Mallory
Malware | Used by 1 actor | Exploits 2 CVEs

Cotx RAT


EXPLOITED CVES

Vulnerabilities exploited

2 CVEs Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.

2 CVEs
CVE-2018-0798: Microsoft Office Equation Editor Memory Corruption RCE (exploited in the wild)

Attackers relied on Microsoft Equation Editor exploit CVE-2018-0798 to deliver a custom malware that Proofpoint researchers have dubbed Cotx RAT.

via Proofpoint Threat Insight blog (proofpoint.com)
CVE-2017-0144: EternalBlue SMBv1 Remote Code Execution (exploited in the wild)

Once the attackers had succeeded in moving to several hosts on the same network by exploiting EternalBlue, they began running an interesting piece of malware on one of those hosts.

via NTT Security Japan (insight-jp.nttsecurity.com)
THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

TA428

After gaining control of computers with Poison Ivy and Cotx RAT, they performed lateral movement to deepen the compromise.

via NTT Security Japan (insight-jp.nttsecurity.com)
MITRE ATT&CK

Techniques & procedures

18 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

1 technique
T1566.001 Spearphishing Attachment (evidence: 1)

We determined that the infection vector observed in this campaign was spear phishing, with emails originating from both free email accounts and compromised user accounts. Spear phishing emails included malicious .doc attachments that were actually RTF files saved with .doc file extensions. | Proofpoint researchers initially identified email campaigns with malicious RTF document attachments targeting East Asian government agencies in March 2019.

Execution

3 techniques
T1059.003 Windows Command Shell (evidence: 1)

We observed the following commands: 5 - Open command shell; 6 - Open command shell as logged in user; 7 - Send command to command shell

T1203 Exploitation for Client Execution (evidence: 1)

The malicious RTF attachments exploited vulnerabilities in the Microsoft Equation Editor, specifically CVE-2018-0798, before downloading subsequent payloads.

T1574.001 DLL (evidence: 1)

This legitimate Symantec binary is used to side-load RasTls.dll using DLL search-order hijacking leading to the execution of Cotx RAT malware.

Persistence

2 techniques
T1112 Modify Registry (evidence: 1)

The current encrypted configuration is also stored in the registry key “HKEY_LOCAL_MACHINE\SOFTWARE\Intel\Java\user”.

T1547.001 Registry Run Keys / Startup Folder (evidence: 1)

When executed, writes a Word Add-In file with the “.wll” extension to the Windows Startup directory, which runs the next time Word is opened.

Privilege Escalation

1 technique
T1547.001 Registry Run Keys / Startup Folder (evidence: 1)

When executed, writes a Word Add-In file with the “.wll” extension to the Windows Startup directory, which runs the next time Word is opened.

Stealth

3 techniques
T1036 Masquerading (evidence: 1)

Spear phishing emails included malicious .doc attachments that were actually RTF files saved with .doc file extensions.

T1574.001 DLL (evidence: 1)

This legitimate Symantec binary is used to side-load RasTls.dll using DLL search-order hijacking leading to the execution of Cotx RAT malware.

T1622 Debugger Evasion (evidence: 1)

Researchers at SectorB06 have noted this stage-one payload and indicated that throughout the above process it is running a “CheckRemoteDebuggerPresent” function to prevent analysis and debugging by researchers.

Defense Impairment

1 technique
T1112 Modify Registry (evidence: 1)

The current encrypted configuration is also stored in the registry key “HKEY_LOCAL_MACHINE\SOFTWARE\Intel\Java\user”.

Discovery

5 techniques
T1057 Process Discovery (evidence: 1)

We observed the following commands: 14 - Process listing

T1082 System Information Discovery (evidence: 1)

The initial beacon contains “|”-delimited system information: computer name, username, Windows version, architecture, local IP addresses, first adapter's MAC address.

T1083 File and Directory Discovery (evidence: 1)

We observed the following commands: 2 - Get directory info or drive info

T1518 Software Discovery (evidence: 1)

We observed the following commands: 21 - Get list of installed software

T1622 Debugger Evasion (evidence: 1)

Researchers at SectorB06 have noted this stage-one payload and indicated that throughout the above process it is running a “CheckRemoteDebuggerPresent” function to prevent analysis and debugging by researchers.

Lateral Movement

1 technique
T1210 Exploitation of Remote Services (evidence: 1)

Once the attackers had succeeded in moving to several hosts on the same network by exploiting EternalBlue, they began running an interesting piece of malware on one of those hosts.

Collection

1 technique
T1113 Screen Capture (evidence: 1)

We observed the following commands: 13 - Screenshot

Command and Control

3 techniques
T1071.001 Web Protocols (evidence: 1)

The command and control structure of Cotx RAT is proxy aware. It utilizes wolfSSL for TLS encrypted communication.

T1090 Proxy (evidence: 1)

The command and control structure of Cotx RAT is proxy aware... Proxy IP and port discovered by searching the IPv4 TCP connection table for established connections with remote ports using common proxy ports (3128, 8080, 808, 1080), or via WINHTTP_OPTION_PROXY.

T1105 Ingress Tool Transfer (evidence: 1)

We observed the following commands: 25 - Execute an executable

Impact

1 technique
T1489 Service Stop (evidence: 1)

We observed the following commands: 15 - Kill process

INDICATORS OF COMPROMISE

IOCs tracked for this family

10 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

Network
5 tracked

IPs, domains, and DNS infrastructure linked to this family.

Hashes
5 tracked

File hashes (MD5, SHA-1, SHA-256) from samples and reports.

Type         Value           Latest sighting
ip.v4        ●●●●●●●●●●●●    6 years ago
ip.v4        ●●●●●●●●●●●●    6 years ago
domain       ●●●●●●●●●●●●    7 years ago
hash.sha256  ●●●●●●●●●●●●    7 years ago
hash.sha256  ●●●●●●●●●●●●    7 years ago
hash.sha256  ●●●●●●●●●●●●    7 years ago