Rewterz Threat Alert – JavaScript RAT Targeting Asian Government and Financial Sector

Severity

High

Analysis Summary

A new malicious campaign is discovered targeting verticals in the governmental monetary and financial sectors in Asia. This campaign poses as a central bank of an Asian nation to compel a victim to open a compressed attachment containing a malicious HTA file. Once the HTA file is executed, it contains heavily obfuscated JavaScript that ultimately installs and runs a remote access trojan or RAT. What makes this unique from other attacks in this space is that it utilizes JsOutProx malware family. It appears that the attackers are able to bypass spam filters by spoofing the email headers. A cursory analysis of the domains indicate that they originated from a well-known webhosting company with a large subnet. Investigating the headers, it was discovered that the attackers are utilizing the SMTP service of the webhosting company.

Impact

• Unauthorized Remote Access
• Security Bypass

Indicators of Compromise

Filename

• Information on Compliance Officer

Hostname

• posssdhm[.]ddns[.]net
• panarmjsdrew[.]gotdns[.]ch
• myabiggeojs[.]myftp[.]biz
• afghphae[.]gotdns[.]ch

SHA-256

• fdc61d1ae7f5e53fb4710910bae574a992419e27329693d69236ec1704ac66a4
• f7221949476533af9afe7b190db47697174cabc9af18c278022396e83e7b75cb
• f1027d6f01718030a66872a82134418984c2de82e1aff32cb7cc106bf8d3375a
• efd97b1038e063779fb32a3ab35adc481679a5c6c8e3f4f69c44987ff08b6ea4
• ec83164a482f5f6c6f98fcc47e489bc4443554253a32ddbd2344b70b09002d1c
• e9d605f9627072eee555b07e3c7797c4d61ded20c7292432565c098f183be9d2
• e94521788a9b229dc9f583cc6ab2514b2cbe4acbee7a282d6167c1ce45416de3
• df3acaf4dcc70a20c485b492958a9d598f43acb9563e0875d8759de62b268789
• dec809c248f4610bae9d577c23279ffa5e95bdb8612fe941aac60fc1e699343b
• cd16052de2b6f37853935bad389f6018f9106aec873da0e7a2a92da8eb953fd8
• c10ea9b5aade9e98b7c87a6926fed6356d903440a17590c519aec7a54e1e5165
• bbd835c18f2a5eb7a9c9eb967c9aab0c2eee67b03745a07c5cfa11ce272a559a
• b9bb827450cf3233c89ef3cc8ee38824faec9afb1fe1f5c2ab0f1738e0e844d1
• a72617c88b295c70ffcd652a569f5dd3b972a13a445936fed92f8d8eb018958a
• a68fe77207210679a5129b17b797d06fc4d75d6ecac0711e67abcaf18ed42275
• a22c763f9e222a8e039d39262f6ff30cce934c1181b0c1be9376b4f5f912e96a
• a1ca1638f3d760789231fc1b567824485b40f4101d6ee9ad4208308d166b87bd
• 9aa914e87dda1c3d1c182ed9c08229d10853a5e29b0795accf2a96abdc5fde88
• 96168c26e4c0ec1d84cdb2b912dadabdf2bb73ec14d758cc8a29fb39321b8bd6
• 92c02aa8d666c7b65f1cbb6c801f89bd47088129e899b352737258af28db0dba
• 8da0526fe5cff2c56be399b9bef560fec6160d8ce0dd7c8517054198c73e6788
• 891211a8dffa0a4b0147b9c1572916108cb8aa1d6055aa1164f16cc42a3e2c0c
• 886fe15d546c595be2e130d98d33ee777d550af69f1def97fedbfae49e3a637e
• 8609210993f4ebc6aa5332b0e5ebe67720b8721e27fcee79fc82a1c40b587a44
• 84ae04513a1e01e60dbc814cbd483ec397c9dba78cc5ba79a8e234ecc04b0ac3
• 83f2a34784c9c9abc2009b829e8345afb081817675bd0eb2799d2205d5ef69f9
• 7dd2d20bd40f45ecd74fef1c9238cdf3c9f446414fc82456d73f3148252adbd5
• 75e0d9f86c4ebea64bc842bb5f87164372c4b2996680fde42d5113ebbbbae3ff
• 750a4be535f1870464548cda125665422d5a52d83953c44942dfe90c5a146ad9
• 6bf0d9a7ca91f27a708c793832b0c7b6e3bc4c3b511e8b30e3d1ca2e3e2b90a7
• 698ced4170469c3084afbb0e21778477360d2ac10fb93b33ee3011870c7ca089
• 64b402cbe3a2ae21ce2bfcf70acf927db714f5ae4eb3ba0ffb73455b731e6a50
• 577a6b1294ec1386fd5d9058ad35296bfd74cd51ab8c1bd8f0b625bbb356f8d0
• 531bdc59bdddaf57aa80e2bd2664ee2e6df138a2374519d14d100cab8d21b5c5
• 459d04d2a7cb3399486dbe8095dac1f1e8132d514e4be631c3151f61e0d13506
• 43192b0a36d887844309b79dafa88bb2493539093d17bf7296e4bda2fe72dc49
• 4132f329b4cd47f4e4463963c40345f7a7bb04c5cb64887f3d78579028cb1474
• 3ad0b6e98e4415d7d4b319367aaee0930fbb8ef4f3dc8c29e93df3b906654b30
• 34c6c1a7a765441e5d01ffd8b839bb932fbee37b2d1a55d4cd7e77d61eebad6b
• 34b2b2c0187ebc29239578d78f062d8ebd9aab4bede9c9b6dee323653d2b058c
• 2cb5514d1720a32caa239e91ab6a7a3009a78fb1ce30246186ab6ec6e014041e
• 2ad94746fa52471bd0008285f2d03aab5afa2a8a75ee986ad4ec650aad43730c
• 2936937ebeead6d1c9b62739331fd975248e2998fcf13c94ee817bbfe501a64b
• 169c13fd68f9d1b86d77a0e2865050a8eed8bdb9420c3c65ff4cd29574db3217
• 03a80ceb3959f26b193175fc005bf418c4dc47b1e8d725e63a17a1418774b4b9

SHA1

• fa5e3d84c7f4dd9d5b7ea6ed3a9a1aede8b839d3
• d55a64035aaa75b403eb9c8ffa12f4c46f5b7ea2
• d075b92d91e659b3e17d00303ca2096056202201
• d06936a14ef75ca47fa384797ce1741bb5a7ab33
• caccce39e00f72698907a54157be7c452e755eca
• c8d9eacd908339c47860002af11eeb232d6e84e1
• c63f33fa2b308bd363f0733487422558b7053f3a
• c600126c4adb5333c2e44495d29d14f326437706
• c28e7299cacb6078dc8e7ed2cb6555df544a7053
• ab211bb31eeed26b688009e4bf6ba8fbe44a47a6
• a7b52e05f64b74fcd995aca863a608f0f1f5b134
• 94154b38e3320d480209eff693fcf6f9c050c77a
• 93db59b951ffb575e19e073285053522e2f4728f
• 7e87bd3a8371b9ba3d5b49ff0ba8b141acc32b77
• 7b82de930751e74be1c2d26fe3b9fe64d64b73e3
• 775de60a6f0558eb3ea29fe5c634ebe5344c8bbb
• 763b22306ce6c0e4236c44fa3ce9d2b93fd991e6
• 71f4236bfe11b8c826936f168421027d9c676d4e
• 6d0913f18d95054ba1c85c043c6741bb97e33849
• 6c7c5cce07ea8dd131aeb3deae8d3438a388651a
• 6b987cdda4ce770311e74f395b3ae9f5e4608088
• 6556c7995344ee5ef3d386069f109f49b6891e9b
• 63ed623933032ddb8c071a23ecc9ce4968e99947
• 60b073d85df2185d6adcde4b96dc1a3944744569
• 5bfb4fd8a848c3e2ffd521ad41e21729fe1784f3
• 59bc6746aa75a4b5de47c93bd76eb6ed87e54a1c
• 582ac627bb6d4b220f7616737d21363a2fe8d2bb
• 54792a4985d9eefe2c5d013f3953d5d1658e5b1e
• 52b2ce583c70dcb1c7215c881445b60ac64cd44d
• 522b1a188c131e8867192af07cfd72b39e0fe5fe
• 4fedc84c6c36ab2ad8efae607b7cdc7e9daa0a61
• 43cadc7520d5d170b08dc1b0a3cdab701cf46acc
• 42833ea0f7033f4fb7ead309480bdd629d029572
• 3ae86634f369f695e9ff4099184d49554fd5f135
• 360120448f2411ab6224448c5e119704fcc6c4b0
• 30c717d3b2e0fcda04122b214b1b44c07b9b8139
• 2af22c20220eca67ca413e3e4869f54ad0364aa4
• 243fb2480eb8a4a7e618fd02acb65048fb72fe72
• 22e65c42cb4382a428e9d5e92384e1b051bb6bb2
• 2119da3ec4f0584e0d436cbda7dedd26ab81d2c8
• 1e398ca427a70e731bb0b9a4e487aca124e60dc3
• 195c244a037815ec13d469e3b28e62a0e10bed56
• 12445f77f3e2e230e6496379adec7472fd95295a
• 0e6e08a7c8042a1161baf171041a34c9442c464d
• 0dc63f30b11f8734a1109acee163579168787f59
• 0a716bed3e668c0276910851465adb4fde6c0a49

Source IP

• 185[.]19[.]85[.]156

URL

• http[:]//posssdhm[.]ddns[.]net[:]9060/
• http[:]//panarmjsdrew[.]gotdns[.]ch
• http[:]//myabiggeojs[.]myftp[.]biz[:]9895/
• http[:]//afghphae[.]gotdns[.]ch[:]9060/

Remediation

• Block the threat indicators at their respective controls.
• Do not download files attached in untrusted emails.