## s s # d w r s **s** **d** **r** **21 2016** **Joseph Landry** **u** **r** **r** **rs** **s ur** **s** **Attackers have been successfully deploying RATs for years to remotely control users systems - giving** **them full access to the victim’s files or resources such as cameras, recording key strokes, or�** **downloading further malware. Traditionally RATs have been deployed when a user opens an email** **attachment, or downloads a file from a website or peer-to-peer network. In both cases, these vectors�** **involve use of files to deliver the payload - which are easier to detect.�** **Recently we detected a more sophisticated technique that a handful of countries across Asia are** **actively using to infect systems with RATs. This new technique ensures that the payload/file remains in�** **memory through its execution, never touching the disk in a de-encrypted state. In doing so, the** **attacker can remain out of view from antivirus technologies, and even ‘next-generation’ technologies** **that only focus on file-based threat vectors. Also, the samples analyzed have the ability detect the�** **presence of a virtual machine to ensure it’s not being analyzed in a network sandbox.** **And finally it’s important to highlight that the RAT itself is not new. In fact this technique can be used to�** **deliver any “known” RAT to a victim’s system. We analyzed this sample against our SentinelOne EPP** **to confirm is does not evade our behavior-based detection mechanisms. This is due to the fact that�** **we’re monitoring all processes at the user-space/kernel-space interface - and because all** **communication between the application and the kernel must be unencrypted, we detect the sample at** **both process injection points** ----- **Samples Analyzed** **Main Sample** **r** **32** **E NE** **2 0** **H** **256 su** **9551 15319 068** **966 8 9 563 522 d9 1** **2d19 122** **8 018 8** **H** **1 su** **3 1** **5 3509281 d 0 61 1 8** **6 d3** **393 55** **5 su** **65 52** **2d6 3d121** **826** **65d 9** **s z** **32102** **s 32** **Unpacked Samples** **◦ e5c71180f117270538487cd9b9b1b6d8 - Packed "Benchmark" DLL ▪** **9e05fb115bd4e85cfc0e32c72aa721be - Monitor (PerfWatson.exe) ◦** **d740ed3f33ca4cef3a6aa717f94bf52a - NanoCore RAT dumped from memory** **Behavioral Analysis** **When run, the binary will copy itself to** **%APPDATA%\Microsoft\Blend\14.0\FeedCache\nvSCPAPISrv.exe and extracts a second binary** **named PerfWatson.exe** **It then executes both binaries.** **For persistence, a registry key is created at HKEY_CURRENT_USER\Software\Microsoft\Windows** ----- **Finally, the RAT tries connecting back to its control server:** **z** **2015** **r** **161** **z** **r** **161** **chickenkiller.com is owned by a free dynamic DNS service.** **At the time of this writing, the DNS records still exist, but the address they resolve to appears to be** **down.** **Unpacking** **"Benchmark" .NET DLL** **The main executable contains an XOR encrypted .NET DLL in its .NET managed resources and the** **logic to unpack it. This DLL contains the logic to unpack and inject the RAT as well as monitor the** **application, PerfWatson.exe. This DLL is referred to as "Benchmark" because that is the .NET** **namespace it uses.** **After decrypting the resource, it is linked into the process using** **[System.Reflection.Assembly.Load(byte[]). This method is documented on �MSDN here. Using this](https://msdn.microsoft.com/en-us/library/h538bck7%28v=vs.110%29.aspx)** **method, the DLL will never be written to the filesystem. This technique could have been chosen by the�** **developers to evade antivirus detection.** ----- **Under the hood, Assembly.Load(), uses a call to the win32 api call CreateFileMappingW() with the hFile** **parameter set to INVALID_HANDLE_VALUE. According to MSDN, this will create a mapped file that is�** **backed by the paging filesystem, not the standard filesystem. A layer below CreateFileMapping, the�** **system call NtCreateSection is invoked.** **After the empty file is created, it is mapped into memory using the Win32 API call MapViewOfFileEx.�** **The layer below this invokes the system call NtMapViewOfSection.** **Now, a call to memcpy() is used to copy the decrypted DLL into the newly allocated address range.** ----- **Unpacking Settings and NanoCore** **The settings for "Benchmark" and the NanoCore executable are serialized, DES encrypted, spliced,** **and stored across multiple PNG files as pixel data. The PNG files are concatenated and stored in the�** **.NET managed resources of the main executable.** **Some of the settings that can be configured are:�** **E** **r u** **s d** **d** **s** **d** **s** **s** **r** **r** **s** **d N** **r** **s** **ss** **us r** **Id** **r** **r** **r** **s r** **N** **w** **d** **r** **d** **r** **I** **r** **d** **r** **d ru** **r** **I** **d** **r** **ss** **After viewing one of these images, it is obvious they are not used to conveying visual information to a** **human eye.** ----- **After writing a short python script, I was able to extract all 19 PNG files. If you have robot eyes, you can�** **see a cat.** **Here is a C# decompilation of the method used to extract the information out of the pixel data.** ----- **Once everything is decrypted, the set options are executed, and the NanoCore RAT payload is injected** **into a new child process. The method of injection is discussed later.** **Unpacking PerfWatson.exe** **Now that "Benchmark" is loaded into memory, it is tasked with copying the main executable and** **extracting PerfWatson.exe to %APPDATA%\\Microsoft\Blend\14.0\FeedCache\.** **PerfWatson.exe is stored inside Benchmark as a base64 encoded string. There is no encryption or** **obfuscation outside of the base64 encoding.** **Inside the .NET assembly, the string is stored as a DefaultSettingValue string. The developers might** **have used this as a way to conceal the meaning of this long string.** **Once the string is decoded it is written to disk and executed** ----- **Injecting the Payload** **The NanoCore RAT payload is never written to disk to avoid detection. Instead, it is injected into a new** **process. The injection routine can be summarized by these Win32 API and system calls:** **r** **r** **ss** **E** **E** **EN** **r** **d** **r** **ss** **sus** **d** **d** **N** **r** **d** **s d** **d** **E** **d** **u d** **EI** **r** **s** **r** **d r** **ss** **r** **ds** **E** **I** **s** **ddr ss** **d** **N** **w** **s ru s** **w** **r** **s** **r** **d** **d** **0** **00000** **r u** **E** **s d** **s** **r** **N** **r** **r u** **r** **0 00 00000** **E H** **d r** **0 00 02000** **0 00 36000** **rsr** **0 00 3 000** **r** **E** **I** **s** **ddr ss** **d** **s** **s** **ddr ss** **0** **00000** **N** **r** **d** **d** **s** **EI** **r** **s** **r** **r** **d** **N** **r** **su** **r** **d** **us s** **d** **r** **ss** **sus** **d** **d** **d** **ru** **r** **ss** **s** **sus** **d** **d** **N** **r** **d** **s r** **d r** **d** **r** **ss** ----- **r** **r** **d** **ddr ss** **E** **s** **w** **w** **d s** **r** **d** **ddr ss r** **r** **d** **s** **w** **d** ----- **d** **w** **s r** **s** **N** **r** **r u** **r** **d u d** **E** **I** **s** **ddr ss** **N** **r** **d s** **d** **u d** **EI** **r** **s** **r s** **u** ----- **u** **s s** **r** **d w** **N** **r** **su** **r** **d** **du** **r** **ss** **d s** **w** **s** **d** **r** **ss s us** **N** **r** ----- **For more information on how SentinelOne protects against attacks such as these, visit our resources** **[page at sentinelone.com/resources](https://www.sentinelone.com/resources)** -----