Threat Report

Monday June 18, 2018

In this week’s report we are covering two very malicious programs. One being a custom remote access trojan (RAT) called UBoatRAT is being distributed via Google Drive links. The malware obtains a command and control (C2) address from GitHub, and uses Microsoft Windows Background Intelligent Transfer Service (BITS) for maintaining persistence. The other is MirageFox, a new tool produced by APT15 that looks to be an upgraded version of a RAT believed to originate in 2012, known as Mirage. The new malware was tracked by the researchers as MirageFox, the name comes from a string found in one of the components that borrows code from both Mirage and Reaver.

The RAT is usually delivered by a ZIP archive hosted on Google Drive containing a malicious executable disguised as a folder or Excel spreadsheet. Once installed, UBoatRAT checks for virtualization software and tries to obtain a domain name from the network. The malware only performs malicious activities on a machine when it is able to join an Active Directory (AD) domain. The malware is also programmed to detect virtualization software (VMWare, VirtualBox or QEmu) that would indicate a research environment. Since June, the GitHub “uuu” repository the C2 links to has been deleted and replaced by “uj”, “hhh” and “enm”, according to researcher Hayashi. The GitHub user name behind the repository is “elsa999”. For more information there are a few links below:

Links:

Tech Target

Threat Post

Some Mitigation Strategies:

Malware: MirageFox

The China-linked APT15 group (aka Ke3chang, Mirage, Vixen Panda, Royal APT and Playful Dragon) has developed a new strain of malware borrowing the code from one of the tool he used in past operations. APT15 is known for committing cyberespionage against companies and organizations located in many different countries, targeting different sectors such as the oil industry, government contractors, military, and more. The attackers utilizes Windows commands to conduct reconnaissance activities, the lateral movement was conducted by using a combination of net command, mounting the C$ share of hosts and manually copying files to or from compromised hosts.

Links:

Security Affairs

Intezer

Virus Total

Some Mitigation Strategies:

Patrick Snyder

Patrick Snyder
Triage Tyrant

Fearlessly leading our SOC, Patrick investigates and triages customer alerts, living on HungryMan meals and Texas toast to fuel his work with minimal interruption. A call from Patrick is both fruitful and entertaining. Patrick brings his talents to the Perch nest with nearly 20 years of experience in Information Technology eight of those focused on creating security content and security operations management. When he's not triaging your alerts, Patrick writes greeting cards for embarrassing occasions, and polishes his marionette skills.

LinkedIn