Rewterz Threat Alert – Malspam Campaign Distributing the NanoCore RAT Malware

April 16, 2019

Rewterz Threat Alert – AutoIt-Wrapped NanoCore RAT Malspam – Threat Indicators

April 16, 2019

Rewterz Threat Alert – A Cross Platform, Rootkit-Enabled Spyware Operation Targeting Victims Worldwide

April 16, 2019

Severity

Medium

Analysis Summary

A new password-and-data-stealing operation based around a rootkit driver digitally signed with a possibly stolen certificate recently. Operators of this rootkit-enabled spyware are continuously testing new components on already-infected users and regularly making minor improvement to old components. After initially targeting China, this group is now targeting victims worldwide.

The operation is capable of the following:

Extracting cookies and steal login credentials from Google Chrome, Chromium, Mozilla Firefox, Opera, Microsoft Edge, Internet Explorer, Baidu Browser and Yandex Browser.
Steal a user’s payment accounts from his Facebook, Amazon and Airbnb webpages.
Send friend requests to other accounts, from the user’s Facebook account.
Send phishing messages to the victim’s Facebook friends containing malicious APKs used to infect Android users as well.
Steal login credentials for the user’s account on Steam.
Inject JavaScript adware in Internet Explorer.
Install Chrome/Opera extensions to inject JavaScript adware on these browsers as well.
Exfiltrate browsing history.
Silently display ads or muted YouTube videos to users via Chrome.
Install Chrome if it is not already on the victim’s computer.
Subscribe users to YouTube video channels.
Download and execute any payload.

Impact

Information Disclosure
Credential Theft
Malware Infection

Indicators of Compromise

URLs

hxxp[:]//178[.]162[.]132[.]79/1[.]php
hxxp[:]//178[.]162[.]132[.]79/t[.]php?info=
hxxp[:]//80FD4C6BAC35BAB54608B2F60A9A1759[.]online/sta[.]php
hxxp[:]//9D3C13FAF748710EBB5A8E1232B43CA7[.]online/sta[.]php
hxxp[:]//a12[.]fun/json/json[.]php
hxxp[:]//A4E43EDE382B7613F03D2997C80E2DA9[.]online/sta[.]php
hxxp[:]//ab12[.]fun/chrome/
hxxp[:]//ab12[.]fun/tool/
hxxp[:]//count[.]b12[.]fun/jump[.]php
hxxp[:]//D43AC96995C02E4A7CCECE3059730B95[.]online/sta[.]php
hxxp[:]//dl[.]ossdown[.]fun/wcrx[.]dat
hxxp[:]//EC33503163B5789F6786C0D82B479364[.]online/sta[.]php
hxxp[:]//fffffk[.]xyz/down/m_inc[.]js
hxxp[:]//hh1m[.]com/count/app/index[.]php
hxxp[:]//info[.]d3pk[.]com
hxxp[:]//info[.]d3pk[.]com/cams/
hxxp[:]//info[.]d3pk[.]com/history/
hxxp[:]//info[.]d3pk[.]com/history/index[.]php
hxxp[:]//www[.]hh1m[.]com/fb/apk/index[.]php
hxxp[:]//www[.]hh1m[.]com/fb/friend/index[.]php
hxxps[:]//1898799673[.]rsc[.]cdn77[.]org/down/EdgeCookiesView[.]exe
hxxps[:]//www[.]fffffk[.]xyz/chrome/index[.]php
info[.]d3pk[.]com
www[.]fffffk[.]xyz
www[.]hh1m[.]com
1898799673[.]rsc[.]cdn77[.]org
80fd4c6bac35bab54608b2f60a9a1759[.]online
9d3c13faf748710ebb5a8e1232b43ca7[.]online
a12[.]fun
a4e43ede382b7613f03d2997c80e2da9[.]online
ab12[.]fun
b453a3c474be9c1bb54e927e99ca7cfa[.]online
count[.]b12[.]fun
d43ac96995c02e4a7ccece3059730b95[.]online
dl[.]ossdown[.]fun
downmsdn[.]com
ec33503163b5789f6786c0d82b479364[.]online

Malware Hash (MD5/SHA1/SH256)

002995d7cf3409a414365a38a4c2a85c0f556917
0099920232f09ffa056afab1e284def0113c3a86
00fa9cfd8f9aef4122d6ad60bb4b58348b96bb99
0149d9ab48a69b3aed75896d072397ab3736f186
018bf40f69a94c696a42c302ce13f402b6107bc3
02a27930d3065cd4607282c06b6bda07f6262152e5404963932ab6121e9fea45
03585acad4ee56c9b994351c1f31f6d3de79d457
03b6ae2d686b636ef9d0274fac1f316773f4171d
061b9c2ad91d2b449660314bb874820929120163
085dac0dd86ccb60a680474475f9682e86fa16bc
0907c1bbc750fff8898479d42b9692113a470a7d
098e51e64a8b29dbc81754e1476a847887c507ac
0c0e3c6d7a627568e2cf2bd4cfc12d9ae2c6f354
0c4af9de278decc6c0285b87edaa7c1e14c9c6a1
0dbb1db25292280623061a0b5ebd373c249e11aa
0e163b5726cf1ed86babbb271b65477a8090d6fe
0ef014ea5e23975892cd977b56f1bcd8f8bd90ba
0f57980bd7a0cd8c45e274193a9dfcf8c6db6b04
10100da0167fb4c4608b1032beb0db523e27ab70
10ba4a84ae562251bd06ac1d1e67b845e3b4af95
11c8d8e3c6af7af14abd1bfd9e287c481e4be2d1
13117683d3bb87279ec84556f44adf618a8725db
13b5fe7385bebbed2abb227376d990368339079d
145f422c88a3c2d36aa01318557ec4dd6db7e9f6
14a6d1d780e71c8c872cb089a1cfd5bd74e23613
164fcaa69a3cdc8d98657f67d5e1272fdf1ad55d
1742ec2d427705b626339d58f531c85ab7ef5e4d
17a6cf59cca864b0c935585642dcaf2f50db1bac
18fb77c7604f2c74c0bc5556b30013319eb8d142
19e22391772b4504248edf8a649aaefea98f7bd6
19fbcd2c1d29b10fc003a41dc6000250f073e985
1a51bb680c61a7ef3e97658f978516c13031c0f6
1ad9f323eac2442bcb363f493ea4b1aa6ff1fb90
1b1037d7d32b1539862246f12a602836f8bf85df
1b5f6e98e93d0d3c0fd8d247b1874f0b4a965615
1be2161845f21ab88462b55b30a6d4713043471f
1e360760276e364929572cab11f0b652dd44bcca
1e8bc22034841cc0abbe26994198a1ce17625325
203226bea43a1726f41a0d3769de953faac2ef1c
2101269773f79bd57cc974683e0992f0ea822e63
21a7df672b090103ed9e9daa9ff4a66a4753f7a8
223315c933ac4f8d3639064866017f4d3778d3ee
22a23756d6d53d2ea70687b4be60824de6e986d3
2467e663ad2ce03f6eb8eb2faee51d3072e990b3
250be87b38be0506b2b73df6412fd366ac2e6398
273fe8d8b785538b717e0c0a9a91337126304cfc
29a4ce50c4a54a0e326e35cd90aa87e576d9ad0e
2bfcf5419b1d02b820ab5d4425c72b35ee0226bd
2c7c1c21cf15cc445d289fba13db5c9ced93297f
2cbb4f4a8f5079ed810870f72e35329c3959375a
2e2554cc2586060b4d59dcde1311182e2a93141e
2ea1af435cbe327b5eb667606af53feeddd8f951a33714c43451afb199567424
2f77512a36311f9ff7030d1fe2dc41e7f2c0528a
30fe7ec73791a397b9672acce17f7f7640afc523
316ee713fc950cf35c42a0180948dafeef6bd7c4
3354a7e80016b3997911a3dbbbf99aaf27ddce4e
33a8767713d8fc466e9406e0dd5050b7c699cb8d
34275a2f91de00b3fbf2f37deccee28a6a0eb638
35344ec2d3ab5d3173cfcbcf5118deee4cd360cc
375e306e319b150c21fb5f3879484df5b6d58222
37653ddd0b6fceb9e115ce1886eb68f63c2c69f3
3786e96dee2261c743e5be9bedc0a7756541415b
37a302e658d3c2d9032bf4718983049d258bc2a5
3820437e5b58a489351328451ca71e13ee787781
38c133bab6bf2b57db28d2f365e80ccc163031b5
39cec110694b2e172bedb35615f4ccf4bd19b5f8
39e9a3f66762c49a5b941033e9be285dc321f976
3b957bbfb4c391e0a3db8a8dd8cfd3664b8cde35
3bd27ed1228d9260d20cc41bb178d859a1aa5f89
3c0a297ed2968cb210d80e45e11ccaea9ad310b7
3c6968d3c833fc35f0e7fa53690189bab9c6a54c
3dbf6dfc744f4e9d6b69a01048e21867f6598f81
3e6d3f1ee95a389af01313c8be3e96cd6036430d
3e93e7f32935294e125ef37ea01bfc9bd14528de
40c13b19799cb6d73353e5cbc94866f8d833f62b
423f19339e6fb61114e440cce545732513acc5cc
42d4b87c9204619dc2389ebc96f801437376642c
42ead5e30474e37ea3ac5e2bafd0e91ae054e5a2
43d5e4513c494eeca0c69e2d9632d3c484778b74
43e18762d4db992b0dfbfe2ceb497ee601ee94da
43eb8493d125f2c789bf5a33526492dfea5d46d3
4529b32ef5adb9dd32a9df2ab6cf37e3e004a63f
45a2d243ff13ff44be57075f70db32c86b150c8f
4751feb72fe8cd668acbe7f6dc0a266b251db28a
4833898d833739fd3a87ab0e11eff7d1ae8bfe7c
491d29d109acedfbb542dbce11de6c3cd2c4fb2a
4b9252e71b7aa0b2933474521ff6cc84fc99e243
4be6fd50f2c87f64f267cbb74625544734c40bdf
4c721be25118174123023ded2d33cc51da6860ee
4e9aec406bef93bad6cefaa70ffbc7b9b12653ce
50bb128aa82205f0d736d56041182f205b7d21ce
5242e37acea10e65b7c0fb685b2bd9d8d7acf83f
529ec1364a8400bedbfafda24318bd3b6ad31aec
52c7fea4ec26545b3b2100fd80b03bc0961516ff
53f141268c4719181f44ad9906d03ee2b8df26ea
53fd8468ad2f920d63a024064ee28f8b4122a579
54422cc691b3135bc236ff369778584984527e11
54c7bc8b2c2b926faf001092ffed8d58436095c4
55223cdd868250796b780b2174d1c06a9589ddc8
579336561d995b990851f68266b366a6322745de
5852f0134980e086a2de8ea2672844e5f4676e31
5a5c668c12f8ac56aff6fa263576f45eaf7ab3b3
5adb29492620bff0f94ec207ec5a9938642e432c
5bf99110f417eead5aa978be51c96f9cb675ef3ec8c8fe025287a504f9d5222a
5c55bca95511e381ba33561f7dc62401cc1edf54
5dd507a3549b18ce12640c0daefa8ebace7f5c8a
6080dd6888b93ff5df749fd172a53bace05e7349
620200623842adbd1f9fef36a5b2982987949475
6403c2b07f1862d4c67983d2ffe4eed5ea596d11
64aed16ec1b23b025d65cfdf41199089a737a9c4
66584c5683626a8de43cd0369ea7ee83a3e06694
674758d91569eddb022bae68aaa7fbb4a5102f3a
6838801233c7dde5a9e4db389899aba110e87a51
69636467b76c00d71b4e867ddb3859f0f3628170
6a7b133477b581ec1da7777aebe9a5412af1d599
6a8eb6666101cf39230e2c4422f9356f592666b4
6b1f1adcc8700231f23ece4b2efd588fb4085579
6bc16fcabdfa7d14b923b9919c0409ae3421c5cd
6dfb9adc6008e67ae895fd247ab1181611827d3f
6e17d322be2ee7f73acb8b8db840a2c0c1b242f6
6e945841dcafe71190761c2b28f55ea53ead78b2
717b693d6963e71f20262e7301151960f29653a5
720b88eb9a29abe58f3841cd2ccac7f36a249c7c
72604350691afab6a017c3d2b5d4eab736d75cc0
7507c7c2b25877d2eff24c60abc2657d4470ff83
751c265f9f882f1c508e5c2596763826ad87d9a0
7722d0a4d3fc63ad5b87c329db98e01e5f6a503e
79e42bc7c9dcd5cc03c469679c033ce07aa1b516
7a6f052b5a7a99d86f38ed05969b6dfcfcef98d8
7b3e7232e3d6d6a9c7f4ef187c696d3f1e697cb1
7ea669e7be7a9048118570bd550e0d92727cc85a
80ba75808bc6b1251223bc8438fd8e68dd3c2446
80fd4c6bac35bab54608b2f60a9a1759
812f396d83754815369909ac9674666808ac9cb3
81e8a82ec1614633d86fde931c4978037eb9691f0215b78f4e9aaf841cbddd4d
825279952e9e1040819aaf37d1ca9b81d746e846
85155cd7ff66aa1d24e4d99e2a968b4de47381c8
857979cb9f178efff3d873db0aaa80286a1dab20
862eb48f84e09aa4f425404e6a250e7c25d2b20c
86c2c6d80a99747023980902663f7805390de69f
86d96958d96dbedb868d9a5f0961309403d3c836
87e7c72f630a5be1d3dc058ae8885fbe5528a750
881e9747b54e47276d72fb774c1cbbf51811b2e5
892babaef5817c093ced84439f4164c1c1b279c2
898b58a1688fcd857b758817e699c5a3e537233e
89edc1519c6de79dc6040eaa84905ccfbaeb192c
8bd50cdae0dd0a0c7618c6a882309991c5218bf5
8c5ec1b57714b84eaa1ba13e591c723bd86aeba4
8c8f0958b9d3d9ebf09c495341951867546d6171
8d287993f6e9143b506423be2b83ecba090c5f5c
8d85ff11433e2cc61711fc077805da81b7f2e01cbecd6ca66598e603f22f2b81
8dc13faec8c0d37cbda5b056e3c6d50dd3ac4d92
9179482e79e9e45606e808851e67684c07465def5cf8e242457a210b2938ed69
925465cf06b6cfee31a97346d5848f77276ec187
94ca2a0586a6a6afe5a3e5288aedfcce857011ed
94f9ed9b9b9c378e86519061954736f400e84047a93791ddb6fdd4a5e3fab1a1
950923875e8b441be6d5b97a6b66a4f972f32511
96fb67dff18857aae6414b87a10f8734b5f1624d
98a937467bf8345d6d4e1c73973204f69a292343
9992a6dc13bf2b46cc1aacf9a32ddf8f64fe35a8
9a65e1151a9aff484a43f587649c187bd2b30ee5
9ad0c6ef47ffeb05c30db440002578dfa0f0897d
9ceb7807fe917ba639c5b677f5bfc34b3b6ad395
9cef0d54c4ea08b6d3875032273aac1d4bf1cdc7
9d3c13faf748710ebb5a8e1232b43ca7
9d8387740b82b73c68c7dcb1008a0be5c6be0fca
9fed48ea3ca79d15554dc5cdab1d1cbf2e32c16d
a0a1478b4bdab0a3ff60fd75ea0a41dab2b2ede1
a1c04faac6009fdc3bc99a2478e1017e1baa6940
a1edf8699d7272079776119f4934fd17529f05d9
a3d824a853b57304e01e03d2f82ad7c2c6656d30
a491de120143141b62cb36809621bb88f9f41565
a4e43ede382b7613f03d2997c80e2da9
a59f4bdf231472e96a9c18434d4a27fcc6c99dd5
a6425a841562261bf877195b84ec412f154f8ffe
a7f4d59f4a4be9dd15c0bf8f0e6cc0356725fa83
a7f92ce1c9884f409da0f17dd1b6a8c528f34f49
aa4421812ce473b4d3a2399895b1a37841cef61e
ab9edf622d31ec3f42861450f3cd289459766ed1
ad10ce10479333604de922fcf4c34667b47a9f48
adab5775db72af85504ff16170226716c4e38bf6
adc451203672857f71deb7ff4f1fee4db1a5527b
aeb0c050022ce3bc6df081fdac9ec6086a543d07
af0353f06b37a9ad9296f5ff1a991f69e69807fd
b22dc33665ecff56f25cf7532babea88ff839df6
b2922ed6e9027109e5da1545ee91f3e3727e6321
b2c5f28cd3804a2e14b5d601cc42e5876ab86592
b334270fde0597f3fd413aa929a63bd0beb3756e
b45216f77aba691bbfccc4e2970741644ad3f59c
b453a3c474be9c1bb54e927e99ca7cfa
b4e5b70ab7cf432061f8e62e1cdd29de593b942f
b6256b16e153a0b21fe822af4e00a1b7794f8e30
b80045535d867663f79baf88f75306ed9abd6de8
b8cc670da05aea7fb62db39070b9d5d258d9b45a
b8fd9349bb6d08eeedc6e23752a076f723719a0d
ba0c07cb86e48bb22747b0895c2f13339a5c91dd
baa6180acfe58a500394fe5ffce56034247ffd04
bb6423482d55bc6e65b98864b059aa5c89e0bacb
bb65463738f32e86bc561aff7422196ab8c63089
bc59855f21cf035b3f584ea72cc0b47058da093c
bf3f562c1d2de5c2ec223fffcdd9ec7276809306
bfffdbedce78b8adc2c6aa7fbb8987f47932cd76
c06d0e4e5644274d3d377fb980bbfe6fd0e386bf
c155f3a2840d01c2a333220cd022bf8ca7aab17c
c253d4df5a889d9afb7d0564c3e3c1a8b552f998
c4033b6195eda33abbdb1a7b8b86c3c812508180
c40458804e0b6889543d0f35089816631228b9d4
c482265189325f2d9dfaf4d5f07fb542ffbe6d2e
c5d61af093eb3a2c1cd64f05cd35746a11a1a2ff744c1fefb6236b28ca7aeeb2
c6eb3c0953b89572a80ee2e0022cda1168fa68ce
c78475581c82498c7143e31c9750a2e9fe6778e6
ccfc78d0d93b1ba6976aeb61cd0e366fb2e93063
cd581856b734ac502561329ecbcbb674bc089919
cd94f01d6c7727b3b3d54a6286390c87e4d779ff
cf8b96ed57802f33746079ce2fceca21cc1866b7
d074c19fb92231f6d880fb9a0b9108045b41010d
d1adef5401f85b309d299ec13291fc3af613cf76
d2260437d42b7443636da118bf2be52f1dbda75c
d36b391d0f9378347a2b7e0d8100d8d1a368d305a4aa102865c714bea6bf0420
d43ac96995c02e4a7ccece3059730b95
d4b15134e444468340ddefbfed542fe77231659f
d55e3f1596328c0f5516df3bb4f97cd7bdd20d76
d6b3369fe9699239634cc51ce2e408e54982ab26
d7030350d9660d17bae88472d3f142a31b2970eb
d7b1349db15f0878ce0ae5385539b00bb49d4109
d81bd037dfb18625611f573161208da1c5d8a57f
d83182c88b801fb89a05e12bbe3962bd6abe8de9
d9b346144720d01112841fd00870dbcf9a0d3589
d9e4bb03ea0c65f1f4fc37841244aa672e524c03
dbc5e40ed9c2ce0523a3fd450885d227ad62a3e4
dd55aa6ba747579fe3b8fa774bb4dbfdba62a10a
de0e75061fce22da5f74f9b42a77a358a5569322
e074718f51fb3f28e4045695b30939ad520562de
e10f554c9506c8a104e7e5e073ce25ec82e08aaad1ab7ebb7ee854d418ce2b17
e2ccb5ad65cb34d255ec19216dc8c560cfde7372
e4eb272fdec76863d5080fc3a75a5b4d559e86f8
e5a66204b016b050d7e6eefb843c3a5ae854ced2
e6c61befb9aeb111e2b638ac7b13e15ea9c81e28
eaf3b60e1e91c5ec20211f5b510530f4252abfe7
eb1489825494e1fc07ff387da64c7350a08e1837
ec33503163b5789f6786c0d82b479364
ecc307d32574178f8c421b7dbfcd1d36ba7c0b73
ed16c74fcce7336bcfaad6fcfb07d16a3e5b7356
ee23bd14fdc49b86ef548cb95e9b470ea743c6d3
ef17fd80b9b3a670cc3d6f7074939feede486caf
efbff707e249b125462fc0812d3c5dd7b2cfde57
f01ea8ecdc527e5d339cfee98c87f1af58e05793
f1b609b8544d2f691205dc46dd9a89fcb6b0f1ba
f1d0b62d582d33340fc20c6bb44e3741e72cf674
f1d237dce83f31edfe17816f3a5510dc99d8bf88
f1e8c72582026b04d86e43faa2ec930c8bfba41b
f26b00761192a64073fba1658ba966597b49ac602e496e54bfa56db53feae7c8
f2cbc5192f591af0cf109baf05b53dd47ba29903
f432fccd9589d7413d4a85f63cc285cc794d0565
f6a7a53a84cf58ee02576b916c8e873892891c78
f6c47a33376087981d4d0ced8eb37f6963e6df4beba8b0003ea2930170206acf
f73fee78482856b8970d2d5bc70717c19edf46a1
f810f5b549cebbf90f6995f59ce93fcd4b408f54
f8a7a05d576905644486f53278a23c87e10d3f30
f8bc2c734e1f59459f31d8689ad31cba36126fd4
f921d1e94ba5f78661d03012b1307c0c7ddd5b77
f95e474892df72578fc1084ad46b58531b0579a3
f9af61875e011fc62194664a2a290be49d2cf805
fa0403c3850351d0888bf85d25ea91f222019d6c
fa6007c80b06d0f963861c0c7ec06e69df7573ec
fb4155382bc915ef2cf092e385c7871b9f7be98b
fc3a56ee96026aa1f7d786688bc92b5efbde6bdc
fc7f2684440d372fa12d57a00d7dceedbc5b0367
fe4f5f845b20a8cd337a96fe57e2d3091b2893e1
ff29471f9fd4384f949ef167b024131dae1ddcae9dd35c70cc6ecc3ea761560a

Remediation

Block the threat indicators at their respective controls.
Do not save login credentials on these browsers.
Install well-reputed and authentic Adblockers.

Platform

Managed Security Services

Managed Penetration Testing

Assess

Transform

Train

Respond

Resources

GuLoader Malspam Campaign – Active IOCs

CVE-2024-31869 – Apache Airflow Vulnerability

Over 250 Victims Paid $42 Million Ransom to Akira Ransomware – Active IOCs

Threat Insights

About Us

Our Leadership

CSR

Connect with Us

Platform

Managed Security Services

Managed Penetration Testing

Assess

Transform

Train

Respond

Resources

GuLoader Malspam Campaign – Active IOCs

CVE-2024-31869 – Apache Airflow Vulnerability

Over 250 Victims Paid $42 Million Ransom to Akira Ransomware – Active IOCs

Threat Insights

About Us

Our Leadership

CSR

Connect with Us

Rewterz Threat Alert – Malspam Campaign Distributing the NanoCore RAT Malware

Rewterz Threat Alert – AutoIt-Wrapped NanoCore RAT Malspam – Threat Indicators