Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
Severity: High
A new, as-yet-unnamed Trojan is being spread disguised as a visa application. The legitimate application is stored encrypted inside the dropper that delivers the Trojan, and the dropper carries both a 32-bit and a 64-bit next-stage payload. The operators direct the Trojan's next steps through little-known HTTP status codes. Its capabilities include acquiring the target's geolocation, gathering host and network data, keylogging, and taking screenshots. The Trojan is self-propagating and uses a dynamically resolved address to further complicate analysis. Data exfiltrated to the C2 is protected with RSA encryption, and data staged locally is hidden using LZNT1 compression and a one-byte XOR cipher.

At this time it is unknown how the malware is first introduced onto systems; the analysis did, however, show the first-stage dropper being downloaded from a shared directory on the local area network. The Trojan can use .DOC and .PDF files as transport for delivery of its main module, which is where the HTTP-status-driven logic resides. If the C2 is configured with TLS, communications use HTTPS over port 443; otherwise all communication is plain HTTP over port 80.
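The local hiding scheme (LZNT1 compression plus a one-byte XOR) is something an analyst can undo generically during forensic review of a host. The following Python is an added example written for this advisory, not code from Rewterz or from the malware: it implements an LZNT1 decompressor, tries all 256 one-byte keys, and keeps only the keys whose result is a structurally valid LZNT1 stream. It assumes the sample compresses first and XORs afterwards (the advisory does not state the order), and the blob it decodes is constructed here for illustration, not an artifact recovered from the Trojan.

```python
"""
Recover data hidden with LZNT1 compression and a one-byte XOR.

Assumption (not stated in the advisory): the sample compresses first and
XORs afterwards, so recovery undoes the XOR and then inflates the result.
The decoder raises ValueError on any malformed stream, which lets the
key search reject wrong keys without any plaintext heuristics.
"""
import struct


def lznt1_decompress(data: bytes) -> bytes:
    """Inflate an LZNT1 stream (the NTFS / RtlCompressBuffer format)."""
    out = bytearray()
    i = 0
    while i + 2 <= len(data):
        header = struct.unpack_from("<H", data, i)[0]
        i += 2
        if header == 0:                     # optional end-of-stream marker
            break
        if (header & 0x7000) != 0x3000:     # bits 12-14 must carry signature 011
            raise ValueError("bad chunk signature")
        size = (header & 0x0FFF) + 1
        end = i + size
        if end > len(data):
            raise ValueError("chunk runs past end of data")
        if not header & 0x8000:             # stored (uncompressed) chunk
            out += data[i:end]
            i = end
            continue
        chunk = bytearray()                 # back-references never cross chunks
        while i < end:
            flags = data[i]                 # one flag bit per following token
            i += 1
            for bit in range(8):
                if i >= end:
                    break
                if not flags & (1 << bit):  # literal byte
                    chunk.append(data[i])
                    i += 1
                    continue
                if i + 2 > end:
                    raise ValueError("truncated back-reference")
                token = struct.unpack_from("<H", data, i)[0]
                i += 2
                # The offset/length bit split depends on how much of the
                # chunk has been produced so far (more output, more offset bits).
                pos = len(chunk) - 1
                len_mask, off_shift = 0x0FFF, 12
                while pos >= 0x10:
                    len_mask >>= 1
                    off_shift -= 1
                    pos >>= 1
                length = (token & len_mask) + 3
                offset = (token >> off_shift) + 1
                if offset > len(chunk):
                    raise ValueError("back-reference before chunk start")
                for _ in range(length):     # byte-wise copy handles overlap
                    chunk.append(chunk[-offset])
        out += chunk
    return bytes(out)


def xor_bytes(data: bytes, key: int) -> bytes:
    """Apply a single-byte XOR (its own inverse)."""
    return bytes(b ^ key for b in data)


def recover_hidden_data(blob: bytes) -> list:
    """Try every one-byte key; keep (key, plaintext) pairs that inflate cleanly."""
    hits = []
    for key in range(256):
        try:
            plain = lznt1_decompress(xor_bytes(blob, key))
        except ValueError:
            continue
        if plain:
            hits.append((key, plain))
    return hits


# Constructed LZNT1 stream (not from the malware): one compressed chunk holding
# 20 literals then a back-reference (offset 20, length 10), then the 0x0000
# end marker. It inflates to b"ABCDEFGHIJKLMNOPQRSTABCDEFGHIJ".
SAMPLE_LZNT1 = bytes.fromhex(
    "18b0"                    # header: compressed, signature 3, size 25
    "004142434445464748"      # flags 0x00 + literals A..H
    "00494a4b4c4d4e4f50"      # flags 0x00 + literals I..P
    "1051525354" "0798"       # flags 0x10: Q R S T, then token 0x9807
    "0000"                    # end-of-stream marker
)
SAMPLE_KEY = 0x5A                                     # constructed key
SAMPLE_ON_DISK = xor_bytes(SAMPLE_LZNT1, SAMPLE_KEY)  # what an analyst would find

if __name__ == "__main__":
    for key, plain in recover_hidden_data(SAMPLE_ON_DISK):
        print(f"key=0x{key:02x} -> {plain!r}")
```

The chunk-header check is a strong filter: bits 12-14 of every chunk header must be 011 and the declared chunk size must fit inside the remaining data, so most wrong keys are rejected before any decompression work is done. If a real sample turns out to XOR before compressing, reverse the order: inflate first, then brute-force the key against the inflated bytes using a printable-text or known-header heuristic instead of this structural check.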