# Trochilus and New MoonWind RATs Used In Attack Against Thai Organizations

Source: researchcenter.paloaltonetworks.com/2017/03/unit42-trochilus-rat-new-moonwind-rat-used-attack-thai-utility-organizations/

By [Jen Miller-Osborn](https://unit42.paloaltonetworks.com/author/jen-miller-osborn/) and [Josh Grunzweig](https://unit42.paloaltonetworks.com/author/joshgruznweig/), March 30, 2017 at 5:00 AM

[Category: Unit 42](https://unit42.paloaltonetworks.com/category/unit42/)

Tags: [MoonWind RAT](https://unit42.paloaltonetworks.com/tag/moonwind-rat/), [RAT](https://unit42.paloaltonetworks.com/tag/rat/), [Thailand](https://unit42.paloaltonetworks.com/tag/thailand/), [Trochilus RAT](https://unit42.paloaltonetworks.com/tag/trochilus-rat/), [Utilites](https://unit42.paloaltonetworks.com/tag/utilites/)

From September 2016 through late November 2016, a threat actor group used both the Trochilus RAT and a newly identified RAT we’ve named MoonWind to target organizations in Thailand, including a utility organization. We chose the name ‘MoonWind’ based on debugging strings we saw within the samples, as well as the compiler used to generate the samples. The attackers compromised two legitimate Thai websites to host the malware, which is a tactic this group has used in the past. Both the Trochilus and MoonWind RATs were hosted on the same compromised sites and used to target the same organization at the same time. The attackers used different command and control servers (C2s) for each malware family, a tactic we believe was meant to thwart attempts to tie the attacks together using infrastructure alone. The compromised websites are the site for a group of information technology companies in Thailand, and all the tools were stored in the same directory.
We were also able to find a post-compromise tool along with the two RATs, which afforded us insight into one of the tools the attackers used once they gained a foothold inside an organization. In addition to Trochilus and MoonWind we found Mimikatz, a popular credential harvesting tool. Further research led us to additional MoonWind samples using the same C2 (dns[.]webswindows[.]com) but hosted on a different compromised but legitimate website. The attacks in that case took place in late September to early October 2016 and the attackers stored the MoonWind samples as RAR files, while in the November attacks the RATs were stored as executables. We were not able to find additional tools, but the attackers again compromised a legitimate Thai website to host their malware, in this case the student portal for a Thai university.

## MoonWind Analysis

The MoonWind sample used for this analysis was compiled with a Chinese compiler known as BlackMoon, the same compiler used for the [BlackMoon banking Trojan](https://www.proofpoint.com/us/threat-insight/post/Updated-Blackmoon-Banking-Trojan). While a number of attributes match the BlackMoon banking Trojan, the malware is not the same. Both malware families were simply compiled using the same compiler, and it was the BlackMoon artifacts that resulted in the naming of the BlackMoon banking Trojan. But because this new sample is different from the BlackMoon banking Trojan, we have named it MoonWind, by combining the BlackMoon compiler artifacts with the embedded string below:

```
E:\StarWind\FW__Project_RTPD-PIBICs\Table.ini
```

When MoonWind first runs, it will copy itself to one of the following locations with a filename of ‘svcohos.exe’:

- C:\Documents and Settings\All Users\Ufyaginptxb\
- C:\Users\All Users\
- C:\PorgramData\
- C:\Program Files\Common Files\

It then executes a new instance of itself in a new process.
Also, it will remove the original file via the following command, which is executed in a batch script named ‘date.bat’:

```
cmd /c timeout /t 6 & del "C:\ProgramData\Ufyaginptxb\svcohost.exe" & del date.bat
```

During this routine, a randomly generated victim identifier will be created and written to a file named ‘micr.ini’. This file is located in the same path as the malware. The following contents represent an example of a victim ID contained in this file:

```
[mic]
Mic=2199LLLLLL
```

During the install routine, the malware will also set up a timer that will execute a file named ‘sevrsvos.exe’. This sample (815df680be80b26b5dff0bcaf73f7495b9cae5e3ad3acb7348be188af3e75201) acts as a runtime persistence mechanism. It installs itself as a service with the following properties:

- **Service Name:** Windows Ejlptxtxbfjn Rvzd
- **Display Name:** Windows Ejlptxtxbfjn Rvzd
- **Description:** Windows Ejlptxtxbfjn Rvzd Hlptxbfjnr
- **Startup Type:** Automatic

This service serves the single purpose of checking every 60 seconds whether the ‘svcohos.exe’ process is running. If not, the service will spawn a new instance of it. In doing so, this secondary malware sample acts as both a runtime persistence mechanism and a persistence mechanism across reboots.

After installation, a keylogging routine begins. The malware writes keystrokes and window information to a file in the present working directory with the following filename:

```
jop[year][month][day][hour][minute][seconds].zip
```

Additionally, it writes a ‘win.ini’ file that contains the file path above.

The malware proceeds to collect the following victim information:

- Hostname
- Username
- Windows version
- IP address
- Current time
- RAM amount
- Number of total drives
- Number of removable drives
- Unique victim identifier

After this information is aggregated, MoonWind enters its command and control loop, and begins reaching out to the servers and ports specified in its configuration embedded in the svcohos.exe file.
The following remote hosts were specified in this particular sample:

```
dns.webswindows[.]com|80
dns.webswindows[.]com|443
dns.webswindows[.]com|53
dns.webswindows[.]com|8080
```

While the ports in this sample’s configuration are normally associated with HTTP, HTTPS, or DNS, network communication takes place via raw sockets. The malware first receives data, which has the format shown in Figure 1:

_Figure 1 C2 to MoonWind communication_

Digging into the packet further, we can break out individual pieces, as seen in Figure 2:

_Figure 2 MoonWind network communication packet format_

The encrypted data portion is encrypted via RC4 with the following static key:

```
HHSADh!@#$YUAGEWYGhjfsjd5465fsaQWAFGDA/jfdafdjhhasgfh==
```

In the above example, the encrypted data decrypts to ‘\x20\x20\x20\x20\x20\x20’, or six spaces. This particular command requests that the malware send the previously collected victim information.

The data returned by MoonWind has the same format, but uses the following static key for encryption instead:

```
SSHqWSSAFdhjklfahj!@##4*&&!!HQ12785452!@!!$$$32#@$$11!!
```

An example of such data returned by the malware can be seen below in Figure 3.

_Figure 3 MoonWind to C2 communication_

When decrypted, we see the data shown in Figure 4. Note that the first six bytes contain the return command (‘WYR002’), followed by the payload. The payload contains the information previously discussed, delimited by ‘*/*’. Certain variables, such as ‘cdg’ and ‘ip’, are hardcoded. We also see what is most likely a malware versioning string at the end (V2.1). This string is also hardcoded in the sample.

_Figure 4 Decrypted data sent by MoonWind_

In total, MoonWind has 73 possible commands that it can accept. We have not yet fully researched all of the commands, but the majority of them have been identified, as shown in the Appendix.
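The following Python decoder is an added example written for this post; it is not code from the report or from the malware. It demonstrates the two-key RC4 scheme described above from an analyst's side: decrypt the encrypted portion of a captured message with both static keys, accept the key that yields a plausible six-byte command, and split the payload on the ‘*/*’ delimiter. The two RC4 keys are the ones quoted in the report; everything else is an assumption made for the example: that the payload directly follows the six-byte command with no further header (the outer framing in Figure 2 is not reproduced), that commands look like the ones in the Appendix (six spaces, `WYR` plus three characters, or six lowercase alphanumerics), and the constructed victim fields in `build_sample_exchange()`.

```python
"""Decoder for MoonWind's RC4-wrapped C2 messages (added example, not from the report)."""
import re
from typing import List, Optional, Tuple

# Static RC4 keys quoted in the report, one per traffic direction.
KEY_C2_TO_BOT = b"HHSADh!@#$YUAGEWYGhjfsjd5465fsaQWAFGDA/jfdafdjhhasgfh=="
KEY_BOT_TO_C2 = b"SSHqWSSAFdhjklfahj!@##4*&&!!HQ12785452!@!!$$$32#@$$11!!"

CMD_LEN = 6            # six-byte command, e.g. b"WYR002" or six spaces
FIELD_DELIM = b"*/*"   # delimiter between payload fields (from the report)

# Shape of the commands listed in the Appendix (assumption used as a heuristic):
# six spaces, "WYR" + three characters, or six lowercase letters/digits.
COMMAND_RE = re.compile(r"^(?: {6}|WYR[A-Z0-9]{3}|[a-z0-9]{6})$")


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA). The same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def parse_plaintext(plain: bytes) -> Tuple[str, List[str]]:
    """Split decrypted data into the 6-byte command and '*/*'-delimited fields.
    Assumption: the payload directly follows the command with no extra header."""
    cmd = plain[:CMD_LEN].decode("latin-1")
    payload = plain[CMD_LEN:]
    fields = [f.decode("latin-1") for f in payload.split(FIELD_DELIM)] if payload else []
    return cmd, fields


def decode_encrypted_portion(blob: bytes) -> Optional[Tuple[str, str, List[str]]]:
    """Try both direction keys on the encrypted portion of a MoonWind packet.
    Decrypting under the wrong key gives pseudo-random bytes, so the key whose
    output starts with a well-formed command identifies the direction.
    Returns (direction, command, fields), or None if neither key fits."""
    for direction, key in (("c2->bot", KEY_C2_TO_BOT), ("bot->c2", KEY_BOT_TO_C2)):
        cmd, fields = parse_plaintext(rc4(key, blob))
        if COMMAND_RE.match(cmd):
            return direction, cmd, fields
    return None


def build_sample_exchange() -> Tuple[bytes, bytes]:
    """Constructed traffic for demonstration only: the six-space information
    request from the C2, and a WYR002 reply carrying made-up victim fields.
    Field order and values are assumptions, except the 'V2.1' version string."""
    request = rc4(KEY_C2_TO_BOT, b"\x20" * 6)
    fields = [b"WORKSTATION-01", b"analyst", b"Windows 7", b"10.0.0.5",
              b"2016-11-15 09:30:12", b"4096", b"2", b"0", b"2199LLLLLL", b"V2.1"]
    reply = rc4(KEY_BOT_TO_C2, b"WYR002" + FIELD_DELIM.join(fields))
    return request, reply


if __name__ == "__main__":
    req, rep = build_sample_exchange()
    print(decode_encrypted_portion(req))
    print(decode_encrypted_portion(rep))
```

Because the keys are static and embedded in the sample, any capture of the raw-socket traffic on ports 80, 443, 53 or 8080 can be decoded offline this way; a wrong-key decryption producing a well-formed command is astronomically unlikely, which is what makes the direction guess reliable.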
## Conclusion

Trochilus was first reported by Arbor Networks in their [Seven Pointed Dagger report](https://www.arbornetworks.com/blog/asert/wp-content/uploads/2016/01/ASERT-Threat-Intelligence-Brief-2015-08-Uncovering-the-Seven-Point-Dagger.pdf), tying its use to other targeted Southeast Asia activity. The activity dates to at least 2013 and has ties to multiple reports by other researchers. It is highly likely MoonWind is yet another new tool being used by the group or groups responsible for that activity, indicating they are not only still active but continuing to evolve their playbook.

Palo Alto Networks customers are protected from this threat in the following ways:

- The malware discussed in this report is blocked by WildFire and Traps
- The domain names included in this report are blocked by Threat Prevention
- AutoFocus subscribers can investigate the activities further with the following tags: [Trochilus](https://autofocus.paloaltonetworks.com/#/tag/Unit42.Trochilus), [MoonWind](https://autofocus.paloaltonetworks.com/#/tag/Unit42.MoonWind)

## Appendix

**MoonWind Commands**

| Command | Description | Response Command | Notes |
|---|---|---|---|
| `\x20\x20\x20\x20\x20\x20` | Returns collected victim information. | WYR002 | |
| WYR002 | Null command. | None | |
| WYR003 | Spawns message box that allows victim to send a message. | WYR003 | |
| WYR005 | Modifies services. | WYR005 | Subcommands of either 'fuwu' (create service), 'exit' (stop service), 'stop' (pause service), 'reun' (continue service), or 'yrun' (start service) |
| WYR006 | Returns a list of running processes. | WYR006 | |
| WYR007 | Kills specified process. | None | |
| qdcmdl | Spawns an interactive shell. | cmdok1 | |
| WYR009 | Send command to interactive shell and receive results. | WYRCCC | |
| WYR010 | Terminates interactive shell. | None | |
| WYR011 | Get size of disks. | WYR011 | |
| WYR012 | Returns space of given directory. | WYR012 | |
| WYR013 | Return a directory listing of specified directory (C:\ default). | WYR013 | |
| WYR014 | Execute specified command. | None | |
| WYR015 | Open specified command with ShellExecuteA. | None | |
| WYR016 | Open specified command with ShellExecuteA (Hidden). | None | |
| WYR018 | Perform directory listing with file attributes. | WYR018 | |
| xiazai | Read contents of file specified. | wrdown | |
| cxqdcx | Restart MoonWind. | None | Uses %TEMP%/restart.bat to perform restart. |
| pingmu | Return screen resolution. | pmgksj | |
| qdkzpm | Unknown. | | |
| jixujj | Unknown. | | |
| sbkzxx | Performs various mouse actions. | None | Subcommands of either 'sj' (double left-click), 'yk' (move to position and right-up), 'zk' (move to position and right-down), 'zx' (move to position and left-up), or 'yd' (move to position and left-down) |
| xhpmkz | Unknown. | | |
| axjpsj | Submits keyboard inputs. | None | |
| ksjljp | Starts keylogging functionality. | None | |
| tzjljp | Stops keylogging functionality. | None | |
| hqjljp | Return keylogging data. | jpjlhq | |
| scjpjl | Deletes the keylogging file. | None | |
| xzcxzs | Uninstalls malware. | None | Uses ‘x.bat’ to accomplish uninstall. Written to present working directory (PWD) of malware. |
| httpxx | Unknown. | | |
| zaicif | Unknown. | | |
| xiaokl | Unknown. | | |
| juxuxi | Null command. | None | |
| shangc | Unknown. | | |
| ecscwj | Unknown. | | |
| scwjwb | Unknown. | | |
| scmlcj | Creates specified directory. | mlwzcj | |
| ycxiaz | Unknown. | | |
| zcycxz | Unknown. | | |
| ycxjml | Creates specified directory. | None | |
| xjwjcj | Writes specified file with provided contents. | None | Command format is ‘[filename]\|[data]’. |
| shanwj | Deletes specified file. | None | |
| shanml | Removes specified directory. | None | |
| gengmj | Moves specified file. | None | Command format is ‘[src]\|^\|[dst]’. |
| ycgwjj | Sets hidden attribute on specified file. | None | |
| copywj | Copies specified file. | copyok | Command format is ‘[src]^\|^[dst]’. |
| fzmlwj | Copies specified directory. | copyok | Command format is ‘[src]^\|^[dst]’. |
| sdxtcs | Unknown. | | |
| qypxxl | Get disk space of specified drive. | qdypxx | |
| scdqwj | Unknown. | | |
| wyycwj | Unknown. | | |
| xzwcsc | Unknown. | | |
| xzwcyx | Executes specified command within batch script. | None | Uses ‘boot.bat’ to accomplish uninstall. Written to PWD of malware. |
| dwjjxc | Unknown. | | |
| dwjcwj | Unknown. | | |
| dqscds | Returns filesize of specified file. | qcwjcd | |
| sjkqzd | Unknown. | | |
| sswjsj | Finds specified file and returns results including attributes. | wjsswb | |
| dwjsjx | Unknown. | | |
| xzbwza | Unknown. | | |
| hqurl1 | Returns C2 configuration of MoonWind. | qcsxdz | |
| ghsxip | Writes data to win.dll and loads it. | sdczip | |
| khljcg | Unknown. | | |
| dqyxml | Unknown. | | |
| gxycwj | Unknown. | | |
| gxwjbc | Unknown. | | |
| gxwjok | Unknown. | | |
| fxgxcs | Unknown. | | |
| gxwjsy | Open specified command with ShellExecuteA. | None | |
| gxyxcx | Unknown. | | |
| bddkzf | Unknown. | | |
| scwjdx | Unknown. | | |
| xzwjdx | | | |

## Indicators of Compromise

**MoonWind**

- fd4856f2ec676f273ff71e1b0a1729cf6251c82780fc9e7d628deca690b02928
- ce3da112e68e00621920911b1f9c72d7175894901173e703a44ac3700e4d427c
- e31679b82be58ace96b1d9fdfc2b62b6e91d371ed93957e0764cd7c464b04b9d
- f2589745671949422b19beec0856ca8b9608c02d5df4402f92c0dcc9d403010b

**MoonWind Persistence Mechanism**

- 815df680be80b26b5dff0bcaf73f7495b9cae5e3ad3acb7348be188af3e75201

**Trochilus**

- 59f8a31d66f053f1efcc8d7c7ebb209a8c12233423cc2dc3673373dde9b3a149

**Infrastructure**

- webswindows[.]com
- 192.225.226[.]195
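As an added example (not part of the report, and not a Palo Alto Networks tool), the script below turns the host-side indicators from the analysis and the IoC list into a simple triage pass: it checks a file inventory against the listed SHA-256 hashes and drop filenames, recognises the keylogger archive naming scheme, extracts the victim ID from a ‘micr.ini’, and flags the persistence service by name. The inventory and service list it runs on are constructed in `sample_inventory()`; the digit widths in the `jop[year][month][day][hour][minute][seconds].zip` pattern (4+2+2+2+2+2) are an assumption, as is treating file content as an in-memory mapping rather than walking a real disk.

```python
"""Host triage against the MoonWind indicators in the report (added example)."""
import configparser
import hashlib
import re
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# SHA-256 hashes from the report's Indicators of Compromise section.
MOONWIND_SHA256 = {
    "fd4856f2ec676f273ff71e1b0a1729cf6251c82780fc9e7d628deca690b02928",
    "ce3da112e68e00621920911b1f9c72d7175894901173e703a44ac3700e4d427c",
    "e31679b82be58ace96b1d9fdfc2b62b6e91d371ed93957e0764cd7c464b04b9d",
    "f2589745671949422b19beec0856ca8b9608c02d5df4402f92c0dcc9d403010b",
    "815df680be80b26b5dff0bcaf73f7495b9cae5e3ad3acb7348be188af3e75201",
}
# Filenames and service name quoted in the analysis section.
DROPPED_NAMES = {"svcohos.exe", "svcohost.exe", "sevrsvos.exe"}
SERVICE_NAME = "Windows Ejlptxtxbfjn Rvzd"
# jop[year][month][day][hour][minute][seconds].zip; the digit widths are an assumption.
KEYLOG_RE = re.compile(r"^jop(\d{4})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})\.zip$", re.IGNORECASE)


def keylog_timestamp(filename: str) -> Optional[datetime]:
    """Return the timestamp encoded in a keylog archive name, or None if it does not match."""
    m = KEYLOG_RE.match(filename)
    if not m:
        return None
    try:
        return datetime(*(int(g) for g in m.groups()))
    except ValueError:  # e.g. month 13: matches the regex but is not a real date
        return None


def victim_id_from_micr_ini(text: str) -> Optional[str]:
    """Parse the '[mic] / Mic=<id>' structure the malware writes to micr.ini."""
    cp = configparser.ConfigParser()
    try:
        cp.read_string(text)
    except configparser.Error:
        return None
    return cp.get("mic", "Mic", fallback=None)


def triage(files: Dict[str, bytes], services: List[str]) -> Dict[str, List[str]]:
    """files maps full path -> content; services is a list of installed service names.
    Returns the matching paths/names grouped by indicator type."""
    hits: Dict[str, List[str]] = {"hash": [], "name": [], "keylog": [], "victim_id": [], "service": []}
    for path, content in files.items():
        base = path.replace("\\", "/").rsplit("/", 1)[-1]
        if hashlib.sha256(content).hexdigest() in MOONWIND_SHA256:
            hits["hash"].append(path)
        if base.lower() in DROPPED_NAMES:
            hits["name"].append(path)
        ts = keylog_timestamp(base)
        if ts is not None:
            hits["keylog"].append(f"{path} ({ts.isoformat()})")
        if base.lower() == "micr.ini":
            vid = victim_id_from_micr_ini(content.decode("latin-1", "replace"))
            if vid:
                hits["victim_id"].append(f"{path}: {vid}")
    hits["service"] = [svc for svc in services if svc == SERVICE_NAME]
    return hits


def sample_inventory() -> Tuple[Dict[str, bytes], List[str]]:
    """Constructed host inventory for the demonstration (not real sample data)."""
    drop_dir = "C:\\ProgramData\\Ufyaginptxb\\"
    files = {
        drop_dir + "svcohos.exe": b"MZ-constructed-placeholder-not-the-real-sample",
        drop_dir + "micr.ini": b"[mic]\r\nMic=2199LLLLLL\r\n",
        drop_dir + "jop20161115093012.zip": b"PK-constructed-placeholder",
        drop_dir + "jop20161399000000.zip": b"PK-impossible-date",
        "C:\\Windows\\System32\\notepad.exe": b"benign-placeholder",
    }
    services = ["Spooler", SERVICE_NAME, "wuauserv"]
    return files, services


if __name__ == "__main__":
    inventory, svcs = sample_inventory()
    for kind, matches in triage(inventory, svcs).items():
        print(f"{kind}: {matches}")
```

The hash check only fires on the real samples, so on the constructed inventory it stays empty while the name, keylog, victim ID and service checks all match; the second archive name is included to show that a date that parses as the pattern but is not a real calendar date is rejected rather than reported.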