January 9, 2024
Severity
High
Analysis Summary
A sophisticated campaign delivering the AsyncRAT malware to selected targets has been active for the last 11 months, using hundreds of unique loader samples and over a hundred domains. The attacks are propagated through phishing emails sent from hijacked accounts.
AsyncRAT is an open-source remote access trojan (RAT) that targets Windows users and has been publicly available since 2019. Its capabilities include keylogging, remote command execution, dropping additional payloads, and data exfiltration. The tool is popular among threat actors and has been used extensively over the years, either as-is or in modified form, to establish persistence on the targeted system, steal data, and deploy additional malware.
In September 2023, researchers discovered a notable increase in phishing emails that targeted specific companies and individuals. These targets are carefully chosen to broaden the impact of the campaign and some of them manage critical infrastructure in the U.S.
The attacks begin with a malicious email carrying a GIF attachment which, when clicked, leads to an SVG file that downloads hidden JavaScript and PowerShell scripts. After performing anti-sandboxing checks, the loader connects to the command-and-control (C2) server to determine whether the victim is eligible for infection. The C2 domains are hardcoded and hosted on BitLaunch, a hosting service that accepts anonymous cryptocurrency payments. If the loader detects that it is running in a virtual environment, it drops decoy payloads to mislead security researchers and tools, making detection harder.
The loader's anti-sandboxing check is a series of verifications performed via PowerShell commands that retrieve system information and compute a score indicating whether the loader is running inside a virtual machine. The researchers stated that the attackers used about 300 unique loader samples within the past 11 months, each with small changes in code, values, and variable names.
The campaign also uses a domain generation algorithm (DGA) to create new C2 domains every Sunday. The domains follow a specific structure: eight random alphanumeric characters, with South Africa as the country code. The researchers decoded the logic of the domain generation scheme and were able to predict the domains the malware would generate during January 2024. The attacks have not yet been attributed to a specific group, since the threat actors are discreet.
Impact
- Unauthorized Access
- Data Exfiltration
- Sensitive Information Theft
Indicators of Compromise
MD5
- 2f93a7e61bd8eb8b595fd67c130edbc2
- ead41b5ba47a861ebcfc072de4a8fac7
- 113d53428d046ce6f350b352f5179d59
- 222cf7fb823aedd40d2b57b2a8d5ea86
SHA-256
- ec48d692547341789a9205f607983f9cd485435df4fefda1654a5eccbe12bfb0
- f5ad2158644b79eb5e5c1226ed9c1597dafde9b3376de5dc3e02673d135b487a
- 29dcf858f36f68827696a9a3ea1b4a821180569ab297d2f73c740b15832302d3
- ae549e5f222645c4ec05d5aa5e2f0072f4e668da89f711912475ee707ecc871e
SHA-1
- 61ff557dda346f2f91189c92456d946a41fb8f36
- 12aebd7e2376d5ac724905cb2eb163ed822e4c90
- a4e1a0be44759e94a43fc52f39fb3891dce2abbb
- 1f0fce06fd1be6318f4adeee0fd9746667f955ac
Domain Name
- sduyvzep.top
- zpeifujz.top
Remediation
- Search for the indicators of compromise (IOCs) listed above in your environment using your respective security controls.
- Do not download documents attached to emails from unknown sources, and strictly refrain from enabling macros when the source isn't reliable.
- Enable antivirus and anti-malware software and update signature definitions promptly. Multi-layered protection is necessary to secure vulnerable assets.
- Patch and upgrade all platforms and software promptly, and make this part of standard security policy.
- Enforce access management policies.
- Along with network and system hardening, implement code hardening within the organization so that its websites and software are secure. Use testing tools to detect vulnerabilities in deployed code.
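The first remediation step is to hunt for the IOCs above, and the analysis describes the structure of the DGA (eight random alphanumeric characters, rotated every Sunday). The following Python script is an added example, not Rewterz's or the original researchers' tooling. It matches a file-hash inventory against the MD5, SHA-1 and SHA-256 values listed in this advisory, and classifies DNS query names as a listed IOC, "DGA-like", or clean. The DGA-like rule (eight alphanumeric characters under `.top`) takes the `.top` suffix from the two listed domains as an assumption; the advisory does not state the TLD as part of the DGA, so such matches are suspicious rather than confirmed. The inventory rows, the resolver log lines and their `<timestamp> <client-ip> <qname> <qtype>` format are all constructed for the example.

```python
"""Hunt for this advisory's AsyncRAT indicators in a file-hash inventory and
in DNS query logs. Added example; not Rewterz's or the researchers' code."""
import re
from collections import defaultdict

# Hash and domain indicators copied from the advisory's IOC section.
IOC_HASHES = {
    "md5": {
        "2f93a7e61bd8eb8b595fd67c130edbc2",
        "ead41b5ba47a861ebcfc072de4a8fac7",
        "113d53428d046ce6f350b352f5179d59",
        "222cf7fb823aedd40d2b57b2a8d5ea86",
    },
    "sha1": {
        "61ff557dda346f2f91189c92456d946a41fb8f36",
        "12aebd7e2376d5ac724905cb2eb163ed822e4c90",
        "a4e1a0be44759e94a43fc52f39fb3891dce2abbb",
        "1f0fce06fd1be6318f4adeee0fd9746667f955ac",
    },
    "sha256": {
        "ec48d692547341789a9205f607983f9cd485435df4fefda1654a5eccbe12bfb0",
        "f5ad2158644b79eb5e5c1226ed9c1597dafde9b3376de5dc3e02673d135b487a",
        "29dcf858f36f68827696a9a3ea1b4a821180569ab297d2f73c740b15832302d3",
        "ae549e5f222645c4ec05d5aa5e2f0072f4e668da89f711912475ee707ecc871e",
    },
}
IOC_DOMAINS = {"sduyvzep.top", "zpeifujz.top"}

# Structural rule for the DGA described in the advisory: eight random
# alphanumeric characters. The ".top" suffix is an ASSUMPTION taken from the
# two listed domains; widen it if your threat intel lists other TLDs.
DGA_LIKE = re.compile(r"^[a-z0-9]{8}\.top$")


def classify_domain(qname: str) -> str:
    """Return 'known-ioc', 'dga-like' or 'clean' for one queried name."""
    name = qname.strip().lower().rstrip(".")  # normalise trailing dot / case
    if name in IOC_DOMAINS:
        return "known-ioc"
    if DGA_LIKE.match(name):
        return "dga-like"
    return "clean"


def match_hash_inventory(inventory):
    """inventory: iterable of (path, algo, hexdigest) rows, e.g. an EDR export.
    Returns the rows whose digest appears in the advisory's IOC set."""
    hits = []
    for path, algo, digest in inventory:
        if digest.lower() in IOC_HASHES.get(algo.lower(), set()):
            hits.append((path, algo.lower(), digest.lower()))
    return hits


def scan_dns_log(lines):
    """Parse constructed resolver log lines '<timestamp> <client-ip> <qname>
    <qtype>' and group suspicious names by client so each host is triaged once."""
    findings = defaultdict(list)
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed or truncated line: skip rather than guess
        _ts, client, qname, _qtype = parts[:4]
        verdict = classify_domain(qname)
        if verdict != "clean":
            findings[client].append((qname.lower().rstrip("."), verdict))
    return dict(findings)


# Constructed sample data (not real telemetry). The zero SHA-256 digest is a
# placeholder for a file that is not an indicator.
SAMPLE_INVENTORY = [
    ("C:/Users/alice/AppData/Local/Temp/decoy.ps1", "sha256",
     "0000000000000000000000000000000000000000000000000000000000000000"),
    ("C:/Users/bob/Downloads/invoice.svg", "md5",
     "2f93a7e61bd8eb8b595fd67c130edbc2"),
]
SAMPLE_DNS_LOG = [
    "2024-01-07T09:12:03Z 10.0.4.17 sduyvzep.top. A",
    "2024-01-07T09:12:05Z 10.0.4.17 q7m2x9ab.top A",
    "2024-01-07T09:13:40Z 10.0.4.22 update.example.net A",
    "2024-01-07T09:14:01Z 10.0.4.22 example.top A",
    "garbage line",
]

if __name__ == "__main__":
    for hit in match_hash_inventory(SAMPLE_INVENTORY):
        print("hash IOC hit:", hit)
    for client, names in scan_dns_log(SAMPLE_DNS_LOG).items():
        print(client, names)
```

Run the script as-is to see the constructed hits; in practice, feed `scan_dns_log` resolver or EDR DNS telemetry and `match_hash_inventory` a hash export. Because the DGA rotates weekly, a name that is only "dga-like" is worth most attention when it first appears on a Sunday and is queried by a host that also shows the loader's other behaviour (PowerShell launched from an SVG or GIF lure).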