The US Computer Emergency Readiness Team (US-CERT) has released an analysis of a Remote Access Tool (RAT) malware variant. The variant has been identified as COPPERHEDGE.
“The Manuscrypt family of malware is used by advanced persistent threat (APT) cyber actors in the targeting of cryptocurrency exchanges and related entities. Manuscrypt is a full-featured Remote Access Tool (RAT) capable of running arbitrary commands, performing system reconnaissance, and exfiltrating data. Six distinct variants have been identified based on network and code features. The variants are categorized based on common code and a common class structure. A symbol remains in some of the implants identifying a class name of “WinHTTP_Protocol” and later “WebPacket.””
Malware Analysis Report Published by US-CERT on Trojan: TAINTEDSCRIBE
“The trojan is a full-featured beaconing implant and its command modules. These samples use FakeTLS for session authentication and for network encryption utilizing a Linear Feedback Shift Register (LFSR) algorithm. The main executable disguises itself as Microsoft’s Narrator. It downloads its command execution module from a command and control (C2) server and then has the capability to download, upload, delete, and execute files; enable Windows CLI access; create and terminate processes; and perform target system enumeration.”
Malware Analysis Report Published by US-CERT on Trojan: PEBBLEDASH
“This report looks at a full-featured beaconing implant. This sample uses FakeTLS for session authentication and for network encoding utilizing RC4. It has the capability to download, upload, delete, and execute files; enable Windows CLI access; create and terminate processes; and perform target system enumeration.”
US-CERT provides detailed information on each sample together with recommended mitigation techniques. Please see the US-CERT website for the full reports.