216a24da257d42217c65b
  • c97d6c8075bd9c55fbdcadda6c69c21432d59e872acdc860228b2709edbb6e6c
  • 36fe75ca8ca8bcef475737dae530e50eb262484ba0cd4dac0081d8508412d0ad
  • dce3bb2609c710339569404f8dce4e0786521bb0de46ad9358fc27d5b687f043

URL

  • hxxp[:]//stranskl[.]site/
  • hxxp[:]//stranskl[.]site/apTz[.]dat
  • hxxp[:]//stranskl[.]site/VjUea[.]dat
  • hxxp[:]//stranskl[.]site/SevSS[.]dat
  • hxxp[:]//stranskl[.]site/api/check[.]get
  • hxxp[:]//stranskl[.]site/api/gate[.]get
  • hxxp[:]//corp2[.]site/
  • hxxp[:]//corp2[.]site/api/check[.]get
  • hxxp[:]//corp2[.]site/api/gate[.]get
  • hxxp[:]//tretthing[.]site/
  • hxxp[:]//tretthing[.]site/api/check[.]get
  • hxxp[:]//tretthing[.]site/api/gate[.]get
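The infection chain above (Office macro to PowerShell, certutil.exe used as a base64 decoder, a renamed AutoIt3.exe running a script from a user-writable path) and the indicator lists lend themselves to a simple process-creation detector. The following is an added example written for this alert, not code from Rewterz; the event records are constructed in a Sysmon-like shape (Image, ParentImage, OriginalFileName, CommandLine, SHA256), the hashes and URLs are copied from the lists above (a subset of the SHA-256 list), and which file a given hash is paired with in the sample events is a constructed assumption.

```python
"""Process-creation detection sketch for the Predator the Thief chain (added example)."""
import re

# Defanged URLs and a subset of the SHA-256 hashes, copied from the alert's IoC lists.
DEFANGED_URLS = [
    "hxxp[:]//stranskl[.]site/apTz[.]dat",
    "hxxp[:]//stranskl[.]site/VjUea[.]dat",
    "hxxp[:]//stranskl[.]site/SevSS[.]dat",
    "hxxp[:]//stranskl[.]site/api/gate[.]get",
    "hxxp[:]//corp2[.]site/api/gate[.]get",
    "hxxp[:]//tretthing[.]site/api/check[.]get",
]
IOC_SHA256 = {
    "670c3bb2d41335cee28f4fe90cf9a76a9b68a965e241df648a0198e0be6a9df1",
    "46710b47763f27a6ffb39055082fa22e3e5a2bd9ae602ea651aefe01079e0c8d",
    "bcf6f482a8a7e81d3e96c54840d2d341d12923a3277688eddd2534d614dab70b",
}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}


def refang(ioc: str) -> str:
    """Turn a defanged IoC ('hxxp[:]//a[.]b/x') back into a matchable URL."""
    s = ioc.replace("[:]", ":").replace("[.]", ".")
    if s.startswith("hxxp"):
        s = "http" + s[4:]
    return s


def ioc_domains(defanged):
    """Extract the set of host names from a list of defanged URLs."""
    return {re.match(r"https?://([^/]+)", refang(u)).group(1) for u in defanged}


IOC_DOMAINS = ioc_domains(DEFANGED_URLS)


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(event: dict) -> list:
    """Return the names of the detection rules one process-creation event triggers."""
    hits = []
    image = basename(event.get("Image", ""))
    parent = basename(event.get("ParentImage", ""))
    original = event.get("OriginalFileName", "").lower()   # survives renaming of the binary
    cmd = event.get("CommandLine", "").lower()
    sha = event.get("SHA256", "").lower()

    # Steps 1-2: an Office document's macro launching PowerShell.
    if parent in OFFICE_APPS and image == "powershell.exe":
        hits.append("office_spawned_powershell")
    # Step 3: certutil.exe used as a base64 decoder rather than for certificate work.
    if image == "certutil.exe" and "-decode" in cmd:
        hits.append("certutil_decode")
    # Step 3: the AutoIt3 interpreter (possibly renamed, e.g. VjUea.dat) fed a script
    # from a user-writable directory.
    if "autoit3.exe" in (image, original) and re.search(r"\\(temp|appdata|public|users)\\", cmd):
        hits.append("autoit_script_from_user_path")
    # Direct indicator matches from the alert.
    if any(d in cmd for d in IOC_DOMAINS):
        hits.append("ioc_domain_in_commandline")
    if sha in IOC_SHA256:
        hits.append("ioc_sha256")
    return hits


# Constructed sample events; the download command is elided on purpose.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "OriginalFileName": "PowerShell.EXE",
     "CommandLine": 'powershell.exe -w hidden -c "[elided] http://stranskl.site/apTz.dat"'},
    {"ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Image": r"C:\Windows\System32\certutil.exe", "OriginalFileName": "CertUtil.exe",
     "CommandLine": r"certutil.exe -decode C:\Users\alice\AppData\Local\Temp\SevSS.dat "
                    r"C:\Users\alice\AppData\Local\Temp\SevSS.au3"},
    {"ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Image": r"C:\Users\alice\AppData\Local\Temp\VjUea.dat", "OriginalFileName": "AutoIt3.exe",
     "CommandLine": r'"C:\Users\alice\AppData\Local\Temp\VjUea.dat" C:\Users\alice\AppData\Local\Temp\SevSS.au3',
     # Hash taken from the alert's list; pairing it with this file is a constructed assumption.
     "SHA256": "670c3bb2d41335cee28f4fe90cf9a76a9b68a965e241df648a0198e0be6a9df1"},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\certutil.exe",
     "OriginalFileName": "CertUtil.exe", "CommandLine": r"certutil.exe -verify C:\certs\corp.cer"},
]


def scan(events):
    """Return (event index, triggered rules) for every event that matched at least one rule."""
    flagged = []
    for i, e in enumerate(events):
        hits = classify(e)
        if hits:
            flagged.append((i, hits))
    return flagged


if __name__ == "__main__":
    for i, hits in scan(SAMPLE_EVENTS):
        print(f"event {i}: {', '.join(hits)}")
```

The OriginalFileName check matters because the campaign ships the interpreter under the name VjUea.dat; matching on the image name alone would miss it. The benign fourth event (certutil -verify from Explorer) is included to show that the certutil rule keys on the -decode switch rather than on the program itself.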

Remediation

  • Block all threat indicators at your respective controls.
  • Always be suspicious about emails sent by unknown senders.
  • Never click on the links/attachments sent by unknown senders.
