
ShellReset Remote Access Trojan

ShellReset is a newly observed .NET remote access trojan believed to be based on the older Quasar malware.

Affected platforms

The following platforms are known to be affected:

Threat details

ShellReset is delivered via macro-laden Microsoft Word documents, distributed as attachments in spam campaigns targeting a number of London-based events. The document macros contain embedded C# source code, which the macro compiles into the primary ShellReset binary before executing it. The macros also set up several working directories for ShellReset to operate in.

Once installed, ShellReset will collect system information to send to a command and control (C2) server, before awaiting further instructions. Commands are sent from the C2 server as GET requests, with ShellReset able to execute commands and payloads, take screenshots, and upload files to the C2 server.
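One host-based detection for the delivery technique above, written here as an added example rather than code from the NHS Digital alert: it scans constructed Sysmon-style process-creation events for an Office application spawning the C# compiler csc.exe, which is how a macro that compiles embedded C# at runtime typically shows up on an endpoint. That the macro uses csc.exe, the field layout of the events and the sample paths are all assumptions.

```python
import re

# Office apps that should not normally launch a compiler.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# csc.exe is what CodeDOM-style compilation shells out to (an assumption, not stated in the alert).
COMPILER_IMAGES = {"csc.exe"}
# CodeDOM hands csc.exe a response file from %TEMP%: "@...\Temp\<name>.cmdline".
RESPONSE_FILE = re.compile(r"@\S*\\Temp\\[^\\\s]+\.cmdline", re.IGNORECASE)

# Constructed Sysmon-style process-creation (Event ID 1) lines, not real telemetry.
SAMPLE_EVENTS = [
    r"EventID=1|Image=C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"
    r"|ParentImage=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
    r"|CommandLine=csc.exe /noconfig /fullpaths @C:\Users\alice\AppData\Local\Temp\k2x9.cmdline",
    r"EventID=1|Image=C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"
    r"|ParentImage=C:\Program Files\dotnet\dotnet.exe"
    r"|CommandLine=csc.exe /noconfig @C:\build\app\obj\Debug\app.rsp",
    r"EventID=1|Image=C:\Windows\splwow64.exe"
    r"|ParentImage=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
    r"|CommandLine=C:\Windows\splwow64.exe 12288",
]

def parse_event(line: str) -> dict:
    """Split one 'key=value|key=value' line into a dict."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields

def image_name(path: str) -> str:
    """Lower-cased file name from a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()

def is_office_spawned_compiler(event: dict) -> bool:
    """True when an Office process is the direct parent of the C# compiler."""
    return (event.get("EventID") == "1"
            and image_name(event.get("ParentImage", "")) in OFFICE_PARENTS
            and image_name(event.get("Image", "")) in COMPILER_IMAGES)

def find_macro_compilation(lines) -> list:
    """One finding per suspicious event, flagging the CodeDOM response-file tell."""
    findings = []
    for event in map(parse_event, lines):
        if is_office_spawned_compiler(event):
            cmdline = event.get("CommandLine", "")
            findings.append({"parent": image_name(event["ParentImage"]),
                             "child": image_name(event["Image"]), "cmdline": cmdline,
                             "codedom_response_file": bool(RESPONSE_FILE.search(cmdline))})
    return findings
```

Only the first sample event is flagged: a build tool launching csc.exe and Word launching the print spooler helper are both left alone.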


Remediation steps


To prevent and detect a trojan infection, NHS Digital advises that:

  • Secure configurations are applied to all devices.
  • Security updates are applied at the earliest opportunity.
  • Tamper protection settings in security products are enabled where available.
  • Obsolete platforms are segregated from the rest of the network.
  • IT usage policies are reinforced by regular training to ensure all users know not to open unsolicited links or attachments.
  • Multi-factor authentication (MFA) and lockout policies are used where practicable, especially for administrative accounts.
  • Administrative accounts are only used for necessary purposes.
  • Remote administration services use strongly encrypted protocols and only accept connections from authorised users or locations.
  • Systems are continuously monitored, and unusual activity is investigated, so that a compromise of the network can be detected as early as possible.

Please note that NCSC maintains guidance for securely configuring a wide range of end user device (EUD) platforms. For further details refer to their end user device security guidance pages.



Indicators of compromise

Main indicators

Filenames

  • 5G Expo.doc
  • FutureBuild.doc
  • Get%20Stared.doc

ATT&CK TTPs

Last edited: 29 June 2021 12:01 pm