Rewterz Threat Advisory – CVE-2019-2729 – Oracle WebLogic Server Vulnerability

June 19, 2019

Rewterz Threat Alert – DHS Email Phishing Scam

June 20, 2019

Rewterz Threat Alert – MenuPass QuasarRAT Backdoor – APT10 – Aiming for Unauthorized System Access

June 20, 2019

Severity

Medium

Analysis summary

A campaign targeting companies from several verticals across the EMEA region. The campaign seemed to be related to the MenuPass (a.k.a. APT10/Stone Panda/Red Apollo) threat actor, and utilized an open-source backdoor named QuasarRAT to achieve persistence within an organization. We identified several distinct loader variants tailored to specific targets by leveraging machine learning (ML) to analyse our malware corpus.

QuasarRAT is a lightweight remote administration tool written in C#. It can collect system information, download and execute applications, upload files, log keystrokes, grab screenshots/camera captures, retrieve system passwords and run shell commands. The remote access Trojan (RAT) is loaded by a bespoke loader (a.k.a. DILLWEED). The encrypted QuasarRAT payload is stored in the Microsoft.NET directory, decrypted into memory, and instantiated using a CLR host application. In later variants an additional component is also used to install the RAT as a service (a.k.a DILLJUICE).

Impact

Unauthorized system access
Exposure of sensitive information

Indicators of Compromise

Malware Hash (MD5/SHA1/SH256)

0aa3d394712452bba79d7a524a54aa871856b4d340daae5bf833547da0f1d844
0eff243e1253e7b360402b75d7cb5bd2d3b608405daece432954379a56e27bff
1ddb533be5fa167c9a6fce5d1777690f26f015fcf4bd82efebd0c5c0b1e135f2
239e9bc49de3e8087dc5e8b0ce7494dabce974de220b0b04583dec5cd4af35e5
26866d6dcb229bf6142ddfdbf59bc8709343f18b372f3270d01849253f1caafb
31f0ff80534007c054dcdbaf25f2449ee7856aceac2962f4d8463f89f61bb3b0
41081e93880cc7eaacd24d5846ae15016eb599d745809e805deedb0b2f7d0859
56f727b3ced15e9952014fc449b496bfcf3714d46899b4bb289d285b08170138
6037b5ce5e7eda68972c7d6dfe723968bea7b40ac05b0f8c779a1f1d542b4ae4
721caf6de3086cbab5a3a468b21b039545022c39dc5de1d0f438c701ecc8e9df
7f7fc0db3ea3545f114ed41853e4dc3764addfa352c28b1f6643d3fdaf7076c5
9bbc5b8ad7fb4ce7044a2ced4433bf83b4ccc624a74f8bafb1c5932c76511308
c8c707575bb87c17ec17c4517c99229a993f80a76261191b2b89d3cb88e24aea
c8f2cc7c4fdf8a748cb45f6cfb21dd97655b49dd1e13dd8cc59a5eab69cc7017
cc02561e5632a2c8b509761ee7a23a75e3899441f9c77d778d1a770f0f82a9b7
cf08dec0b2d1e3badde626dbbc042bc507733e2454ae9a0a7aa256e04af0788d
cf981bda89f5319a4a30d78e2a767c54dc8075dd2a499ddf79b25f12ec6edd64
e24f56ed330e37b0d52d362eeb66c148d09c25721b1259900c1da5e16f70230a
e8f00263b47b8564da9bc2029a18a0fec745377372f6f65a21aa2762fc626d4c
f1c5a9ad5235958236b1a56a5aa26b06d0129476220c30baf0e1c57038e8cddb
f8a7e8a52de57866c6c01e9137a283c35cd934f2f92c5ace489b0b31e62eebe7
fe65e5c089f8a09c8a526ae5582aef6530e1139d4a995eb471349de16e76ec71

Remediation

Block all threat indicators at your respective controls

Platform

Managed Security Services

Managed Penetration Testing

Assess

Transform

Train

Respond

Resources

Rewterz Threat Alert – Agent Tesla Malware – Active IOCs

Rewterz Threat Alert – STOP (DJVU) Ransomware – Active IOCs

Rewterz Threat Advisory – CVE-2023-40363 – IBM InfoSphere Information Server Vulnerability

Threat Insights

About Us

Our Leadership

CSR

Connect with Us