In late May, we discovered a malware distribution campaign for the Remote Access Trojan (RAT) class — programs that allow attackers to remotely control an infected system.

The group under consideration was distinguished by the fact that it did not choose any specific RAT family for infection. In the attacks within the framework of the campaign, several trojans were noticed at once (all in the public domain). With this trait, the group reminded us of the rat king - a mythical animal that consists of rodents with entwined tails.

ITKarma picture
The original is taken from the monograph by K. N. Rossikov “Mice and mouse-like rodents, the most important in economic terms” (1908)

In honor of this creature, we named the group RATKing that we are considering. In this post, we will talk in detail about how attackers carried out the attack, what tools they used, and also share our thoughts regarding the attribution of this campaign.

Attack progression


All attacks in this campaign went through the following algorithm:

  1. A user received a phishing email with a link to Google Drive.
  2. Through the link, the victim downloaded a malicious VBS script that prescribed a DLL to load the final payload into the Windows registry and ran PowerShell to execute it.
  3. The
  4. DLL library injected the final payload - in fact, one of the RAT used by cybercriminals - into the system process and wrote the VBS script into autorun to fix itself in the infected machine.
  5. The final payload was executed in the system process and gave the attacker the ability to control the infected computer.

Schematically, this can be represented as follows:

ITKarma picture

Next, we will focus on the first three stages, since we are interested in the exact delivery mechanism of malware. We will not describe in detail the mechanism of operation of the malware itself. They are widely available - either sold in specialized forums, or even distributed as open source projects - which means they are not unique to the RATKing group.

Analysis of attack stages


Step 1: Phishing email


The attack began with the victim receiving a malicious email (the attackers used different templates with text, one of the examples is given in the screenshot below). The message included a link to the legitimate vault CDMY0CDMY, which supposedly led to a PDF download page.

ITKarma picture
Example of a phishing email

However, in fact, it was not a PDF document that was downloaded at all, but a VBS script.

When clicking on the link from the letter in the screenshot above, a file with the name CDMY1CDMY was loaded. In this case, the attackers did not even try to disguise the file as a legitimate document.

At the same time, as part of this campaign, we discovered a script called CDMY2CDMY. It could already pass for a legitimate PDF, because by default Windows hides the file extension. True, in this case, the suspect could still be caused by its icon, which corresponded to the VBS script.

At this stage, the victim could recognize the fraud: just look for a second at the downloaded files. However, in such phishing campaigns, attackers often rely on an inattentive or rushing user.

Stage 2. VBS script operation


The VBS script, which the user could inadvertently open, registered the DLL in the Windows registry. The script was obfuscated: the lines in it were written as bytes separated by an arbitrary character.

ITKarma picture
An example of an obfuscated script

The deobfuscation algorithm is quite simple: every third character was excluded from the obfuscated string, after which the result was decoded from base16 to the original string.For example, from the value CDMY3CDMY (highlighted in the screenshot above), the string CDMY4CDMY was obtained.

To deobfuscate strings, we used a function in Python:

def decode_str(data_enc): return binascii.unhexlify(''.join([data_enc[i:i+2] for i in range(0, len(data_enc), 3)])) 

Below on lines 9–10, the value is highlighted, during deobfuscation of which a DLL file was obtained. It was he who launched the next step using PowerShell.

ITKarma picture
Obfuscated DLL String

Each function in a VBS script was executed as the lines were deobfuscated.

After the script was launched, the CDMY5CDMY function was called - with its help, deferred execution was performed.

Next, the script worked with the Windows registry. He used WMI technology for this. With its help, a unique key was created, and the body of the executable file was written into its parameter. Access to the registry through WMI was performed using the following command:

GetObject(winmgmts {impersonationLevel=impersonate}!\\.\root\default:StdRegProv) 

ITKarma picture
A registry entry made by a VBS script

Stage 3. Operation of the DLL


At the third stage, the malicious DLL downloaded the final payload, injected it into the system process and ensured that the VBS script would run automatically when the user entered the system.

Running through PowerShell

The DLL was executed using the following command in PowerShell:

[System.Threading.Thread]::GetDomain().Load((ItemProperty HKCU:\/\/\/Software\/\/\/<rnd_sub_key_name> ).<rnd_value_name>); [GUyyvmzVhebFCw]::EhwwK('WScript.ScriptFullName', 'rWZlgEtiZr', 'WScript.ScriptName'),0 

This team did the following:

  • received data from a registry value named CDMY6CDMY - this data was a DLL file written on the.Net platform;
  • loaded the resulting.Net module into the CDMY7CDMY process memory using the CDMY8CDMY function (a detailed description of the Load () function available from Microsoft ) ;
  • performed the function CDMY9CDMY - it started the execution of the DLL library with parameters CDMY10CDMY, CDMY11CDMY, CDMY12CDMY. The CDMY13CDMY parameter stored the key to decrypt the final payload, and the CDMY14CDMY and CDMY15CDMY parameters were passed in order to register the VBS script into autorun.

DLL Description

In a decompiled form, the bootloader looked like this:

ITKarma picture
The loader in decompiled form (the function with which the DLL started to execute) is underlined in red

The bootloader is protected by.Net Reactor. The de4dot utility does a great job removing this protector.

This bootloader:

  • injected the payload into the system process (in this example, CDMY16CDMY);
  • wrote the VBS script to autorun.

Payload Injection

Consider the function that the PowerShell script called.

ITKarma picture
Function called by PowerShell script

This function performed the following actions:

  • decrypted two data sets (CDMY17CDMY and CDMY18CDMY in the screenshot). They were originally compressed using gzip and encrypted with the XOR algorithm with the key CDMY19CDMY;
  • copied the data to the allocated memory areas.Data from CDMY20CDMY - to the memory area pointed to by CDMY21CDMY (CDMY22CDMY in the screenshot); data from CDMY23CDMY to the memory area indicated by CDMY24CDMY (CDMY25CDMY in the screenshot);
  • called the CDMY26CDMY function ( description of this there are functions on the Microsoft website) with the following parameters (the parameter names are listed below, in the screenshot they go in the same order, but with the working values):
    • CDMY27CDMY - pointer to data from CDMY28CDMY;
    • CDMY29CDMY - a pointer to a line containing the path to the CDMY30CDMY executable;
    • CDMY31CDMY - pointer to data from CDMY32CDMY;
    • CDMY33CDMY, CDMY34CDMY - message parameters (in this case these parameters were not used and had values ​​0);
  • created the CDMY35CDMY file, where CDMY36CDMY is the first 4 characters of the CDMY37CDMY parameter (in the screenshot, the code fragment with this action starts with the CDMY38CDMY command). Thus, the malware added the URL file to the list of files for autorun when the user entered the system and thereby fixed itself on the infected computer. The URL file contained a link to the script:

[InternetShortcut] URL=file :///<vbsScriptPath> 

To understand how the injection was carried out, we decoded the CDMY39CDMY and CDMY40CDMY datasets. To do this, we used the following function in Python:

def decrypt(data, key): return gzip.decompress( bytearray([data[i] ^ key[i % len(key)] for i in range(len(data))])[4:]) 

As a result, we found out that:

  • CDMY41CDMY was a PE file - this is the final payload;
  • CDMY42CDMY was the shellcode needed for the injection.

The shellcode from the CDMY43CDMY array was passed as the value of the CDMY44CDMY function to the CDMY45CDMY function. CDMY46CDMY - callback function, its prototype looks like this:

LRESULT WndFunc( HWND hWnd, UINT Msg, WPARAM wParam, LPARAM lParam ); 

Thus, when the CDMY47CDMY function is launched with the parameters CDMY48CDMY, CDMY49CDMY, CDMY50CDMY, CDMY51CDMY, the shell code from the CDMY52CDMY array with the arguments CDMY53CDMY and CDMY54CDMY is executed. CDMY55CDMY is a pointer to a line containing the path to the CDMY56CDMY executable file, and CDMY57CDMY is a pointer to the destination payload.

The shell code received the addresses of functions from CDMY58CDMY and CDMY59CDMY by hash values ​​from their names and injected the final payload into the memory of the CDMY60CDMY process using the Process Hollowing technique (for more details, see this article ). When injecting shellcode:

  • created the CDMY61CDMY process in a suspended state using the CDMY62CDMY function;
  • then hid the display of the section in the address space of the CDMY63CDMY process using the CDMY64CDMY function. Thus, the program freed the memory of the original CDMY65CDMY process, then to allocate memory for the payload at this address;
  • allocated memory for the payload in the address space of the CDMY66CDMY process using the CDMY67CDMY function;

ITKarma picture
Starting the injection process

  • wrote the payload contents to the address space of the CDMY68CDMY process using the CDMY69CDMY function (as in the screenshot below);
  • resumed the CDMY70CDMY process using the CDMY71CDMY function.

ITKarma picture
Complete the injection process

Downloadable malware


As a result of the described actions, one of several malware of the RAT class was installed on the infected system. The table below lists the malware used in the attack, which we can safely attribute to one group of attackers, since the samples accessed the same management server.
VPO Name
First noticed
SHA-256
C & amp; C
Injection process
Darktrack
16-04-2020
CDMY72CDMY
kimjoy007.dyndns [.] org: 2017
svchost
Parallax
24-04-2020
CDMY73CDMY
kimjoy007.dyndns [.] org: 2019
svchost
WARZONE
18-05-2020
CDMY74CDMY
kimjoy007.dyndns [.] org: 9933
svchost
Netwire
20-05-2020
CDMY75CDMY
kimjoy007.dyndns [.] org: 2000
svchost

Examples of redistributable malware with the same management server

Two things are noteworthy here.

Firstly, the fact that the attackers used several different RAT families at once. This behavior is not typical of well-known cybergroups, which often use approximately the same set of tools familiar to them.

Secondly, RATKing used malware, which are either sold in specialized forums for a small price, or are completely open source projects.

A more complete list of the malware used in the campaign, with one important caveat, is provided at the end of the article.

About the grouping


We can not attribute the described malicious campaign to any known attackers. So far, we believe that these attacks were committed by a fundamentally new grouping. As we wrote at the beginning, we called it RATKing.

To create the VBS script, the group probably used a tool similar to the VBS-Crypter tool from the developer NYAN-x-CAT . This is indicated by the similarity of the script that this program creates with the script of attackers. In particular, both of them:

  • perform deferred execution using function CDMY76CDMY;
  • use WMI;
  • specify the body of the executable file as a registry key parameter;
  • execute this file using PowerShell in its address space.

For clarity, compare the PowerShell command to run a file from the registry that a script created using VBS-Crypter uses:

((Get-ItemPropertyHKCU:\Software\NYANxCAT\).NYANxCAT);$text=-join$text[-1..-$text.Length];[AppDomain]::CurrentDomain.Load([Convert]::FromBase64String($text)).EntryPoint.Invoke($Null,$Null); 

with a similar command used by the attacker script:

[System.Threading.Thread]::GetDomain().Load((ItemProperty HKCU:\/\/\/Software\/\/\/<rnd_sub_key_name> ).<rnd_value_name>); [GUyyvmzVhebFCw]::EhwwK('WScript.ScriptFullName', 'rWZlgEtiZr', 'WScript.ScriptName'),0 

Note that as one of the payloads, the attackers used another utility from NYAN-x-CAT - LimeRAT .

The addresses of C & amp; C servers point to another distinguishing feature of RATKing: grouping prefers dynamic DNS services (see the list of C & amp; C in the table with IoC).

IoC


The table below provides a complete list of VBS scripts that can most likely be attributed to the described campaign. All these scripts are similar and carry out approximately the same sequence of actions. All of them inject RAT class malware into a trusted Windows process. All have C & amp; C addresses registered using Dynamic DNS services.

However, we cannot claim that all of these scripts were distributed by the same attackers, with the exception of samples with the same C & amp; C addresses (for example, kimjoy007.dyndns.org).
VPO Name
SHA-256
C & amp; C
Injection process
Parallax
CDMY77CDMY
kimjoy007.dyndns.org
svchost
CDMY78CDMY
hope.doomdns.org
svchost
CDMY79CDMY
kimjoy007.dyndns.org
svchost
CDMY80CDMY
kimjoy007.dyndns.org
svchost
CDMY81CDMY
franco20.dvrdns.org
svchost
CDMY82CDMY
kimjoy007.dyndns.org
svchost
CDMY83CDMY
franco20.dvrdns.org
svchost
CDMY84CDMY
hope.doomdns.org
svchost
CDMY85CDMY
kimjoy007.dyndns.org
svchost
CDMY86CDMY
franco20.dvrdns.org
svchost
CDMY87CDMY
kimjoy007.dyndns.org
cmd
CDMY88CDMY
hope.doomdns.org
svchost
CDMY89CDMY
2004para.ddns.net
svchost
CDMY90CDMY
hope.doomdns.org
svchost
CDMY91CDMY
franco20.dvrdns.org
svchost
CDMY92CDMY
kimjoy007.dyndns.org
svchost
CDMY93CDMY
kimjoy007.dyndns.org
svchost
CDMY94CDMY
hope.doomdns.org
cmd
CDMY95CDMY
franco20.dvrdns.org
svchost
CDMY96CDMY
hope.doomdns.org
svchost
CDMY97CDMY
kimjoy007.dyndns.org
svchost
CDMY98CDMY
franco20.dvrdns.org
svchost
CDMY99CDMY
kimjoy007.dyndns.org
svchost
CDMY100CDMY
hope.doomdns.org
svchost
CDMY101CDMY
paradickhead.homeip.net
svchost
CDMY102CDMY
hope.doomdns.org
svchost
Warzone
CDMY103CDMY
kimjoy007.dyndns.org
svchost
CDMY104CDMY
kimjoy007.dyndns.org
svchost
Netwire
CDMY105CDMY
kimjoy007.dyndns.org
svchost
Darktrack
CDMY106CDMY
kimjoy007.dyndns.org
svchost
WSH RAT
CDMY107CDMY
anekesolution.linkpc.net
RegAsm

Lime


CDMY108CDMY
softmy.duckdns.org
RegAsm
QuasarRAT
CDMY109CDMY
darkhate-23030.portmap.io
RegAsm
CDMY110CDMY
darkhate-23030.portmap.io
RegAsm
CDMY111CDMY
darkhate-23030.portmap.io
RegAsm
CDMY112CDMY
darkhate-23030.portmap.io
RegAsm
CDMY113CDMY
chrom1.myq-see.com
RegAsm
CDMY114CDMY
darkhate-23030.portmap.io
RegAsm
CDMY115CDMY
darkhate-23030.portmap.io
RegAsm
CDMY116CDMY
darkhate-23030.portmap.io
RegAsm
CDMY117CDMY
darkhate-23030.portmap.io
RegAsm
CDMY118CDMY
darkhate-23030.portmap.io
RegAsm
CDMY119CDMY
darkhate-23030.portmap.io
RegAsm
CDMY120CDMY
darkhate-23030.portmap.io
RegAsm
CDMY121CDMY
darkhate-23030.portmap.io
RegAsm
CDMY122CDMY
darkhate-23030.portmap.io
RegAsm
CDMY123CDMY
darkhate-23030.portmap.io
RegAsm
CDMY124CDMY
darkhate-23030.portmap.io
RegAsm
CDMY125CDMY
darkhate-23030.portmap.io
RegAsm
CDMY126CDMY
darkhate-23030.portmap.io
RegAsm
CDMY127CDMY
darkhate-23030.portmap.io
RegAsm
CDMY128CDMY
darkhate-23030.portmap.io
RegAsm
CDMY129CDMY
darkhate-23030.portmap.io
RegAsm
CDMY130CDMY
darkhate-23030.portmap.io
RegAsm
CDMY131CDMY
darkhate-23030.portmap.io
RegAsm
CDMY132CDMY
darkhate-23030.portmap.io
RegAsm
CDMY133CDMY
darkhate-23030.portmap.io
RegAsm
CDMY134CDMY
darkhate-23030.portmap.io
RegAsm
CDMY135CDMY
darkhate-23030.portmap.io
RegAsm
CDMY136CDMY
darkhate-23030.portmap.io
RegAsm
CDMY137CDMY
darkhate-23030.portmap.io
RegAsm
CDMY138CDMY
darkhate-23030.portmap.io
RegAsm
CDMY139CDMY
darkhate-23030.portmap.io
RegAsm⁠
.

Source