Rewterz Threat Alert – Ursnif Banking Trojan aka Gozi – Active IOCs

February 4, 2023

Rewterz Threat Alert – Chaos Ransomware – Active IOCs

February 5, 2023

Rewterz Threat Alert – Nanocore Rat – Active IOCs

February 4, 2023

Severity

High

Analysis Summary

The NanoCore remote access Trojan (RAT) was first discovered in 2013 when it was being sold in underground forums. The malware has a variety of functions such as a keylogger, a password stealer which can remotely pass along data to the malware operator. It also has the ability to tamper and view footage from webcams, screen locking, downloading and theft of files, and more.The current NanoCore RAT is now being spread through malspam campaign which utilizes social engineering in which the email contains a fake bank payment receipt and request for quotation. The emails also contain malicious attachments with .img or .iso extension. The .img and .iso files are used by disk image files to store raw dumps of either magnetic disk or optical disc. Another version of NanoCore is also distributed in phishing campaigns leveraging specially-crafted ZIP files which is designed to bypass secure email gateways. The malicious ZIP file can be extracted by certain versions of PowerArchiver, WinRar, and older 7-Zip. The stolen information is sent to the command and control (C&C) servers of the malware attacker.

Impact

Credential Theft
Unauthorized Access
Theft of Sensitive Information
File manipulation
Remote command execution
Keylogger

Indicators of Compromise

MD5

1ea95595f303fb17be17261db7f1664b
22ac18e335309b69e2fb038278e14da8
6f3d3aa0154d1cf56ffa79164484111c
72150cf6f2f7157f3e90801cf9dedb07
86f1beb3e7b96aabd772ded24a748e66
a976d46490f4a90f39623d4be9e6a4a1
eff125471aa1220d8c37b64942de8b7f

SHA-256

e9c4a144deb1483f4edc2af3ba374c764285b92330789609f86821a7a10ea2bc
4e2a31d854b37aa44ae33c062e8877117f54988e8ed81c535612c1cf13f09810
b0d3ac937d0e9a52366fac09e78baa1c0b244476bc84949146094f6d035221c3
57cf94df08299565cbb786176e3d1bc4a4b9f16ce12af02dc2ac62d67809e54c
4e9e2c41ff2460da83543aeb49e72d75c02bdb962e0454a7ee1d6304b0d23be1
7108d4253409f66f60a12693c4f014a7e6eda540db5d15d55988b4b31f1b4e9f
6929211005bc0cfd3a5edcbc17838cbd8cf51675a59659ec3636c6f8d6019f69

SHA-1

b57a39427240985a469325fe9fcd2f086c5400e1
dc2254c9fb58d1482528af87cea54ba0851a3f65
187538e3a43b94b222d345434f1558e863929163
108ccf9fe74715de7f204082f1cfde94b2f20e57
c26fb398eabbd80acd40df5141d8ece79bef5e88
eaf0b9186d518c539ddfc04611245733a0824ccb
0e65c9bc601ec683f7ae390962e4ca0f50147cc4

Remediation

Block all threat indicators at your respective controls.
Search for IOCs in your environment.

Platform

Managed Security Services

Managed Penetration Testing

Assess

Transform

Train

Respond

Resources

SideWinder APT Targets Maritime, Nuclear, and IT Sectors Across Asia, the Middle East, and Africa – Active IOCs

Strela Stealer Malware Targets Microsoft Outlook Users for Credential Theft – Active IOCs

EncryptHub: A Multi-Stage Malware Breach Impacting 600 Organizations – Active IOCs

Threat Insights

About Us

Our Leadership

CSR

Connect with Us