
Rewterz Threat Alert – Second Desktop Used By SectopRAT

November 27, 2019

Severity

Medium

Analysis Summary

SectopRAT, first observed on November 15th, is a .NET-based remote access trojan that creates a second, hidden desktop on the victim machine; the attacker can browse the Internet from that desktop without the logged-on user seeing it. G Data recovered two samples, compiled on November 13th and 14th. To avoid raising suspicion, the first sample carried an Adobe Flash icon and was signed with a certificate issued by the Sectigo RSA Code Signing CA; the second used an icon resembling a red floppy disk and was unsigned. The control flow of the .NET assembly is obfuscated with ConfuserEx to hinder decompilers such as dnSpy. After infection, the malware persists through the registry Run key. Although the code appears hastily assembled, parts of it suggest the author knows Windows internals better than a "greenhorn"; G Data assesses these builds as test versions and expects improved versions to follow.

Impact

The threat actor can browse the Internet from the infected machine on a desktop the user cannot see, so the attacker's web activity appears to originate from the victim's host.


Indicators of Compromise

SHA-256

  • b1e3b5de12f785c45d5ea3fc64412ce640a42652b4749cf73911029041468e3a
  • 4409d2170aa9989c6a8dd32b617c51a7c3e328b3c86410813c016691b2bd7774
  • d5a3d47e1945e9d83a74a96f02a0751abd00078ee62e6d3a546a050e0db10d93
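
The Run-key persistence and the hashes above can be checked together from an elevated PowerShell prompt. The script below is an added example written for this alert, not tooling from Rewterz or G Data: it enumerates the user, machine and WOW6432Node Run keys, resolves the executable each value launches, computes its SHA-256, records its Authenticode status, and flags any hash that matches the indicators listed above. The helper name Get-ExecutablePath and the simple command-line parsing are assumptions for illustration.

```powershell
# Added example (not Rewterz or G Data code): hunt Run-key persistence and
# compare the launched binaries against the SectopRAT SHA-256 indicators.
# Run as an administrator so HKLM keys and other users' profiles are readable.

# Indicators copied from the alert above, lower-case to match Get-FileHash output after ToLower().
$Iocs = @(
    'b1e3b5de12f785c45d5ea3fc64412ce640a42652b4749cf73911029041468e3a',
    '4409d2170aa9989c6a8dd32b617c51a7c3e328b3c86410813c016691b2bd7774',
    'd5a3d47e1945e9d83a74a96f02a0751abd00078ee62e6d3a546a050e0db10d93'
)

# Run keys for the current user and the machine, including the 32-bit view on 64-bit Windows.
$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)

function Get-ExecutablePath {
    # Hypothetical helper: pull the executable out of a Run value such as
    #   "C:\Users\x\AppData\Roaming\svc.exe" /silent   or   %APPDATA%\svc.exe -q
    param([string]$CommandLine)
    $expanded = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($expanded -match '^"([^"]+)"') { return $Matches[1] }      # quoted path
    if ($expanded -match '^(\S+\.exe)') { return $Matches[1] }     # bare path ending in .exe
    return $expanded.Split(' ')[0]                                 # best effort fallback
}

$Results = foreach ($key in $RunKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        # Get-ItemProperty adds PSPath, PSChildName, etc.; skip those provider fields.
        if ($p.Name -like 'PS*') { continue }
        $exe    = Get-ExecutablePath ([string]$p.Value)
        $hash   = ''
        $signed = 'file not found'
        if (Test-Path -LiteralPath $exe) {
            $hash   = (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash.ToLower()
            $signed = (Get-AuthenticodeSignature -LiteralPath $exe).Status
        }
        [PSCustomObject]@{
            Key       = $key
            Name      = $p.Name
            Path      = $exe
            SHA256    = $hash
            Signature = $signed
            IOCMatch  = ($Iocs -contains $hash)
        }
    }
}

# Print every Run entry; IOCMatch = True means the launched binary is one of the listed samples.
$Results | Format-Table -AutoSize
```

Treat a hash match as confirmation, not the absence of one as a clean bill: G Data describes these builds as test versions, so later samples will not share these hashes. Review every Run entry that points into a user-writable location, and do not discount a binary because its signature status is Valid, since the first SectopRAT sample was signed with a Sectigo-issued code-signing certificate.
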

Remediation

  • Block all threat indicators at your respective controls, keeping in mind that the listed hashes cover only the samples analysed so far and that improved versions are expected.
  • Treat emails from unknown senders with suspicion.
  • Never open links or attachments sent by unknown senders.