November 25, 2021
Severity
Medium
Analysis Summary
RATDispenser is a stealthy new JavaScript loader that delivers Remote Access Trojans (RATs) to Windows devices and is distributed through phishing attacks.
The loader has distribution partnerships with at least eight malware families designed to steal information and to give the attacker control over the infected device. It was used as a first-stage malware dropper in 94% of the cases analyzed. Because the loader arrives as a JavaScript attachment rather than a Microsoft Office document, its detection rates are lower.
The Infection Cycle
The infection begins with a phishing email carrying a malicious JavaScript attachment that uses a ‘.TXT.js’ double extension. Since known file extensions are hidden by default, the recipient may be tricked into saving the file to their computer believing it is a text file.
The file is only decoded when it is double-clicked and launched; until then the heavily obfuscated file passes through security software undetected. Once launched, it writes a VBScript file to the %TEMP% folder and executes it to download the RAT.
Based on scans by VirusTotal, this method evades detection around 89% of the time.
“Although JavaScript is a less common malware file format than Microsoft Office documents and archives, in many cases it is more poorly detected. From our set of 155 RATDispenser samples, 77 were available on VirusTotal which allowed us to analyze their detection rates,” explained the report by HP.
The eight identified malware families are:
- Ratty
- GuLoader
- Panda Stealer
- Remcos
- Formbook
- AdWind
- WSHRAT (Houdini)
- STRRAT
Impact
- Information Theft
- Infostealer
- Keylogging
Indicators of Compromise
Remediation
- Block executable attachments (for example .js, .exe, .bat and .com files) at your email gateways.
- Change the default file handler for .js files, allow only digitally signed scripts to run, or disable the Windows Script Host (WSH).
- Block all threat indicators at your respective controls.
- Search for IOCs in your environment.
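As an added example that is not part of the Rewterz alert, the following PowerShell applies one of the three WSH hardening options listed above (change the .js handler, allow only signed scripts, or disable WSH) and reads the resulting settings back for verification. It assumes an elevated session on Windows, the standard WSH settings key and the JSFile/JSEFile shell-open handler keys; the TrustPolicy/UseWINSAFER behaviour is taken from Microsoft's WSH settings documentation as recalled and should be confirmed on your build.

```powershell
# Added example (not from the Rewterz alert). Applies one WSH hardening option
# from the Remediation list and reads the result back. Assumes an elevated
# session; registry paths are the standard WSH settings and JS handler keys.
$WshSettings = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'
$JsHandlers  = @('JSFile', 'JSEFile') | ForEach-Object {
    "HKLM:\SOFTWARE\Classes\$_\Shell\Open\Command"
}

function Set-WshHardening {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Handler', 'SignedOnly', 'Disable')]
        [string]$Mode
    )
    if (-not (Test-Path $WshSettings)) { New-Item -Path $WshSettings -Force | Out-Null }
    switch ($Mode) {
        # Option 1: double-clicking a .js/.jse file opens Notepad instead of WScript.exe
        'Handler' {
            foreach ($key in $JsHandlers) {
                if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
                Set-ItemProperty -Path $key -Name '(Default)' -Value '"%SystemRoot%\System32\notepad.exe" "%1"'
            }
        }
        # Option 2: WSH runs only Authenticode-signed scripts (TrustPolicy = 2).
        # Assumption: TrustPolicy is honoured only when UseWINSAFER is set to "0".
        'SignedOnly' {
            Set-ItemProperty -Path $WshSettings -Name 'UseWINSAFER' -Value '0' -Type String
            Set-ItemProperty -Path $WshSettings -Name 'TrustPolicy' -Value 2 -Type DWord
        }
        # Option 3: disable WSH for all users (blocks .js/.vbs/.wsf via wscript and cscript)
        'Disable' {
            Set-ItemProperty -Path $WshSettings -Name 'Enabled' -Value 0 -Type DWord
        }
    }
}

function Get-WshHardeningState {
    # Read the effective settings back so the change can be verified or audited.
    $s = Get-ItemProperty -Path $WshSettings -ErrorAction SilentlyContinue
    [pscustomobject]@{
        WshEnabled  = if ($null -eq $s.Enabled) { 'unset (enabled)' } else { $s.Enabled }
        TrustPolicy = $s.TrustPolicy
        JsHandlers  = $JsHandlers | ForEach-Object {
            (Get-ItemProperty -Path $_ -ErrorAction SilentlyContinue).'(Default)'
        }
    }
}
Set-WshHardening -Mode 'Disable'   # pick 'Handler' or 'SignedOnly' for the other options
Get-WshHardeningState
```

Apply the same Enabled value under HKCU for per-user policy if your endpoints set it there, and roll the change out through Group Policy rather than by hand on each host.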