Rewterz Threat Alert – Agent Tesla Malware – IOCs
July 20, 2020
Rewterz Threat Alert – Emotet Malware – IOCs
July 20, 2020
Severity
High
Analysis Summary
Using a legitimate application to hide malware is not a new phenomenon. One of the latest campaigns involves a cryptocurrency trading application rebranded under several names. Using names such as Cointrazer, Cupatrade, Licatrade, and Trezarus, the Kattana cryptocurrency trading application has been repurposed for nefarious purposes such as stealing browser cookies, cryptocurrency wallets, and screen captures. The company behind the legitimate application published a warning about lures leading victims to download the trojanized application. The threat actors behind the campaign have set up copycat websites to make their applications look legitimate. The websites contain a ZIP archive which wraps the trojanized program. Researchers analyzed the Licatrade malware and found it straightforward; other samples have the same basic functionality. Last-modified dates on the files seem to indicate the campaigns started on or around April 15, 2020. The malware sends a simple report to a C2 server over HTTP and connects to a remote host via TCP, which provides a remote shell to the attacker. Persistence is accomplished via a Launch Agent. Reverse shells are connected through different ports depending on how the shells were started. The TCP connections stay open and await further commands. In the analysis, operators manually inspected the machine after a period of time, which the researchers were able to observe. If a compromised system is deemed interesting, exfiltration begins by compressing files and uploading them to another server over HTTP.
Impact
Exposure of sensitive data
Indicators of Compromise
SHA1
- 2AC42D9A11B67E8AF7B610AA59AADCF1BD5EDE3B
- 560071EF47FE5417FFF62CB5C0E33B0757D197FA
- 4C688493958CC7CCCFCB246E706184DD7E2049CE
- 9C0D839D1F3DA0577A123531E5B4503587D62229
- DA1FDA04D4149EBF93756BCEF758EB860D0791B0
- F6CD98A16E8CC2DD3CA1592D9911489BB20D1380
- 575A43504F79297CBFA900B55C12DC83C2819B46
- B8F19B02F9218A8DD803DA1F8650195833057E2C
- AF65B1A945B517C4D8BAAA706AA19237F036F023
Remediation
- Block all threat indicators at your respective controls.
- Search for IOCs in your environment.
- Download applications only from their legitimate/recommended sources.
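The following script is an added example for the "Search for IOCs in your environment" step above and for the Launch Agent persistence described in the Analysis Summary; it is not Rewterz tooling and not part of the original alert. It hashes every file under a directory against the SHA1 list from this alert and parses macOS LaunchAgent plists so an analyst can review what is configured to start at login. The LaunchAgent directory paths, the `demo()` scenario, the file name `Licatrade.zip`, the label `com.example.demo` and the sample bytes are assumptions constructed for the demonstration; the real archive is never reproduced.

```python
"""IOC sweep helper: hash files under a directory against the SHA1 list from this
alert, and parse macOS LaunchAgent plists to review persistence entries.
Added example, not Rewterz tooling; paths and sample data below are assumptions."""
import hashlib
import os
import plistlib
import tempfile
from pathlib import Path

# SHA1 indicators taken from the alert, normalized to lowercase for comparison.
ALERT_SHA1 = {h.lower() for h in (
    "2AC42D9A11B67E8AF7B610AA59AADCF1BD5EDE3B",
    "560071EF47FE5417FFF62CB5C0E33B0757D197FA",
    "4C688493958CC7CCCFCB246E706184DD7E2049CE",
    "9C0D839D1F3DA0577A123531E5B4503587D62229",
    "DA1FDA04D4149EBF93756BCEF758EB860D0791B0",
    "F6CD98A16E8CC2DD3CA1592D9911489BB20D1380",
    "575A43504F79297CBFA900B55C12DC83C2819B46",
    "B8F19B02F9218A8DD803DA1F8650195833057E2C",
    "AF65B1A945B517C4D8BAAA706AA19237F036F023",
)}

# Standard macOS LaunchAgent locations (assumption: default layout, no MDM profiles).
LAUNCH_AGENT_DIRS = ("~/Library/LaunchAgents", "/Library/LaunchAgents")


def sha1_of_file(path, chunk_size=1 << 20):
    """Stream a file through SHA1 so large archives do not need to fit in memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_directory(root, iocs=ALERT_SHA1):
    """Return {path: sha1} for every regular file under root whose SHA1 is in iocs."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue  # skip symlinks and special files
            try:
                digest = sha1_of_file(path)
            except OSError:
                continue  # unreadable file: keep sweeping rather than abort
            if digest in iocs:
                hits[path] = digest
    return hits


def list_launch_agents(dirs=LAUNCH_AGENT_DIRS):
    """Parse each .plist in dirs; return (plist path, Label, program invocation) tuples.
    Unparseable plists are reported with None fields so they are not silently dropped."""
    entries = []
    for d in dirs:
        base = Path(d).expanduser()
        if not base.is_dir():
            continue
        for plist_path in sorted(base.glob("*.plist")):
            try:
                with open(plist_path, "rb") as f:
                    data = plistlib.load(f)
            except (OSError, plistlib.InvalidFileException, ValueError):
                entries.append((str(plist_path), None, None))
                continue
            program = data.get("ProgramArguments") or data.get("Program")
            entries.append((str(plist_path), data.get("Label"), program))
    return entries


def demo():
    """Constructed scenario: a temp tree holding one file whose hash is added to the
    IOC set, plus one LaunchAgent plist, to show what a hit and an agent entry look like."""
    with tempfile.TemporaryDirectory() as tmp:
        sample = os.path.join(tmp, "Licatrade.zip")  # file name is an assumption
        with open(sample, "wb") as f:
            f.write(b"constructed sample bytes, not the real archive")
        agents = os.path.join(tmp, "LaunchAgents")
        os.mkdir(agents)
        with open(os.path.join(agents, "com.example.demo.plist"), "wb") as f:
            plistlib.dump({"Label": "com.example.demo",
                           "ProgramArguments": ["/tmp/demo", "-x"],
                           "RunAtLoad": True}, f)
        iocs = ALERT_SHA1 | {sha1_of_file(sample)}  # simulate a hit on the sample
        return scan_directory(tmp, iocs), list_launch_agents([agents])


if __name__ == "__main__":
    hits, agents = demo()
    print("IOC hits:", hits)
    print("Launch agents:", agents)
```

On a real host, call `scan_directory("/Users")` or the download and application directories with the default `ALERT_SHA1` set, and `list_launch_agents()` with its default directories; any plist whose program path points into a user-writable location or an unfamiliar bundle deserves a closer look, since the alert reports that this family persists through a Launch Agent.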