Powerratankba Malware

There are public reports about spreading of malware named as Powerratankba malware. The malware is used by the attacker for stealing the victim information which they use in a later stage for performing malicious activity. The Mode of spreading of this malware is through dropper which gets downloaded on the victim machine via malicious link lurking victim to apply for a job.

• Once this dropper reach on the victim machine, it decodes the PowerShell script from it saved at the location C:\\users\\public\\REG_TIME.ps and executes it.
• After that it will build the connection with C2 controlled by attacker to download Powerratankba malware, used by attacker for gathering the victim system information.
• Powerratankba Malware use the victim legitimate service like Windows Management Instrumentation (WMI) to obtain the IP address, Operating system information, username and registry for proxy details, files open etc. from the victim machine to remain undetected for long time.
• Finally, Powerratankba malware download its final payload at location C:\windows\temp\REG_WINDEF.ps1 and register it as a service. The malware also adds itself at startup location to maintain its persistence in victim machine.

Indicators of Compromise:

Command and Control Server

• hxxps://ecombox[dot]store
• hxxps://bodyshoppechiropractic[dot]com

Hashes

• f12db45c 32bda3108adb8ae7363c342fdd5f10342945b115d830701f95c54fa9
• 0f56ebca33efe0a2755d3b380167e1f5eab4e6180518c03b28d5cffd5b675d26
• a1f06d69bd6379e310b10a364d689f21499953fa1118ec699a25072779de5d9b
• 20d94f7d8ee2c4367443a930370d5685789762b1d11794810dc0ac6c626ad78e

File Location

• C:\windows\temp\REG_WINDEF.ps1
• Autostart setting %appdata%\Microsoft\Windows\Start Menu\Programs\Startup\WIN_REG.exe
• C:\windows\temp\tmp0914.tmp
• C:\\users\\public\\REG_TIME.ps1

Best Practise and Recommendations:

• Don't open attachments in unsolicited e-mails, even if they come from people in your contact list, and never click on a URL contained in an unsolicited e-mail, even if the link seems benign. In cases of genuine URLs close out the e-mail and go to the organization's website directly through the browser.
• Restrict execution of Power shell /WSCRIPT in enterprise environment.Ensure installation and use of the latest version (currently v5.0) of PowerShell with enhanced logging enabled. Script block logging, and transcription enabled. Send the associated logs to a centralized log repository for monitoring and analysis.
  Reference: https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html
• Deploy web and email filters on the network. Configure these devices to scan for known bad domains, sources, and addresses; block these before receiving and downloading messages. Scan all emails, attachments, and downloads both on the host and at the mail gateway with a reputable antivirus solution.
• Application whitelisting/Strict implementation of Software Restriction Policies (SRP) to block binaries running from %APPDATA% and %TEMP% paths. Ransomware sample drops and executes generally from these locations.

References:

• https://www.flashpoint-intel.com/blog/disclosure-chilean-redbanc-intrusion-lazarus-ties/