Rewterz

Rewterz Threat Alert – APT Group SideWinder

January 8, 2020
Rewterz

Rewterz Threat Alert – Snake Ransomware Targeting Business Networks

January 8, 2020

Rewterz Threat Alert – NetWire RAT Delivered via IMG Attachment

Severity

Medium

Analysis Summary

A series of sales-themed emails with IMG attachments. with purpose to deliver the NetWire RAT. A total of 15 emails carrying the same attachment were observed coming from two unique senders. 

image-1578466479.png

Email 1

image-1578466504.png

Email 2

In both cases, the referenced attachment is an IMG file named “Sales_Quotation_SQUO00001760.img.” Opening this file extracts an executable that we identified to be the NetWire RAT. Once executed, the malware establishes persistence via a scheduled task. Additionally, Registry keys are created to store the C2 server IP and install data of the RAT. Communication with the C2 server is performed over port 3012.\

Impact

Exposure of sensitive information

Indicators of Compromise

Email Subject

  • Enquiry Requirement
  • RFQ : REQUIREMENT

From Email

  • kumarmanthan[@]raptorsupplies[.]com
  • sale[@]machinesalerswaz[.]com

SHA-256

  • 01b4694a473b86231293cc81b67be7bc813cd7ce58af39b72ea9e06652528444
  • a943161c1b1e9ff7b2844a413c57f60641da782cf208c799bb4f13191fe7397d

Remediation

  • Block all threat indicators at your respective controls.
  • Always be suspicious about emails sent by unknown senders.
  • Never click on the links/attachments sent by unknown senders.

Reading this advisory was a good start.

Make it a habit.

Rewterz publishes threat advisories ahead of mainstream cybersecurity media, informed by an AI-Native Autonomous SOC that sees regional threat actor activity in real time. Subscribe to receive each new advisory as it publishes, plus a monthly Middle East threat landscape brief drawn from our own SOC telemetry. For teams evaluating their detection coverage, a 30-minute consultation with a senior analyst is also available, at your pace, when you're ready.