
NetWitness Community Blog

MalSpam Delivers RAT SpyWare Quasar 9-27-2017

RajasSave (Respected Contributor)
2017-10-02 10:37 AM

On September 27th, 2017, malspam delivered a malicious RTF document that attempts to exploit CVE-2017-0199, a remote code execution (RCE) vulnerability in Microsoft Office/WordPad (the "Windows API" variant). The document carries an embedded OLE2Link object that points at a remote, attacker-controlled file; a vulnerable Word fetches that file when the link is updated and, because the server returns it as an HTA, executes it.

VirusTotal analysis of the delivered document confirms the presence of the RTF exploit.


docVT2.PNG

docVT1.PNG

After the document is opened in a vulnerable Microsoft Word application, the user is warned that the document is attempting to download externally linked files. Nothing is fetched until the user accepts that prompt, so the dialogue itself is the last chance to stop the chain on the endpoint.

screen_1.png
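The exploit pattern described above can be checked for statically, before a document ever reaches Word. The following Python scanner is an added example, not code from the original advisory or from RSA FirstWatch: it pulls each \objdata hex blob out of an RTF, decodes it and looks for the hallmarks of a CVE-2017-0199 document: an auto-updating object (\objautlink, \objupdate), the OLE2Link class name, and a URL moniker (CLSID 79EAC9E0-BAF9-11CE-8C82-00AA004BA90B) carrying a UTF-16LE URL. The sample RTF is constructed inline with an abbreviated OLE1 container and the documentation address 192.0.2.10; it is not the September 27th sample and is not a working exploit.

```python
"""Static scan of an RTF for the CVE-2017-0199 OLE2Link pattern.

Added example; not from the original advisory. The sample document built by
build_sample_rtf() is constructed for illustration only.
"""
import re
import struct

# \objdata holds the embedded OLE1 object as a run of hex digits, possibly
# broken across lines, terminated by the closing brace of its group.
OBJDATA_RE = re.compile(rb"\\objdata\b\s*([0-9A-Fa-f\s]+)")

# Control words the exploit documents rely on so that Word refreshes the
# linked object on open (after the "update links" prompt).
SUSPICIOUS_CW = (b"\\objautlink", b"\\objupdate")

# URL Moniker CLSID {79EAC9E0-BAF9-11CE-8C82-00AA004BA90B} in the on-disk
# (little-endian) GUID byte order.
URL_MONIKER_CLSID = bytes.fromhex("E0C9EA79F9BACE118C8200AA004BA90B")

# The moniker stores its target as UTF-16LE; match http(s)://... until the
# first non-printable character.
UTF16_URL_RE = re.compile(
    rb"h\x00t\x00t\x00p\x00(?:s\x00)?:\x00/\x00/\x00(?:[\x21-\x7e]\x00)+"
)


def decode_objdata(rtf: bytes) -> list:
    """Return the decoded bytes of every \\objdata hex blob in the RTF."""
    blobs = []
    for m in OBJDATA_RE.finditer(rtf):
        hexdata = re.sub(rb"\s+", b"", m.group(1))
        if len(hexdata) % 2:
            hexdata = hexdata[:-1]  # tolerate a stray trailing nibble
        blobs.append(bytes.fromhex(hexdata.decode("ascii")))
    return blobs


def scan_rtf(rtf: bytes) -> dict:
    """Report the CVE-2017-0199 indicators found in an RTF byte string."""
    findings = {"control_words": [], "ole2link": False,
                "url_moniker": False, "urls": []}
    for cw in SUSPICIOUS_CW:
        if cw in rtf:
            findings["control_words"].append(cw.decode("ascii"))
    for blob in decode_objdata(rtf):
        if b"OLE2Link" in blob:
            findings["ole2link"] = True
        if URL_MONIKER_CLSID in blob:
            findings["url_moniker"] = True
        for m in UTF16_URL_RE.finditer(blob):
            findings["urls"].append(m.group(0).decode("utf-16-le"))
    # An OLE2Link object that resolves to a remote URL is the exploit shape;
    # the control words alone are common in benign linked documents.
    findings["verdict"] = findings["ole2link"] and (
        findings["url_moniker"] or bool(findings["urls"]))
    return findings


def build_sample_rtf(url: str) -> bytes:
    """Constructed test document: an abbreviated OLE1 container holding only
    the fields the scanner inspects (not a real, working exploit file)."""
    ole1 = (struct.pack("<II", 0x00000501, 0x00000002)  # OLE1 version, embedded
            + struct.pack("<I", 9) + b"OLE2Link\x00"     # class name
            + URL_MONIKER_CLSID                          # moniker CLSID
            + url.encode("utf-16-le") + b"\x00\x00")     # target URL
    hexdata = ole1.hex().encode("ascii")
    return (b"{\\rtf1\\ansi{\\object\\objautlink\\objupdate"
            b"{\\*\\objclass Word.Document.8}{\\*\\objdata " + hexdata + b"}}}")


if __name__ == "__main__":
    sample = build_sample_rtf("http://192.0.2.10/payload.hta")
    print(scan_rtf(sample))
```

Real samples wrap the moniker inside an OLE2 compound file and often pad or split the hex; the byte-level search above survives that, but a production scanner should also walk the compound file (rtfobj does) rather than trust a single substring match.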


Upon clicking "Yes", a direct-to-IP connection to 173.44.42[.]164 is established and the following network events take place.

nwtree.1PNG.PNG


As shown above, "3Pxi69djmwiIKmc.hta" (VirusTotal and Hybrid-Analysis) was the first download. The HTA uses VBScript to create two XMLHTTP objects, which connect back to the server and download a VBS file that acts as a Trojan downloader. It also creates a Shell object to execute the HTA as an Internet Explorer application.

nwhta1.PNG


Next, the VBS script "Km1Dizoq3Jxz.vbs" (VirusTotal and Hybrid-Analysis) uses obfuscated code to build the paths from which the executable "UvnG1Oz9d0.exe" is downloaded and executed.

vbsscriptnw.PNG


In the same session, "nJwsm39La.html" then deletes both the VBS script and the executable, removing the on-disk artifacts once the payload is running.

filevbs.PNG

vbsdeletenw.PNG


VirusTotal analysis of the payload, "UvnG1Oz9d0.exe" (VirusTotal and Hybrid-Analysis), confirms that it is Quasar, an open-source Remote Access Trojan (RAT) with spyware capabilities.

exenw.PNG


Once the download is complete, the binary is executed and post-infection command-and-control traffic begins.

quasar-traffic-1.png

quasar-traffic-2.png


Current RSA NetWitness detection populates the following meta for the download sessions:

meta3.PNG

meta2.PNG
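The meta above records the individual sessions; the chain itself (HTA, then VBS, then EXE, all fetched direct-to-IP from one server by one client within minutes) is what a hunting query should key on. The Python below is an added example, not NetWitness content or a FirstWatch rule: it parses constructed session records (the file names are the ones from this advisory; the timestamps, client addresses, second client and the hostname-based download are made up), flags every script or executable fetched from an IP-literal host, and raises a higher-confidence alert when the three stages appear in order within a ten-minute window.

```python
"""Correlate direct-to-IP HTA -> VBS -> EXE download chains in HTTP session logs.

Added example; not NetWitness or FirstWatch code. Record format and field
names are an assumption for the example: "<utc-time> <client> <host> <path>".
"""
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed session records. The first four reuse file names from the
# advisory; everything else (times, clients, the benign downloads) is made up.
SAMPLE_SESSIONS = """\
2017-09-27T14:02:11Z 10.0.0.25 173.44.42.164 /3Pxi69djmwiIKmc.hta
2017-09-27T14:02:13Z 10.0.0.25 173.44.42.164 /Km1Dizoq3Jxz.vbs
2017-09-27T14:02:19Z 10.0.0.25 173.44.42.164 /UvnG1Oz9d0.exe
2017-09-27T14:02:20Z 10.0.0.25 173.44.42.164 /nJwsm39La.html
2017-09-27T14:05:00Z 10.0.0.31 downloads.example.com /tools/setup.exe
2017-09-27T14:06:00Z 10.0.0.31 198.51.100.7 /update.exe
"""

CHAIN = (".hta", ".vbs", ".exe")   # stages, in the order the advisory shows
WINDOW_SECONDS = 600               # whole chain must complete inside this


def is_ip_literal(host: str) -> bool:
    """True when the HTTP host is a bare IPv4/IPv6 address, not a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def extension(path: str) -> str:
    """Lower-cased extension of the last path segment, or '' if none."""
    name = path.rsplit("/", 1)[-1]
    return "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""


def parse_sessions(text: str) -> list:
    """Turn the whitespace-separated records into dicts with a datetime."""
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, host, path = line.split()
        out.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                    "client": client, "host": host, "path": path})
    return out


def detect(sessions: list) -> list:
    """Return low-confidence per-request alerts and high-confidence chain alerts."""
    alerts = []
    by_pair = defaultdict(list)
    for s in sessions:
        if not is_ip_literal(s["host"]):
            continue  # hostname-based downloads are out of scope for this rule
        ext = extension(s["path"])
        if ext in CHAIN:
            alerts.append({"type": "direct_ip_download", "client": s["client"],
                           "host": s["host"], "path": s["path"]})
        by_pair[(s["client"], s["host"])].append((s["ts"], ext))

    for (client, host), events in by_pair.items():
        events.sort()
        stage, first_ts, hits = 0, None, []
        for ts, ext in events:
            if ext != CHAIN[stage]:
                continue  # unrelated requests between stages are fine
            if first_ts is None:
                first_ts = ts
            if (ts - first_ts).total_seconds() > WINDOW_SECONDS:
                break     # too slow to be the automated chain
            hits.append(ext)
            stage += 1
            if stage == len(CHAIN):
                alerts.append({"type": "hta_vbs_exe_chain", "client": client,
                               "host": host, "started": first_ts.isoformat(),
                               "stages": hits})
                break
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_sessions(SAMPLE_SESSIONS)):
        print(alert)
```

The per-request rule will fire on legitimate direct-to-IP software updates (the constructed 198.51.100.7 record is there to show that), so treat it as a triage signal; the ordered chain from a single server within the window is the finding worth paging on.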


See also the recent FirstWatch threat advisory on the uptick in malspam attempting to exploit CVE-2017-0199: https://community.rsa.com/community/products/netwitness/blog/2017/08/31/malspam-and-cve-2017-0199


Thanks go to Ahmed Sonbol and Kevin Stear for contributing to this threat advisory.


  • cve-2017-0199
  • Exploit
  • firstwatch
  • malspam
  • Malware
  • NetWitness
  • netwitness packet
  • netwitness*
  • NW
  • NWP
  • rat
  • rsa firstwatch
  • RSA NetWitness
  • RSA NetWitness Platform
  • Security
  • spyware