2017-12-22 - MALSPAM USES CVE-2017-0199 TO DISTRIBUTE REMCOS RAT

ASSOCIATED FILES:

 

NOTES:


Shown above:  Flowchart for today's infection.

 

 

WEB TRAFFIC BLOCK LIST

Indicators are not a block list.  If you feel the need to block web traffic, I suggest the following domains and URLs:

 

IMAGES


Shown above:  Screenshot of the email.

 


Shown above:  The attached .doc file is actually an RTF that uses CVE-2017-0199.  I clicked my way "yes" to an infection!
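Added example (not code from this post): a small Python triage script for the trick described above, where a file named .doc is really RTF carrying a CVE-2017-0199 OLE2Link object. It checks the RTF magic instead of trusting the extension, hex-decodes each \objdata blob, and looks for the generally documented indicators for this CVE: the \objupdate control word, the "OLE2Link" marker, and the URL Moniker CLSID {79EAC9E0-BAF9-11CE-8C82-00AA004BA90B} followed by a length-prefixed UTF-16LE URL (MS-OLEDS URLMoniker layout). The sample document and the URL http://example.invalid/stage2.hta are constructed for the example and are not indicators from this infection.

```python
import re
import struct
import uuid

# CLSID of the URL Moniker. Its 16 bytes (GUID little-endian layout, .bytes_le)
# sit inside the OLE2Link stream that CVE-2017-0199 documents embed via \objdata.
URL_MONIKER_CLSID = uuid.UUID("79EAC9E0-BAF9-11CE-8C82-00AA004BA90B")


def is_rtf(data: bytes) -> bool:
    """True if the bytes are RTF, whatever the file extension claims."""
    return data.lstrip().startswith(b"{\\rt")


def iter_objdata(data: bytes):
    """Decode every hex blob that follows an \\objdata control word."""
    for m in re.finditer(rb"\\objdata\s*([0-9a-fA-F\s]+)", data):
        hexstr = re.sub(rb"\s+", b"", m.group(1))
        if len(hexstr) % 2:  # tolerate a truncated trailing nibble
            hexstr = hexstr[:-1]
        yield bytes.fromhex(hexstr.decode("ascii"))


def urls_after_moniker(blob: bytes):
    """Yield the URL that follows each URL Moniker CLSID in a decoded blob.

    Layout assumed (MS-OLEDS URLMoniker): 16-byte CLSID, 4-byte little-endian
    length, then a null-terminated UTF-16LE URL of that many bytes."""
    clsid = URL_MONIKER_CLSID.bytes_le
    idx = blob.find(clsid)
    while idx != -1:
        pos = idx + len(clsid)
        if pos + 4 <= len(blob):
            (length,) = struct.unpack_from("<I", blob, pos)
            raw = blob[pos + 4:pos + 4 + length]
            try:
                url = raw.decode("utf-16-le").rstrip("\x00")
            except UnicodeDecodeError:
                url = ""
            if url:
                yield url
        idx = blob.find(clsid, pos)


def scan_rtf(data: bytes) -> dict:
    """Triage a suspected CVE-2017-0199 document and return indicator flags."""
    r = {"is_rtf": is_rtf(data), "objupdate": False, "ole2link": False,
         "url_moniker": False, "urls": [], "suspicious": False}
    if not r["is_rtf"]:
        return r
    # \objupdate makes Word refresh the linked object on open, i.e. fetch the URL.
    r["objupdate"] = b"\\objupdate" in data
    for blob in iter_objdata(data):
        if b"OLE2Link" in blob:
            r["ole2link"] = True
        if URL_MONIKER_CLSID.bytes_le in blob:
            r["url_moniker"] = True
            r["urls"].extend(urls_after_moniker(blob))
    r["suspicious"] = r["url_moniker"] and (r["objupdate"] or r["ole2link"])
    return r


def build_sample_rtf(url: str) -> bytes:
    """Constructed test document (not this post's sample): an OLE2Link object
    whose moniker stream points at `url`, wrapped in a minimal RTF."""
    wurl = url.encode("utf-16-le") + b"\x00\x00"
    stream = (b"\x01\x00\x00\x02" + b"OLE2Link" + b"\x00" * 8
              + URL_MONIKER_CLSID.bytes_le + struct.pack("<I", len(wurl)) + wurl)
    return (b"{\\rtf1\\ansi{\\object\\objautlink\\objupdate{\\*\\objdata "
            + stream.hex().encode("ascii") + b"}}}")


# Constructed sample; the URL is a placeholder, not an indicator from this post.
SAMPLE_RTF = build_sample_rtf("http://example.invalid/stage2.hta")

if __name__ == "__main__":
    for name, flags in (("invoice.doc", scan_rtf(SAMPLE_RTF)),
                        ("real.doc", scan_rtf(b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"))):
        print(name, flags)
```

Searching the hex-decoded blob for raw byte patterns is a triage shortcut: the real object is an OLE1 wrapper around a compound file, and a long URL can be split across its mini-sectors. For a full parse of the embedded object, run oletools' rtfobj on the file.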

 


Shown above:  The executable for Remcos RAT needed my permission to run.

 


Shown above:  Traffic from the infection filtered in Wireshark.

 


Shown above:  HTTPS traffic as seen in Fiddler.

 


Shown above:  Post-infection traffic from the Remcos RAT-infected host.

 


Shown above:  Randomly-named key with binary data in the Windows registry.

 


Shown above:  Updated key in the Windows registry to keep the infection persistent.

 


Shown above:  Folder in the user's AppData/Local/Temp directory.

 


Shown above:  File run by the AutoIt script engine, vje=wtl, as seen in a text editor.
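Added example (not code from this post) covering the three host artifacts shown above: the randomly-named registry key holding binary data, the Run key updated for persistence, and the renamed AutoIt engine launched from the user's Temp folder with a bare script file as its argument. The script parses a .reg export of the relevant hives, a format an analyst can pull from a live host or an offline hive, and flags: autorun entries whose executable lives in a user-writable staging directory, executables given an extension-less argument (the interpreter-plus-script pattern), and binary values stored under a non-standard vendor key directly below HKCU\Software. The export text, key name q8wd2k, and the names hkzt.exe and qmw are invented for the example and are not indicators from this infection; the checks are heuristics, not signatures.

```python
import re
from dataclasses import dataclass
from typing import List, Union

# Constructed .reg export; none of these names come from the infected host.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\analyst\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"hkzt"="\"C:\\Users\\analyst\\AppData\\Local\\Temp\\23091855\\hkzt.exe\" qmw"

[HKEY_CURRENT_USER\Software\q8wd2k]
"blob"=hex:4d,5a,90,00,03,00,00,00,04,00,00,00,ff,ff,00,00,\
  b8,00,00,00,00,00,00,00,40,00,00,00,00,00,00,00
'''


@dataclass
class RegValue:
    key: str
    name: str
    kind: str                  # "sz" for string values, "hex" for binary
    data: Union[str, bytes]


@dataclass
class Finding:
    key: str
    name: str
    reasons: List[str]


def _join_continuations(text: str) -> List[str]:
    """Merge hex: lines that regedit wraps with a trailing backslash."""
    out, buf = [], ""
    for line in text.splitlines():
        if line.rstrip().endswith("\\"):
            buf += line.rstrip()[:-1].strip()
            continue
        out.append(buf + line.strip())
        buf = ""
    if buf:
        out.append(buf)
    return out


def _unescape(s: str) -> str:
    """Undo .reg escaping: \\\\ -> \\ and \\" -> " inside quoted strings."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text: str) -> List[RegValue]:
    values, key = [], None
    for line in _join_continuations(text):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = re.match(r'^"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if not (key and m):
            continue
        name, rhs = _unescape(m.group(1)), m.group(2)
        if rhs.startswith('"') and rhs.endswith('"'):
            values.append(RegValue(key, name, "sz", _unescape(rhs[1:-1])))
        elif rhs.lower().startswith("hex"):
            hexpart = rhs.split(":", 1)[1].replace(",", "")
            values.append(RegValue(key, name, "hex", bytes.fromhex(hexpart)))
    return values


def split_command(cmd: str):
    """Split an autorun command line into (executable, arguments)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end], cmd[end + 1:].strip()
    parts = cmd.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")


RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.I)
VENDOR_KEY_RE = re.compile(r"^HKEY_CURRENT_USER\\Software\\[^\\]+$", re.I)
STAGING_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\",
                "\\users\\public\\", "\\programdata\\")


def triage(values: List[RegValue], min_blob: int = 32) -> List[Finding]:
    findings = []
    for v in values:
        reasons = []
        if v.kind == "sz" and RUN_KEY_RE.search(v.key):
            exe, args = split_command(v.data)
            if any(d in exe.lower() for d in STAGING_DIRS):
                reasons.append("autorun executable in user-writable staging dir")
            first = args.split()[0] if args else ""
            # Heuristic: a bare, extension-less argument looks like an
            # interpreter (e.g. a renamed AutoIt engine) being handed a script.
            if first and not first.startswith(("/", "-")) and "." not in first:
                reasons.append("extension-less argument (interpreter + script pattern)")
        elif v.kind == "hex" and VENDOR_KEY_RE.match(v.key) and len(v.data) >= min_blob:
            reasons.append("binary value under non-standard key directly below HKCU\\Software")
            if v.data.startswith(b"MZ"):
                reasons.append("value begins with an MZ header")
        if reasons:
            findings.append(Finding(v.key, v.name, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(parse_reg_export(SAMPLE_REG)):
        print(f"{f.key} :: {f.name}\n  - " + "\n  - ".join(f.reasons))
```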

 

INDICATORS

EMAIL DATA:

 

TRAFFIC:

 

MALWARE AND ARTIFACTS FROM THE INFECTED WINDOWS HOST:

 

WINDOWS REGISTRY UPDATES:

 

FINAL NOTES

Once again, here are the associated files:

Zip and saz files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
