{"id":17359,"date":"2020-01-06T19:40:02","date_gmt":"2020-01-07T03:40:02","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2020\/01\/06\/news-11095\/"},"modified":"2020-01-06T19:40:02","modified_gmt":"2020-01-07T03:40:02","slug":"news-11095","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2020\/01\/06\/news-11095\/","title":{"rendered":"Predator the Thief: Analysis of Recent Versions"},"content":{"rendered":"<div class=\"aem-Grid aem-Grid--12 aem-Grid--default--12\">\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<h2>Introduction<\/h2>\n<p>FortiGuard Labs has been monitoring a new release of the malware known as <i>Predator the Thief<\/i>, labeled as version 3.3.4. After our last <a href=\"https:\/\/www.fortinet.com\/blog\/threat-research\/predator-the-thief-new-routes-delivery.html\">article <\/a>about <i>Predator the Thief<\/i>, we have continued monitoring this malware family. There have been small development differences between each minor version, making this latest version very different from version 3.0.8 mentioned in our last article.<\/p>\n<p>In early December we observed a new <i>Predator the Thief<\/i> campaign using version 3.3.3. We analyzed the new campaign, and found that it is both stealthier and more complicated than its predecessors. In addition, it was upgraded again to version 3.3.4 on Christmas Eve. In this report we will quickly analyze its latest set of capabilities.<\/p>\n<h2>Recent Campaign<\/h2>\n<p>Firstly, we discovered that the campaign now uses multiple phishing documents designed to look like invoices, all pushing the same payload of <i>Predator the Thief<\/i>. 
Figure 1 shows the infection chain, and Figure 2 shows an example of phishing document.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn aem-GridColumn--default--12\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/predator-the-thief-recent-versions\/_jcr_content\/root\/responsivegrid\/image_1086567456.img.png\/1578333473423\/ptt-one.png\" alt=\"Figure 1: Infection chain of recent Predator the Thief campaign\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 1: Infection chain of recent Predator the Thief campaign<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p class=\"cq-text-placeholder-ipe\" data-emptytext=\"Text\">\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--7 aem-GridColumn--offset--default--2\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/predator-the-thief-recent-versions\/_jcr_content\/root\/responsivegrid\/image_160368601.img.png\/1578333485711\/ptt-two.png\" alt=\"Figure 2: Example phishing document\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 2: Example phishing document<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<h2>Malware Loading<\/h2>\n<p>Once the document is opened the malware performs the following operations:<\/p>\n<p>1. AutoOpen macro runs the malware VBA script.<\/p>\n<p>2. 
It downloads three files through PowerShell.<\/p>\n<ul>\n<li>VjUea.dat: Legitimate AutoIt3.exe<\/li>\n<li>SevSS.dat: Base64-encoded AutoIt script with certificate header.<\/li>\n<li>apTz.dat: RC4-encrypted <i>Predator the Thief<\/i><\/li>\n<\/ul><\/div>\n<div class=\"cmp cmp-image aem-GridColumn aem-GridColumn--default--12\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/predator-the-thief-recent-versions\/_jcr_content\/root\/responsivegrid\/image_27827334.img.png\/1578333559962\/ptt-three.png\" alt=\"Figure 3: PowerShell for downloading files, compiling loader, and running loader to load Predator the Thief\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 3: PowerShell for downloading files, compiling loader, and running loader to load Predator the Thief<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>3. It then uses the legitimate AutoIt3.exe to run the decoded AutoIt script.<\/p>\n<p>\u201cSevSS.dat\u201d is decoded by certutil.exe, a legitimate command line program that is part of the Certificate Service in Windows. 
The script is then run to decrypt apTz.dat into the payload of <i>Predator the Thief<\/i>.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/predator-the-thief-recent-versions\/_jcr_content\/root\/responsivegrid\/image_369624856.img.png\/1578333628411\/ptt-four.png\" alt=\"Figure 4: Certificate header and base64-encoded AutoIt script(.au3)\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 4: Certificate header and base64-encoded AutoIt script(.au3)<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>4. It then loads <i>Predator the Thief<\/i> into a specific hollow process (dllhost.exe, in this sample).<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn aem-GridColumn--default--12\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/predator-the-thief-recent-versions\/_jcr_content\/root\/responsivegrid\/image_43684926.img.png\/1578333676850\/ptt-five.png\" alt=\"Figure 5: Decoding and injecting Predator the Thief into dllhost.exe\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 5: Decoding and injecting Predator the Thief into dllhost.exe<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<h2>Predator the Thief Hash:<\/h2>\n<p><b>7195659c846b13069d19341b6da99d925acc7db827dd84e7dbe00815511d30b1.<\/b><\/p>\n<p>After running the malware, we found it connected with the C2 server <b>corp2[.]site<\/b>. 
In the data sent to its C2 server we found the information file \u201cinformation.txt\u201d contained its version.\u00a0<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--5 aem-GridColumn--offset--default--3\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/predator-the-thief-recent-versions\/_jcr_content\/root\/responsivegrid\/image_934011644.img.png\/1578333724333\/ptt-six.png\" alt=\"Figure 6: Information.txt shows Version 3.3.3\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 6: Information.txt shows Version 3.3.3<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>As usual, the authors use Telegram to promote their malware business. They upgrade the panel and stealer almost every month. We checked the following channel, used for providing update notes for their customers:<\/p>\n<p><b>hxxps:\/\/t[.]me\/PredatorSoftwareChannel<\/b><\/p>\n<p>The malware was upgraded in early December to Version 3.3.3, and it was soon upgraded again to a new version 3.3.4 on Christmas Eve. 
Here are notes for both versions:<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn aem-GridColumn--default--12\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/predator-the-thief-recent-versions\/_jcr_content\/root\/responsivegrid\/image_769446704.img.png\/1578333794270\/ptt-seven.png\" alt=\"Figure 7: Notes for version 3.3.3 in its Telegram channel\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 7: Notes for version 3.3.3 in its Telegram channel<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p class=\"cq-text-placeholder-ipe\" data-emptytext=\"Text\">\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn aem-GridColumn--default--12\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/predator-the-thief-recent-versions\/_jcr_content\/root\/responsivegrid\/image_233631588.img.png\/1578333813776\/ptt-eight.png\" alt=\"Figure 8: Notes for version 3.3.4 in its Telegram channel\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 8: Notes for version 3.3.4 in its Telegram channel<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>The stealer\u2019s side does not change much in either version released in December. However, there have been some new features added since our last article. 
In the following section we will analyze the features found in version 3.3.3 to determine what changes have been made during this period.<\/p>\n<h2>Features<\/h2>\n<h4>More Anti-Debug Tricks<\/h4>\n<p>More anti-debug tricks have been added to <i>Predator the Thief<\/i>.<\/p>\n<ol>\n<li>NtSetInformationThread<\/li>\n<li>NtQueryInformationProcess<\/li>\n<li>BeingDebugged flag<\/li>\n<li>CheckRemoteDebuggerPresent<\/li>\n<li>Breakpoint detection with AddVectoredExceptionHandler<\/li>\n<li>Thread for permanently monitoring debugger<\/li>\n<li>Descriptor table register check<\/li>\n<li>GetTickCount check<\/li>\n<\/ol>\n<p>We also found that it copies a portion of ntdll.dll into allocated memory and patches the copy with a small piece of shellcode that calls NtQueryInformationProcess for anti-debug purposes. Because the call goes through this private copy, a hook that an analyst places on NtQueryInformationProcess in ntdll.dll does not intercept it. It also verifies the crc32 checksum of the allocated memory to detect any modification.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--7 aem-GridColumn--offset--default--2\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/predator-the-thief-recent-versions\/_jcr_content\/root\/responsivegrid\/image_181823917.img.png\/1578333903502\/ptt-nine.png\" alt=\"Figure 9: Anti-debug with NtQueryInformationProcess\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 9: Anti-debug with NtQueryInformationProcess<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>Before the main routine it also includes multi-level anti-debug functions. 
A thread is used to detect debuggers every five seconds.<i><\/i><\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/predator-the-thief-recent-versions\/_jcr_content\/root\/responsivegrid\/image_1011401696.img.png\/1578333960224\/ptt-ten.png\" alt=\"Figure 10: Multi-level anti-debug before main routine\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 10: Multi-level anti-debug before main routine<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<h4>More Complicated Assembly Code<\/h4>\n<p>In contrast with the previous version, 3.0.8, most of the junk code in the main routine has been removed. We can also observe that the assembly code is much shorter but more complicated. 
For example, all strings are decoded at runtime with XOR or SUB, and those string-decoding loops cause the flow to be more complicated.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--7 aem-GridColumn--offset--default--2\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/predator-the-thief-recent-versions\/_jcr_content\/root\/responsivegrid\/image_147433111.img.png\/1578334041979\/ptt-eleven.png\" alt=\"Figure 11 Graph comparison between version 3.0.8 and 3.3.3\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 11 Graph comparison between version 3.0.8 and 3.3.3<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<h4>Being File-less<\/h4>\n<p>We also found that the stolen information is sent as a zip file. However, those files are never generated in the file system. 
Instead, the malware allocates a memory space to locate the entire zip file structure, and then adds the zip file directly from memory to the request data.\u00a0<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn aem-GridColumn--default--12\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/predator-the-thief-recent-versions\/_jcr_content\/root\/responsivegrid\/image_1713557194.img.png\/1578334111043\/ptt-twelve.png\" alt=\"Figure 12: Data in packet and the decompressed files\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 12: Data in packet and the decompressed files<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p class=\"cq-text-placeholder-ipe\" data-emptytext=\"Text\">\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn aem-GridColumn--default--12\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/predator-the-thief-recent-versions\/_jcr_content\/root\/responsivegrid\/image_215136700.img.png\/1578334133561\/ptt-thirteen.png\" alt=\"Figure 13: Allocated memory for locating zip file\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 13: Allocated memory for locating zip file<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<h4>C2 Analysis \u2013 check.get<\/h4>\n<p>This is an API used to get the configuration from C2 server. The configuration is more complex and detailed than previous versions, and is encrypted during the connection. 
One example returned the following data, which looks like base64.\u00a0<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn aem-GridColumn--default--12\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/predator-the-thief-recent-versions\/_jcr_content\/root\/responsivegrid\/image.img.png\/1578334212061\/ptt-fourteen.png\" alt=\"Figure 14: Encrypted data in response packets\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 14: Encrypted data in response packets<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>In fact, the string is encrypted with RC4 and then encoded with plain base64. The RC4 algorithm uses the C2 domain name as its key. After decoding and decrypting the string shown in the previous figure, we found the following configuration string. Note that the IP information is masked.<\/p>\n<p><b>[0;1;0;0;0;1;1;0;1;;;1]#[]#[City;Country;Longitude;Latitude;IP;Timezone;Postal code]#[]#[]<\/b><\/p>\n<p>The string can be divided into five parts using \u201c#\u201d; &quot;[]&quot; indicates an empty configuration.<\/p>\n<p>1. The first part, as first analyzed in version 3.3.3, contains 12 arguments split by semicolons; in version 3.3.4 the configuration related to the CIS region check has been removed:<\/p>\n<ul>\n<li>Webcam bmp capture<\/li>\n<li>Enable anti-VM check:<br \/> \u00a0 \u00a0\u00a0<span>SIDT, SGDT, STR, CPUID<\/span><\/li>\n<li>Collect Skype information<\/li>\n<li>Collect Steam information<\/li>\n<li>Screen capture<\/li>\n<li>Enable CIS region check with default language:<\/li>\n<\/ul>\n<p>We found the following languages are checked in version 3.3.3: Russian, Armenian, Azeri, Belarusian, Georgian, Kazakh, Tajik, Turkmen, Uzbek, and Ukrainian. However, in version 3.3.4, the code related to the default language check has been removed. 
According to the information found in the author\u2019s notes in Figure 8, this may imply that a CIS region check is now performed on the server side.<\/p>\n<ul>\n<li>Remove itself after running<\/li>\n<li>Collect Telegram information<\/li>\n<li>Collect InetCookies<\/li>\n<li>File search limits<\/li>\n<li>Base64-encoded PowerShell command (Added in version 3.3.2)<\/li>\n<li>Browser history (Added in version 3.3.3)<\/li>\n<\/ul>\n<p>2. The second part contains a file grabber configuration. The following is an example of its configuration structure:<\/p>\n<p><b>[%userprofile%Desktop|%userprofile%Downloads;*.txt,*doc;2048;test.txt;0]:[another grabber configuration]<\/b><\/p>\n<p>It may contain multiple grabber configurations. There are five parts in each grabber configuration:<\/p>\n<ul>\n<li>Initial folders for grabber<\/li>\n<li>Target file types<\/li>\n<li>Maximum file size<\/li>\n<li>Exclusion list of file names<\/li>\n<li>Option for maintaining directory structure<\/li>\n<\/ul>\n<p>3. The third part is the victim\u2019s IP information, which is checked and returned by the C2 server.<\/p>\n<ul>\n<li>City<\/li>\n<li>Country<\/li>\n<li>Longitude<\/li>\n<li>Latitude<\/li>\n<li>IP<\/li>\n<li>Time zone<\/li>\n<li>Postal code<\/li>\n<\/ul>\n<p>4. The fourth part is a sub-configuration for running the download module or other malware. 
Interestingly, this download capability means the malware can now act as a loader for other malware.<\/p>\n<p>There are multiple ways to run files, including hollow process injection, reflective DLL injection, and general API usage, such as CreateProcessA and ShellExecuteA.<\/p>\n<p>Because this section has a complex configuration structure, we have simplified it to the following items:<\/p>\n<ul>\n<li>Download URL<\/li>\n<li>File execution method option<\/li>\n<li>Command line string for hollow process<\/li>\n<li>Download filename<\/li>\n<li>Registry for persistence<\/li>\n<li>Download file type (.dll or .exe)<\/li>\n<\/ul>\n<p>5. The fifth and last part is another configuration for downloading and executing modules. Unlike the fourth part of the configuration, it defines an API list. Each API downloads files from [APIName].get and [APIName].post.<\/p>\n<p>The URL is in the following format:<\/p>\n<p style=\"margin-left: 40.0px;\"><b>http[s]:\/\/[PredatorC2]\/api\/[APIName].[get|post]<\/b><\/p>\n<p style=\"margin-left: 40.0px;\">\u201c.get\u201d serves the PE file section named \u201c.rdata\u201d.<\/p>\n<p style=\"margin-left: 40.0px;\">\u201c.post\u201d serves the main part of the PE file.<\/p>\n<p>Eventually, it creates an executable \u201cWerfault.exe\u201d in the \u201c%ProgramData%[5-random-lowercase-letters name]\u201d folder and then immediately executes it with ShellExecuteA. Interestingly, this part is not a single API name but an API list, so multiple files can be downloaded from different APIs and executed immediately.<\/p>\n<h4>C2 Analysis \u2013 gate.get<\/h4>\n<p>This is used for sending collected information to the C2 server. 
The format is as follows:<\/p>\n<p><b>gate.get?p1=0&amp;p2=315&amp;p3=0&amp;p4=0&amp;p5=0&amp;p6=0&amp;p7=0&amp;p8=0&amp;p9=0&amp;p10=fZWvcQzEdNJmebrpmhICjrWiShZP9vAWnA==<\/b><\/p>\n<p>The meaning of each argument is shown below:<\/p>\n<ul>\n<li>p1: Number of passwords<\/li>\n<li>p2: Number of cookies<\/li>\n<li>p3: Number of cards<\/li>\n<li>p4: Number of forms<\/li>\n<li>p5: Number of Steam accounts<\/li>\n<li>p6: Number of wallets<\/li>\n<li>p7: Number of Telegram accounts<\/li>\n<li>p8: Crc32 checksum anti-debug result<\/li>\n<li>p9: Module execution method configuration<\/li>\n<\/ul>\n<p style=\"margin-left: 80.0px;\">This item is related to the configuration of the fourth part. If the fourth part is enabled, this argument will be set to 1.<\/p>\n<ul>\n<li>p10: Encrypted string of registry key name and OS version<\/li>\n<\/ul>\n<p style=\"margin-left: 80.0px;\">This item is encrypted with RC4 and then base64-encoded. It also uses the C2 domain name as its RC4 key.<\/p>\n<p style=\"margin-left: 80.0px;\">For example, we have the following encrypted string at the beginning of this section.<\/p>\n<p style=\"margin-left: 120.0px;\"><b>fZWvcQzEdNJmebrpmhICjrWiShZP9vAWnA==<\/b><\/p>\n<p style=\"margin-left: 80.0px;\">It can be decrypted into the following string.<\/p>\n<p style=\"margin-left: 120.0px;\">|Windows 7 Enterprise x64<\/p>\n<p style=\"margin-left: 80.0px;\">The format is \u201cRegistry Key Name|OS Version\u201d. The registry key name comes from the fourth part of the configuration. If the configuration is not set, it will be empty. By setting this configuration, it will create a registry key at HKCUSoftwareAdviceService Ltd.[Name].<\/p>\n<h2>Conclusion<\/h2>\n<p>This recent <i>Predator the Thief<\/i> campaign adds a simple but tricky way of abusing the legitimate AutoIt software to execute the <i>Predator the Thief<\/i> payload. In addition, the whole program flow has been changed. 
More anti-analysis features are used, and the configurations are more detailed and complex. It is also able to collect information in a file-less manner and delete itself immediately after sending information to C2. This makes it more difficult for analysts to analyze its damage to the victim system. It also has added new features to execute its additional modules and second stage malware in different ways.<\/p>\n<p>We will continue to monitor this malware family and its related activities and report on important new changes.<\/p>\n<p><i>As part of our membership in the\u00a0<a href=\"https:\/\/www.cyberthreatalliance.org\/\">Cyber Threat Alliance<\/a>, details of this threat were shared in real time with other Alliance members to help create better protections for customers.<\/i><\/p>\n<h2>Solution<\/h2>\n<p>Fortinet customers are protected from malicious threats mentioned in this analysis with the following solutions:<\/p>\n<ul>\n<li>All files are detected with FortiGuard Antivirus<\/li>\n<li>Malicious and Phishing URLs are blocked with our <a href=\"https:\/\/www.fortinet.com\/support-and-training\/support-services\/fortiguard-security-subscriptions\/web-filtering.html?utm_source=blog&amp;utm_campaign=2018-q3-web-filtering\">FortiGuard Web Filtering Service<\/a><\/li>\n<\/ul>\n<h2>IOCs<\/h2>\n<p><b>Malicious document: Detected as <i>VBA\/Agent.5C0F!tr<\/i><\/b><\/p>\n<p><b>Encoded AutoIt script:<\/b><\/p>\n<p>36fe75ca8ca8bcef475737dae530e50eb262484ba0cd4dac0081d8508412d0ad &#8211; Autoit\/Injector.ESA!tr<\/p>\n<p><b>RC4 Encrypted Predator the Thief 3.3.3:<\/b><\/p>\n<p>dce3bb2609c710339569404f8dce4e0786521bb0de46ad9358fc27d5b687f043 &#8211; W32\/Agent.PTM!tr<\/p>\n<p><b>Predator the Thief version 3.3.3:<\/b><\/p>\n<p>7195659c846b13069d19341b6da99d925acc7db827dd84e7dbe00815511d30b1 &#8211; W32\/Agent.PTM!tr<\/p>\n<p><b>Predator the Thief version 3.3.4:<\/b><\/p>\n<p>b7e0218883dfb06a4bf5bab7bf5ad4038258dd0e925d4fdd772def810ee2c92d &#8211; W32\/Agent.PTM!tr<\/p>\n<p><b>C2:<\/b> <b><i>Detected as Malware:<\/i><\/b><\/p>\n<p>hxxp:\/\/stranskl[.]site\/<br \/> hxxp:\/\/stranskl[.]site\/apTz.dat<br \/> hxxp:\/\/stranskl[.]site\/VjUea.dat<br \/> hxxp:\/\/stranskl[.]site\/SevSS.dat<br \/> hxxp:\/\/stranskl[.]site\/api\/check.get<br \/> hxxp:\/\/stranskl[.]site\/api\/gate.get<br \/> hxxp:\/\/corp2[.]site\/<br \/> 
hxxp:\/\/corp2[.]site\/api\/check.get<br \/> hxxp:\/\/corp2[.]site\/api\/gate.get<br \/> hxxp:\/\/tretthing[.]site\/<br \/> hxxp:\/\/tretthing[.]site\/api\/check.get<br \/> hxxp:\/\/tretthing[.]site\/api\/gate.get<\/p>\n<p><i>Learn how\u00a0<a href=\"https:\/\/www.fortinet.com\/fortiguard\/threat-intelligence\/threat-research.html?utm_source=nreleaseblog&amp;utm_campaign=2018-q2-fortiguardlabs-cta\">FortiGuard Labs<\/a>\u00a0provides\u00a0unmatched security and intelligence services using integrated\u00a0<a href=\"https:\/\/twitter.com\/hashtag\/AI?src=hashtag_click\">AI<\/a>\u00a0systems.\u00a0<\/i><\/p>\n<p><i>Find out about the FortiGuard Security Services\u00a0<a href=\"https:\/\/www.fortinet.com\/support-and-training\/support-services\/fortiguard-security-subscriptions.html?utm_source=blog&amp;utm_campaign=2018-blog-security-services\">portfolio<\/a>\u00a0and <a href=\"https:\/\/www.fortinet.com\/fortiguard\/threat-intelligence\/threat-research.html?utm_source=nreleaseblog&amp;utm_campaign=2018-q2-fortiguardlabs-cta\">sign up<\/a>\u00a0for our weekly FortiGuard Threat Brief.\u00a0<\/i><\/p>\n<\/p><\/div>\n<div class=\"raw-import aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"text-container\">\n<div id=\"om-qxx1b0gslklfu2kjckea-holder\"><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<p><a href=\"http:\/\/feedproxy.google.com\/~r\/fortinet\/blog\/threat-research\/~3\/XhRhMuXC-MM\/predator-the-thief-recent-versions.html\" target=\"bwo\" >http:\/\/feeds.feedburner.com\/fortinet\/blog\/threat-research<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"\/blog\/threat-research\/predator-the-thief-recent-versions\/_jcr_content\/root\/responsivegrid\/image_1086567456.img.png\/1578333473423\/ptt-one.png\"\/><br \/>FortiGuard Labs has been monitoring a new release of the malware known as Predator the Thief, labeled as version 3.3.4. 
Read more about its latest set of capabilities in this analysis.&lt;img src=&#8221;http:\/\/feeds.feedburner.com\/~r\/fortinet\/blog\/threat-research\/~4\/XhRhMuXC-MM&#8221; height=&#8221;1&#8243; width=&#8221;1&#8243; alt=&#8221;&#8221;\/&gt;<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10424,10378],"tags":[],"class_list":["post-17359","post","type-post","status-publish","format-standard","hentry","category-fortinet","category-security"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/17359","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=17359"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/17359\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=17359"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=17359"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=17359"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}