A .NET rat targets Mongolia
By Sebdraven
Published: 2021-03-24 · Archived: 2026-04-05 17:52:58 UTC
A new document royal road v7 installs a backdoor in .NET. a first executable is dropped \os03C2.tmp. This exe
has many similarities with older campaigns using by Operation LagTime or Tonto Team.
Document
The decoy document is a document about infection of covid19 in Russia send to the Mongolia Authorities. The
document is fake signed A. Amarsaikhan.
This technics was used by Operation LagTime and another APT Chinese.
Backdoor Analysis
The backdoor is installed C:\MSBuild\WindowsUpdate\S-1–2 and the name of file is csrss.exe like the legit
process of Windows
The configuration of the backdoor is stored in a ressource .NET.
Press enter or click to view image in full size
The content of the XML file is encrypted with the AES algorithm. The key is hardcoded in the class Main_Form
in the private method Main_Form_Load.
byte[] crypt_key = new byte[]
{
https://sebdraven.medium.com/a-net-rat-target-mongolia-9c1439c39bc2
Page 1 of 10

230,
23,
63,
211,
96,
49,
120,
48,
182,
11,
49,
173,
233,
114,
123,
61,
230,
23,
63,
211,
96,
49,
120,
48,
182,
11,
49,
173,
233,
114,
123,
61
};
The xml file is decrypted :
https://sebdraven.medium.com/a-net-rat-target-mongolia-9c1439c39bc2
Page 2 of 10

A session key is created and used for encrypting all data found by the backdoor and send to C2.
A mutant is created with the information of the configuration:
https://sebdraven.medium.com/a-net-rat-target-mongolia-9c1439c39bc2
Page 3 of 10

And the persistence is the run keys with a check of the privileges:
A connection to the c2 is done in a thread with the method Post_Online_Message. The messages are encrypted
with the BasicKey hardcoded in the code: 8A5AE1329F9CD824EE915FE14328D267
https://sebdraven.medium.com/a-net-rat-target-mongolia-9c1439c39bc2
Page 4 of 10

The first information are sent in the setting of the compromise computer with the method Get_ComputerInfo.
Get Sebdraven’s stories in your inbox
Join Medium for free to get updates from this writer.
Remember me for faster sign in
The disk are listed, the kind of operating system, the processor information, the memory ram. These information
are collecting by using WMI and the IP of the computer.
https://sebdraven.medium.com/a-net-rat-target-mongolia-9c1439c39bc2
Page 5 of 10

https://sebdraven.medium.com/a-net-rat-target-mongolia-9c1439c39bc2
Page 6 of 10

After that, the backoor waits orders in another thread with the method Get_Server_Order.
Press enter or click to view image in full size
All orders are decrypted with the same BasicKey
And the method Order_Catcher launch the different orders:
the order is Getdir, $GetDisk, GetFileList, Checksum, DeleteFile, DeleteFolder, RenameFolder, RenameFile,
RunHide, Upload, Download, ActiveDos, ExecuteCommand, Disconnect, Trans (to transfert data), Uninstall
Each order has a method with the same name:
https://sebdraven.medium.com/a-net-rat-target-mongolia-9c1439c39bc2
Page 7 of 10

https://sebdraven.medium.com/a-net-rat-target-mongolia-9c1439c39bc2
Page 8 of 10

Threat Intelligence
Many TTPs are similar to another groups like TA428 (Operation LagTime) or Tonto. So this backdoor can be
developped by APT Chinese Group.
A new technic is to use .NET. There is different example with .Net plugx loader or tool to install the different
payload like RedDelta. Chinese State-Sponsored Group ‘RedDelta’ Targets the Vatican and Catholic Organizations
(recordedfuture.com)
In this case, there is not a side loading then many operations driven by APT chinese.
IOCs:
c2 185.82.218.40
RTF: 1120275dc25bc9a7b3e078138c7240fbf26c91890d829e51d9fa837fe90237ed
Dropped executable file
C:\Users\admin\AppData\Local\Temp\os03C2.tmp
2b038ad9bfb8c3f40e95e38b572bdf536d9fd2e7dd5cc0c66fbd0bdc1ed89fde
C:\MSBuild\WindowsUpdate\S-1–2\cssrs.exe
08be2c7239acb9557454088bba877a245c8ef9b0e9eb389c65a98e1c752c5709
https://sebdraven.medium.com/a-net-rat-target-mongolia-9c1439c39bc2
Page 9 of 10

c2: 185.82.218.40
Yara rule:
rule backdoor_net{
meta:
description= “Backdoor targets Mongolia”
author= “@sebdraven”
date = “2020–03–23”
tlp = “white”
strings:
$s1=”RunHide”
$s2=”Token”
$s3=”BasicKey”
$s4=”SessionKey”
$s5=”AdminKeyMD5"
$s6=”Aes256"
$s7=”Order_Catcher”
$s8=”Get_ComputerInfo”
$s9=”TransData”
condition:
all of them
}
Source: https://sebdraven.medium.com/a-net-rat-target-mongolia-9c1439c39bc2
https://sebdraven.medium.com/a-net-rat-target-mongolia-9c1439c39bc2
Page 10 of 10