
Rewterz Threat Alert – MenuPass QuasarRAT Backdoor – APT10 – Aiming for Unauthorized System Access

June 20, 2019

Severity

Medium

Analysis summary

This alert concerns a campaign targeting companies from several verticals across the EMEA region. The campaign appears to be linked to the MenuPass (a.k.a. APT10/Stone Panda/Red Apollo) threat actor and used an open-source backdoor named QuasarRAT to achieve persistence within an organization. We identified several distinct loader variants tailored to specific targets by applying machine learning (ML) analysis to our malware corpus.

QuasarRAT is a lightweight remote administration tool written in C#. It can collect system information, download and execute applications, upload files, log keystrokes, grab screenshots and camera captures, retrieve system passwords and run shell commands. The remote access Trojan (RAT) is loaded by a bespoke loader (a.k.a. DILLWEED). The encrypted QuasarRAT payload is stored in the Microsoft.NET directory, decrypted into memory, and instantiated using a CLR host application. In later variants, an additional component (a.k.a. DILLJUICE) is also used to install the RAT as a service.

Impact

  • Unauthorized system access
  • Exposure of sensitive information

Indicators of Compromise

Malware Hash (MD5/SHA1/SHA256)


Remediation

Block all threat indicators at your respective controls.

COPYRIGHT © REWTERZ. ALL RIGHTS RESERVED.