Punisher Remote Access Trojan

Punisher is a .NET-based RAT (remote access trojan). Publicly available on several dark web forums, it can be configured with several capabilities according to the user’s wishes.

At the time of publication, Punisher is delivered exclusively by the Mjag dropper, although this is likely to change as more threat actors begin using the trojan. Once installed, it will connect to a threat actor specified command and control server before collecting and transmitting system information back to the server. It will also create registry keys to ensure persistence.

Punisher will attempt to collect a range of information, including; credentials, keystrokes, files and IP data. It will also monitor the Task Manager and prevent certain processes from terminating other processes. Newer variants of Punisher will enumerate removable drives and copy themselves to them to aid further propagation.

The Mjag dropper is distributed via a malicious link in a decoy PDF which downloads and installs the dropper. During installation, the Mjag dropper performs code injection to execute the Punisher RAT payload.

Affected Platforms:

  • Microsoft Windows – All versions

Indicators of Compromise

URLs

  • tenau.pw/owa/neftioban1830369427520181030abbidialtddt30102018_pdf.exe

Domains

  • tenau.pw
  • chris101.ddns.net

MD5

  • 0a459c18e3b8bdef87a6fb7ea860acdb

Duncan Newell

Duncan is a technology professional with over 20 years experience of working in various IT roles. He has a interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: