Severity
High
Analysis Summary
A new malicious campaign has been discovered targeting verticals in the governmental, monetary and financial sectors in Asia. The campaign poses as the central bank of an Asian nation to compel the victim to open a compressed attachment containing a malicious HTA file. The HTA file contains heavily obfuscated JavaScript which, once executed, installs and runs a remote access trojan (RAT). What sets this apart from other attacks in this space is its use of the JsOutProx malware family. The attackers appear to bypass spam filters by spoofing the email headers. A cursory analysis of the domains indicates that they originate from a well-known web hosting company with a large subnet, and investigation of the headers shows that the attackers are sending the mail through that web hosting company's SMTP service.
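The summary above names the two things a mail gateway can actually observe in this campaign: a From header claiming to be a central bank while the message is submitted through a web hosting company's SMTP service, and a compressed attachment carrying an HTA. The Python script below, written for this page as an added example (it is not Rewterz's tooling or part of the alert), parses a message with the standard library and flags exactly those traits: a Return-Path domain that does not match the From domain, a submitting MTA outside the From domain, missing SPF and DKIM passes, and archive or script attachments. Both sample messages are constructed; every domain and IP address in them is a placeholder, and only the attachment's base name is taken from the alert's filename indicator.

```python
import os
import re
from email import message_from_string, policy
from email.utils import parseaddr

# File types the alert's delivery chain relies on: an archive carrying a script (HTA).
ARCHIVE_EXT = {".zip", ".rar", ".7z", ".gz", ".tar", ".iso", ".img"}
SCRIPT_EXT = {".hta", ".js", ".jse", ".vbs", ".vbe", ".wsf"}

# Constructed lure resembling the one described in the alert. All domains and IPs are
# placeholders (hypothetical); only the attachment's base name is the alert's filename
# indicator, and the archive body is a placeholder string, not a real archive.
LURE_EML = """\
Return-Path: <bounce-4471@mail.hosting-provider.example>
Received: from mail.hosting-provider.example (mail.hosting-provider.example [192.0.2.25])
    by mx.victim-bank.example with ESMTP id 4h7Kq
Authentication-Results: mx.victim-bank.example; spf=none smtp.mailfrom=mail.hosting-provider.example;
    dkim=none header.d=centralbank-of-example.gov.example
From: "Compliance Department" <compliance@centralbank-of-example.gov.example>
To: treasury@victim-bank.example
Subject: Information on Compliance Officer
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please review the attached compliance notice.
--b1
Content-Type: application/zip
Content-Disposition: attachment; filename="Information on Compliance Officer.zip"

<<placeholder archive bytes>>
--b1--
"""

# Constructed benign message from the same placeholder sender, for contrast.
CLEAN_EML = """\
Return-Path: <noreply@centralbank-of-example.gov.example>
Received: from mx1.centralbank-of-example.gov.example (mx1.centralbank-of-example.gov.example [192.0.2.40])
    by mx.victim-bank.example with ESMTPS id 9pQ2z
Authentication-Results: mx.victim-bank.example; spf=pass smtp.mailfrom=centralbank-of-example.gov.example;
    dkim=pass header.d=centralbank-of-example.gov.example
From: "Compliance Department" <compliance@centralbank-of-example.gov.example>
To: treasury@victim-bank.example
Subject: Quarterly reporting calendar
Content-Type: text/plain

The reporting calendar is published on our website.
"""


def domain_of(header_value):
    """Lower-cased domain part of an address header, or '' when absent."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def under(host, domain):
    """True when host is the domain itself or one of its subdomains."""
    host, domain = host.lower(), domain.lower()
    return bool(domain) and (host == domain or host.endswith("." + domain))


def assess(raw_message):
    """Return a list of findings for one raw message; an empty list means nothing stood out."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []
    from_dom = domain_of(msg["From"])
    rp_dom = domain_of(msg["Return-Path"])

    # Envelope sender (Return-Path) and the visible From should align for a genuine sender.
    if rp_dom and not under(rp_dom, from_dom):
        findings.append(f"Return-Path domain {rp_dom} does not match From domain {from_dom}")

    # The top-most Received header is the hop that handed the message to our own MX.
    received = msg.get_all("Received") or []
    m = re.match(r"from\s+([A-Za-z0-9.-]+)", str(received[0])) if received else None
    if m and not under(m.group(1), from_dom):
        findings.append(f"submitted by {m.group(1)}, which is not under {from_dom}")

    # Authentication-Results is stamped by our own MX, so its verdict is the one to trust.
    auth = str(msg.get("Authentication-Results", "")).lower()
    if "spf=pass" not in auth:
        findings.append("SPF did not pass for the envelope sender")
    if "dkim=pass" not in auth:
        findings.append("no passing DKIM signature")

    # Archive-wrapped scripts are the delivery vehicle described in the alert.
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        ext = os.path.splitext(name)[1].lower()
        if ext in ARCHIVE_EXT:
            findings.append(f"compressed attachment: {name}")
        elif ext in SCRIPT_EXT:
            findings.append(f"script attachment: {name}")
    return findings


if __name__ == "__main__":
    for label, raw in (("lure", LURE_EML), ("clean", CLEAN_EML)):
        print(label, assess(raw) or ["no findings"])
```

The script trusts only headers written by the receiving MX (Authentication-Results and the top Received line); everything below them, including From, is attacker-controlled in this campaign, which is why the From domain is compared against the envelope and the submitting host rather than taken at face value.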
Impact
- Unauthorized Remote Access
- Security Bypass
Indicators of Compromise
Filename
- Information on Compliance Officer
Hostname
- posssdhm[.]ddns[.]net
- panarmjsdrew[.]gotdns[.]ch
- myabiggeojs[.]myftp[.]biz
- afghphae[.]gotdns[.]ch
SHA-256
- fdc61d1ae7f5e53fb4710910bae574a992419e27329693d69236ec1704ac66a4
- f7221949476533af9afe7b190db47697174cabc9af18c278022396e83e7b75cb
- f1027d6f01718030a66872a82134418984c2de82e1aff32cb7cc106bf8d3375a
- efd97b1038e063779fb32a3ab35adc481679a5c6c8e3f4f69c44987ff08b6ea4
- ec83164a482f5f6c6f98fcc47e489bc4443554253a32ddbd2344b70b09002d1c
- e9d605f9627072eee555b07e3c7797c4d61ded20c7292432565c098f183be9d2
- e94521788a9b229dc9f583cc6ab2514b2cbe4acbee7a282d6167c1ce45416de3
- df3acaf4dcc70a20c485b492958a9d598f43acb9563e0875d8759de62b268789
- dec809c248f4610bae9d577c23279ffa5e95bdb8612fe941aac60fc1e699343b
- cd16052de2b6f37853935bad389f6018f9106aec873da0e7a2a92da8eb953fd8
- c10ea9b5aade9e98b7c87a6926fed6356d903440a17590c519aec7a54e1e5165
- bbd835c18f2a5eb7a9c9eb967c9aab0c2eee67b03745a07c5cfa11ce272a559a
- b9bb827450cf3233c89ef3cc8ee38824faec9afb1fe1f5c2ab0f1738e0e844d1
- a72617c88b295c70ffcd652a569f5dd3b972a13a445936fed92f8d8eb018958a
- a68fe77207210679a5129b17b797d06fc4d75d6ecac0711e67abcaf18ed42275
- a22c763f9e222a8e039d39262f6ff30cce934c1181b0c1be9376b4f5f912e96a
- a1ca1638f3d760789231fc1b567824485b40f4101d6ee9ad4208308d166b87bd
- 9aa914e87dda1c3d1c182ed9c08229d10853a5e29b0795accf2a96abdc5fde88
- 96168c26e4c0ec1d84cdb2b912dadabdf2bb73ec14d758cc8a29fb39321b8bd6
- 92c02aa8d666c7b65f1cbb6c801f89bd47088129e899b352737258af28db0dba
- 8da0526fe5cff2c56be399b9bef560fec6160d8ce0dd7c8517054198c73e6788
- 891211a8dffa0a4b0147b9c1572916108cb8aa1d6055aa1164f16cc42a3e2c0c
- 886fe15d546c595be2e130d98d33ee777d550af69f1def97fedbfae49e3a637e
- 8609210993f4ebc6aa5332b0e5ebe67720b8721e27fcee79fc82a1c40b587a44
- 84ae04513a1e01e60dbc814cbd483ec397c9dba78cc5ba79a8e234ecc04b0ac3
- 83f2a34784c9c9abc2009b829e8345afb081817675bd0eb2799d2205d5ef69f9
- 7dd2d20bd40f45ecd74fef1c9238cdf3c9f446414fc82456d73f3148252adbd5
- 75e0d9f86c4ebea64bc842bb5f87164372c4b2996680fde42d5113ebbbbae3ff
- 750a4be535f1870464548cda125665422d5a52d83953c44942dfe90c5a146ad9
- 6bf0d9a7ca91f27a708c793832b0c7b6e3bc4c3b511e8b30e3d1ca2e3e2b90a7
- 698ced4170469c3084afbb0e21778477360d2ac10fb93b33ee3011870c7ca089
- 64b402cbe3a2ae21ce2bfcf70acf927db714f5ae4eb3ba0ffb73455b731e6a50
- 577a6b1294ec1386fd5d9058ad35296bfd74cd51ab8c1bd8f0b625bbb356f8d0
- 531bdc59bdddaf57aa80e2bd2664ee2e6df138a2374519d14d100cab8d21b5c5
- 459d04d2a7cb3399486dbe8095dac1f1e8132d514e4be631c3151f61e0d13506
- 43192b0a36d887844309b79dafa88bb2493539093d17bf7296e4bda2fe72dc49
- 4132f329b4cd47f4e4463963c40345f7a7bb04c5cb64887f3d78579028cb1474
- 3ad0b6e98e4415d7d4b319367aaee0930fbb8ef4f3dc8c29e93df3b906654b30
- 34c6c1a7a765441e5d01ffd8b839bb932fbee37b2d1a55d4cd7e77d61eebad6b
- 34b2b2c0187ebc29239578d78f062d8ebd9aab4bede9c9b6dee323653d2b058c
- 2cb5514d1720a32caa239e91ab6a7a3009a78fb1ce30246186ab6ec6e014041e
- 2ad94746fa52471bd0008285f2d03aab5afa2a8a75ee986ad4ec650aad43730c
- 2936937ebeead6d1c9b62739331fd975248e2998fcf13c94ee817bbfe501a64b
- 169c13fd68f9d1b86d77a0e2865050a8eed8bdb9420c3c65ff4cd29574db3217
- 03a80ceb3959f26b193175fc005bf418c4dc47b1e8d725e63a17a1418774b4b9
SHA-1
- fa5e3d84c7f4dd9d5b7ea6ed3a9a1aede8b839d3
- d55a64035aaa75b403eb9c8ffa12f4c46f5b7ea2
- d075b92d91e659b3e17d00303ca2096056202201
- d06936a14ef75ca47fa384797ce1741bb5a7ab33
- caccce39e00f72698907a54157be7c452e755eca
- c8d9eacd908339c47860002af11eeb232d6e84e1
- c63f33fa2b308bd363f0733487422558b7053f3a
- c600126c4adb5333c2e44495d29d14f326437706
- c28e7299cacb6078dc8e7ed2cb6555df544a7053
- ab211bb31eeed26b688009e4bf6ba8fbe44a47a6
- a7b52e05f64b74fcd995aca863a608f0f1f5b134
- 94154b38e3320d480209eff693fcf6f9c050c77a
- 93db59b951ffb575e19e073285053522e2f4728f
- 7e87bd3a8371b9ba3d5b49ff0ba8b141acc32b77
- 7b82de930751e74be1c2d26fe3b9fe64d64b73e3
- 775de60a6f0558eb3ea29fe5c634ebe5344c8bbb
- 763b22306ce6c0e4236c44fa3ce9d2b93fd991e6
- 71f4236bfe11b8c826936f168421027d9c676d4e
- 6d0913f18d95054ba1c85c043c6741bb97e33849
- 6c7c5cce07ea8dd131aeb3deae8d3438a388651a
- 6b987cdda4ce770311e74f395b3ae9f5e4608088
- 6556c7995344ee5ef3d386069f109f49b6891e9b
- 63ed623933032ddb8c071a23ecc9ce4968e99947
- 60b073d85df2185d6adcde4b96dc1a3944744569
- 5bfb4fd8a848c3e2ffd521ad41e21729fe1784f3
- 59bc6746aa75a4b5de47c93bd76eb6ed87e54a1c
- 582ac627bb6d4b220f7616737d21363a2fe8d2bb
- 54792a4985d9eefe2c5d013f3953d5d1658e5b1e
- 52b2ce583c70dcb1c7215c881445b60ac64cd44d
- 522b1a188c131e8867192af07cfd72b39e0fe5fe
- 4fedc84c6c36ab2ad8efae607b7cdc7e9daa0a61
- 43cadc7520d5d170b08dc1b0a3cdab701cf46acc
- 42833ea0f7033f4fb7ead309480bdd629d029572
- 3ae86634f369f695e9ff4099184d49554fd5f135
- 360120448f2411ab6224448c5e119704fcc6c4b0
- 30c717d3b2e0fcda04122b214b1b44c07b9b8139
- 2af22c20220eca67ca413e3e4869f54ad0364aa4
- 243fb2480eb8a4a7e618fd02acb65048fb72fe72
- 22e65c42cb4382a428e9d5e92384e1b051bb6bb2
- 2119da3ec4f0584e0d436cbda7dedd26ab81d2c8
- 1e398ca427a70e731bb0b9a4e487aca124e60dc3
- 195c244a037815ec13d469e3b28e62a0e10bed56
- 12445f77f3e2e230e6496379adec7472fd95295a
- 0e6e08a7c8042a1161baf171041a34c9442c464d
- 0dc63f30b11f8734a1109acee163579168787f59
- 0a716bed3e668c0276910851465adb4fde6c0a49
Source IP
- 185[.]19[.]85[.]156
URL
- http[:]//posssdhm[.]ddns[.]net[:]9060/
- http[:]//panarmjsdrew[.]gotdns[.]ch
- http[:]//myabiggeojs[.]myftp[.]biz[:]9895/
- http[:]//afghphae[.]gotdns[.]ch[:]9060/
Remediation
- Block the threat indicators at their respective controls.
- Do not download files attached in untrusted emails.
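"Block the threat indicators at their respective controls" means something different for each indicator type listed above: hashes belong in the endpoint product, the IP address in the firewall, hostnames in DNS filtering and URLs in the proxy. As an added example (not part of the alert), the Python script below refangs the published indicators, classifies each one by shape and groups them by the control that should receive them; the control names are illustrative, and the hash lists are truncated to a few entries copied from the alert. It also adds the hostname of every URL to the DNS list, since a proxy rule on a URL does nothing for traffic that resolves the host directly.

```python
import re
from urllib.parse import urlsplit

# Indicators as published in the alert (defanged). Only a subset of the hashes is
# reproduced here; the full lists are in the Indicators of Compromise section above.
ALERT_IOCS = """
- Information on Compliance Officer
- posssdhm[.]ddns[.]net
- panarmjsdrew[.]gotdns[.]ch
- myabiggeojs[.]myftp[.]biz
- afghphae[.]gotdns[.]ch
- fdc61d1ae7f5e53fb4710910bae574a992419e27329693d69236ec1704ac66a4
- 03a80ceb3959f26b193175fc005bf418c4dc47b1e8d725e63a17a1418774b4b9
- fa5e3d84c7f4dd9d5b7ea6ed3a9a1aede8b839d3
- 0a716bed3e668c0276910851465adb4fde6c0a49
- 185[.]19[.]85[.]156
- http[:]//posssdhm[.]ddns[.]net[:]9060/
- http[:]//panarmjsdrew[.]gotdns[.]ch
- http[:]//myabiggeojs[.]myftp[.]biz[:]9895/
- http[:]//afghphae[.]gotdns[.]ch[:]9060/
"""

# Which control each indicator type is pushed to (names are illustrative).
CONTROL = {
    "sha256": "edr_hash_blocklist",
    "sha1": "edr_hash_blocklist",
    "ipv4": "firewall_deny",
    "url": "proxy_blocklist",
    "hostname": "dns_sinkhole",
    "other": "manual_review",
}

_SHA256 = re.compile(r"^[0-9a-fA-F]{64}$")
_SHA1 = re.compile(r"^[0-9a-fA-F]{40}$")
_IPV4 = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$")
# Dotted labels with a top-level label that starts with a letter, so dotted quads never match.
_HOST = re.compile(r"^(?!-)(?:[A-Za-z0-9-]{1,63}\.)+[A-Za-z][A-Za-z0-9-]{0,62}$")


def refang(ioc):
    """Undo the common defanging conventions so the value matches live traffic."""
    return (ioc.replace("[.]", ".").replace("[:]", ":")
               .replace("hxxps://", "https://").replace("hxxp://", "http://"))


def classify(ioc):
    """Name the indicator type from its shape; unknown shapes go to manual review."""
    if _SHA256.match(ioc):
        return "sha256"
    if _SHA1.match(ioc):
        return "sha1"
    m = _IPV4.match(ioc)
    if m and all(int(octet) <= 255 for octet in m.groups()):
        return "ipv4"
    if ioc.lower().startswith(("http://", "https://")):
        return "url"
    if _HOST.match(ioc):
        return "hostname"
    return "other"


def route(text):
    """Group refanged indicators by the control that should block them, without duplicates."""
    routed = {name: [] for name in set(CONTROL.values())}

    def add(control, value):
        if value not in routed[control]:
            routed[control].append(value)

    for line in text.splitlines():
        raw = line.strip().lstrip("-").strip()   # drop the list bullet
        if not raw:
            continue
        ioc = refang(raw)
        kind = classify(ioc)
        add(CONTROL[kind], ioc)
        # A proxy rule on the URL does not cover direct connections; sinkhole its host as well.
        if kind == "url":
            host = urlsplit(ioc).hostname
            if host:
                add("dns_sinkhole", host)
    return routed


if __name__ == "__main__":
    for control, values in sorted(route(ALERT_IOCS).items()):
        print(f"[{control}]")
        for value in values:
            print("  ", value)
```

The filename indicator lands in manual review on purpose: a bare filename is useful for mail-gateway and EDR hunting queries but is too weak to block on its own, unlike the hashes.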