
Mysa Remote Access Trojan

MysaRAT is a remote access trojan that uses the EternalBlue SMBv1 exploit to propagate. Believed to have been created in the weeks after EternalBlue was publicly disclosed by the Shadow Brokers, it appeared to have fallen out of use but has recently begun appearing in new attacks.

At the time of publication it is unclear how Mysa is initially delivered to systems, although there are unconfirmed reports indicating it may be distributed via targeted spam campaigns as an embedded Dynamic-Link Library (DLL) file.

When executed, this DLL connects to a command and control (C2) server, then deletes specific user accounts and files and terminates specific processes. It then creates two registry entries to gain persistence and downloads a number of files, including a second stage payload. This second stage appears to be a modified version of a Chinese remote administration tool known as ForShare. When executed, it connects to a separate C2 server before deploying the EternalBlue exploit to propagate to other devices on the network. Once this is done it closes port 445, likely to stop other EternalBlue-based malware from infecting the same host.

Screenshot: check of domain down.mysking.info (example from down.mysking.info)

Indicators of Compromise

IP Addresses

  • 118.190.50[.]141
  • 182.18.23[.]38
  • 23.27.127[.]254
  • 47.52.0[.]176
  • 47.88.216[.]68
  • 67.229.144[.]218

URLs

  • 118.190.50.141:8888/test[.]dat
  • 23.27.127.254:8888/close[.]bat
  • 47.52.0.176:8888/item[.]dat
  • 47.88.216.68:8888/test[.]dat
  • 67.229.144.218:8888/test1[.]dat
  • down.mysking.info:8888/ok[.]txt
  • js.mykings.top:280/helloworld[.]msi
  • js.mykings.top:280/v[.]sct
  • scdc.worra[.]com
  • wmi.mykings.top:8888/kill[.]html
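The indicators above are published defanged (`[.]` in place of `.`), so they cannot be matched against logs as-is. The following Python script is an added example, not part of the original post: it refangs the post's own IP and URL indicators, builds a watchlist, and runs it over a few constructed proxy-log lines (the log format and client addresses are assumptions for the example, not real traffic). It flags an exact `host:port/path` hit separately from a connection to a listed C2 host or IP on some other port or path, since the latter still warrants investigation.

```python
from urllib.parse import urlsplit

# Indicators copied from the post above, in the same defanged ('[.]') form.
MYSA_IPS = [
    "118.190.50[.]141", "182.18.23[.]38", "23.27.127[.]254",
    "47.52.0[.]176", "47.88.216[.]68", "67.229.144[.]218",
]
MYSA_URLS = [
    "118.190.50.141:8888/test[.]dat", "23.27.127.254:8888/close[.]bat",
    "47.52.0.176:8888/item[.]dat", "47.88.216.68:8888/test[.]dat",
    "67.229.144.218:8888/test1[.]dat", "down.mysking.info:8888/ok[.]txt",
    "js.mykings.top:280/helloworld[.]msi", "js.mykings.top:280/v[.]sct",
    "scdc.worra[.]com", "wmi.mykings.top:8888/kill[.]html",
]


def refang(ioc):
    """Turn the '[.]' defanging used in the post back into a real dot."""
    return ioc.replace("[.]", ".")


def split_url_ioc(ioc):
    """Split a 'host:port/path' indicator into (host, port, path).

    Port is None and path is '' when the indicator is a bare hostname.
    """
    parts = urlsplit("http://" + refang(ioc))
    return parts.hostname, parts.port, parts.path


def build_watchlist(ips, urls):
    """Return (hosts, exact): hosts is the set of every C2 host or IP,
    exact is the set of (host, port, path) triples for full download URLs."""
    hosts = {refang(ip) for ip in ips}
    exact = set()
    for ioc in urls:
        host, port, path = split_url_ioc(ioc)
        hosts.add(host)
        if path:
            exact.add((host, port, path))
    return hosts, exact


HOSTS, EXACT_URLS = build_watchlist(MYSA_IPS, MYSA_URLS)

# Constructed proxy-log lines for the example (not real traffic):
# "time client method url".
SAMPLE_LOG = [
    "2017-06-01T10:00:00Z 10.0.0.5 GET http://47.52.0.176:8888/item.dat",
    "2017-06-01T10:00:01Z 10.0.0.5 GET http://example.com/index.html",
    "2017-06-01T10:00:02Z 10.0.0.7 GET http://js.mykings.top:280/v.sct",
    "2017-06-01T10:00:03Z 10.0.0.9 GET http://scdc.worra.com/update.php",
    "2017-06-01T10:00:04Z 10.0.0.9 POST http://182.18.23.38/gate",
]


def scan_log(lines, hosts=HOSTS, exact=EXACT_URLS):
    """Return (client, url, reason) for each line whose destination matches.

    reason is 'url' for an exact host:port/path hit and 'host' when only the
    C2 host or IP matches (different port or path).
    """
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue  # skip malformed lines rather than abort the scan
        client, url = fields[1], fields[3]
        parts = urlsplit(url)
        if parts.hostname is None:
            continue
        key = (parts.hostname, parts.port, parts.path)
        if key in exact:
            hits.append((client, url, "url"))
        elif parts.hostname in hosts:
            hits.append((client, url, "host"))
    return hits


if __name__ == "__main__":
    for client, url, reason in scan_log(SAMPLE_LOG):
        print(f"{reason:4} {client} -> {url}")
```

To use it against a real proxy or firewall export, replace `SAMPLE_LOG` with the file's lines and adjust the field positions in `scan_log` to the log format in use; the host-level match is deliberately kept because the same C2 servers appear in the list with several different ports and filenames.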

Duncan

Duncan is a technology professional with over 20 years' experience of working in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.
