# New SectopRAT: Remote access malware utilizes second desktop to control browsers **[gdatasoftware.com/blog/2019/11/35548-new-sectoprat-remote-access-malware-utilizes-second-desktop-to-control-browsers](https://www.gdatasoftware.com/blog/2019/11/35548-new-sectoprat-remote-access-malware-utilizes-second-desktop-to-control-browsers)** 11/21/2019 G DATA Blog This new remote access malware creates a second desktop that is invisible to the system's user. The threat actor can surf the Internet using the infected machine. ## General appearance and obfuscation [SectopRAT is a .NET based remote access malware. The sample[1] was originally found by MalwareHunterTeam and announced in a tweet on](https://twitter.com/malwrhunterteam/status/1195288774957244416) 15. November 2019. It was compiled on 13. November 2019. Using the following Yara rule we were able to obtain a second sample[2] that was compiled on 14. November 2019 and submitted a day later to Virustotal. ``` rule SectopRat { meta: author = "Karsten Hahn at G DATA CyberDefense AG" strings: $s_1 = "RemoteClient\x00" $s_2 = "InitHDesktop\x00" $s_3 = "InitBrowser\x00" $s_4 = "EnoghtSpace\x00" $s_5 = "SPI_SETSCREENSAVEACTIVE\x00" condition: all of them and uint16(0) == 0x5A4D } ``` The first sample[1] is signed by Sectigo RSA Code Signing CA, uses a Flash icon and has the following Version Information. language ID: 0x0409 code page: 0x04B0 Comments: Idito PleasweN MinIMus Inc. CompanyName: Nikler LegalCopyright: Nikler ProductName: Idito PleasweN MinIMus Inc. FileVersion: 3.21.0005 ProductVersion: 3.21.0005 InternalName: Burataslop OriginalFilename: Burataslop.exe The second sample[2] is not signed and uses an icon that looks like a red floppy disk. The Version Information looks different too but follows a similar pattern of upper and lower case combinations in a jumble of arbitrary words. language ID: 0x0409 code page: 0x04B0 Comments: errORs KilEfnos INCreASe MY Wife ----- Co pa y a e o ase usce ea G Jo LegalCopyright: FAW ISir Polaris ComapNY LegalTrademarks: investORS Leanda MikiRUck ProductName: Colleti FileVersion: 4.01.0009 ProductVersion: 4.01.0009 InternalName: Veerfus413 OriginalFilename: Veerfus413.exe The first section of both samples has arbitrary characters for its name and has write and execute characteristics. The 5th and last section has no name and contains the entry point. The other sections look rather typical. The threat actor used ConfuserEx to obfuscate the control flow and add anti-tamper to the .NET assembly. The anti-tamper prevents tools like DnSpy from decompiling the code (see picture below). ConfuserEx adds anti-tamper that leads to decompilation errors ## Configuration and persistence The assembly has a RemoteClient.Config class containing four public static variables for the configuration: ip, retip, filename, mutexName. The ip is the Command and Control (C&C) server IP. The retip variable is for setting a new C&C IP that the server can override by using the "set IP" command. The configuration is the same for both SectopRAT samples. Config class in SectopRAT sample The variables filename and mutexName are set but not used in the code. Instead it uses a hardcoded filename, spoolsvc.exe, and copies itself to %LOCALAPPDATA%\Microsoft\ Persistence is achieved by adding spoolsvc.exe to the RUN key in the registry. ``` HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SFddg --> %LOCALAPPDATA%\Microsoft\spoolsvc.exe ``` Note that the legitimate Print Spooler Service system file by Microsoft is named spoolsv.exe ## Command & control features SectopRAT command and control operates with packet types which are distinguished by a certain byte value in every packet. **Byte value** **Packet type** ----- **Byte value** **Packet type** 1 Start stream 2 Stop stream 3 Handle mouse event 4 Handle keyboard event 5 Init browser 6 Disconnect 7 Get codec info (not implemented) 8 Send computer info 9 Set IP The "Start stream" packet will either stream the current desktop or create another desktop using the hardcoded desktop name "sdfsddfg". The second desktop is not visible to the person who sits in front of the infected computer. The threat actor however can use "Init browser" to surf the Internet via the second desktop on the infected system. The "Init browser" packet has support for running Chrome, Firefox or Internet Explorer. It will change browser configuration, use start parameters and modify registry settings to disable security and make the browsers faster. E.g. for Chrome it disables sandboxes, the graphics cache and graphics options like 3d-apis, flash-3d, gpu-rasterization, gpu-vsync. The browser paths are hardcoded and don't use any environmental variables, which limits compatibility of the RAT. The "Send computer info" packet will send the operating system name, the username, an id that is based on a randomly created path name and a hash value that is based on hardware information like the processor name, the number of cores and RAM. "Get codec info" is not implemented yet. The client does not do anything. "Set IP" makes it possible to change the IP of the C&C server. This code creates another desktop on the infected system. ## Unfinished but we will probably see more ----- Sectop s used t e d but st oo s u s ed a d pa ts ast y do e So e o t e c ass a es a d a so t e a e o t e seco d desktop look like they were produced while trying to type arbitrarily on the keyboard because the keys are right next to each other and repeated by finger motion. Despite obvious flaws like using hardcoded paths without environmental variables to access system files, the RAT's architecture, the use of a second desktop and changes in browser configuration files and parameters show some internal knowledge that is far from a greenhorn. It is quite possible that the first samples in the wild are merely for testing. We expect to see new versions with additional features in the future. ## Indicators of Compromise **Description** **Filenames** **SHA256** **URL** [1] SectopRAT Deobfuscated SectopRAT [1] [2] SectopRAT **Karsten Hahn** Malware Analyst Burataslop.exe blad.exe Veerfus413.exe bssd.exe b1e3b5de12f785c45d5ea3fc64412ce640a42652b4749cf73911029041468e3a hxxp://45.142.213.230/blad. 4409d2170aa9989c6a8dd32b617c51a7c3e328b3c86410813c016691b2bd7774 d5a3d47e1945e9d83a74a96f02a0751abd00078ee62e6d3a546a050e0db10d93 hxxp://45.142.213.230/bssd You are here: [Blog (EN)](https://www.gdatasoftware.com/blog) Remote access malware utilizes second desktop to control browsers -----