Malicious RTF document leading to NetwiredRC and Quasar RAT

Malware authors use a variety of clever methods to lure users into executing malicious documents, but the ThreatLabZ team recently observed a social engineering campaign with an unusual approach: the malicious RTF documents effectively force users to execute an embedded VBA macro, which starts the infection cycle by dropping Quasar RAT and NetWiredRC payloads. Each RTF document contains embedded Excel sheets that carry a macro, and the macro downloads the additional payload on execution.

The RTF document has a .doc extension. When it is opened in Microsoft Word, a macro warning popup (Fig. 1) is shown, from which the user can enable or disable the macro. With this malicious RTF document, however, Word shows repeated macro warning popups even if the user clicked the "Disable Macros" button at the first warning.

Fig. 1: Macro warning popup

There is no way to stop these popups except to click through all of them or to force-quit Word. The current malicious RTF shows the macro warning popup 10 times, since it has 10 embedded Excel sheets (see Fig....
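A triage check for the indicators in the excerpt above (a file with a .doc extension whose content is actually RTF, embedding multiple OLE objects of class Excel.Sheet, each of which Word treats as a separate macro-bearing document), written as an added example that is not code from the ThreatLabZ post. The sample RTF is constructed inline with placeholder \objdata hex rather than a real OLE stream, and the threshold of three embedded objects and the finding labels are this example's own assumptions:

```python
"""Triage check for an RTF disguised as .doc with many embedded Excel sheets.

Added example, not code from the ThreatLabZ post. Pure Python, no oletools.
"""
import re
from collections import Counter

RTF_MAGIC = b"{\\rtf"

# RTF control words used by embedded OLE objects: \object opens the group,
# \objemb marks it as embedded (not linked), \*\objclass names the OLE class
# (e.g. Excel.Sheet.8). The lookahead keeps \object from matching longer
# control words.
OBJECT_RE = re.compile(rb"\\object(?![a-z])")
OBJCLASS_RE = re.compile(rb"\\\*\\objclass\s+([A-Za-z0-9._]+)")


def build_sample_rtf(n_objects, objclass=b"Excel.Sheet.8"):
    """Constructed sample: an RTF body with n_objects embedded OLE objects.
    The \\objdata hex is a placeholder, not a real OLE stream (assumption)."""
    obj = (b"{\\object\\objemb{\\*\\objclass " + objclass + b"}"
           b"{\\*\\objdata 0105000002000000}}")
    return RTF_MAGIC + b"1\\ansi\\deff0 Please enable content." + obj * n_objects + b"}"


def is_rtf(data):
    """True if the blob starts with the RTF header, whatever its extension."""
    return data.lstrip().startswith(RTF_MAGIC)


def analyze_document(data, extension, object_threshold=3):
    """Return triage findings for a document blob and its file extension.

    object_threshold (assumed value 3) is the number of embedded objects at
    which the document is flagged regardless of object class.
    """
    ext = extension.lower()
    rtf = is_rtf(data)
    object_count = len(OBJECT_RE.findall(data)) if rtf else 0
    classes = Counter()
    if rtf:
        classes.update(m.decode("ascii", "replace") for m in OBJCLASS_RE.findall(data))
    excel_objects = sum(n for cls, n in classes.items() if cls.startswith("Excel."))

    findings = []
    if rtf and ext != ".rtf":
        # Extension lies about the format: Word still renders it as RTF.
        findings.append("rtf-masquerading-as-%s" % ext)
    if object_count >= object_threshold:
        findings.append("many-embedded-objects(%d)" % object_count)
    if excel_objects:
        # Each embedded sheet with a macro produces its own macro prompt.
        findings.append("embedded-excel-sheets(%d)" % excel_objects)

    suspicious = (rtf and ext != ".rtf" and excel_objects > 0) or object_count >= object_threshold
    return {
        "is_rtf": rtf,
        "extension": ext,
        "object_count": object_count,
        "object_classes": dict(classes),
        "findings": findings,
        "verdict": "suspicious" if suspicious else "clean",
    }


def scan_file(path):
    """Convenience wrapper for a file on disk: uses the path's extension."""
    import os
    with open(path, "rb") as fh:
        data = fh.read()
    return analyze_document(data, os.path.splitext(path)[1])


if __name__ == "__main__":
    # Stand-alone run against the constructed sample: 10 sheets, .doc name.
    result = analyze_document(build_sample_rtf(10), ".doc")
    for key, value in result.items():
        print("%-15s %s" % (key, value))
```

The object count is the figure to watch: it predicts how many macro prompts the user will be hammered with, and a document that needs several "Disable Macros" clicks in a row is far more likely to be this technique than a legitimate report with one embedded spreadsheet.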

Cobian RAT – A backdoored RAT

Introduction

The Zscaler ThreatLabZ research team has been monitoring a new remote access Trojan (RAT) family called Cobian RAT since February 2017. The RAT builder for this family was first advertised on multiple underground forums where cybercriminals buy and sell exploit and malware kits. This builder caught our attention because it was being offered for free and had a lot of similarities to the njRAT/H-Worm family, which we analyzed in this report.

Figure 1: Cobian RAT command-and-control server application

As shown in Figure 1, the Cobian RAT control panel and features are similar to those of njRAT and H-Worm. It is noteworthy that the author identified njRAT as the "theme."

Crowdsourcing botnet model?

As we analyzed the builder, we noticed a particularly interesting function: the builder kit is injected with a backdoor module that retrieves C&C information from a predetermined URL (on pastebin) controlled by the original author. This allows the original author to control the systems infected by any payload generated with the backdoored builder kit.

Figure 2: Crowdsourced botnet model – Cobian RAT

As shown in Figure 2, the original author of the RAT builder kit relies on second-level operators to build the RAT payload...