Rewterz Threat Alert – RATs Wrapped and Hidden in PNG

March 5, 2020

Severity

High

Analysis Summary

A recent campaign is pushing 2 RATs, encrypted, packed, and hidden in PNG files – using disk image files again and redirectors as arrival vectors.

The first spam campaign is about fake harassment. The sender, claiming to be a school president, is informing his colleague that an anonymous email with video, supposedly in the attachment, shows sexual harassment occurred on their premises.

The attachment CONFIDENTIAL0056.zip is a ZIP archive. Inside it is a disk image file CONFIDENTIAL0056.iso which is the Universal Disk Format (UDF) file system format. The image file CONFIDENTIAL0056.iso contains a RAR self-extracting archive (RARSfx) file PRIORITY.scr. Once launched, the RARSfx will silently drop and install 3 files in the %temp% folder. First, a shortcut file Xnekm.lnk will be created. It points to and therefore runs an executable Zhknjdc.exe which is in a folder with the same name as the LNK file. Stored with the EXE file is an image file Zhkn.png.

A related spam campaign was spotted using fake purchase emails. The attachment PO-1109017834665.xlsx.html, disguised as an order slip, is an HTML redirector. It contains a META refresh tag that leads to the download of a RAR file. The HTML also has a hidden paragraph tag with random word padding causing the huge file size of the attachment.

The downloaded file PO-1109017834665.xlsx.rar is a RAR archive which contains 1 file PO-1109017834665.xlsx.exe – a Delphi compiled executable. The EXE’s behavior is almost the same with the EXE file dropped by RARSfx from the first campaign, except the associated PNG is located at its overlay, in other words appended to the end of the executable.

Impact

Unauthorized Remote Access
Code Execution
Theft of information

Indicators of Compromise

Domain Name

rneiko-elec[.]com
checker[.]rneiko-elec[.]com

Filename

CONFIDENTIAL0056[.]iso
PRIORITY[.]scr[.]rar
Xnekm[.]lnk
Zhknjdc[.]exe
Zhkn[.]png
Zhknasx[.]exe
Zhkn_eno[.]hta
Zhknwen[.]vbs
perfmon[.]exe
SSPICLI[.]dll
Clean[.]bat
Runex[.]bat
PO-1109017834665[.]xlsx[.]html
PO-1109017834665[.]xlsx[.]rar
PO-1109017834665[.]xlsx[.]exe

MD5

3ac401065eb9d48059c49dcdf33d2ca5
59e3864ca11e225e3aaa45563e79366a
d1b75a294c1a2587597f72219d83eadb
1dc7995611e26f0e9115a6cd24f0fd1a
53498948bc156c8668d68069a73b3dd0
03553ce35dfbcabb3ab0b97bd736dbc2
0ebe2999e11aef84f3ffd5214f229947
cef35f9517245d69437ef388ba63ab0f
0d897eb9c40f5f595119e5ecb26df68e

SHA-256

1e922165e003afe690f81475c957c3812e0f259ea096d227c6d83a8e74b9a83b
27b1d8628d1c3d7757c86044b9108a1531d92409f012c45c015eda488df11962
2dc4b6bb83457434e26df3164a9099e4177dd98c967d1ea76f3a3d1a2de8d0c6
38645d831c28a61afe81fd8c1a786a87ec10ca5059aac03c1f588dace99b5701
51dde941670399254ca3480ba22e8ea2aab6854f1ea52e519b28dc2e8d1c66ec
83ab486dcd157c14d78e8ba26a8ef4ced34eab344fff1d88558907474dff2d6a
a26c8cb3853fb5aaeb9a55bacd6eb452a42b0643b6fa8a9a2fc699b41ae51330
ab60d9d83563c90a10ddec762c39790300afcd4455d029eb6fa5e5c999478870
b00aedd64879c414c0cb28b3157be35c4a2ef66e5e93f47cbd65cab5810e4e6b
ead64a6e6cddf7f33f5f7f6b03236e395c2a6d2f94af85112b94c426b247354c
119704c353d172f06cf512500e42c94e7c8df9635d462ea0e92b45366f444466
0fc72c2cb306f98c12477023d3f7ac2e77948707cb1920b93c98949c2d5a38f9
09a5bd9a06840dfb8560ff097505d86d77af1f08877601893262bf14c58c43c5
64c812b78b0085eb9d04b66e5872bdbacdc230b0c29a0bd13b71190f3e610dd0

SHA1

c3b54681e8ac61e605bd399ac680ac15b5608033
9742aebce253bfcf3819e28fd5e6ca1e58c10bbf
92c8d3dc444e9e6c3b1a7cf94dbee02e4c7bda00
a224db9e9f2f347587dc398cb898057ce50326f5
aada5c5af3232a16f7906307326673c5749e3bbb

URL

http[:]//checker[.]rneiko-elec[.]com
http[:]//checker[.]rneiko-elec[.]com/
http[:]//checker[.]rneiko-elec[.]com[:]11012/
http[:]//checker[.]rneiko-elec[.]com[:]11012

Remediation

Block the threat indicators at their respective controls.
Do not respond to unexpected emails.
Do not download unexpected email attachments and do not click on URLs attached in untrusted emails.