Severity
High
Analysis Summary
In June 2018, researchers identified the UPAS Kit, a malicious program connected to the Kronos banking Trojan. The UPAS Kit has a history of use in spam campaigns and has been found on malicious USB drives. The threat actors behind it use it to conceal the presence of other malware, distribute spyware, and install banking Trojans. The malware supports anti-VM (anti-virtual-machine) checks to thwart analysis in test environments. The UPAS Kit can download payloads, run programs, and propagate to machines on the local network.

The UPAS Kit spreads to other systems through infected USB drives: when an infected USB stick is inserted into a new device, the malware overwrites the ‘autorun.inf’ file so that it executes a hidden EXE program.

UPAS Kit takes several steps to establish persistence. It first copies itself to the %APPDATA% directory, under a folder labelled ‘Microsoft’, and to the %TEMP% directory. The copied file’s name is the first seven characters of the malware’s global mutex name, for both the %APPDATA% and %TEMP% copies, with “_l.exe” and “_a.exe” appended respectively. The current file name is then compared with the newly generated name; if the two do not match, the malware relaunches itself from the new path. If the names match, the current file path is written to the registry run key Software\Microsoft\Windows\CurrentVersion\Run. The malware then determines the system architecture using IsWow64Process, or GetNativeSystemInfo if the former is unavailable, and returns to its main function.

Removing this malware can be difficult, since it injects itself into a legitimate process. Security scans and patching are therefore necessary alongside the other remediations.
Impact
- Information Theft
- Exposure of Sensitive Information
- Keylogging
Indicators of Compromise
MD5
- 06cdd36673a29822360907f8abec6a59
SHA-256
- 1e87d2cbc136d9695b59e67f37035a45a9ad30f5fccc216387a03c0a62afa9d4
SHA-1
- a982b47cb7dd9db204ebf5f2952e45122cd1f9bc
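The following Python script is an added triage example, not part of this Rewterz alert: it checks Run-key values against the copy locations and file-naming scheme described in the analysis summary, and checks file digests against the three hashes listed above. The drop-directory pattern assumes the default %APPDATA% (AppData\Roaming) and %TEMP% (AppData\Local\Temp) locations, and all sample Run values and digests below are constructed, not real telemetry.

```python
import re

# Hashes published in the advisory, lower-cased for comparison.
KNOWN_HASHES = {
    "06cdd36673a29822360907f8abec6a59",                                  # MD5
    "a982b47cb7dd9db204ebf5f2952e45122cd1f9bc",                          # SHA-1
    "1e87d2cbc136d9695b59e67f37035a45a9ad30f5fccc216387a03c0a62afa9d4",  # SHA-256
}

# Drop locations from the advisory: %APPDATA%\Microsoft and %TEMP%.
# Assumption: default locations; a relocated %TEMP% is not covered.
DROP_DIR_RE = re.compile(r"\\AppData\\(Roaming\\Microsoft|Local\\Temp)\\[^\\]+$", re.IGNORECASE)
# File name: first seven characters of the mutex name plus "_l.exe" or "_a.exe".
NAME_RE = re.compile(r"^[^\\]{7}_[la]\.exe$", re.IGNORECASE)


def is_upas_drop_path(path: str) -> bool:
    """True if the path matches both the copy location and the naming scheme."""
    if not DROP_DIR_RE.search(path):
        return False
    return NAME_RE.match(path.rsplit("\\", 1)[-1]) is not None


def _command_path(data: str) -> str:
    """Extract the executable path from Run-key value data (quoted or with arguments)."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split(" ", 1)[0]


def triage_run_values(run_values: dict) -> list:
    """Return Run-key value names whose command points at a UPAS-style drop path."""
    return sorted(name for name, data in run_values.items() if is_upas_drop_path(_command_path(data)))


def match_known_hashes(file_hashes: dict) -> list:
    """Return file paths whose digest (MD5, SHA-1 or SHA-256) is in the advisory's IOC set."""
    return sorted(path for path, digest in file_hashes.items() if digest.lower() in KNOWN_HASHES)


# Constructed sample telemetry: one benign autostart and two UPAS-style drops.
SAMPLE_RUN_VALUES = {
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "Microsoft": r"C:\Users\alice\AppData\Roaming\Microsoft\a3f9c1e_l.exe",
    "Updater": r"C:\Users\alice\AppData\Local\Temp\a3f9c1e_a.exe",
}
SAMPLE_FILE_HASHES = {  # the second digest is the MD5 of an empty file, used as a benign placeholder
    r"C:\Users\alice\AppData\Roaming\Microsoft\a3f9c1e_l.exe": "06CDD36673A29822360907F8ABEC6A59",
    r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe": "d41d8cd98f00b204e9800998ecf8427e",
}

if __name__ == "__main__":
    print("Suspicious Run values:", triage_run_values(SAMPLE_RUN_VALUES))
    print("Hash matches:", match_known_hashes(SAMPLE_FILE_HASHES))
```

On a live host the two dictionaries would be filled from the HKCU/HKLM Run keys and from hashing the files they reference; the matching logic is unchanged.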
Remediation
- Block all threat indicators at your respective controls.
- Search for IOCs in your environment.
- Upgrade your operating system.
- Don’t open files and links from unknown sources.
- Install and run anti-virus scans.