Rewterz Threat Alert – Rogue RAT used for Android Device Takeover, Data Theft and Malware Delivery

January 14, 2021

Rewterz Threat Alert – New Variant of Ursnif Using Invoice Malspam

January 15, 2021

Rewterz Threat Alert – JavaScript RAT Targeting Asian Government and Financial Sector

January 15, 2021

Severity

High

Analysis Summary

A new malicious campaign is discovered targeting verticals in the governmental monetary and financial sectors in Asia. This campaign poses as a central bank of an Asian nation to compel a victim to open a compressed attachment containing a malicious HTA file. Once the HTA file is executed, it contains heavily obfuscated JavaScript that ultimately installs and runs a remote access trojan or RAT. What makes this unique from other attacks in this space is that it utilizes JsOutProx malware family. It appears that the attackers are able to bypass spam filters by spoofing the email headers. A cursory analysis of the domains indicate that they originated from a well-known webhosting company with a large subnet. Investigating the headers, it was discovered that the attackers are utilizing the SMTP service of the webhosting company.

Impact

Unauthorized Remote Access
Security Bypass

Indicators of Compromise

Filename

Information on Compliance Officer

Hostname

posssdhm[.]ddns[.]net
panarmjsdrew[.]gotdns[.]ch
myabiggeojs[.]myftp[.]biz
afghphae[.]gotdns[.]ch

SHA-256

fdc61d1ae7f5e53fb4710910bae574a992419e27329693d69236ec1704ac66a4
f7221949476533af9afe7b190db47697174cabc9af18c278022396e83e7b75cb
f1027d6f01718030a66872a82134418984c2de82e1aff32cb7cc106bf8d3375a
efd97b1038e063779fb32a3ab35adc481679a5c6c8e3f4f69c44987ff08b6ea4
ec83164a482f5f6c6f98fcc47e489bc4443554253a32ddbd2344b70b09002d1c
e9d605f9627072eee555b07e3c7797c4d61ded20c7292432565c098f183be9d2
e94521788a9b229dc9f583cc6ab2514b2cbe4acbee7a282d6167c1ce45416de3
df3acaf4dcc70a20c485b492958a9d598f43acb9563e0875d8759de62b268789
dec809c248f4610bae9d577c23279ffa5e95bdb8612fe941aac60fc1e699343b
cd16052de2b6f37853935bad389f6018f9106aec873da0e7a2a92da8eb953fd8
c10ea9b5aade9e98b7c87a6926fed6356d903440a17590c519aec7a54e1e5165
bbd835c18f2a5eb7a9c9eb967c9aab0c2eee67b03745a07c5cfa11ce272a559a
b9bb827450cf3233c89ef3cc8ee38824faec9afb1fe1f5c2ab0f1738e0e844d1
a72617c88b295c70ffcd652a569f5dd3b972a13a445936fed92f8d8eb018958a
a68fe77207210679a5129b17b797d06fc4d75d6ecac0711e67abcaf18ed42275
a22c763f9e222a8e039d39262f6ff30cce934c1181b0c1be9376b4f5f912e96a
a1ca1638f3d760789231fc1b567824485b40f4101d6ee9ad4208308d166b87bd
9aa914e87dda1c3d1c182ed9c08229d10853a5e29b0795accf2a96abdc5fde88
96168c26e4c0ec1d84cdb2b912dadabdf2bb73ec14d758cc8a29fb39321b8bd6
92c02aa8d666c7b65f1cbb6c801f89bd47088129e899b352737258af28db0dba
8da0526fe5cff2c56be399b9bef560fec6160d8ce0dd7c8517054198c73e6788
891211a8dffa0a4b0147b9c1572916108cb8aa1d6055aa1164f16cc42a3e2c0c
886fe15d546c595be2e130d98d33ee777d550af69f1def97fedbfae49e3a637e
8609210993f4ebc6aa5332b0e5ebe67720b8721e27fcee79fc82a1c40b587a44
84ae04513a1e01e60dbc814cbd483ec397c9dba78cc5ba79a8e234ecc04b0ac3
83f2a34784c9c9abc2009b829e8345afb081817675bd0eb2799d2205d5ef69f9
7dd2d20bd40f45ecd74fef1c9238cdf3c9f446414fc82456d73f3148252adbd5
75e0d9f86c4ebea64bc842bb5f87164372c4b2996680fde42d5113ebbbbae3ff
750a4be535f1870464548cda125665422d5a52d83953c44942dfe90c5a146ad9
6bf0d9a7ca91f27a708c793832b0c7b6e3bc4c3b511e8b30e3d1ca2e3e2b90a7
698ced4170469c3084afbb0e21778477360d2ac10fb93b33ee3011870c7ca089
64b402cbe3a2ae21ce2bfcf70acf927db714f5ae4eb3ba0ffb73455b731e6a50
577a6b1294ec1386fd5d9058ad35296bfd74cd51ab8c1bd8f0b625bbb356f8d0
531bdc59bdddaf57aa80e2bd2664ee2e6df138a2374519d14d100cab8d21b5c5
459d04d2a7cb3399486dbe8095dac1f1e8132d514e4be631c3151f61e0d13506
43192b0a36d887844309b79dafa88bb2493539093d17bf7296e4bda2fe72dc49
4132f329b4cd47f4e4463963c40345f7a7bb04c5cb64887f3d78579028cb1474
3ad0b6e98e4415d7d4b319367aaee0930fbb8ef4f3dc8c29e93df3b906654b30
34c6c1a7a765441e5d01ffd8b839bb932fbee37b2d1a55d4cd7e77d61eebad6b
34b2b2c0187ebc29239578d78f062d8ebd9aab4bede9c9b6dee323653d2b058c
2cb5514d1720a32caa239e91ab6a7a3009a78fb1ce30246186ab6ec6e014041e
2ad94746fa52471bd0008285f2d03aab5afa2a8a75ee986ad4ec650aad43730c
2936937ebeead6d1c9b62739331fd975248e2998fcf13c94ee817bbfe501a64b
169c13fd68f9d1b86d77a0e2865050a8eed8bdb9420c3c65ff4cd29574db3217
03a80ceb3959f26b193175fc005bf418c4dc47b1e8d725e63a17a1418774b4b9

SHA1

fa5e3d84c7f4dd9d5b7ea6ed3a9a1aede8b839d3
d55a64035aaa75b403eb9c8ffa12f4c46f5b7ea2
d075b92d91e659b3e17d00303ca2096056202201
d06936a14ef75ca47fa384797ce1741bb5a7ab33
caccce39e00f72698907a54157be7c452e755eca
c8d9eacd908339c47860002af11eeb232d6e84e1
c63f33fa2b308bd363f0733487422558b7053f3a
c600126c4adb5333c2e44495d29d14f326437706
c28e7299cacb6078dc8e7ed2cb6555df544a7053
ab211bb31eeed26b688009e4bf6ba8fbe44a47a6
a7b52e05f64b74fcd995aca863a608f0f1f5b134
94154b38e3320d480209eff693fcf6f9c050c77a
93db59b951ffb575e19e073285053522e2f4728f
7e87bd3a8371b9ba3d5b49ff0ba8b141acc32b77
7b82de930751e74be1c2d26fe3b9fe64d64b73e3
775de60a6f0558eb3ea29fe5c634ebe5344c8bbb
763b22306ce6c0e4236c44fa3ce9d2b93fd991e6
71f4236bfe11b8c826936f168421027d9c676d4e
6d0913f18d95054ba1c85c043c6741bb97e33849
6c7c5cce07ea8dd131aeb3deae8d3438a388651a
6b987cdda4ce770311e74f395b3ae9f5e4608088
6556c7995344ee5ef3d386069f109f49b6891e9b
63ed623933032ddb8c071a23ecc9ce4968e99947
60b073d85df2185d6adcde4b96dc1a3944744569
5bfb4fd8a848c3e2ffd521ad41e21729fe1784f3
59bc6746aa75a4b5de47c93bd76eb6ed87e54a1c
582ac627bb6d4b220f7616737d21363a2fe8d2bb
54792a4985d9eefe2c5d013f3953d5d1658e5b1e
52b2ce583c70dcb1c7215c881445b60ac64cd44d
522b1a188c131e8867192af07cfd72b39e0fe5fe
4fedc84c6c36ab2ad8efae607b7cdc7e9daa0a61
43cadc7520d5d170b08dc1b0a3cdab701cf46acc
42833ea0f7033f4fb7ead309480bdd629d029572
3ae86634f369f695e9ff4099184d49554fd5f135
360120448f2411ab6224448c5e119704fcc6c4b0
30c717d3b2e0fcda04122b214b1b44c07b9b8139
2af22c20220eca67ca413e3e4869f54ad0364aa4
243fb2480eb8a4a7e618fd02acb65048fb72fe72
22e65c42cb4382a428e9d5e92384e1b051bb6bb2
2119da3ec4f0584e0d436cbda7dedd26ab81d2c8
1e398ca427a70e731bb0b9a4e487aca124e60dc3
195c244a037815ec13d469e3b28e62a0e10bed56
12445f77f3e2e230e6496379adec7472fd95295a
0e6e08a7c8042a1161baf171041a34c9442c464d
0dc63f30b11f8734a1109acee163579168787f59
0a716bed3e668c0276910851465adb4fde6c0a49

Source IP

185[.]19[.]85[.]156

URL

http[:]//posssdhm[.]ddns[.]net[:]9060/
http[:]//panarmjsdrew[.]gotdns[.]ch
http[:]//myabiggeojs[.]myftp[.]biz[:]9895/
http[:]//afghphae[.]gotdns[.]ch[:]9060/

Remediation

Block the threat indicators at their respective controls.
Do not download files attached in untrusted emails.

Platform

Managed Security Services

Managed Penetration Testing

Assess

Transform

Train

Respond

Resources

Rewterz Threat Alert – STOP (DJVU) Ransomware – Active IOCs

Rewterz Threat Advisory – CVE-2023-30440 – IBM PowerVM Hypervisor Vulnerability

Rewterz Threat Advisory – CVE-2023-33246 – Apache RocketMQ Vulnerability

Threat Insights

About Us

Our Leadership

CSR

Connect with Us