Rewterz Threat Alert – Wacatac Spreads Its Attacks Using Archive Attachments

Severity

High

Analysis Summary

Researchers have recently identified a new malspam campaign that delivers the Wacatac Trojan. Attackers compressed an executable in different types of archive file attachments. If potential victims extract and execute those attachments, they will most likely become infected. The campaign began on August 21, 2020 and is still ongoing up to today August 31. The involved spams attract victims’ attention using important banking information as an email subject. Many of them attach a RAR archive file, but it could also be an ACE archive.

On Windows platforms, if the victim opens it, regsvcs.exe will start and, in turn, trigger a process to gather the user’s personal information on the file system. Here’s the infection process.

At the same time, it also establishes a communication session between a remote controller (i.e. 220-cpanel-02.wlink.com.np or 250-cpanel-02.wlink.com.np) and the infected device via Extended Simple Mail Transfer Protocol (ESMTP). This connection is supposedly used by the remote controller(s) to take control of the infected device.

Impact

• Information theft
• Exposure of sensitive data
• Gain access of victim’s device

Indicators of Compromise

MD5

• 9bfc740fa669c4418d89fd5556ce5c43
• e7eed309f5a6bdb6d1384317e5801a85

SHA-256

• fab4c74418538e8284f7796ce0a281b88915e66d27e0e0b52507f843c0fbc3cd
• 94b6fee9a92b1f031ad025ceadcc8b44822777463c3bb13c8f89071cb0bc306a

SHA1

• 6cc4714eeaf98fa918d8147ec56ec14b4adabd6d
• e48806c057dc2045584d34695f0a02ee7fa29343

Remediation

• Block all threat indicators at your respective controls.
• Always be suspicious about emails sent by unknown senders.
• Never click on links/attachments sent by unknown senders.