Rewterz Threat Alert – Predator the Thief – IOC’s

Severity

Medium

Analysis Summary

A new release of the malware known as Predator the Thief, labeled as version 3.3.4. There have been small development differences between each minor version, making this latest version very different from previous versions. It is active from as early as December 2019. The recent campaign uses phishing documents designed to look like invoices, all pushing the same payload of Predator the Thief. 

Infection chain of Predator the Thief

nce the document is opened the malware performs the following operations:

1. AutoOpen macro runs the malware VBA script.

2. It downloads three files through PowerShell.

• VjUea.dat: Legitimate AutoIt3.exe
• SevSS.dat: Base64-encoded AutoIt script with certificate header.
• apTz.dat: RC4-encrypted Predator the Thief

3. It then uses a legitimate AutoIt3.exe to run decoded AutoIt script.

“SevSS.data” is decoded by certutil.exe, a legitimate command line program that is part of the Certificate Service in Windows. The script is then run to decrypt apTz.dat into the payload of Predator the Thief.

Impact

Data exfiltration

Indicators of Compromise

SHA-256

• 670c3bb2d41335cee28f4fe90cf9a76a9b68a965e241df648a0198e0be6a9df1
• 46710b47763f27a6ffb39055082fa22e3e5a2bd9ae602ea651aefe01079e0c8d
• bcf6f482a8a7e81d3e96c54840d2d341d12923a3277688eddd2534d614dab70b
• 67093ad07a8342c42b01dd1645dbd18ea82cc13081b5ba84fa87617675cc7054
• 76a4e5baa3650dff80df493fa4aaf04d37bb5d20d7a569ec3bc550bdfb3c1991
• 50f7c8b3c825930b242dceef47bec9e7039bff40362f960c84cd9ff9edafc94b
• 759dc4b2ab45e6faf7a9f1325f75956c1954f3695400e66670f6950c06db44c2
• 4792c8a417b7accd3092788504332881154785a9ee2db2e93e63306813497c7c
• 35820393614d39e600b4afc3332de4547f25f4b5d076b43ea1af98020ec5a8f0
• 91722acec748c76de9d98e1797186a03dc9ab2efbd065a0f04e7c04654644dba
• 14b25649cf6f10670fc8e1afb923895ae0300a8feb78e5033488879d5206267b
• b53dd972d466e2d2ded3ce8cc7af28eda77f2939de0d9c1fbd3663fd057ea87d
• cb76b3ee29944a7d8b839025c1e9eae32b188443a7bf5cbfbf7eabe682424d92
• 68875254237c6f887d0f9771b8f356381f8a0384841ae422ef2d49faf30932e9
• 248ad207c6891d84765ea81d0aa3ca04bee69e0467dff8d693fa4eb76a491c16
• 4cac9af0198fe82f5ae87ac19e964471f6e87461743a21054c2f063be9c2c514
• 3118a980caf696fc5c84cb9ee88015f3a0cf205f021270b1f4f313bbae6b6464
• caeb9b2518d47f3df6f2ec515ce314dca6993370b9e124479bff959075379a90
• e5420cf530192596f2c388eeecfd8d6754af06939461629c94d509b991b967f4
• c392229b34617ee5bc9e48bacde3fc8e9046eea51e6101624d312719e970dc00
• 6215d8637357be64510af9daf778ce12bf8401cdd16216a24da257d42217c65b
• c97d6c8075bd9c55fbdcadda6c69c21432d59e872acdc860228b2709edbb6e6c
• 36fe75ca8ca8bcef475737dae530e50eb262484ba0cd4dac0081d8508412d0ad
• dce3bb2609c710339569404f8dce4e0786521bb0de46ad9358fc27d5b687f043

URL

• hxxp[:]//stranskl[.]site/
• hxxp[:]//stranskl[.]site/apTz[.]dat
• hxxp[:]//stranskl[.]site/VjUea[.]dat
• hxxp[:]//stranskl[.]site/SevSS[.]dat
• hxxp[:]//stranskl[.]site/api/check[.]get
• hxxp[:]//stranskl[.]site/api/gate[.]get
• hxxp[:]//corp2[.]site/
• hxxp[:]//corp2[.]site/api/check[.]get
• hxxp[:]//corp2[.]site/api/gate[.]get
• hxxp[:]//tretthing[.]site/
• hxxp[:]//tretthing[.]site/api/check[.]get
• hxxp[:]//tretthing[.]site/api/gate[.]get

Remediation

• Block all threat indicators at your respective controls.
• Always be suspicious about emails sent by unknown senders.
• Never click on the links/attachments sent by unknown senders.