Rewterz Threat Alert – Formbook Harvests Financial Data using Phishing
September 25, 2019
Rewterz Threat Alert – Phishing Attack Uses Google Redirects to Evade Detection
September 26, 2019
Severity
Medium
Analysis Summary
Quasar is a publicly available Remote Access Tool (RAT) for Windows hosts. It is being distributed as malware through malicious spam (malspam). This campaign is invoice-themed malspam purporting to come from Emirates Industrial City. Below is a screenshot of the email from the ISC institute.
Impact
- Unauthorized Access
- Remote Code Execution
Indicators of Compromise
IP(s) / Hostname(s)
- 192[.]3[.]204[.]194
- 45[.]74[.]60[.]135
URLs
- hxxs[:]//www[.]tradersbolt[.]com/126/invoice1[.]exe
- mail[.]totallyanonymous[.]com
- www[.]tradersbolt[.]com
- ip-api[.]com
- greatest[.]ddns[.]net
- puu[.]sh
- icanhazip[.]com
Email Address
- tpwilkins[@]yahoo[.]co[.]jp
- alsaqr3[@]eim[.]ae
Email Subject
- Hello [Target’s name] Urgent Account details confirmation for payment
Malware Hash (MD5/SHA1/SHA256)
Remediation
- Block the threat indicators at their respective controls.
- Do not download email attachments coming from untrusted sources.
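As an added example (not part of the Rewterz alert), the Python below refangs the network indicators published above and matches them against constructed proxy log lines, so the "block the threat indicators" step can be verified against which internal hosts actually contacted them. The log format and the high/low confidence split between attacker-controlled hosts and public IP-lookup services are assumptions for this example.

```python
import re
from urllib.parse import urlsplit

# Defanged network indicators copied from the alert above. ip-api.com and
# icanhazip.com are public IP-lookup services with legitimate traffic too,
# so hits on them are scored lower than hits on attacker-controlled hosts.
ATTACKER_IOCS = [
    "192[.]3[.]204[.]194", "45[.]74[.]60[.]135", "www[.]tradersbolt[.]com",
    "mail[.]totallyanonymous[.]com", "greatest.ddns[.]net",
]
SHARED_SERVICE_IOCS = ["ip-api[.]com", "icanhazip[.]com"]

# Constructed proxy log lines: "<timestamp> <client_ip> <destination host, IP:port or URL>"
SAMPLE_LOG = """\
2019-09-25T10:14:02Z 10.0.0.21 http://www.tradersbolt.com/126/invoice1.exe
2019-09-25T10:14:09Z 10.0.0.21 ip-api.com
2019-09-25T10:15:30Z 10.0.0.44 https://www.microsoft.com/
2019-09-25T10:16:01Z 10.0.0.21 192.3.204.194:4782
2019-09-25T10:17:45Z 10.0.0.37 WWW.TradersBolt.COM
"""

def refang(indicator: str) -> str:
    """Reverse the defanging used in the alert: [.] -> ., [:] -> :, [@] -> @, hxxp -> http."""
    s = indicator.strip().lower()
    for bracketed, plain in (("[.]", "."), ("[:]", ":"), ("[@]", "@")):
        s = s.replace(bracketed, plain)
    return re.sub(r"^hxxp(s?)://", r"http\1://", s)

def host_of(value: str) -> str:
    """Reduce a (possibly defanged) host, IP:port or URL to its bare hostname."""
    s = refang(value)
    if "://" not in s:  # urlsplit only sees a netloc after a scheme or a leading //
        s = "//" + s
    return urlsplit(s).hostname or ""

def find_ioc_hits(log_text: str = SAMPLE_LOG):
    """Return (client_ip, matched_host, confidence) for each log line hitting an indicator."""
    high = {host_of(i) for i in ATTACKER_IOCS}
    low = {host_of(i) for i in SHARED_SERVICE_IOCS}
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        host = host_of(fields[2])
        if host in high:
            hits.append((fields[1], host, "high"))
        elif host in low:
            hits.append((fields[1], host, "low"))
    return hits
```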