
Rewterz Threat Alert – UPAS Malware – Active IOCs

July 19, 2022

Severity

High

Analysis Summary

In June 2018, researchers found the UPAS Kit, a malicious program connected to the Kronos banking Trojan. The UPAS Kit has a history of use in spam campaigns and can be found on malicious USB drives. The threat actors behind the UPAS Kit use it to cover up the presence of other malware, spread spyware, and install banking Trojans. The malware is known to support anti-VM (anti virtual machine) functionality in order to thwart examination in test environments. The UPAS Kit can download payloads, run programs, and propagate to machines on the local network.

The UPAS Kit malware spreads to other systems through infected USB drives. When a USB stick is inserted into a new device, the UPAS Kit malware overwrites the ‘autorun.inf’ file, which executes a hidden EXE program.

UPAS Kit performs several similar tasks in order to remain persistent. It first copies itself to the %APPDATA% directory, labelled ‘Microsoft,’ as well as to the %TEMP% directory. The duplicated file’s name is the first seven characters of the global mutex name stated above, with “_l.exe” appended for the %APPDATA% copy and “_a.exe” for the %TEMP% copy. The current file name is compared to the newly produced name, and if the two do not match, the malware is run from the new path. If the check succeeds, the current file path is saved to the registry run key Software\Microsoft\Windows\CurrentVersion\Run. The malware then returns to the main function after determining the current system architecture using IsWow64Process, or GetNativeSystemInfo if the former is not available.

Removal of this malware can be difficult, since it injects itself into a legitimate process. Therefore, security scans and patching are necessary along with the other remediations.
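The persistence behaviour described above gives a concrete hunting rule: Run-key values pointing at a seven-character stem plus “_l.exe” under the %APPDATA% ‘Microsoft’ folder or “_a.exe” under %TEMP%. The following is an added example, not code from the advisory; it assumes ‘Microsoft’ is a subfolder of %APPDATA%, the sample Run-key export and the stem `Ab3xQ9z` are constructed, and the hashes are the ones listed under Indicators of Compromise.

```python
import hashlib
import re
from pathlib import PureWindowsPath
from typing import Dict, List, Optional

# File hashes listed in this advisory's Indicators of Compromise section.
IOC_HASHES = {
    "md5": "06cdd36673a29822360907f8abec6a59",
    "sha1": "a982b47cb7dd9db204ebf5f2952e45122cd1f9bc",
    "sha256": "1e87d2cbc136d9695b59e67f37035a45a9ad30f5fccc216387a03c0a62afa9d4",
}

# Copy naming from the advisory: seven characters of the mutex name, then
# "_l.exe" (copy under %APPDATA%\Microsoft, assumed) or "_a.exe" (copy under %TEMP%).
COPY_NAME = re.compile(r"^(?P<stem>[^\\/]{7})_(?P<tag>[la])\.exe$", re.IGNORECASE)


def classify_run_value(value: str) -> Optional[str]:
    """Return a reason if a Run-key value looks like a UPAS Kit self-copy, else None."""
    path = PureWindowsPath(value.strip().strip('"'))
    m = COPY_NAME.match(path.name)
    if not m:
        return None
    parents = [p.lower() for p in path.parts[:-1]]
    tag = m.group("tag").lower()
    if tag == "l" and "appdata" in parents and parents[-1] == "microsoft":
        return f"APPDATA copy '{path.name}' (stem {m.group('stem')}) in {path.parent}"
    if tag == "a" and parents[-1] == "temp":
        return f"TEMP copy '{path.name}' (stem {m.group('stem')}) in {path.parent}"
    return None


def scan_run_entries(entries: Dict[str, str]) -> List[str]:
    """Apply classify_run_value to {value_name: command} pairs from a Run key export."""
    return [f"{name}: {why}" for name, cmd in entries.items() if (why := classify_run_value(cmd))]


def match_ioc_hashes(data: bytes) -> List[str]:
    """Hash a file's bytes and report which of the advisory's IOC hashes it matches."""
    return [algo for algo, h in IOC_HASHES.items() if hashlib.new(algo, data).hexdigest() == h]


# Constructed sample: a Run key export with one benign entry and two UPAS-style entries.
SAMPLE_RUN_KEY = {
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "Microsoft": r"C:\Users\alice\AppData\Roaming\Microsoft\Ab3xQ9z_l.exe",
    "Update": r"C:\Users\alice\AppData\Local\Temp\Ab3xQ9z_a.exe",
}

if __name__ == "__main__":
    for line in scan_run_entries(SAMPLE_RUN_KEY):
        print(line)
```

On a live host, feed `scan_run_entries` the values read from the HKCU and HKLM Run keys and pass each flagged file's bytes to `match_ioc_hashes`; a stem hit without a hash hit still warrants a closer look, since the mutex-derived name varies by sample.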

Impact

  • Information Theft
  • Exposure of Sensitive Information
  • Keylogging

Indicators of Compromise

MD5

  • 06cdd36673a29822360907f8abec6a59

SHA-256

  • 1e87d2cbc136d9695b59e67f37035a45a9ad30f5fccc216387a03c0a62afa9d4

SHA-1

  • a982b47cb7dd9db204ebf5f2952e45122cd1f9bc

Remediation

  • Block all threat indicators at your respective controls.
  • Search for IOCs in your environment.
  • Upgrade your operating system.
  • Don’t open files and links from unknown sources.
  • Install and run anti-virus scans.