# BitRAT pt. 2: Hidden Browser, SOCKS5 proxy, and UnknownProducts Unmasked **[krabsonsecurity.com/2020/09/04/bitrat-pt-2-hidden-browser-socks5-proxy-and-unknownproducts-unmasked/](https://krabsonsecurity.com/2020/09/04/bitrat-pt-2-hidden-browser-socks5-proxy-and-unknownproducts-unmasked/)** [Posted on September 4, 2020](https://krabsonsecurity.com/2020/09/04/) [Pt. 1 of the BitRAT series.](https://krabsonsecurity.com/2020/08/22/bitrat-the-latest-in-copy-pasted-malware-by-incompetent-developers/) During my initial analysis, there were several features in BitRAT that I did not have the opportunity to fully analyze. As such, I thought another post is merited to explore these functionalities further. In addition to this, analysis of the binary revealed strong similarities and shared code with the Revcode malware. We could from this infer that BitRAT has a significant relationship to Revcode, whether it is the developers sharing code or the developers being in fact the same person. The information leading to this assessment will be explored in detail in the last section of the post. ## Hidden Browser I did not explore the Hidden Browser feature in much detail initially, as I assumed it would merely be an interface built on top of TinyNuke’s HVNC. However, this assumption was incorrect. The Hidden Browser (command 65-6E) is implemented separately and from scratch. The first command (0x65) calls the remote browser initializer (004B6A64), which is a considerably large function due to the heavy use of STL, Boost, and string obfuscation. Due to this, screenshots will be combined and cut to fit in the article. First, it generates a random 16-character string, which it then uses to create a named desktop. Then, it tries to obtain the default installed browser by querying the file association for the “.html” extension. ----- Currently, only Chrome is supported and the function returns prematurely if another browser is set as the default .html handler. BitRAT then checks to see if Chrome is already running. If this is the case, it creates a new browser profile in the temp directory, otherwise it uses the default profile. It then appends some parameters disabling certain chrome features as is typical of HVNC browsers, creates the process and saves the browser window’s handle. ----- After this, the current thread enters a loop where it continuously screenshots the current browser and sends it back to the C2 server. The screenshot function makes use of BitBlt and GDI to take the screenshot, then convert it to a JPEG image and passes it back. ----- Parts of the image capturing code Conversion to JPEG Overall, the hidden browser is essentially another fairly basic HVNC implementation. For those not familiar with how HVNCs work, MalwareTech’s post is a fairly simple introduction that should clear things up. ----- ## SOCKS5 Proxy For interfacing with the tor service that is dropped to disk, BitRAT makes use of the [SOCKS5 library “socks5-cpp“. Interestingly, around 3 years ago a Steemit post was made](https://github.com/NuclearC/socks5-cpp) [describing how to use this specific library for sending traffic through Tor, this is presumably](https://steemit.com/tor/@scriptkid/tor-as-a-socks5-proxy-in-your-c-applications-with-socks5-cpp) where the idea was taken from. ----- ## UnknownProducts, BitRAT, and the link to Revcode A few days after I posted my initial article on BitRAT, @tildedennis noted that BitRAT is quite similar to the Revcode malware. Though I didn’t see it for a few days due to Twitter filtering out the notification, I was immediately interested for several reasons: 1. I’ve dealt with Revcode before and have identified its author as Alex Yücel, notorious for developing the Blackshades malware. 2. I knew that at one point, Revcode had a C++ payload that used Boost; however, I have not until now had a sample of this to look at and have only reverse-engineered the VB variant of it. The usage of Boost was shortly removed after it was implemented. 3. UnknownProducts’ timezone is GMT+2, which matches Sweden. He previously pretended to be Russian, however this is utterly unconvincing for various reasons. Given this reliable indicator that the two are possibly linked, a comparison between a sample of Revcode’s Boost variant [(be535a8c325e4eec17bbc63d813f715d2c8af9fd23901135046fbc5c187aabb2) and BitRAT](https://app.any.run/tasks/c69f9dc3-8fb5-4d50-82d4-237a9d7c5ffc/) is in order. The sample was trivial to unpack, the packer stub was built on 18 Jan 2019 05:29:34 UTC and the Revcode file inside was built on 20 Dec 2018 03:02:36 UTC. ----- ### RunPE What first caught my eye when reverse engineering BitRAT’s RunPE is how injection APIs are imported statically (refer to the previous post) and how a function parameter controls the return value. While the rest of the RunPE was copy-pasted, I could not find any public RunPE implementation that has such an option for the return value or even one that references dwProcessId. As such, I immediately searched for references to injection-relevant APIs within Revcode and immediately found a virtually identical function with the same method for controlling the return value. The rest of the code was virtually identical, with the only significant difference being that BitRAT encrypts the “NtUnmapViewOfSection” string. ----- RunPE in BitRAT RunPE in Revcode ### Keylogger BitRAT’s keylogger hook callback (4ABC8D) decodes key data into human-readable strings. For example, the strings “{NUMPAD_2}”, “{NUMPAD_5}”, “{NUMPAD_7}”, “{F12}” are used to represent such keys. The same strings are used in Revcode. In fact, the entire keyboard hook function is identical. ----- Part of BitRAT’s keylogger callback Part of Revcode’s keylogger callback ### Service Manager function The service manager shares identical strings such as “Boot Start,” “Win32 share process”, “The service is stopped,” “The service is in the process of being stopped.” While these strings are likely widely used elsewhere, they are referenced in the same manner and order. Furthermore, a comparison of the control flow graph reveals that BitRAT’s service manager only differs in complexity and length due to string encryption and SEH. ----- The flow graph of the service manager function. BitRAT is on the left, while Revcode is on the right. ### Identical command handling mechanisms A significant amount of command names are similar between the two malware. Both abbreviates “process” as “prc”. Both do not abbreviate “webcam”. Furthermore, both BitRAT and Revcode set up a table of command strings and command IDs the same way. The command string gets passed to a function that returns a DWORD pointer, which is dereferenced to set the command ID. The only difference between the two in the command text and the lack of string encryption in Revcode. BitRAT’s command list initialization ----- Revcode’s command list initialization ### Audio recording [BitRAT and Revcode both use A. Riazi’s Voice Recording library for recording audio from](https://www.codeproject.com/Articles/10138/Voice-Recording-Playing-back-using-simple-classes) machines infected by it. The only difference is that in BitRAT the debugging strings are stripped out while they are present inside Revcode. CVoiceRecording::Record in BitRAT ----- CVoiceRecording::Record in Revcode ### Other shared strings Some tag strings presumably for formatting data for communication are common between the two. Decrypted BitRAT strings ----- Strings from the Revcode binary ## Conclusion Given the findings above, it should be fairly evident that BitRAT is a successor to Revcode’s Boost payload. Sadly, UnknownProducts’ bid to remain unknown did not work out too well due to the practice of code reuse. While it is possible that the relationship is based only on code-sharing, the combination of the matching timezone makes this unlikely to be the case. Revcode dropped around March 2019, and in April 2019, UnknownProducts posted the initial development thread for BitRAT. The product was finally released in June, suggesting that Revcode’s Boost and non-Boost codebase were split into two, one for sales as Revcode and one for sales as BitRAT. This split was probably done to increase sales and market presence and to allow the aggressive marketing of illicit features such as HVNCs and remote browsers, which are meant exclusively for fraud. View Comments ... -----