Rewterz Threat Alert – Latest Attack Techniques From Qbot
August 31, 2020
Rewterz Threat Advisory – CVE-2020-5621 – Multiple NETGEAR products cross-site request forgery
September 1, 2020
Severity
High
Analysis Summary
Researchers have recently identified a new malspam campaign that delivers the Wacatac Trojan. The attackers compress an executable inside several types of archive file attachments; potential victims who extract and run the attached file will most likely become infected. The campaign began on August 21, 2020 and is still ongoing as of today, August 31. The spam messages draw victims' attention with email subjects that suggest important banking information. Most of them carry a RAR archive attachment, but an ACE archive has also been observed.
On Windows platforms, once the victim opens the attachment, regsvcs.exe starts and in turn launches a process that gathers the user's personal information from the file system. Here's the infection process.
At the same time, the malware establishes a communication session between a remote controller (i.e. 220-cpanel-02.wlink.com.np or 250-cpanel-02.wlink.com.np) and the infected device over Extended Simple Mail Transfer Protocol (ESMTP). This connection is presumably used by the remote controller(s) to take control of the infected device.
Impact
- Information theft
- Exposure of sensitive data
- Gain access to victim's device
Indicators of Compromise
MD5
- 9bfc740fa669c4418d89fd5556ce5c43
- e7eed309f5a6bdb6d1384317e5801a85
SHA-256
- fab4c74418538e8284f7796ce0a281b88915e66d27e0e0b52507f843c0fbc3cd
- 94b6fee9a92b1f031ad025ceadcc8b44822777463c3bb13c8f89071cb0bc306a
SHA-1
- 6cc4714eeaf98fa918d8147ec56ec14b4adabd6d
- e48806c057dc2045584d34695f0a02ee7fa29343
Remediation
- Block all threat indicators at your respective controls.
- Always be suspicious about emails sent by unknown senders.
- Never click on links/attachments sent by unknown senders.
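The first remediation item asks defenders to block the listed indicators. The script below is an added example (it is not Rewterz's own code) showing how the hashes and remote-controller hostnames from this advisory can be swept for on a host: it hashes files under a directory with MD5, SHA-1 and SHA-256 and flags any digest in the IoC list, and it scans proxy/DNS log lines for the two ESMTP controller hostnames. The IoC values are copied from the advisory; the sample log lines and the directory layout are constructed for illustration.

```python
import hashlib
import re
import sys
from pathlib import Path

# File hashes published in the advisory (MD5, SHA-1, SHA-256), lowercase hex.
IOC_HASHES = {
    "9bfc740fa669c4418d89fd5556ce5c43",
    "e7eed309f5a6bdb6d1384317e5801a85",
    "fab4c74418538e8284f7796ce0a281b88915e66d27e0e0b52507f843c0fbc3cd",
    "94b6fee9a92b1f031ad025ceadcc8b44822777463c3bb13c8f89071cb0bc306a",
    "6cc4714eeaf98fa918d8147ec56ec14b4adabd6d",
    "e48806c057dc2045584d34695f0a02ee7fa29343",
}

# Remote controller hostnames named in the advisory (contacted over ESMTP).
IOC_HOSTS = {"220-cpanel-02.wlink.com.np", "250-cpanel-02.wlink.com.np"}

# Match a controller hostname as a whole token, so that a longer or shorter
# name that merely contains it (e.g. a parent domain) is not reported.
HOST_RE = re.compile(
    r"(?<![\w.-])(" + "|".join(re.escape(h) for h in sorted(IOC_HOSTS)) + r")(?![\w-])"
)

# Constructed sample log lines (not from the advisory) in a generic
# "<timestamp> <source> <event>" format used only to exercise the scanner.
SAMPLE_LOG = [
    "2020-08-31T10:14:02Z proxy CONNECT 220-cpanel-02.wlink.com.np:587 from 10.0.0.15",
    "2020-08-31T10:14:05Z smtp EHLO from 10.0.0.15 to mail.example.com",
    "2020-08-31T10:15:11Z dns query A 250-cpanel-02.wlink.com.np by 10.0.0.15",
    "2020-08-31T10:16:00Z dns query A cpanel-02.wlink.com.np by 10.0.0.21",
]


def digests_of_bytes(data):
    """Return the set {md5, sha1, sha256} hex digests of a byte string."""
    return {
        hashlib.md5(data).hexdigest(),
        hashlib.sha1(data).hexdigest(),
        hashlib.sha256(data).hexdigest(),
    }


def file_digests(path):
    """Hash a file in 1 MiB chunks so large archives do not need to fit in memory."""
    md5, sha1, sha256 = hashlib.md5(), hashlib.sha1(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            md5.update(chunk)
            sha1.update(chunk)
            sha256.update(chunk)
    return {md5.hexdigest(), sha1.hexdigest(), sha256.hexdigest()}


def match_hashes(digests):
    """Return the subset of the given digests that appear in the advisory's IoC list."""
    return set(digests) & IOC_HASHES


def sweep_directory(root):
    """Walk a directory tree and return (path, matched_hashes) for every IoC hit."""
    hits = []
    for p in Path(root).rglob("*"):
        if p.is_file():
            matched = match_hashes(file_digests(p))
            if matched:
                hits.append((str(p), sorted(matched)))
    return hits


def find_c2_contacts(log_lines):
    """Return (line, hostname) for each log line that names a controller host."""
    hits = []
    for line in log_lines:
        m = HOST_RE.search(line)
        if m:
            hits.append((line, m.group(1)))
    return hits


if __name__ == "__main__":
    # Usage: python ioc_sweep.py <directory-to-scan>
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, matched in sweep_directory(root):
        print(f"IOC HASH MATCH  {path}  {matched}")
    for line, host in find_c2_contacts(SAMPLE_LOG):
        print(f"IOC HOST MATCH  {host}  <- {line}")
```

Feed `find_c2_contacts` the lines from your own proxy, DNS or mail-gateway logs instead of `SAMPLE_LOG`; the regular expression deliberately requires the full hostname so that the parent domain `wlink.com.np`, which also hosts unrelated traffic, is not flagged on its own.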