ISRStealer | Nanocore RAT

Alert ID: JMCIRT-AL-2019.029
Alert Date: Tuesday, May 28, 2019
Threat Level: High


ISRStealer Email Campaign


Original release date: May 23, 2019
Jamaica CIRT has become aware of a new phishing email campaign.


Overview
The email attempts to entice a user into opening an attachment (Purchase order #693641_3451483.zip) that claims to be a legitimate purchase order. In the body of the email, the recipient is instructed to download the attachment to view the order. The infection process begins once the victim opens the attachment, which contains the ISRStealer info-stealer / keylogger Trojan. The email comes from "Distribution Division <joanne.pun@gmail.com>", and the subject has been observed as "Purchase order #693641_3451483".


Recommendations
• Raise awareness of password/credential hygiene and of how to detect phishing attempts.
• Ensure anti-virus software and associated signature files are up to date.
• Search for existing signs of the indicated IoCs in your environment.
• Block all URL- and IP-based IoCs at the firewall, IDS, web gateways, routers, or other perimeter-based devices to remediate this threat.

Nanocore RAT


Original release date: May 24, 2019
Jamaica CIRT has become aware of a new phishing email campaign.


Overview
The email attempts to entice a user into opening an attachment (PURCHASE ORDER.docx) that claims to be a legitimate purchase order. In the body of the email, the recipient is instructed to download the attachment, a password-protected Microsoft Word document, to view the order. The attachment contains two identical zip files that need to be extracted. The infection process begins once the victim has entered the password and opened the document that contains the Nanocore RAT. The email comes from "COLLAKU Elona (AlmegiPharma)", and the subject has been observed as "PO-99703487954-2019".


Recommendations
• Raise awareness of password/credential hygiene and of how to detect phishing attempts.
• Ensure anti-virus software and associated signature files are up to date.
• Search for existing signs of the indicated IoCs in your environment.
• Block all URL- and IP-based IoCs at the firewall, IDS, web gateways, routers, or other perimeter-based devices to remediate this threat.
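The "search for existing signs of the indicated IoCs" recommendation in both alerts can be turned into a simple mailbox sweep. The following is an added example, not code from Jamaica CIRT, that parses raw RFC 5322 messages with Python's standard `email` library and flags any whose subject, sender, or attachment filename matches the indicators stated in the two alerts above (the ISRStealer subject, sender address, display name, and zip filename; the Nanocore RAT subject, display name, and .docx filename). The sample messages are constructed inline for the demonstration; the Nanocore sender address `sender@example.invalid` is a placeholder because the alert gives only the display name.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators transcribed from the two alerts above, lower-cased so that
# matching is case-insensitive. The Nanocore alert gives no sender address.
CAMPAIGNS = [
    {
        "name": "ISRStealer",
        "subjects": {"purchase order #693641_3451483"},
        "sender_addresses": {"joanne.pun@gmail.com"},
        "sender_names": {"distribution division"},
        "attachments": {"purchase order #693641_3451483.zip"},
    },
    {
        "name": "Nanocore RAT",
        "subjects": {"po-99703487954-2019"},
        "sender_addresses": set(),
        "sender_names": {"collaku elona (almegipharma)"},
        "attachments": {"purchase order.docx"},
    },
]


def match_message(raw: bytes) -> list[tuple[str, str]]:
    """Parse one raw message and return (campaign, reason) pairs for every
    indicator that matches. An empty list means no indicator was seen."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg.get("Subject", "")).strip().lower()

    # policy.default parses From into Address objects with name and addr_spec.
    from_header = msg.get("From")
    names, addrs = set(), set()
    if from_header is not None:
        for a in from_header.addresses:
            names.add(a.display_name.strip().lower())
            addrs.add(a.addr_spec.strip().lower())

    # Only parts carrying an attachment disposition are considered.
    files = {(p.get_filename() or "").strip().lower()
             for p in msg.iter_attachments()}

    hits = []
    for c in CAMPAIGNS:
        if subject in c["subjects"]:
            hits.append((c["name"], f"subject {subject!r}"))
        for addr in addrs & c["sender_addresses"]:
            hits.append((c["name"], f"sender address {addr!r}"))
        for name in names & c["sender_names"]:
            hits.append((c["name"], f"sender display name {name!r}"))
        for f in files & c["attachments"]:
            hits.append((c["name"], f"attachment {f!r}"))
    return hits


def campaigns_hit(raw: bytes) -> set[str]:
    """Convenience wrapper: the set of campaign names a message matches."""
    return {campaign for campaign, _ in match_message(raw)}


def build_sample(sender: str, subject: str, filename: str, body: str) -> bytes:
    """Construct a test message (not a real capture) with one attachment."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "accounts@example.invalid"
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(b"\x00placeholder\x00", maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


# Constructed samples: one per alert, plus a benign control message.
SAMPLES = {
    "isrstealer": build_sample("Distribution Division <joanne.pun@gmail.com>",
                               "Purchase order #693641_3451483",
                               "Purchase order #693641_3451483.zip",
                               "Please download the attached order."),
    "nanocore": build_sample('"COLLAKU Elona (AlmegiPharma)" <sender@example.invalid>',
                             "PO-99703487954-2019",
                             "PURCHASE ORDER.docx",
                             "The document password is in the previous mail."),
    "benign": build_sample("Alice <alice@example.invalid>",
                           "Lunch on Friday?", "menu.pdf", "See attached."),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, match_message(raw) or "no indicators matched")
```

To run this over a real mail store, read each `.eml` (or each message pulled from a mailbox) as bytes and pass it to `match_message`. Exact subject and filename matches will only catch these two campaigns as observed; attackers rotate order numbers and filenames, so a production check should also look at the attachment type (a zip or password-protected Office file arriving with a purchase-order lure) rather than at these literal strings alone.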