2020-11-03 Node.JS QRAT

Summary ======== Looking through some of the email filters today looking for anything interesting, I ran into some emails that all had the same characteristics. All the emails were Fedex themed and had an attachment named “IMG-10227821963777100026367819.zip.” Once the file had been unzipped, it was actually a JAR file (IMG-10227821963777100026367819.jar).…
2020-09-22 Deobfuscating Emotet Script
2020-07-31 Deobfuscating IcedID Macro Script
2020-07-17 ZLoader Malspam (Excel 4 Macros)
2020-05-27 Netsupport RAT Malspam
2020-04-06 Qealler RAT Malspam

Meta ===== From: Bharti Ladwa Subject: EFT Supplier Number: 0003697 Link in the email: hxxps://jfreecss.co.uk/ Malware type: Qealler ———————- Basically this is a Java RAT. Below are some additional resources that explain how this type of malware works. http://www.zscaler.com/blogs/research/qealler-new-jar-based-information-stealer http://securityboulevard.com/2019/10/hiding-in-plain-sight-new-adwind-jrat-variant-uses-normal-java-commands-to-mask-its-behavior/ http://www.securityinbits.com/malware-analysis/pyrogenic-infostealer-static-analysis-part-0x1/ Earlier today I came across a phishing email that…
2020-03-25 Agent Telsa Malspam – Covid-19 Themed

Meta ===== From: World Health Organization Subject: COVID 19: Passaggi Medici Per Essere Sicuri Link in the email: hxxps://onedrive[.]live[.]com/download?cid=265DAF943BE0D06F&resid=265DAF943BE0D06F%21177&authkey=AIGcwdd1XE_CXLM Unlike the other one that I documented here I could not find any method of persistence in this infection. Also, once the EXE from the ISO has been extracted and executed,…
2020-03-23 Agent Telsa Malspam

Meta ===== From: Procurement – site@hamnc.com Subject: Purchase Order Attachment: Company Profile, Product Specification And Trial Order.pdf.img Running this in my VM I am seeing the usual call to get the external IP address of the system (api.ipify.org) and then the data exfil via mail.gandi.net over port 587 (TCP). The…
2020-03-20 More Predator The Thief Malspam – Covid-19 Themed
Meta ===== From: *.xyz Subject: Various Covid-19 Attachment: covidXX_form.zip This looks to be related to Predator the Thief malspam based on the final script that gets executed which looks very close to the sample that I posted about over here. The zip file and VBScript can be found in my…