Rewterz Threat Alert – Kattana Trading Application Bundled with Malware

July 20, 2020

Severity

High

Analysis Summary

Using a legitimate application to hide malware is not a new phenomenon. One of the latest campaigns involves a cryptocurrency trading application rebranded under several names. Under names such as Cointrazer, Cupatrade, Licatrade, and Trezarus, the Kattana cryptocurrency trading application has been repurposed for nefarious purposes such as stealing browser cookies, cryptocurrency wallets, and screen captures. The company behind the legitimate application published a warning about lures that lead users to download the trojanized application. The threat actors behind the campaign have set up copycat websites to make their applications look legitimate; each website serves a ZIP archive that wraps the trojanized program. Researchers analyzed the Licatrade malware and found it straightforward; other samples share the same basic functionality. Last-modified dates on the files suggest the campaigns started on or around April 15, 2020. The malware sends a simple report to a C2 server over HTTP and connects to a remote host via TCP, which provides a remote shell to the attacker. Persistence is accomplished via a Launch Agent. Reverse shells connect through different ports depending on how the shells were started. The TCP connections stay open and await further commands. During the analysis, the researchers observed the operators manually inspecting the machine after a period of time. If a compromised system is deemed interesting, exfiltration begins by compressing files and uploading them to another server over HTTP.

Impact

Exposure of sensitive data

Indicators of Compromise

SHA1


Remediation

  • Block all threat indicators at your respective controls.
  • Search for IOCs in your environment.
  • Always download applications from legitimate, recommended sources.
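A defender-side check that ties the Launch Agent persistence described above to the IOC search recommended here, added as an example and not Rewterz tooling: it parses each Launch Agent plist, hashes the program it starts, and compares the SHA1 against an IOC set. IOC_SHA1, SAMPLE_PLIST and the paths inside it are constructed placeholders; load the advisory's SHA1 list in place of IOC_SHA1.

```python
# Added example (not Rewterz tooling): sweep macOS Launch Agent plists, hash the
# program each one starts, and match it against a SHA1 IOC set. IOC_SHA1 and
# SAMPLE_PLIST are constructed placeholders, not values from the advisory.
import hashlib
import os
import plistlib

IOC_SHA1 = {"0000000000000000000000000000000000000000"}  # placeholder; load advisory SHA1s here
LAUNCH_AGENT_DIRS = [os.path.expanduser("~/Library/LaunchAgents"), "/Library/LaunchAgents"]
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.constructed</string>
  <key>ProgramArguments</key><array><string>/tmp/constructed/agent_bin</string></array>
</dict></plist>"""  # constructed sample agent, not taken from a real sample

def agent_program(plist_bytes):
    """Return the executable a Launch Agent starts (ProgramArguments[0], else Program)."""
    try:
        data = plistlib.loads(plist_bytes)
    except Exception:  # not a plist, or a malformed XML/binary plist
        return None
    if not isinstance(data, dict):
        return None
    args = data.get("ProgramArguments") or [data.get("Program")]
    return args[0] if isinstance(args, list) and isinstance(args[0], str) else None

def sha1_of_file(path):
    with open(path, "rb") as f:  # agent binaries are small enough to read whole
        return hashlib.sha1(f.read()).hexdigest().upper()

def check_agent(plist_bytes, ioc_sha1=IOC_SHA1, hasher=sha1_of_file):
    """Return (program, sha1, matched); sha1 is None if the program cannot be read."""
    program = agent_program(plist_bytes)
    if program is None:
        return None
    try:
        digest = hasher(program)
    except OSError:  # agent points at a missing or unreadable binary: still worth a look
        return (program, None, False)
    return (program, digest, digest.upper() in ioc_sha1)

def sweep(dirs=LAUNCH_AGENT_DIRS, ioc_sha1=IOC_SHA1):
    """Yield (plist path, program, sha1, matched) for every .plist in the agent dirs."""
    for d in filter(os.path.isdir, dirs):
        for name in sorted(n for n in os.listdir(d) if n.endswith(".plist")):
            with open(os.path.join(d, name), "rb") as f:
                result = check_agent(f.read(), ioc_sha1)
            if result:
                yield (os.path.join(d, name),) + result
```

On a macOS host, iterate over `sweep()` and review every entry whose last field is True, as well as entries whose hash is None, since an agent pointing at a vanished binary is itself unusual.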