Threatening within Budget: How WSH-RAT is abused by Cyber-Crooks

Malware operations today work like an industry, with their own supply chains, data providers, access brokers and craftsmen who develop and maintain intrusion tools. During our monitoring operations we frequently encounter samples based on known families and code bases that have been modified and then reused to conduct even more sophisticated attacks.
Recently, we intercepted an attack campaign that is particularly representative of this phenomenon. We found and analyzed an infection chain leveraging the WSH-RAT kit, a complete Remote Administration Tool sold in the underground and frequently abused by criminal actors who rely on off-the-shelf kits to build their offensive campaigns.
In this report, we dissect the entire infection chain of the malware in order to investigate the capabilities of one of the latest WSH-RAT versions, and how attackers weaponize it to get past traditional perimeter defences.
The initial stage of the infection chain is a malicious RTF document weaponized with an exploit, with the following static information:

Hash: a4933a4607727ada5ae7ed0c79607911b7199876995e8e7dc835fe32437a6b06
Threat: RTF document weaponized with MS-17-11882
Brief Description: WSH RAT dropper
Ssdeep: 384:HgTRA9Zw4Fg4+GUAhvasrLWRkpbaQL4IYbTiFxHGDb:ATRYw8kGNvaUfb4bTiHHGX
Table 1. Sample information
The exploit used to weaponize the document is the “classic” MS-17-11882, which in 2021 still ranks among the most active threats against end users.


Figure 1: Evidence of the exploit MS17-11882
The shellcode executed through the Equation Editor downloads the second component of the infection chain from a previously compromised WordPress website. This component is an executable file with the following static information:
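As an added defender-side example (not taken from the report or from the WSH-RAT kit), the following Python scanner flags RTF documents that embed an Equation Editor object, the component the MS17-11882 exploit stage above relies on. The RTF it checks is constructed inline; the indicators are the Equation.3 OLE class name, the Equation Editor CLSID, and the \objupdate control word that makes the object activate on open.

```python
import re

# Class name registered by the legacy Equation Editor (EQNEDT32.EXE), the component
# targeted by the MS17-11882 exploit; it sits in plain ASCII inside the OLE1 header
# that an RTF \objdata group carries as a hex string.
EQUATION_CLASS = b"Equation.3"
# The same component's CLSID {0002CE02-0000-0000-C000-000000000046} in on-disk byte order.
EQUATION_CLSID = bytes.fromhex("02CE020000000000C000000000000046")

_OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9A-Fa-f\s]+)")


def _decode_objdata(hexblob: bytes) -> bytes:
    """Strip the line breaks RTF writers (and obfuscators) insert, then decode the hex."""
    clean = re.sub(rb"\s+", b"", hexblob)
    if len(clean) % 2:  # odd nibble count: drop the dangling half-byte instead of failing
        clean = clean[:-1]
    return bytes.fromhex(clean.decode("ascii"))


def scan_rtf(data: bytes) -> dict:
    """Report which Equation Editor indicators an RTF document carries."""
    findings = {
        # \objclass names the OLE server explicitly (droppers often strip it, but it is cheap)
        "objclass_equation": re.search(rb"\\objclass\s+Equation\.", data) is not None,
        # \objupdate makes Word activate the object on open, before any user interaction
        "objupdate": b"\\objupdate" in data,
        "objdata_equation_name": False,
        "objdata_equation_clsid": False,
    }
    for blob in _OBJDATA_RE.findall(data):
        payload = _decode_objdata(blob)
        findings["objdata_equation_name"] |= EQUATION_CLASS in payload
        findings["objdata_equation_clsid"] |= EQUATION_CLSID in payload
    findings["suspicious"] = (findings["objclass_equation"]
                              or findings["objdata_equation_name"]
                              or findings["objdata_equation_clsid"])
    return findings


def build_sample_rtf() -> bytes:
    """Constructed test document (not a real sample): an Equation.3 object with wrapped hex."""
    # OLE1 header: version, embedded-object format id, class-name length (11), "Equation.3\0"
    ole1 = bytes.fromhex("01050000" "02000000" "0b000000") + EQUATION_CLASS + b"\x00" + b"\x00" * 16
    hexdata = ole1.hex().encode("ascii")
    wrapped = b"\r\n".join(hexdata[i:i + 16] for i in range(0, len(hexdata), 16))
    return (b"{\\rtf1\\ansi{\\object\\objemb\\objupdate{\\*\\objclass Equation.3}"
            b"{\\*\\objdata " + wrapped + b"}}}")
```

Run `scan_rtf(open(path, "rb").read())` over a suspected dropper; a hit on the \objdata class name or CLSID is the strong signal, while \objupdate alone only says the object activates without a click.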

Hash: a2b55ffb492faeced1033c534e4f462d3c0ac9f914f991361ba67067538a05d1
Threat: WSH RAT
Brief Description: WSH RAT .NET packer
Ssdeep: 24576:Yma+QZG0nbLYR1yTb6h0BacWadNihTIvGn7Rk3w6hWNudTzIfAH:jcZnbLYXyTb6oacjosOu8O0G
Table 2. Sample information


Figure 2: Signature Evidence
This sample ..
