FedEx MalSpam pushing NetWire RAT – MISP Info

Overview

During a Threat Detection activity on customer infrastructure, we observed an interesting MalSpam campaign that delivers, as its final payload, the NetWire or Quasar RAT.

Both are RATs (Remote Access Trojans), which typically give the operator full control over the infected machines.

Infection Chain:

  1. E-Mail with link to Word Document
  2. The Word Document (Macro-enabled) downloads another doc from “fast-cargo .com”
  3. The newly downloaded Document (Macro-enabled) downloads a VBS script
  4. The VBS script downloads NetWire Remote Access Trojan

The NetWire version used by the attackers is v1.7a R10.

Persistence mechanism:

schtasks.exe /Create /SC MINUTE /TN "Covering2" /TR "%APPDATA%\Laryngotome.exe"
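As an added example (not part of the original advisory), the following Python code parses Windows process-creation command lines and flags schtasks /Create invocations that match the persistence pattern above: a task whose /TR target sits in a user-writable location such as %APPDATA%, on a high-frequency MINUTE schedule. The sample command lines are constructed, and the choice of "suspicious" locations and schedules is an assumption for illustration.

```python
import re

# Constructed sample process-creation command lines (not taken from the
# original page); the first mirrors the schtasks persistence seen in this campaign.
SAMPLE_COMMAND_LINES = [
    'schtasks.exe /Create /SC MINUTE /TN "Covering2" /TR "%APPDATA%\\Laryngotome.exe"',
    'schtasks.exe /Create /SC DAILY /TN "Backup" /TR "C:\\Program Files\\Backup\\backup.exe"',
    'schtasks.exe /Query /TN "Covering2"',
    'notepad.exe C:\\Users\\alice\\notes.txt',
]

# Quoted token or bare token; quotes are stripped from the captured value.
TOKEN = re.compile(r'"([^"]*)"|(\S+)')

# Locations a non-admin user can write to (assumed list, extend as needed).
USER_WRITABLE = re.compile(
    r'%(APPDATA|LOCALAPPDATA|TEMP|TMP)%|\\Users\\[^\\]+\\AppData\\', re.IGNORECASE)


def parse_schtasks(cmdline):
    """Return {SWITCH: value-or-True} for a schtasks.exe command line, else None."""
    tokens = [quoted if quoted else bare for quoted, bare in TOKEN.findall(cmdline)]
    if not tokens:
        return None
    image = tokens[0].replace("\\", "/").rsplit("/", 1)[-1].lower()
    if image != "schtasks.exe":
        return None
    switches, i = {}, 1
    while i < len(tokens):
        if tokens[i].startswith("/"):
            key = tokens[i][1:].upper()
            # A switch takes the next token as its value unless that is another switch.
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("/"):
                switches[key], i = tokens[i + 1], i + 2
            else:
                switches[key], i = True, i + 1
        else:
            i += 1
    return switches


def assess_schtasks(cmdline):
    """Return the list of reasons a schtasks /Create looks like malware persistence."""
    switches = parse_schtasks(cmdline)
    if not switches or "CREATE" not in switches:
        return []
    reasons = []
    task_run = str(switches.get("TR", ""))
    if USER_WRITABLE.search(task_run):
        reasons.append("task runs a binary from a user-writable path: " + task_run)
    if str(switches.get("SC", "")).upper() == "MINUTE":
        reasons.append("high-frequency MINUTE schedule")
    return reasons


def scan(cmdlines):
    """Return (command line, reasons) pairs for every flagged entry."""
    return [(c, assess_schtasks(c)) for c in cmdlines if assess_schtasks(c)]
```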


EUCACS MISP EVENT:

MISP Event: misp.event.5503.5aa6a37e-5ff4-43e3-902b-621bd45b5092.xml

STIX v1: misp.stix.event5503.xml


Final Payload – IOC

Dropped file (SHA256): 98fac688969ed9ed79ff37ecf0d311895ff864d00613ce013f51ae67fb2ccb1a
Domain contacted: extensions14718sec. sytes. net
Domain contacted: extensions14718. sytes. net
IP contacted: 212.7.208. 131

Threat related to: https://www.zscaler.com/blogs/research/malicious-rtf-document-leading-netwiredrc-and-quasar-rat