The RAR archive contained a covert alternate data stream (ADS) file with PowerShell code, a Windows shortcut file posing as a PDF, and a fake file regarding a World Bank public effort for infrastructure development in Madagascar. The New Technology File System (NTFS), which Windows uses to attach and read data streams to files, introduces a feature known as ADS. Threat actors can use it to covertly hide the existence of a dangerous payload inside the file record of a harmless file by smuggling extra data into it without changing its size or appearance.

While the second ADS contains a Base64-encoded PowerShell script to open the lure document and set up a scheduled task responsible for fetching the final-stage payloads from the domain jacknwoods[.]com, the first data stream contains code to retrieve a decoy file hosted on the World Bank site if the victim launches the LNK file. WmRAT and MiyaRAT both have standard remote access trojan (RAT) features that let the malware gather host information, upload or download files, take screenshots, obtain geolocation information, list files and directories, and execute arbitrary commands using PowerShell or cmd.exe.

Because MiyaRAT has been used selectively in a small number of campaigns, it is thought that its use is limited to high-value targets. These campaigns are most likely intelligence-gathering operations to further the objectives of a South Asian administration. To install harmful backdoors inside target businesses and obtain access to sensitive data and intellectual property, they consistently use scheduled activities to interact with their staging domains.

Impact

• Unauthorized Access
• Sensitive Data Theft
• Code Execution
• Data Exfiltration
• Cyber Espionage

Indicators of Compromise

Domain Name

• academymusica.com

IP

• 38.180.142.228
• 96.9.215.155

MD5

• 5b232b7417cb3965a942201de88f5055
• ecea1286158a462f7e3abfc13b6ed36e
• 7c96a61ae944b68d72a30f0483e25017

SHA-256

• f6c77098906f5634789d7fd7ff294bfd95325d69f1be96be1ee49ff161e07733
• 10cec5a84943f9b0c635640fad93fd2a2469cc46aae5e43a4604c903d139970f
• c7ab300df27ad41f8d9e52e2d732f95479f4212a3c3d62dbf0511b37b3e81317

SHA1

• f01472fd8ffbcd0c2b54075ee01bde6a2cc4f4e6
• 37c5abc5cc561431f1801f91460f0b496bb4e61f
• dd2f8bf8d9f0b787267eccaad64d30d101e6b838

Remediation

• Block all threat indicators at your respective controls.
• Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
• Along with network and system hardening, code hardening should be implemented within the organization to secure its websites and software. Use testing tools to detect any vulnerabilities in the deployed codes.
• Patch and upgrade any platforms and software on time and make it into a standard security policy. Prioritize patching known exploited vulnerabilities and zero-days.
• Enable antivirus and anti-malware software and update signature definitions on time. Using a multi-layered protection is necessary to secure vulnerable assets.
• Maintain cyber hygiene by updating your anti-virus software and implementing a patch management lifecycle.
• Enable two-factor authentication.
• Do not download documents attached in emails from unknown sources and strictly refrain from enabling macros when the source isn’t reliable.