AhnLab SEcurity intelligence Center (ASEC) previously covered a case in which Quasar RAT was distributed through a private home trading system (HTS) in the blog post “Quasar RAT Being Distributed by Private HTS Program”. The same threat actor has continued to distribute malware, and new attack cases have been confirmed recently.
As in the previous case, the malware was distributed through an HTS named HPlus. The overall infection flow is unchanged, but the initial distribution file, previously an NSIS installer, is now an MSI installer. The threat actor has also recently begun offering remote assistance: AnyDesk is installed alongside the HTS, and when the user clicks the “Remote Support” button to request help, the bundled AnyDesk is launched.
After installation, the user normally runs the shortcut placed on the desktop, which in turn launches the updater program “Asset.exe”. “Asset.exe” reads the “config.ini” file in the same directory and connects to the update server specified there over FTP to fetch updates. The threat actor modified “config.ini” to point to an FTP server hosting the actual malware, so the updater downloads and installs a compressed file containing the malware. The updater trusts whatever server “config.ini” names, so an attacker who controls that file controls the payload.
Inside the downloaded archive, “StockProh.exe” acts as the launcher, as in the previous case, and “Socketmanager240714.exe” is the Quasar RAT that the launcher executes.
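As an added example (not code from ASEC or the HPlus vendor), the following Python script shows the checks a responder would run against the chain described above: inspect the update server named in config.ini, hash extracted archive members against the MD5 list from the IOC section of this post, and flag netstat rows whose remote endpoint matches a listed C2. The config.ini layout, the [Update]/Server keys, the vendor hostname update.hplus.example and the FTP address 198.51.100.7 are assumptions; the real HPlus file format is not described in the post.

```python
"""Triage helper for a trojanized HTS updater: checks the update server named in
config.ini and matches files/connections against the IOCs published in the post.
Added example for this page; not ASEC's or the HTS vendor's code."""
import configparser
import hashlib
import ipaddress
from urllib.parse import urlparse

# Indicators copied from the IOC section of the post (MD5 lower-cased, C2 ip -> port).
KNOWN_BAD_MD5 = {
    "3f1b0ff74433ec2acedd93a5bfef8e0c",
    "3e0963fc309a94f182a33037bef8e44b",
    "32cb22b72a50f887805541c4afaa34a5",
    "2652adcc83237b04102ca1d47908ff6c",
    "a439e91d29611fb87be0cce22aa4d442",
}
KNOWN_C2 = {"43.201.97.239": 24879, "103.136.199.131": 56001}

# Assumed: the real HPlus config.ini layout is not documented in the post, and the
# vendor hostname below is a placeholder. The FTP address is a constructed sample.
EXPECTED_UPDATE_HOST = "update.hplus.example"
SAMPLE_CONFIG_INI = """\
[Update]
Server=ftp://198.51.100.7/hplus/
User=hplus
Password=hplus
"""


def parse_update_server(ini_text):
    """Return the update server URL from the [Update] section (empty string if absent)."""
    cp = configparser.ConfigParser()
    cp.read_string(ini_text)
    return cp.get("Update", "Server", fallback="")


def classify_update_server(url):
    """Return human-readable findings for an updater URL; an empty list means nothing odd."""
    findings = []
    parsed = urlparse(url)
    host = parsed.hostname or ""
    if parsed.scheme == "ftp":
        findings.append("update channel is plaintext FTP (no integrity check on the payload)")
    if host in KNOWN_C2:
        findings.append(f"update host {host} is a published Quasar RAT C2")
    try:
        ipaddress.ip_address(host)
        findings.append("update host is a raw IP rather than the vendor hostname")
    except ValueError:
        if host != EXPECTED_UPDATE_HOST:
            findings.append(f"update host {host!r} differs from {EXPECTED_UPDATE_HOST!r}")
    return findings


def md5_hex(data):
    """MD5 of a file's bytes, as lower-case hex (the IOC section lists MD5)."""
    return hashlib.md5(data).hexdigest()


def match_manifest(manifest):
    """manifest: {filename: md5 hex}, e.g. built from the extracted update archive.
    Returns the filenames whose hash is in the IOC list (case-insensitive)."""
    return sorted(name for name, h in manifest.items() if h.lower() in KNOWN_BAD_MD5)


def flag_c2_connections(netstat_lines):
    """Parse 'netstat -ano'-style TCP rows and return (remote_ip, remote_port, pid)
    for rows whose remote endpoint matches a published C2 ip:port."""
    hits = []
    for line in netstat_lines:
        parts = line.split()
        if len(parts) < 5 or parts[0] != "TCP":
            continue
        remote_ip, remote_port = parts[2].rsplit(":", 1)
        if KNOWN_C2.get(remote_ip) == int(remote_port):
            hits.append((remote_ip, int(remote_port), parts[4]))
    return hits


if __name__ == "__main__":
    url = parse_update_server(SAMPLE_CONFIG_INI)
    print(url, classify_update_server(url))
    # Constructed netstat rows: one to a published C2, one benign.
    rows = [
        "TCP    192.168.0.10:52133    43.201.97.239:24879    ESTABLISHED    4120",
        "TCP    192.168.0.10:52140    203.0.113.5:443        ESTABLISHED    2216",
    ]
    print(flag_c2_connections(rows))
```

On a live host, feed `flag_c2_connections` the output of `netstat -ano` and `match_manifest` the hashes of the files the updater dropped next to “Asset.exe”; a hit on either, or an FTP or raw-IP update server in config.ini, is the cue to isolate the machine and pull the updater directory for analysis.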
In the past, scam groups used their private HTS to steal victims’ investments; more recently the same programs have been used to install malware on victims’ PCs. Where the damage previously ended with the stolen investment, the threat actors can now also take control of the victim’s PC by installing Quasar RAT and steal personal data.
According to the Financial Supervisory Service, “institutional financial companies do not distribute private HTS through means such as messengers.” [1] Users must install only the HTS provided by institutional financial companies through their official websites. If a private HTS from an illegal investment company is installed, the user risks not only losing their investment but also having the system infected with malware and the personal data stored on it stolen.
Users should also keep installed software updated to the latest version to preempt vulnerability exploitation, and update V3 to the latest version so that this malware can be blocked.
File Detection
Trojan/Win.Injector.R657268 (2024.07.05.00)
Trojan/Win.Injector.R657891 (2024.07.11.02)
Trojan/Win.Injector.C5649697 (2024.07.14.03)
Trojan/Win.Launcher.R657892 (2024.07.11.02)
Trojan/Win.Launcher.R658117 (2024.07.14.03)
Behavior Detection
Fileless/MDP.Inject.M4878
Fileless/MDP.Inject.M4876
IOCs
MD5
3F1B0FF74433EC2ACEDD93A5BFEF8E0C
3E0963FC309A94F182A33037BEF8E44B
32CB22B72A50F887805541C4AFAA34A5
2652ADCC83237B04102CA1D47908FF6C
A439E91D29611FB87BE0CCE22AA4D442
C2s
43.201.97[.]239:24879
103.136.199[.]131:56001
Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.
The post Private HTS Program Continuously Used in Attacks appeared first on ASEC BLOG.