

Severity
Medium
Analysis Summary
Researchers discovered a unique reflective loader attack. The email, possibly part of a malspam campaign, is delivered to the potential victim's inbox with a malicious attachment. When the victim opens the attachment, the VBS code connects to a remote website to retrieve an archive file, following a number of 302 redirects along the way. The ZIP archive is hosted on OneDrive and contains another VBS file, which the original script extracts and saves to disk. The second script then creates three registry blobs and a scheduled task to run the downloaded code at some point in the future.

When the scheduled task runs, the VBS file launches PowerShell, writes output to the system clipboard, then pastes that clipboard content as commands into the PowerShell window. Staging the commands through the clipboard may be an attempt to evade security products, since PowerShell is never invoked with a suspicious command line. The PowerShell session retrieves a .NET decoder executable from one of the registry blobs and injects it into a system process. That code then retrieves the other two blobs and injects them as well; one of those two blobs is the payload, the MoDi RAT.
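As an added example (not part of the Rewterz advisory), the Python below shows detection logic for the chain described above, run over constructed Sysmon-style events. Because the clipboard-paste trick keeps the PowerShell command line clean, the rules key on the parent process (a script host), scheduled-task creation by that script host, and large binary registry values written by it; the event field names, sample values and size threshold are assumptions.

```python
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
BLOB_SIZE_THRESHOLD = 50_000  # bytes; assumed cut-off for "embedded binary" registry values

# Constructed sample telemetry (not real logs). Shapes loosely follow Sysmon
# EventID 1 (process create) and EventID 13 (registry value set).
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\wscript.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": r'wscript.exe "C:\Users\u\invoice.vbs"'},
    {"id": 13, "image": r"C:\Windows\System32\wscript.exe",
     "target": r"HKCU\Software\Classes\blob1", "value_size": 310000},
    {"id": 1, "image": r"C:\Windows\System32\schtasks.exe",
     "parent": r"C:\Windows\System32\wscript.exe",
     "cmdline": 'schtasks /create /tn Updater /tr "wscript.exe C:\\Users\\u\\x.vbs" /sc once'},
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\wscript.exe", "cmdline": "powershell.exe"},
    # Benign: PowerShell started by the shell, not by a script host.
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "powershell.exe -NoProfile"},
]


def _base(path):
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect(events):
    """Return (rule, event_index) pairs for the stages of the loader chain.

    The PowerShell rule deliberately ignores the command line: with the
    clipboard-paste technique there is nothing suspicious in it to match.
    """
    findings = []
    for i, ev in enumerate(events):
        if ev["id"] == 1 and _base(ev["parent"]) in SCRIPT_HOSTS:
            child = _base(ev["image"])
            if child in {"powershell.exe", "pwsh.exe"}:
                findings.append(("script_host_spawned_powershell", i))
            elif child == "schtasks.exe" and "/create" in ev["cmdline"].lower():
                findings.append(("script_host_created_scheduled_task", i))
        elif (ev["id"] == 13 and _base(ev["image"]) in SCRIPT_HOSTS
              and ev["value_size"] >= BLOB_SIZE_THRESHOLD):
            findings.append(("script_host_wrote_large_registry_blob", i))
    return findings


if __name__ == "__main__":
    for rule, idx in detect(SAMPLE_EVENTS):
        print(f"{rule}: event {idx}")
```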
Impact
- Exposure of sensitive data
- Information theft
Indicators of Compromise
MD5
URL
- http[:]//vanesaescribano[.]com/services/coaching-personal
- http[:]//phix[.]es/impots-center
Remediation
- Block all threat indicators at your respective controls.
- Always be suspicious of emails sent by unknown senders.
- Never click on links or attachments sent by unknown senders.