Rewterz Threat Alert – Malspam Campaign Distributing the NanoCore RAT Malware
April 16, 2019
Rewterz Threat Alert – AutoIt-Wrapped NanoCore RAT Malspam – Threat Indicators
April 16, 2019
Severity
Medium
Analysis Summary
A new password- and data-stealing operation, built around a rootkit driver digitally signed with a possibly stolen certificate, has recently been observed. Operators of this rootkit-enabled spyware continuously test new components on already-infected users and regularly make minor improvements to old components. After initially targeting China, the group is now targeting victims worldwide.
The operation is capable of the following:
- Extracting cookies and stealing login credentials from Google Chrome, Chromium, Mozilla Firefox, Opera, Microsoft Edge, Internet Explorer, Baidu Browser and Yandex Browser.
- Stealing the user’s payment account details from their Facebook, Amazon and Airbnb pages.
- Sending friend requests to other accounts from the user’s Facebook account.
- Sending phishing messages to the victim’s Facebook friends containing malicious APKs, so that Android users are infected as well.
- Stealing the login credentials for the user’s Steam account.
- Injecting JavaScript adware into Internet Explorer.
- Installing Chrome/Opera extensions to inject JavaScript adware into those browsers as well.
- Exfiltrating browsing history.
- Silently displaying ads or muted YouTube videos to users via Chrome.
- Installing Chrome if it is not already on the victim’s computer.
- Subscribing users to YouTube channels.
- Downloading and executing arbitrary payloads.
Impact
- Information Disclosure
- Credential Theft
- Malware Infection
Indicators of Compromise
URLs
Malware Hash (MD5/SHA1/SHA256)
Remediation
- Block the threat indicators at their respective controls.
- Do not save login credentials in these browsers.
- Install well-reputed, authentic ad blockers.