Rewterz Threat Alert – Raddex Malware Targeting Arabic-speakers, Linked to Golden RAT
June 19, 2020
Severity
High
Analysis Summary
The Cobalt group is currently targeting financial organizations around the world. It has modified its flagship tools, CobInt and COM-DLL-Dropper, which it uses together with the more_eggs JavaScript backdoor, and has also started using new methods to deliver malware and bypass security in the initial stages of the kill chain. The more_eggs JavaScript backdoor is detected by the ETPro ruleset, including in public sandboxes, whereas CobInt traffic does not trigger security mechanisms. In addition, CobInt downloads its main library from the command and control (C2) server directly into memory, while COM-DLL-Dropper saves the obfuscated more_eggs to disk and then executes it in memory. COM-DLL-Dropper therefore leaves more artifacts on the infected machine.
Impact
- Security bypass
- Financial loss
Indicators of Compromise
Domain Name
- timeswindows[.]com
- telekom-support[.]info
- ecb-european[.]eu
Hostname
- origin[.]cdn77[.]kz
- download[.]sabaloo[.]com
- maps[.]doaglas[.]com
Source IP
- 45[.]80[.]69[.]34
Remediation
Block the threat indicators at their respective controls.
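As an added example (not part of the Rewterz alert), the following Python refangs the domain, hostname and IP indicators listed above and scans log lines for them, so the same list can drive a retrospective check of DNS, proxy or firewall logs as well as a blocklist; the sample log lines are constructed for the demonstration.

```python
import re

# Indicators taken from this alert, in the defanged form the page uses.
DEFANGED_IOCS = {
    "domain": ["timeswindows[.]com", "telekom-support[.]info", "ecb-european[.]eu"],
    "hostname": ["origin[.]cdn77[.]kz", "download[.]sabaloo[.]com", "maps[.]doaglas[.]com"],
    "ip": ["45[.]80[.]69[.]34"],
}

def refang(indicator: str) -> str:
    """Turn a defanged indicator ("[.]" for ".") back into a matchable value."""
    return indicator.replace("[.]", ".").lower()

def build_lookup(defanged: dict) -> dict:
    """Map each refanged indicator to its type for direct matching."""
    return {refang(v): kind for kind, values in defanged.items() for v in values}

# Candidate hosts/IPs in a log line: any dotted run of name or IPv4 characters.
_TOKEN = re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)+\b", re.IGNORECASE)

def matches_in_line(line: str, lookup: dict) -> list:
    """Return (indicator, type) pairs for every listed IoC found in one log line."""
    hits = []
    for token in _TOKEN.findall(line):
        token = token.lower()
        for ioc, kind in lookup.items():
            # Exact match, or a subdomain of a listed domain/hostname.
            if token == ioc or (kind != "ip" and token.endswith("." + ioc)):
                hits.append((ioc, kind))
    return hits

def scan_logs(lines, defanged=DEFANGED_IOCS) -> list:
    """Scan log lines; return (line_number, indicator, type) for every hit."""
    lookup = build_lookup(defanged)
    found = []
    for n, line in enumerate(lines, 1):
        for ioc, kind in matches_in_line(line, lookup):
            found.append((n, ioc, kind))
    return found

# Constructed sample log lines (not from the alert), one hit each on lines 1, 2 and 4.
SAMPLE_LOGS = [
    "2020-06-19T10:01:02Z dns query host1 A timeswindows.com",
    "2020-06-19T10:01:05Z proxy host2 GET http://download.sabaloo.com/update.bin 200",
    "2020-06-19T10:01:09Z dns query host3 A www.example.com",
    "2020-06-19T10:02:11Z fw allow 10.0.0.5 -> 45.80.69.34:443",
]

if __name__ == "__main__":
    for n, ioc, kind in scan_logs(SAMPLE_LOGS):
        print(f"line {n}: {kind} {ioc}")
```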