RATicate – information-stealing malware

Sophos has identified five separate campaigns between November 2019 and January 2020 in which the payloads used similar packing code and pointed to the same command and control (C&C) infrastructure. The campaigns targeted industrial companies in Europe, the Middle East, and the Republic of Korea.

This leads Sophos to believe that they are all the work of the same actors, a group they have named RATicate.

RATicate uses two separate infection chains to deliver payloads. The first uses spam emails containing IMG, UDF, or ZIP attachments, which themselves contain an NSIS installer. When opened, the attachments execute the installer to drop the intended payload. The second infection chain also uses spam emails, but instead uses RTF or XLS files that download the payload directly when opened.

At the time of publication, five RATicate campaigns have been identified delivering Agent Tesla, BetaBot, BlackRAT, Bladabindi, Formbook, Netwire, Lokibot, and Remcos. Certain components of the command and control infrastructure are used across multiple campaigns. It is unclear whether RATicate are operating these campaigns in order to use the access and data they collect themselves, or if they are acting as a malware-as-a-service provider for other attackers.

IOC List

Campaign 1
0a19ff6641710799f55f87dde8368f1f8dd65df733026c44895413d4d0551d3e
c89a6f34e268fc278a2a432906430de5b34f1bcc66abdbf42dfb7efd66dd1789
b2deb7ba90236e7560e763c0b51ccd3292c16001b19de6081f6887fd4bb6c54c
3710e346662d90d7a79d5a0f089d29497364bfdfef1fe92e97f9cb0ef9085e2b
658b49ce37c0de6f7964f037efd2fdf9ffa7464ebb672c9bc736aaca6f16a816
6ecfa92a50f8607d68a22d81f331a03afd5704e8050f919018d211d3bfe17545
b4475e10f17d3042d72c89c8bb41e0d26f89e241f9fb0a3f561e8b75c525f155
dbf077ee1a9898a48c5ff8be6c1c40f6ff8f962e197203328d6a38a37b339fcf
5a037073cee53b16e24884de250c481245733ca36d490d6ccf6bd89f5d5b9eff
a326d53ba25a45e83b756eab6e5b92e73ddb6abe2e4afe901b8b346848081b49
864cd1cbf2bbb78528c7a23f77d65ef10e1fc2076c8aa3156f4c75ff40f39d6c
547207a3eb537c6b72a22420354471af1e763d4b66eab57938959ad4a581da96
17e6956252795cb552fc36936f35b7d4213290a27547ea01fa4e2ddab4984863
832f2bf5f2a1a0f40eb89b0d0f793ebd87de09936b19ac723e0f45d56c297c98
a42c300498189da05c0df077eb7c9690f8f866984d54a3e77ff0e7133f9b8150
32c9e1b0df6672d578ff03e37de3a7ffd8e3dae1cef6bf72ba2907764780943f
181900a35994a230e556d7169b06424ab5002c11c932ed229cbf97bc89fa3801
6e5796897b714032f6078460ebab05707bfb622d8696079a90b73f17443f2891
818983bd0636b497f50c5d88dd6d445f97ab7ba5cb16bfb7e3507477627b43f4
f80cb4485215b0742f8eb52176feacc81f3480a05e80ab3f93296a8c3065f44c
4b85eeb935fb27ad2f2389f44a868a7f40c934944f226bf7336ba637297187bb
11baa12646aaf52cf6af9207afe9114c6bdffc16bbb3b7e20225182f766812a1

Campaign 2

Campaign 3
92f829ebcda59a979889ff63082f8a8dde31a9e1fca950116edc2429c86e3af0
f491f0c961ccf721dd36ef74dc764b89f41ca2f9068e98e4509dfd1204335fd5
300c453f1a23149b1d1f2140c17107845b139fc8bcc78f7af607ec0dc1886545
a6aa4b2f9ac141ffb19aa1a846625a4a87b5726f2e51de0f4b04bc203fc6d8ed
4fcaeec9c065be5cdb5a5a13005f60f15181dc3b2fc0a6a95236872e7b79ea1a
dd9cb7e25cf587d1e8a6a857652b226fb760dcec1a2f1f8bd1f3478f64106069
c34059d7d84e86ecdd061db7f7e0d4c1374d7cbac3a0ef2014be1783eee0308b
bfc56135480dc62cc0cc59afbc6f789e8653c3572a27a0e8d88a9af87bc7766f
99fe53df1ff7aab3ec24e4a55c2fe3999fd1526c4ebd5d69ccb49ea21284b6ff
0515a25c628c836a3c9b1cf4662648c1ff06c5a73a70fee847bbeb2f000ef25b
a35ade39711fc3a32d976f1b765eeee466beaf3c5c638de1dcdf5cef0852b713
a170d60f042695e7cf4e101201fdb42c9098a61fad230aebed7ec6b2922cedcb
b5cb4efaae1a96a9845ec8990a7b351e127f68f1cb25bea030088e9abcb1d25b
8618e2aa6e4586700485b1438c3d41fc0e2c4f7e1461ab5728a6037cbce255c9
2743c38ed0f50f2dba370234514a36d31756c26820f5f3a95b3a8e34f7c9a137
112a0a7a764c073844f14c6ff284d59674062379579c0051d9e224b1f8404447
27b0d4870da49246f191fdf1d0b1b284b05461e132cde25693f82f4d2f39c800
125307a1cfeba113260663a1575481a33523354d55becbda07a3de6d6399fb2b
d9597a3a5b6c2a4f960cfaaabf69e81a3842ec7c34ad5e9a5270118e8d62481c
ed693eb9bf5fbd35c147640a4c0c688f3baa620e58dabaf0da351aa9c9825857
05e25668ecab07ba2dd341f257809f1f2c8cd7ce40c292dd68fe5d084e6e7d3c
f75c90fd0e80b7088645a9f383076bf450327b4f268ee76bba890b51fe4ce02d
85629f01dcfbf54dc16d5c02765939ce9adba9110019c6b0f9c19bc2fe5c1ffb
ca7e82c05049a081d052e12868c0af6531a3d5b94c2767ee760f437310e3e7d5

Campaign 4

Campaign 5

Domains used as C&C for malware payloads delivered by RATicate

Betabot

allenservice.ga
gelcursot.top
negrodesigns.ga
pitchstak.ga
stngpetty.ga
webxpo.ga

Lokibot

gelcursot.top
pitchstak.ga

Formbook

binzom.com/c208
cbespania.info/c206
conrak.net/c206
coxemen.com/c206
czxpkj.com/c206
dachfix.com/c206
ef-oh.com/c208
hearee.com/c208
hsctsu.com/sa
hypnose-beziers.com/c206
jevmod.com/c206
jinshasoft.com/c208
lighthouse-campus24.com/c206
miscov.com/p0x
odoyo.net/c208
oleum.gmbh/c206
phochain.com/sa
pizzans.com/c208
pupilfy.com/c206
ratokasutka.com/p0x
rdrfi.com/sa/
skylod.com/sa
slashoff.com/c208
sofisleep.com/c208
tellpizzqhut.com/c206
terenium.com/c206
vibe.restaurant/c206
yamatobb.com/c206
yncits89.com/p0x
bywebhost.com/c208

Netwire

79.134.225.11:1199
79.134.225.97:2556

Bladabindi

tucson1989.duckdns.org
pedrobedoya201904.duckdns.org

Blackrat

79.134.225.97:1982

Remcos

cashout2018.ddns.de

AgentTesla

mail.newmedicacare.com
mail.jrdigitalstore.com
mail.koyo.com.my
mail.qoa.com.my
mail.sedirectory.com.my
mail.arkazo.com
mail.alhilaly-group.com
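As an added example (not code from the original post or from Sophos), the following Python script takes a representative subset of the C&C indicators and hashes listed above, normalises them into the three forms they come in (bare host, host plus URL path for Formbook, and IP:port for Netwire and BlackRAT), and checks constructed proxy, DNS and connection log lines against them. The log formats, the log lines and the hash being looked up are constructed for the example; only the indicator values are from the page.

```python
"""Check log lines and file hashes against the RATicate IOCs listed above.

Added example, not part of the original post or the Sophos report. The
indicator values below are copied from the page; the log lines, the log
formats and the hash being looked up are constructed for this example.
"""
import re
from urllib.parse import urlsplit

# Representative subset of the SHA-256 hashes from the Campaign 1 and 3 lists.
HASHES_SHA256 = {
    "0a19ff6641710799f55f87dde8368f1f8dd65df733026c44895413d4d0551d3e",
    "92f829ebcda59a979889ff63082f8a8dde31a9e1fca950116edc2429c86e3af0",
}

# Representative subset of the C&C indicators, keyed by payload family.
# Formbook entries carry a URL path; Netwire and BlackRAT entries are ip:port.
C2_INDICATORS = {
    "Betabot": ["allenservice.ga", "gelcursot.top", "pitchstak.ga"],
    "Lokibot": ["gelcursot.top", "pitchstak.ga"],
    "Formbook": ["binzom.com/c208", "hsctsu.com/sa", "rdrfi.com/sa/"],
    "Netwire": ["79.134.225.11:1199", "79.134.225.97:2556"],
    "BlackRAT": ["79.134.225.97:1982"],
    "Bladabindi": ["tucson1989.duckdns.org"],
    "Remcos": ["cashout2018.ddns.de"],
    "AgentTesla": ["mail.newmedicacare.com"],
}


def classify(indicator):
    """Normalise one indicator into (kind, host, extra)."""
    if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}:\d+", indicator):
        host, port = indicator.rsplit(":", 1)
        return "socket", host, int(port)
    if "/" in indicator:
        host, path = indicator.split("/", 1)
        return "url", host.lower(), "/" + path.strip("/")
    return "host", indicator.lower(), None


def build_index(c2):
    """Group indicators by kind so a lookup returns the families that use them."""
    index = {"socket": {}, "url": {}, "host": {}}
    for family, indicators in c2.items():
        for ind in indicators:
            kind, host, extra = classify(ind)
            key = host if extra is None else (host, extra)
            index[kind].setdefault(key, set()).add(family)
    return index


URL_RE = re.compile(r"https?://[^\s\"']+")
SOCKET_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})\b")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


def match_line(line, index):
    """Return sorted (family, indicator) pairs found in one log line."""
    hits = set()
    for url in URL_RE.findall(line):
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        path = "/" + parts.path.strip("/")
        # Path-bearing indicators: host must match and the request path must
        # be the listed path or sit underneath it.
        for (h, p), fams in index["url"].items():
            if h == host and (path == p or path.startswith(p + "/")):
                hits.update((fam, h + p) for fam in fams)
    for ip, port in SOCKET_RE.findall(line):
        for fam in index["socket"].get((ip, int(port)), ()):
            hits.add((fam, f"{ip}:{port}"))
    for host in HOST_RE.findall(line):
        for fam in index["host"].get(host.lower(), ()):
            hits.add((fam, host.lower()))
    return sorted(hits)


def scan(lines, index):
    """Map line number -> hits for every line with at least one match."""
    results = {}
    for i, line in enumerate(lines):
        hits = match_line(line, index)
        if hits:
            results[i] = hits
    return results


def hash_is_known(sha256, hashes=HASHES_SHA256):
    """Case-insensitive lookup of a SHA-256 against the campaign hash list."""
    return sha256.strip().lower() in hashes


INDEX = build_index(C2_INDICATORS)

# Constructed log lines in made-up proxy, DNS and connection formats.
SAMPLE_LOGS = [
    '2020-01-14T10:22:03Z proxy src=10.0.0.5 method=POST url="http://hsctsu.com/sa/" status=200',
    "2020-01-14T10:25:11Z dns client=10.0.0.7 query=tucson1989.duckdns.org type=A",
    "2020-01-14T10:30:00Z conn 10.0.0.9:51234 -> 79.134.225.97:1982 proto=tcp",
    '2020-01-14T10:31:45Z proxy src=10.0.0.5 method=GET url="http://hsctsu.com/index.html" status=404',
    "2020-01-14T10:40:09Z dns client=10.0.0.3 query=gelcursot.top type=A",
    '2020-01-14T10:41:00Z proxy src=10.0.0.3 method=GET url="https://example.com/" status=200',
]

if __name__ == "__main__":
    for i, hits in scan(SAMPLE_LOGS, INDEX).items():
        print(f"line {i}: {hits}")
    print("hash known:", hash_is_known("0A19FF6641710799F55F87DDE8368F1F8DD65DF733026C44895413D4D0551D3E"))
```

Two points the sample lines are chosen to show: the Formbook indicators on the page are host-plus-path, so a request to the same host with an unrelated path (the fourth line) does not fire and the listed path is treated as the evidence; and the same IP (79.134.225.97) serves different families on different ports, so the port is part of the Netwire and BlackRAT indicators rather than being discarded. A domain shared by two families (gelcursot.top) correctly reports both.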

Duncan Newell

Duncan is a technology professional with over 20 years' experience of working in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.
