**Wednesday, January 27, 2016**

Security analysts and threat researchers are invited to attend the webinar "Dissecting the Malware Involved in the INOCNATION Campaign", which details our investigation of INOCNATION and the new malware variant Hi-Zor. The webinar is scheduled for Thursday, January 28, 2016 at 2 pm ET.

In [Fidelis Threat Advisory #1020 (FTA)](https://www.fidelissecurity.com/sites/default/files/FTA_1020_Fidelis_Inocnation_FINAL.pdf), we provided comprehensive analysis of a tool that had been observed in a campaign called INOCNATION. Fidelis Threat Research is now confident that the malware observed in that campaign is a new Remote Access Trojan (RAT) that we are calling Hi-Zor RAT, based on strings observed in the sample.

Hi-Zor RAT uses the following techniques, some of which have been observed in other APT tools:

- Uses string-stacking, a technique observed in the Etumbot and Ixeshe families.
- Creates a copy of itself on the system with a '.dat' extension and entrenches it in the registry Run key with 'regsvr32.exe' pointing to a DLL file without a DLL extension. This technique has been observed in the Derusbi malware.
- Sends the victim's Volume Serial Number in the beacon. This technique has been observed in Sakula.
- Uses a double XOR to encode the command and control (C2) configuration.
- Uses common applications, such as VPN installers, as the decoy. This tactic has been observed in Sakula.

Beyond these techniques, it provides core RAT features such as:

- Process execution
- Reverse shell
- File management
- Upload/Download
- Kill switch/Uninstall

[Fidelis Threat Advisory #1020 provides detailed analysis of these facets.](https://www.fidelissecurity.com/sites/default/files/FTA_1020_Fidelis_Inocnation_FINAL.pdf) [New indicators and an updated Yara rule are available for download here.](https://github.com/fideliscyber)

Few samples of Hi-Zor RAT have been observed in public malware repositories such as VirusTotal. In our estimation, Hi-Zor RAT represents continued investment in tooling by APT actors, and we expect it to feature in future intrusions.

## Why is the Hi-Zor RAT not Sakula?

Crowdstrike first notified the world about this tool in their blog post '[Sakula Reloaded](http://www.crowdstrike.com/blog/sakula-reloaded/).' The following analysis is why we are defining Hi-Zor to be distinct from Sakula RAT.

Our comparative analysis is based on the following Hi-Zor malware sample related to the INOCNATION campaign:

| MD5 | SHA256 |
|---|---|
| 75d3d1f23628122a64a2f1b7ef33f5cf | cd07ac5947c643854375603800a4f70e2dfe202c8a1f801204328921cb3a2a4c |

As a reference, to obtain publicly documented samples of Sakula, we used the article released by Dell [SecureWorks: Sakula Malware Family](http://www.secureworks.com/cyber-threat-intelligence/threats/sakula-malware-family/):

| MD5 | SHA256 |
|---|---|
| f25cc334809bd1c36fd94184177de8a4 | 2b4cc716ec23a095d831069968d951a125f40574775f466f4251c8a0a37abfca |

Some differences were found between the above samples:

#### 1. Code comparison with BinDiff

Comparing the code with Google BinDiff, the tool found that only 5% of the code is similar.
| BinDiff statistic | Value |
|---|---|
| basicBlock matches (library) | 116 |
| basicBlock matches (non-library) | 65 |
| basicBlocks primary (library) | 65 |
| basicBlocks primary (non-library) | 327 |
| basicBlocks secondary (library) | 3161 |
| basicBlocks secondary (non-library) | 423 |
| flowGraph edge matches (library) | 93 |
| flowGraph edge matches (non-library) | 40 |
| flowGraph edges primary (library) | 93 |
| flowGraph edges primary (non-library) | 440 |
| flowGraph edges secondary (library) | 4489 |
| flowGraph edges secondary (non-library) | 586 |
| function matches (library) | 30 |
| function matches (non-library) | 49 |
| functions primary (library) | 6 |
| functions primary (non-library) | 101 |
| functions secondary (library) | 246 |
| functions secondary (non-library) | 153 |
| instruction matches (library) | 285 |
| instruction matches (non-library) | 254 |
| instructions primary (library) | 242 |
| instructions primary (non-library) | 4692 |
| instructions secondary (library) | 13158 |
| instructions secondary (non-library) | 2945 |
| basicBlock: MD index matching (bottom up) | 3 |
| basicBlock: MD index matching (top down) | 4 |
| basicBlock: call reference matching | 2 |
| basicBlock: edges Lengauer Tarjan dominated | 4 |
| basicBlock: edges MD index (bottom up) | 18 |
| basicBlock: edges MD index (top down) | 37 |
| basicBlock: edges prime product | 19 |
| basicBlock: exit point matching | 5 |
| basicBlock: exit point matching | 2 |
| basicBlock: jump sequence matching | 2 |
| basicBlock: loop entry matching | 2 |
| basicBlock: prime matching (0 instructions minimum) | 4 |
| basicBlock: propagation (size==1) | 53 |
| basicBlock: relaxed MD index matching | 4 |
| basicBlock: self loop matching | 2 |
| function: MD index matching (flowgraph MD index, top down) | 1 |
| function: address sequence | 2 |
| function: call reference matching | 3 |
| function: call sequence matching(exact) | 13 |
| function: call sequence matching(sequence) | 39 |
| function: loop count matching | 1 |
| function: name hash matching | 20 |
| Confidence | 0.267055127 |
| Similarity | 0.053533386 |

#### 2. IDA code decompilation

The screenshots in the original post show the main SWITCH statements of the two samples and the differences between them.

#### 3. Network traffic

The network traffic of the two samples is also different. The Sakula sample beacons out with the following traffic:

```
POST /newimage.asp?imageid=ivpgvz-1004122437&type=0&resid=365854765 HTTP/1.1
User-Agent: iexplorer
Host: citrix.vipreclod[dot]com
Content-Length: 176
Cache-Control: no-cache
```

The malware discussed in [Fidelis Threat Advisory #1020](https://www.fidelissecurity.com/sites/default/files/FTA_1020_Fidelis_Inocnation_FINAL.pdf) beacons over a secure connection (e.g. TLS) with the following traffic:

```
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: inocnation[dot]com
Content-Length: 8
Connection: Keep-Alive
```

In the above traffic, both samples send the Volume Serial Number in the same format, but the traffic is still different. The traffic from the Hi-Zor sample includes the victim's system Computer Name and is sent over a secure connection.

#### 4. String obfuscation

In the Sakula sample analyzed, the malware configuration (e.g. C2, URL, filename, etc.) is obfuscated with a single-byte XOR key of 0x56.

In the Hi-Zor sample, the C2 configuration is obfuscated with a double XOR using the keys 0x70 and 0x79.

The string-stacking technique is also widely used in the Hi-Zor sample, while it was not observed in the Sakula sample inspected.

#### 5. File type

The Sakula malware is a .EXE file, and the malware in the FTA is a .DLL file.

#### 6. Registry entrenchment

The Sakula malware entrenches in the system here:

```
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value name: MicroMedia
Value data: %TEMP%\MicroMedia\MediaCenter.exe
```

While the Hi-Zor sample entrenches in the system here:

```
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Value name: AdobePlayer
Value data: regsvr32 /s "%APPDATA%\adobe\adobe.dat"
```

#### 7. Embedded files

The Sakula sample inspected contained a 32-bit and a 64-bit DLL obfuscated in its resource section. These DLLs were decoded with a single-byte XOR key of 0x24; the decoding routine skips bytes equal to the XOR key and null (0x00) bytes. According to SecureWorks, this code is used for UAC bypass. This is not observed in the Hi-Zor sample.

Due to these differences between the sample in FTA #1020 and the Sakula samples inspected, we have decided to distinguish the malware reverse engineered in the FTA and assign it the distinctive name Hi-Zor. More malware threat analysis to come in future blogs and Fidelis Threat Advisories.

-- The Fidelis Threat Research Team

[Posted by ThreatGeek at 12:52 PM in advanced malware, malware, malware detection | Permalink](http://profile.typepad.com/6p0147e41f3c0a970b)

[©2011 - 2015 Fidelis Cybersecurity | 1.800.652.4020](http://www.fidelissecurity.com/)
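The XOR schemes described in sections 4 and 7 above (Sakula's single-byte 0x56 config key, Hi-Zor's double XOR with 0x70 and 0x79, and the skip-key-and-null rule used on Sakula's embedded DLLs with 0x24), as an added example that is not code from the post or from Fidelis. It assumes each XOR pass covers the whole buffer; the configuration string and the fake DLL header it decodes are constructed for the demo, and the domain is a placeholder, not an indicator. The key-recovery helper goes one step beyond the post: given a plaintext marker an analyst expects in the decoded data (an `https` prefix, an `MZ` header), it brute-forces the 256 possible keys, which also shows that two whole-buffer single-byte XOR passes collapse to a single key of `0x70 ^ 0x79`.

```python
# Added example (not Fidelis code): decoders for the XOR schemes the post
# describes, plus brute-force key recovery against a known plaintext marker.
# All sample data below is constructed for the demo.
from typing import Callable, List


def xor_single(data: bytes, key: int) -> bytes:
    """Whole-buffer single-byte XOR (the post reports key 0x56 for the Sakula config)."""
    return bytes(b ^ key for b in data)


def xor_double(data: bytes, key1: int, key2: int) -> bytes:
    """Two single-byte XOR passes (the post reports 0x70 and 0x79 for Hi-Zor's C2
    configuration). Assumption: each pass covers the whole buffer, in which case
    the two passes are equivalent to one XOR with key1 ^ key2."""
    return xor_single(xor_single(data, key1), key2)


def xor_skip(data: bytes, key: int) -> bytes:
    """Single-byte XOR that leaves bytes equal to the key or to 0x00 unchanged,
    the rule the post describes for Sakula's embedded DLLs (key 0x24). Skipping
    those two values keeps null padding as nulls and never turns a key-valued
    byte into a null. The rule is self-inverse: one function encodes and decodes."""
    return bytes(b if b in (0, key) else b ^ key for b in data)


def find_keys(blob: bytes, marker: bytes,
              decoder: Callable[[bytes, int], bytes]) -> List[int]:
    """Try all 256 keys; return those under which the decoded data contains marker."""
    return [k for k in range(256) if marker in decoder(blob, k)]


# Constructed C2 configuration string; the domain is a placeholder, not an IoC.
CONFIG = b"https://c2.example.invalid/gate.php|update.dat"

# Constructed stand-in for an embedded DLL: MZ header, null padding, DOS stub text,
# and a '$' (0x24, equal to the key) to show the skip rule in action.
RESOURCE = (b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
            b"This program cannot be run in DOS mode.\r\n$\x00")


def demo() -> dict:
    """Encode the constructed samples as each family would, then recover the keys."""
    sakula_cfg = xor_single(CONFIG, 0x56)
    hizor_cfg = xor_double(CONFIG, 0x70, 0x79)
    resource_enc = xor_skip(RESOURCE, 0x24)
    return {
        "sakula_roundtrip": xor_single(sakula_cfg, 0x56) == CONFIG,
        "hizor_roundtrip": xor_double(hizor_cfg, 0x70, 0x79) == CONFIG,
        # Two constant XOR passes are one XOR with the combined key (0x09 here).
        "double_equals_single": hizor_cfg == xor_single(CONFIG, 0x70 ^ 0x79),
        "sakula_keys": find_keys(sakula_cfg, b"https", xor_single),
        "hizor_keys": find_keys(hizor_cfg, b"https", xor_single),
        "resource_keys": find_keys(resource_enc, b"MZ", xor_skip),
        # The skip rule preserves nulls and key-valued bytes in the encoded blob.
        "nulls_kept": resource_enc.count(0) == RESOURCE.count(0),
        "dollar_kept": resource_enc[-2] == RESOURCE[-2] == 0x24,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

When running this against a real sample, replace `CONFIG`/`RESOURCE` with the bytes carved from the binary and pick a marker you are confident appears in the plaintext; for the skip-rule variant, searching for `MZ` at the start of the blob is enough to pin the key, because the key byte itself is never transformed.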
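A triage check for the two Run-key persistence patterns in section 6 above (Sakula's autorun from `%TEMP%`, and Hi-Zor's `regsvr32 /s` pointing at a `.dat` file in `%APPDATA%`), as an added example that is not code from the post or from Fidelis. The input is a constructed block of text in the shape of `reg query` output: the two suspicious values copy the registry entries the post lists, and the benign values around them are made up. The heuristic flags any `regsvr32` autorun whose target lacks a `.dll` extension, and any autorun target under a user-writable `%TEMP%`/`%APPDATA%` prefix.

```python
# Added example (not Fidelis code): triage of Run-key autoruns for the two
# persistence patterns the post describes. Input is constructed to look like
# `reg query <key>` output; the MicroMedia and AdobePlayer values are the
# post's Sakula and Hi-Zor entries, the remaining values are made-up benign ones.
import re
from typing import List, NamedTuple


class RunValue(NamedTuple):
    key: str    # registry key the value lives under
    name: str   # value name
    kind: str   # REG_SZ, REG_EXPAND_SZ, ...
    data: str   # value data (the command line that will run at logon)


class Finding(NamedTuple):
    key: str
    name: str
    reason: str
    target: str


# Value lines in `reg query` output are indented: name, type, data.
VALUE_LINE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(.*?)\s*$")
# Split a command line into tokens, honouring double-quoted paths with spaces.
TOKEN = re.compile(r'"([^"]*)"|(\S+)')
# Heuristic: autoruns under user-writable prefixes deserve a look; the post's
# Sakula and Hi-Zor entries use %TEMP% and %APPDATA% respectively.
USER_WRITABLE_PREFIXES = ("%temp%", "%appdata%")

SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    VendorTray    REG_EXPAND_SZ    %ProgramFiles%\Vendor\tray.exe /autostart
    MicroMedia    REG_SZ    %TEMP%\MicroMedia\MediaCenter.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    AdobePlayer    REG_SZ    regsvr32 /s "%APPDATA%\adobe\adobe.dat"
    Updater    REG_SZ    "C:\Program Files\Example\updater.exe" /background
    Helper    REG_SZ    regsvr32.exe /s C:\Windows\System32\vendor.dll
"""


def parse_reg_query(text: str) -> List[RunValue]:
    """Parse `reg query` style output into RunValue records."""
    values, key = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():       # unindented line = key path header
            key = line.strip()
            continue
        m = VALUE_LINE.match(line)
        if m and key:
            values.append(RunValue(key, m.group(1), m.group(2), m.group(3)))
    return values


def split_command(cmd: str) -> List[str]:
    """Tokenise a command line; quoted tokens lose their quotes."""
    return [quoted or bare for quoted, bare in TOKEN.findall(cmd)]


def triage(values: List[RunValue]) -> List[Finding]:
    """Flag regsvr32 autoruns whose target is not a .dll, and any autorun
    target under a user-writable prefix."""
    findings = []
    for v in values:
        toks = split_command(v.data)
        if not toks:
            continue
        exe = toks[0].lower()
        target = toks[0]
        if exe in ("regsvr32", "regsvr32.exe") or exe.endswith("\\regsvr32.exe"):
            # First non-switch argument is the module regsvr32 will load.
            args = [t for t in toks[1:] if not t.startswith("/")]
            target = args[0] if args else ""
            if target and not target.lower().endswith(".dll"):
                findings.append(Finding(v.key, v.name,
                                        "regsvr32 loading a file without a .dll extension",
                                        target))
        if target.lower().startswith(USER_WRITABLE_PREFIXES):
            findings.append(Finding(v.key, v.name,
                                    "autorun target under a user-writable %TEMP%/%APPDATA% path",
                                    target))
    return findings


def triage_sample() -> List[Finding]:
    """Run the triage over the constructed sample; returns three findings."""
    return triage(parse_reg_query(SAMPLE_REG_QUERY))


if __name__ == "__main__":
    for f in triage_sample():
        print(f"{f.key}\\{f.name}: {f.reason} -> {f.target}")
```

On a live host, feed `parse_reg_query` the output of `reg query` for both the HKLM and HKCU Run keys (the post's two samples use one each); the regsvr32 check is extension-based only, so a follow-up step would be to confirm the file type of anything it flags.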