Rewterz Threat Alert – Predator the Thief – IOC’s

Severity

Medium

Analysis Summary

A new release of the malware known as Predator the Thief, labeled version 3.3.4, has been observed. Each minor version has introduced only small development changes, but together they make this latest version very different from earlier ones. The campaign has been active since at least December 2019 and uses phishing documents designed to look like invoices, all delivering the same Predator the Thief payload.

Figure 1: Infection chain of the recent Predator the Thief campaign

Figure 2: Example phishing document

Once the document is opened, the malware performs the following operations:

1. The AutoOpen macro runs the malware's VBA script.

2. It downloads three files through PowerShell:

  • VjUea.dat: legitimate AutoIt3.exe
  • SevSS.dat: Base64-encoded AutoIt script with a certificate header
  • apTz.dat: RC4-encrypted Predator the Thief

Figure 3: PowerShell for downloading the files, compiling the loader, and running the loader to load Predator the Thief

3. It then uses the legitimate AutoIt3.exe to run the decoded AutoIt script.

SevSS.dat is decoded by certutil.exe, a legitimate command-line program that is part of Certificate Services in Windows. The decoded script is then run to decrypt apTz.dat into the Predator the Thief payload.

Figure 4: Certificate header and Base64-encoded AutoIt script (.au3)
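The certificate header on SevSS.dat exists only so that certutil.exe will strip it and Base64-decode the body. An analyst triaging such a file can apply the same decoding and then check whether the result is actually DER-encoded certificate data. The script below is an added example written for this advisory, not Rewterz's tooling or a file from the campaign: the PEM wrapper and the AutoIt keyword list are assumptions, and both sample inputs are constructed (a harmless one-line AutoIt stand-in and a minimal DER SEQUENCE standing in for a real certificate body).

```python
import base64
import binascii
import re
from typing import Dict, List, Optional

# Matches the PEM-style wrapper that certutil -decode accepts; the body is
# captured so it can be inspected before anything is trusted about it.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)

# Strings typical of AutoIt source (assumed marker list); any of these inside a
# "certificate" body is a strong sign the wrapper is a delivery disguise.
AUTOIT_MARKERS = (b"#include", b"Func ", b"EndFunc", b"ShellExecute",
                  b"BinaryToString", b"FileRead", b"MsgBox")


def extract_pem_body(text: str) -> Optional[bytes]:
    """Return the Base64-decoded body of the first CERTIFICATE block, or None."""
    match = PEM_BLOCK.search(text)
    if match is None:
        return None
    joined = "".join(match.group(1).split())  # certutil wraps lines; drop whitespace
    try:
        return base64.b64decode(joined, validate=True)
    except binascii.Error:
        return None


def looks_like_der_certificate(blob: bytes) -> bool:
    """Cheap structural check: a DER X.509 certificate is one outer SEQUENCE
    (tag 0x30) whose encoded length covers exactly the rest of the blob."""
    if len(blob) < 4 or blob[0] != 0x30:
        return False
    first = blob[1]
    if first < 0x80:                      # short-form length
        length, header = first, 2
    else:                                 # long-form: low 7 bits = count of length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(blob) < 2 + n:
            return False
        length, header = int.from_bytes(blob[2:2 + n], "big"), 2 + n
    return header + length == len(blob)


def classify_certificate_wrapper(text: str) -> Dict[str, object]:
    """Decide whether a CERTIFICATE-wrapped file carries a certificate or something else."""
    body = extract_pem_body(text)
    if body is None:
        return {"verdict": "no-pem-block", "markers": []}
    if looks_like_der_certificate(body):
        return {"verdict": "der-certificate", "markers": []}
    markers: List[str] = [m.decode() for m in AUTOIT_MARKERS if m in body]
    verdict = "script-in-certificate-wrapper" if markers else "non-certificate-payload"
    return {"verdict": verdict, "markers": markers,
            "preview": body[:60].decode("latin-1")}


def _wrap(raw: bytes) -> str:
    """Build a certutil-style wrapper around raw bytes (used only for the samples)."""
    b64 = base64.b64encode(raw).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


# Constructed samples (not files from the campaign):
# a harmless AutoIt one-liner hidden in a certificate wrapper ...
SAMPLE_SCRIPT_WRAPPER = _wrap(b'; constructed stand-in script\nMsgBox(0, "demo", "not a certificate")\n')
# ... and a minimal DER SEQUENCE { INTEGER 5 } standing in for a real certificate body.
SAMPLE_DER_WRAPPER = _wrap(b"\x30\x03\x02\x01\x05")

if __name__ == "__main__":
    for name, sample in (("script", SAMPLE_SCRIPT_WRAPPER), ("der", SAMPLE_DER_WRAPPER)):
        print(name, classify_certificate_wrapper(sample))
```

The DER check is deliberately structural rather than a full X.509 parse: it is enough to separate a genuine certificate body from text, and a file that decodes to script source with a certificate header is the pattern worth escalating.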

Impact

Data exfiltration

Indicators of Compromise

SHA-256

  • 670c3bb2d41335cee28f4fe90cf9a76a9b68a965e241df648a0198e0be6a9df1
  • 46710b47763f27a6ffb39055082fa22e3e5a2bd9ae602ea651aefe01079e0c8d
  • bcf6f482a8a7e81d3e96c54840d2d341d12923a3277688eddd2534d614dab70b
  • 67093ad07a8342c42b01dd1645dbd18ea82cc13081b5ba84fa87617675cc7054
  • 76a4e5baa3650dff80df493fa4aaf04d37bb5d20d7a569ec3bc550bdfb3c1991
  • 50f7c8b3c825930b242dceef47bec9e7039bff40362f960c84cd9ff9edafc94b
  • 759dc4b2ab45e6faf7a9f1325f75956c1954f3695400e66670f6950c06db44c2
  • 4792c8a417b7accd3092788504332881154785a9ee2db2e93e63306813497c7c
  • 35820393614d39e600b4afc3332de4547f25f4b5d076b43ea1af98020ec5a8f0
  • 91722acec748c76de9d98e1797186a03dc9ab2efbd065a0f04e7c04654644dba
  • 14b25649cf6f10670fc8e1afb923895ae0300a8feb78e5033488879d5206267b
  • b53dd972d466e2d2ded3ce8cc7af28eda77f2939de0d9c1fbd3663fd057ea87d
  • cb76b3ee29944a7d8b839025c1e9eae32b188443a7bf5cbfbf7eabe682424d92
  • 68875254237c6f887d0f9771b8f356381f8a0384841ae422ef2d49faf30932e9
  • 248ad207c6891d84765ea81d0aa3ca04bee69e0467dff8d693fa4eb76a491c16
  • 4cac9af0198fe82f5ae87ac19e964471f6e87461743a21054c2f063be9c2c514
  • 3118a980caf696fc5c84cb9ee88015f3a0cf205f021270b1f4f313bbae6b6464
  • caeb9b2518d47f3df6f2ec515ce314dca6993370b9e124479bff959075379a90
  • e5420cf530192596f2c388eeecfd8d6754af06939461629c94d509b991b967f4
  • c392229b34617ee5bc9e48bacde3fc8e9046eea51e6101624d312719e970dc00
  • 6215d8637357be64510af9daf778ce12bf8401cdd16216a24da257d42217c65b
  • c97d6c8075bd9c55fbdcadda6c69c21432d59e872acdc860228b2709edbb6e6c
  • 36fe75ca8ca8bcef475737dae530e50eb262484ba0cd4dac0081d8508412d0ad
  • dce3bb2609c710339569404f8dce4e0786521bb0de46ad9358fc27d5b687f043

URL

  • hxxp[:]//stranskl[.]site/
  • hxxp[:]//stranskl[.]site/apTz[.]dat
  • hxxp[:]//stranskl[.]site/VjUea[.]dat
  • hxxp[:]//stranskl[.]site/SevSS[.]dat
  • hxxp[:]//stranskl[.]site/api/check[.]get
  • hxxp[:]//stranskl[.]site/api/gate[.]get
  • hxxp[:]//corp2[.]site/
  • hxxp[:]//corp2[.]site/api/check[.]get
  • hxxp[:]//corp2[.]site/api/gate[.]get
  • hxxp[:]//tretthing[.]site/
  • hxxp[:]//tretthing[.]site/api/check[.]get
  • hxxp[:]//tretthing[.]site/api/gate[.]get
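The URL indicators above are published defanged (hxxp, [.], [:]), so they must be refanged before they can be compared against proxy or endpoint logs. The following is an added example, not Rewterz's code: it refangs a subset of the indicators from this advisory, matches proxy requests on the exact URL and, failing that, on the host alone, and matches SHA-256 values wherever they appear in a line. The proxy log layout is an assumption, and both sample logs are constructed.

```python
import re
from typing import Dict, List
from urllib.parse import urlparse

# Indicators taken from the advisory, kept in their defanged form so the list
# can be pasted as published.
DEFANGED_URLS = [
    "hxxp[:]//stranskl[.]site/",
    "hxxp[:]//stranskl[.]site/apTz[.]dat",
    "hxxp[:]//stranskl[.]site/VjUea[.]dat",
    "hxxp[:]//stranskl[.]site/SevSS[.]dat",
    "hxxp[:]//stranskl[.]site/api/check[.]get",
    "hxxp[:]//stranskl[.]site/api/gate[.]get",
    "hxxp[:]//corp2[.]site/api/check[.]get",
    "hxxp[:]//corp2[.]site/api/gate[.]get",
    "hxxp[:]//tretthing[.]site/api/gate[.]get",
]
SHA256_IOCS = {
    "670c3bb2d41335cee28f4fe90cf9a76a9b68a965e241df648a0198e0be6a9df1",
    "46710b47763f27a6ffb39055082fa22e3e5a2bd9ae602ea651aefe01079e0c8d",
}


def refang(ioc: str) -> str:
    """Turn a defanged indicator (hxxp, [.], [:]) back into a matchable string."""
    return ioc.replace("hxxp", "http").replace("[:]", ":").replace("[.]", ".")


URL_IOCS = {refang(u).lower() for u in DEFANGED_URLS}
HOST_IOCS = {urlparse(u).hostname for u in URL_IOCS}

# Assumed proxy log layout (constructed for this example):
# <timestamp> <client-ip> <method> <url> <status>
PROXY_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)
SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")


def scan_proxy_log(lines: List[str]) -> List[Dict[str, str]]:
    """Flag requests whose full URL, or failing that whose host, is an indicator."""
    hits = []
    for line in lines:
        m = PROXY_LINE.match(line.strip())
        if m is None:
            continue
        url = m.group("url")
        host = (urlparse(url).hostname or "").lower()
        if url.lower() in URL_IOCS:
            reason = "url"
        elif host in HOST_IOCS:
            reason = "host"          # same host, different path: still worth a look
        else:
            continue
        hits.append({"ts": m.group("ts"), "client": m.group("client"),
                     "url": url, "match": reason})
    return hits


def scan_hash_log(lines: List[str]) -> List[Dict[str, str]]:
    """Flag any line carrying a SHA-256 from the indicator set (no field layout assumed)."""
    hits = []
    for line in lines:
        for digest in SHA256_RE.findall(line):
            if digest.lower() in SHA256_IOCS:
                hits.append({"line": line.strip(), "sha256": digest.lower()})
    return hits


# Constructed sample logs; timestamps, client addresses and the extra paths are invented.
SAMPLE_PROXY_LOG = [
    "2020-01-08T10:15:02Z 10.0.0.21 GET http://stranskl.site/SevSS.dat 200",
    "2020-01-08T10:15:03Z 10.0.0.21 GET http://www.example.com/index.html 200",
    "2020-01-08T10:16:40Z 10.0.0.35 POST http://corp2.site/api/other.get 200",
]
SAMPLE_HASH_LOG = [
    "2020-01-08T10:15:05Z 10.0.0.21 created VjUea.dat sha256=670c3bb2d41335cee28f4fe90cf9a76a9b68a965e241df648a0198e0be6a9df1",
    "2020-01-08T10:15:06Z 10.0.0.21 created notes.txt sha256=" + "0" * 64,
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG) + scan_hash_log(SAMPLE_HASH_LOG):
        print(hit)
```

Matching on the host as a fallback matters here because the same infrastructure serves both the staging files and the api/check.get and api/gate.get endpoints; a request to an unlisted path on one of these hosts is still a strong signal.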

Remediation

  • Block all threat indicators at your respective controls.
  • Always be suspicious about emails sent by unknown senders.
  • Never click on the links/attachments sent by unknown senders.