Punisher Remote Access Trojan

Punisher is a .NET-based RAT (remote access trojan). Publicly available on several dark web forums, it can be configured with several capabilities according to the user’s wishes.

At the time of publication, Punisher is delivered exclusively by the Mjag dropper, although this is likely to change as more threat actors begin using the trojan. Once installed, it will connect to a threat actor specified command and control server before collecting and transmitting system information back to the server. It will also create registry keys to ensure persistence.

Punisher will attempt to collect a range of information, including; credentials, keystrokes, files and IP data. It will also monitor the Task Manager and prevent certain processes from terminating other processes. Newer variants of Punisher will enumerate removable drives and copy themselves to them to aid further propagation.

The Mjag dropper is distributed via a malicious link in a decoy PDF which downloads and installs the dropper. During installation, the Mjag dropper performs code injection to execute the Punisher RAT payload.

Affected Platforms:

• Microsoft Windows – All versions

Indicators of Compromise

URLs

• tenau.pw/owa/neftioban1830369427520181030abbidialtddt30102018_pdf.exe

Domains

• tenau.pw
• chris101.ddns.net

MD5

• 0a459c18e3b8bdef87a6fb7ea860acdb