
Rewterz Threat Alert – Cardinal RAT Resurfaces with Fresher Attacks

Severity

Medium

Analysis Summary

The Cardinal RAT malware family has resurfaced after going undetected for more than two years. It is delivered by a unique downloader named Carp Downloader. A series of attacks has been observed using an updated version of Cardinal RAT that carries numerous modifications, many of them intended to evade detection and hinder analysis.

Impact

Cardinal RAT

Indicators of Compromise

IP(s) / Hostname(s)

s[.]spotmacro[.]online
secure[.]dropinbox[.]pw
secure[.]spotoption[.]pw
s[.]dropinbox[.]host

URLs

affiliatecollective[.]club
https://gitlab.com/githubuser/testing/commits/master
hxxps[:]//www[.]digitalpoint[.]com/members/bitbox123[.]922831/

Malware Hash (MD5/SHA1/SHA256)

0097dd7676b810bd0c1c70d8c86604c830e1e8e88f6a13c3869747faba381076

Remediation

Block the threat indicators at their respective controls.