

Rewterz Threat Advisory – CVE-2019-2729 – Oracle WebLogic Server Vulnerability
June 19, 2019
Rewterz Threat Alert – DHS Email Phishing Scam
June 20, 2019
Severity
Medium
Analysis summary
This advisory covers a campaign targeting companies from several verticals across the EMEA region. The campaign appeared to be linked to the MenuPass (a.k.a. APT10/Stone Panda/Red Apollo) threat actor and used an open-source backdoor, QuasarRAT, to maintain persistence inside a compromised organization. Several distinct loader variants, each tailored to a specific target, were identified by applying machine learning (ML) analysis to the malware corpus.
QuasarRAT is a lightweight remote administration tool written in C#. It can collect system information, download and execute applications, upload files, log keystrokes, grab screenshots and camera captures, retrieve system passwords and run shell commands. The remote access Trojan (RAT) is loaded by a bespoke loader (a.k.a. DILLWEED). The encrypted QuasarRAT payload is stored in the Microsoft.NET directory, decrypted into memory, and instantiated using a CLR host application. In later variants an additional component is also used to install the RAT as a service (a.k.a. DILLJUICE).
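Because the loader keeps the RAT as an encrypted blob inside the Microsoft.NET directory, one practical hunting check is to look there for files that are high-entropy yet are not ordinary .NET artifacts. The script below is an added example written for this advisory, not code from the advisory or from the loader; the entropy threshold, the allow-list of expected extensions and the constructed sample tree are all assumptions.

```python
import math
import os
import tempfile
from pathlib import Path

# Assumptions for this example (not values from the advisory):
# encrypted or compressed data usually scores close to 8 bits/byte.
HIGH_ENTROPY = 7.2
EXPECTED_EXT = {".dll", ".exe", ".config", ".xml", ".txt", ".ini", ".manifest"}


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for uniform/empty, 8.0 for random-looking)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def suspicious_files(root, threshold=HIGH_ENTROPY):
    """Walk root (on a live host this would be C:\\Windows\\Microsoft.NET) and
    return (path, entropy) for files that look like encrypted blobs: high entropy
    and not a PE with an expected extension. Real PEs are left to signature checks."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = Path(dirpath) / name
            try:
                data = p.read_bytes()
            except OSError:
                continue  # locked or unreadable file: skip rather than abort the scan
            if p.suffix.lower() in EXPECTED_EXT and data[:2] == b"MZ":
                continue
            ent = shannon_entropy(data)
            if ent >= threshold:
                hits.append((str(p), round(ent, 2)))
    return hits


def demo():
    """Constructed sample tree: a plain config file and one encrypted-looking blob."""
    root = tempfile.mkdtemp()
    (Path(root) / "machine.config").write_text("<configuration>\n" * 50)
    (Path(root) / "cache.dat").write_bytes(bytes(range(256)) * 16)
    return suspicious_files(root)
```

Any hit should be triaged by hash against the indicators in this advisory and by checking whether a CLR host process loads it, rather than deleted on sight.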
Impact
- Unauthorized system access
- Exposure of sensitive information
Indicators of Compromise
Malware Hash (MD5/SHA1/SHA256)
Remediation
Block all threat indicators at your respective controls.