Rewterz Threat Alert – Spoofing Visa application with HTTP status-based Trojan
May 19, 2020
Severity
Medium
Analysis Summary
Researchers have identified five separate campaigns, run between November 2019 and January 2020, that shared similar payloads, packing code, and command-and-control servers. Users in Europe, the Middle East, and the Republic of Korea were the victims of these campaigns. The researchers have dubbed the threat group behind these attacks "RATicate". According to the researchers, the group's latest campaign uses the COVID-19 pandemic as a lure to gain victims. The campaign abused the Nullsoft Scriptable Install System (NSIS) to generate its malware installers. Of the multiple files dropped by the installer, only two were key to the infection; the additional files are believed to be there to confuse analysts and throw off sandbox analysis. The RATs and info-stealers installed during this campaign included Lokibot, Betabot, Formbook, and AgentTesla. In total, the researchers discovered thirty-eight NSIS installer samples they believe were part of this campaign. The infection vector was an email sent to potential victims, with either an archive file containing the NSIS installer or a weaponized XLS / RTF document that downloaded the NSIS installer attached. The infection was triggered when the victim clicked on the attachment.
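As an added defender-side example (not code from the Rewterz alert), the Python routine below labels mail attachments by content for the delivery vectors described above: NSIS-built executables (recognised by the NSIS first-header marker, 0xDEADBEEF followed by "NullsoftInst", which sits in the PE overlay), ZIP archives carrying such an installer or another executable, and OLE (XLS) or RTF documents. The function names and all sample bytes are constructed for this example; no real malware is embedded.

```python
import io
import zipfile

# An NSIS installer's "first header" opens with 0xDEADBEEF (little-endian)
# followed by the ASCII string "NullsoftInst"; it lives in the PE overlay.
NSIS_MARKER = b"\xef\xbe\xad\xdeNullsoftInst"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .xls/.doc container
RTF_MAGIC = b"{\\rtf"
PE_MAGIC = b"MZ"
ZIP_MAGIC = b"PK\x03\x04"
EXEC_EXT = (".exe", ".scr", ".com", ".pif")
MAX_MEMBER = 4 * 1024 * 1024  # cap on bytes read per archive member

SUSPICIOUS = {"nsis-installer", "archive-with-nsis-installer",
              "archive-with-executable", "ole-document", "rtf-document"}


def classify(data: bytes) -> str:
    """Label one attachment by its content (not its extension), looking inside ZIPs."""
    if data.startswith(PE_MAGIC):
        return "nsis-installer" if NSIS_MARKER in data else "pe-executable"
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    inner = zf.open(member).read(MAX_MEMBER)
                    if inner.startswith(PE_MAGIC) and NSIS_MARKER in inner:
                        return "archive-with-nsis-installer"
                    if inner.startswith(PE_MAGIC) or member.lower().endswith(EXEC_EXT):
                        return "archive-with-executable"
        except zipfile.BadZipFile:
            return "corrupt-archive"
        return "archive"
    if data.startswith(OLE_MAGIC):
        return "ole-document"
    if data.startswith(RTF_MAGIC):
        return "rtf-document"
    return "other"


def triage(attachments: dict) -> dict:
    """Return {name: label} for attachments matching the campaign's delivery vectors."""
    findings = {}
    for name, data in attachments.items():
        label = classify(data)
        if label in SUSPICIOUS:
            findings[name] = label
    return findings


def build_samples() -> dict:
    """Constructed stand-ins for each attachment type; harmless bytes, not real samples."""
    fake_nsis = b"MZ" + b"\x00" * 126 + NSIS_MARKER + b"\x00" * 16
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.exe", fake_nsis)  # archive wrapping an NSIS installer
    return {"relief.zip": buf.getvalue(), "form.xls": OLE_MAGIC + b"\x00" * 64,
            "notice.rtf": RTF_MAGIC + b"1\\ansi }", "setup.exe": fake_nsis,
            "readme.txt": b"plain text"}
```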
Impact
- Information theft
- Exposure of sensitive data
Indicators of Compromise
SHA-256
Remediation
- Block all threat indicators at your respective controls.
- Always be suspicious of emails sent by unknown senders.
- Never click on the links/attachments sent by unknown senders.