During a threat detection activity on customer infrastructure, we observed an interesting malspam campaign that delivered the NetWire or Quasar RAT as its final payload.
Both are Remote Access Trojans (RATs), which typically give the operator full control over the infected machine.
- E-mail with a link to a Word document
- The macro-enabled Word document downloads another document from “fast-cargo .com”
- The newly downloaded macro-enabled document downloads a VBS script
- The VBS script downloads the NetWire Remote Access Trojan
The NetWire version used by the attackers is v1.7a R10.
Persistence is established with a scheduled task that relaunches the dropped executable every minute:
schtasks.exe /Create /SC MINUTE /TN "Covering2" /TR "%APPDATA%\Laryngotome.exe"
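As an added detection example (not part of the original report), the following Python check scans process-creation command lines for the scheduled-task persistence pattern above: a `schtasks /Create` with a short-interval trigger, or an action pointing into a user-writable location such as `%APPDATA%`. The sample command lines are constructed for the example; only the first one mirrors the command quoted in the report, and the "Backup" and "Updater" tasks are invented.

```python
import re

# Constructed sample process-creation command lines (not real telemetry);
# the first one mirrors the persistence command quoted in the report.
SAMPLE_LOGS = [
    'schtasks.exe /Create /SC MINUTE /TN "Covering2" /TR "%APPDATA%\\Laryngotome.exe"',
    'C:\\Windows\\System32\\schtasks.exe /Create /SC DAILY /TN "Backup" /TR "C:\\Program Files\\Backup\\run.exe"',
    'schtasks.exe /Create /SC ONLOGON /TN "Updater" /TR C:\\Users\\me\\AppData\\Local\\Temp\\upd.exe',
    'schtasks.exe /Query /TN "Covering2"',
    'notepad.exe C:\\Users\\me\\notes.txt',
]

# schtasks /SC values that re-run the task very frequently.
SHORT_INTERVAL = {"MINUTE", "HOURLY"}
# Paths an unprivileged user can write to; legitimate software rarely
# schedules its binary from there.
USER_WRITABLE = re.compile(r"%APPDATA%|%TEMP%|%LOCALAPPDATA%|\\AppData\\|\\Temp\\", re.I)
# /FLAG optionally followed by a quoted or unquoted value (values never start with '/').
FLAG_RE = re.compile(r'/(\w+)(?:\s+("[^"]*"|[^/\s]\S*))?')

def parse_schtasks(cmdline):
    """Map /FLAG -> value for a schtasks command line; None if it is not schtasks."""
    exe = (cmdline.split(None, 1) or [""])[0].strip('"').rsplit("\\", 1)[-1].lower()
    if exe not in ("schtasks", "schtasks.exe"):
        return None
    return {"/" + flag.upper(): val.strip('"') for flag, val in FLAG_RE.findall(cmdline)}

def flag_persistence(cmdline):
    """Return {'task': name, 'reasons': [...]} for a suspicious /Create, else None."""
    args = parse_schtasks(cmdline)
    if not args or "/CREATE" not in args:
        return None
    sched, action = args.get("/SC", "").upper(), args.get("/TR", "")
    reasons = []
    if sched in SHORT_INTERVAL:
        reasons.append(f"short-interval trigger /SC {sched}")
    if USER_WRITABLE.search(action):
        reasons.append(f"action runs from a user-writable path: {action}")
    return {"task": args.get("/TN", ""), "reasons": reasons} if reasons else None

def scan(lines):
    """Apply flag_persistence to every line and return the hits in order."""
    return [hit for hit in map(flag_persistence, lines) if hit]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print(hit["task"], "->", "; ".join(hit["reasons"]))
```

The check goes a little beyond the single command in the report by also flagging hourly triggers and any action path under `AppData` or `Temp`, so a task with a benign-looking schedule but a user-writable binary is still surfaced.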
EUCACS MISP EVENT:
STIX v1: misp.stix.event5503.xml
Final Payload – IOC

| Indicator | Value |
|---|---|
| Dropped file SHA256 | 98fac688969ed9ed79ff37ecf0d311895ff864d00613ce013f51ae67fb2ccb1a |
| Domain contacted | extensions14718sec. sytes. net |
| Domain contacted | extensions14718. sytes. net |
| IP contacted | 212.7.208. 131 |