Rewterz Threat Alert – RevengeRAT Being Distributed via Malspam Campaigns

Severity

High

Analysis Summary

A multi-stage VBS downloader has been observed being delivered to targets via malspam campaigns and used to distribute RevengeRAT and WSHRAT. The infection starts with an MHT file inside a ZIP archive sent by email, which calls back to the following open-directory server: http://newdocreviewonline.3utilities[.]com/

This server hosts two files: Review.php, which downloads Microsoft.hta. The latter is a JavaScript file consisting largely of URL-encoded characters:

Decoding these characters reveals an HTML file containing VBScript that creates a new script, A6p.vbs (stored under AppData/Local), which is then used to download and execute stage 2, another script named Microsoft.vbs. Stage 2 is downloaded from https://scisolinc[.]com/wp-includes/Text/microsoft.vbs and is heavily obfuscated.
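As an added example (not the advisory's own code), the following Python triage helper peels the URL-encoding layers off an HTA of the kind described above and lists the script language, dropped file names and download URLs it contains; the sample HTA is constructed here, is encoded twice to exercise the layered decoding, and points at a placeholder host rather than any real domain.

```python
import re
from urllib.parse import quote, unquote

# Constructed sample, modelled on the advisory's description: an HTA whose JavaScript
# unescape()s a percent-encoded HTML/VBScript body. The host is a placeholder.
SAMPLE_PAYLOAD = (
    '<html><script language="VBScript">\n'
    'Set fso = CreateObject("Scripting.FileSystemObject")\n'
    'dropPath = "AppData\\Local\\A6p.vbs"\n'
    'stage2 = "https://example.invalid/wp-includes/Text/microsoft.vbs"\n'
    '</script></html>'
)
# Encoded twice to exercise the layered-decoding loop below.
SAMPLE_HTA = '<script>document.write(unescape("%s"))</script>' % quote(
    quote(SAMPLE_PAYLOAD, safe=""), safe=""
)

PCT_RE = re.compile(r"%[0-9A-Fa-f]{2}")
URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.I)
FILE_RE = re.compile(r"[\w.-]+\.(?:vbs|hta|js|exe)\b", re.I)
VBS_RE = re.compile(r'language\s*=\s*"?vbscript', re.I)
APPDATA_RE = re.compile(r"appdata[\\/]+local", re.I)

def decode_layers(text, max_rounds=8):
    """Percent-decode until no %XX sequences remain; returns (text, rounds)."""
    rounds = 0
    while rounds < max_rounds and PCT_RE.search(text):
        decoded = unquote(text)
        if decoded == text:  # malformed sequence that unquote leaves alone
            break
        text, rounds = decoded, rounds + 1
    return text, rounds

def extract_indicators(decoded):
    # Script language, AppData drop location, file names and URLs seen in the decoded text.
    return {
        "vbscript": VBS_RE.search(decoded) is not None,
        "appdata_drop": APPDATA_RE.search(decoded) is not None,
        "dropped_files": sorted(set(FILE_RE.findall(decoded))),
        "urls": sorted(set(URL_RE.findall(decoded))),
    }

def triage_hta(raw):
    decoded, rounds = decode_layers(raw)
    report = extract_indicators(decoded)
    report["decode_rounds"] = rounds
    return report

if __name__ == "__main__":
    for key, value in triage_hta(SAMPLE_HTA).items():
        print(f"{key}: {value}")
```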

RevengeRAT is known to target government entities, financial services organizations, information technology service providers and consultancies.

Impact

  • Unauthorized Remote Access
  • Credential Theft
  • Data Manipulation
  • Financial Loss

Indicators of Compromise

Domain Name

newdocreviewonline.3utilities[.]com

Source IP

  • 193.56.28[.]134
  • 185.84.181[.]102

URL

  • hxxp[:]//newdocreviewonline[.]3utilities[.]com/
  • hxxp[:]//newdocreviewonline.3utilities[.]com/2/
  • hxxp[:]//newdocreviewonline.3utilities[.]com/1/
  • hxxp[:]//newdocreviewonline.3utilities[.]com/microsoft[.]hta
  • hxxps[:]//scisolinc[.]com/wp-includes/Text/microsoft[.]vbs
  • hxxp[:]//britianica.uk[.]com:4132
  • hxxp[:]//185.84.181[.]102[:]5478

Remediation

  • Block the threat indicators at their respective controls.
  • Do not respond to emails coming from untrusted sources.
  • Do not download attachments or visit links contained in untrusted emails.