Severity
Medium
Analysis Summary
An Excel file was discovered that purports to be a tax calculator from the Indian “Income Tax Department” but installs the xRAT Trojan. Once the Excel file is opened, if macros are enabled, base64-encoded data is downloaded and decoded into an executable file, which in turn downloads xRAT and other files. Once active, xRAT commences encrypted communications with its C&C server over TCP port 63989. The Portmap service is utilized to hide the actual C&C server address.
Impact
Financial loss
Indicators of Compromise
Malware Hash (MD5/SHA1/SHA256)
- 8b295dd23cddbe8076f0bd651efe03c8d207823920a5c4dbefa328fda6898d83
- 94687352179d4f60ddc8a18026da4cf356cc47a56e058b4210e9b4f935231576
- a070e0ae6edf52b3d1a393a21d33c8aa0f2a30fe113a973dbae892b3f5cadd28
- 63517ec73dfa0629d344b6803ed2a4465f9338592d9c64a14c89bb0da849961c
Remediation
- Block all threat indicators at your respective controls.
- Always be suspicious of emails sent by unknown senders.
- Never click on the links/attachments sent by unknown senders.
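One way to operationalize the indicators above and the C&C behaviour described in the analysis summary, as an added example that is not part of the original alert: the script hashes a directory tree against the alert's SHA256 list and flags outbound TCP connections to port 63989 in firewall logs. The key=value log layout and the sample log lines are constructed assumptions; because Portmap relays the traffic, the destination IP is not a reliable indicator, so the check keys on the port alone.

```python
import hashlib
import re
from pathlib import Path

# SHA256 hashes listed in the alert's Indicators of Compromise section.
IOC_SHA256 = {
    "8b295dd23cddbe8076f0bd651efe03c8d207823920a5c4dbefa328fda6898d83",
    "94687352179d4f60ddc8a18026da4cf356cc47a56e058b4210e9b4f935231576",
    "a070e0ae6edf52b3d1a393a21d33c8aa0f2a30fe113a973dbae892b3f5cadd28",
    "63517ec73dfa0629d344b6803ed2a4465f9338592d9c64a14c89bb0da849961c",
}
C2_PORT = 63989  # TCP port the alert reports for xRAT C&C traffic
# Assumed key=value log layout (hypothetical; adapt the regex to your firewall's format).
LOG_RE = re.compile(r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)\s+proto=(?P<proto>\w+)")

def sha256_file(path):
    """Stream a file through SHA256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def hash_tree(root):
    """Map every regular file under root to its SHA256 hex digest."""
    return {str(p): sha256_file(p) for p in Path(root).rglob("*") if p.is_file()}

def find_ioc_matches(file_hashes, iocs=IOC_SHA256):
    """Return (path, sha256) pairs whose digest appears in the indicator set."""
    return [(path, digest) for path, digest in file_hashes.items() if digest.lower() in iocs]

def flag_c2_connections(lines, port=C2_PORT):
    """Return (src, dst) pairs for TCP connections to the alert's C&C port."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if m and m["proto"].lower() == "tcp" and int(m["dport"]) == port:
            hits.append((m["src"], m["dst"]))
    return hits

# Constructed sample log lines (not real traffic) to exercise the connection check.
SAMPLE_LOGS = [
    "2019-08-20T09:12:01Z src=10.0.0.5 dst=198.51.100.7 dport=443 proto=tcp",
    "2019-08-20T09:12:09Z src=10.0.0.5 dst=203.0.113.10 dport=63989 proto=tcp",
    "2019-08-20T09:12:15Z src=10.0.0.8 dst=203.0.113.10 dport=63989 proto=udp",
]

if __name__ == "__main__":
    print("C&C hits:", flag_c2_connections(SAMPLE_LOGS))
    print("IoC file matches:", find_ioc_matches(hash_tree(".")))
```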