1/13 Pavankumar Chaudhari December 18, 2020 RAT used by Chinese cyberspies infiltrating Indian businesses seqrite.com/blog/rat-used-by-chinese-cyberspies-infiltrating-indian-businesses/ 18 December 2020 Written by Pavankumar Chaudhari APT, Cybersecurity Estimated reading time: 5 minutes A few months back, Delphibased malware was being distributed on multiple systems via SMB exploit. The payloads used by this malware have close similarities with open-source Gh0stRAT code. Gh0st has been used by Chinese threat actors to target multiple agencies in Asia — Gh0st is a Remote Access Trojan having multiple capabilities like keylogging, microphone surveillance, download and execution of payloads from remote servers, restarting computers, taking the remote shell of systems, et al. We have observed this malware targeting important institutions in India such as – Banks Railways Milk Distributors Hospitals and Pharmaceuticals Agro Industries https://www.seqrite.com/blog/rat-used-by-chinese-cyberspies-infiltrating-indian-businesses/ https://www.seqrite.com/blog/author/pavankumar/ https://www.seqrite.com/blog/category/cybersecurity/apt/ https://www.seqrite.com/blog/category/cybersecurity/ 2/13 Food Production Industries After analysis, it was found that this malware is creating two different payloads app.exe and mfc.exe. After execution, both executables extract dlls in ststem32 folder of Windows directory and register them as service for persistence. Major code of all exacted payloads shares similarities with the open-source code of Ghost RAT. Technical Analysis Payload 1 – app.exe This executable had an embedded DLL file stored in reverse order as shown in the below figure. Figure 1: Embedded DLL in app.exe This embedded binary is decrypted and written to %SYSTEMROOT%\System32\ folder. The below code shows the decryption code — DLL name is generated from the return value of GetTickCount() API. 3/13 Figure 2: Decryption loop. App.exe then registers this DLL as service by calling Install exported function. Below are details of service: ServiceName: csrss DisplayName: Security Manager Accounts DesiredAccess: SERVICE_ALL_ACCESS ServiceType: SERVICE_WIN32_OWN_PROCESS|SERVICE_INTERACTIVE_PROCESS StartType: SERVICE_AUTO_START ErrorControl: SERVICE_ERROR_IGNORE BinaryPathName: %SystemRoot%\System32\svchost.exe -k “csrss” The exported function of DLL are as below: DllUpdate Install MainThread ServiceMain Uninstall C2 Functions There are multiple C2 commands observed in the code of Gh0stRat. Some C2 functions observed by static analysis of DLL are as below: Shutdown System Open URL Download and Execute File 4/13 Find Process Clean Event Logs Shutdown System This function takes shutdown debug privileges and calls the ExitWindowsEx() function to shut down systems. Figure 3: Shutdown System Download and Execute File This function will download a specific file from the server and execute it. 5/13 Figure 4: Download and execute file Find Process This function searches for a specific process by calling process enumeration APIs. Figure 5: Find process in an existing running process Open URL This function creates an iexplore.exe process with a specified URL. 6/13 Figure 6: Open URL Clean Event Logs This function clears all event logs of Application, Security, and System Figure 7: Clear event logs Payload 2 – mfc.exe The second executable dropped by the main payload is mfc.exe having embedded executable in resource under the name “BIN”. 7/13 Figure 8: Embedded DLL in the resource. When this payload is run it drops dll (random name) from the above resource into the system32 folder and installed as a service with the name “NetworkServices” on an infected system. After creating DLL into the system32 folder, mfc.exe calls the Install() function of dll. This DLL has four exported functions as below: Install Launch ServiceMain UnInstall Below are C2 Commands observed in this sample: Install Keyboard Hook Process Enumeration Remote Shell Audio Capture Download and Execute File Install Keyboard Hook Below figure, XX shows that a thread is created to install a keyboard hook. All keylogging data is written to a file named “syslog.dat”. Figure XX shows a similar keylogger code of Gh0st RAT. 8/13 Figure 9: Install keyboard hook Figure 10: Keylogger function from open-source Gh0st RAT code. Process Enumeration Process enumeration involves getting the list of running processes to enumerate modules. 9/13 Figure 11: Process listing function Remote Shell This function will create a remote shell to accept and execute any command. Figure 12: Function to get a remote shell Audio Capture 10/13 This function records audio with the help of functions like waveInOpen(), waveInStart(), waveInStop() etc. Figure 13: Function for audio recording Download and Execute File Function to download the executable file from a remote server and execute it. Figure 14: Download and execute the payload 11/13 IOCs FF6511DE176A434FA2F7C939795A13CC A6CC92A1993F040E87090F8B89836332 550C055339A9FEC141997CDA3F32FD0A A2B75BD7254997BEC6A19D752E26FA50 4B8C6D70A186FEC7C79D5B52B2FF0E76 E22E5A85ED5294B179EBD416EEB5BEBB 5CE36CBD7D4A58A1B1A8C5B7BE194F23 E94F9AF9EA11301831AAA1BDE34D3DEB 23D4EC869960CE02865C98F64581136A 367150E5DA2ED1BFAAE9210105BCEEA1 BFB095C595FAA47CBFD4AB6199A7E297 CA07E26D95D927953197840EA93EDD03 6B8A19DF9827CFB95F6461FEF9929F83 7DC43FCA774E612BF611ACD882400308 1127149CB5378FCA7181F81EB8149FC9 F1E921F5730919E946D9A64019867E13 B80A559CD7D48C9D3115A013EA662263 9403464BB99D87A02667E3E5DBA4A57C Alerts Conclusion These samples are modified variants of Gh0st RAT and actors are constantly updating them to evade AV detections. Samples and TTPs that are seen in victim organizations are mostly associated with China-based APT groups. We have been following these samples for the 12/13 last 1 month but were unable to identify the initial attack vector. As they are targeted towards specific industries, we suspect to find more malware associated with these attack chains. Interestingly few of the victims were also infected with Monero miners during the same period. We would be closely monitoring the campaign to hunt for the entire infection chain. Subject matter experts Pavankumar Chaudhari Kalpesh Mantri Pavankumar is associated with Quick Heal Technologies as a Technical Lead (Research and Development) and is also a part of Vulnerability Research and Analysis Team.... Articles by Pavankumar Chaudhari » Related Posts Explained: What is Web3.0 and Why Does it Matter? April 8, 2022 https://www.seqrite.com/blog/author/pavankumar/ https://www.seqrite.com/blog/author/pavankumar/ https://www.seqrite.com/blog/explained-what-is-web3-0-and-why-does-it-matter/ https://www.seqrite.com/blog/explained-what-is-web3-0-and-why-does-it-matter/ 13/13 Metaverse and the Cybersecurity: Evolving Security into the Latest Digital Universe March 29, 2022 Advisory on Russia-Ukraine Conflict-Related Cyberattacks March 15, 2022 No Comments Leave a Reply.Your email address will not be published. Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing this website, you agree to our cookie policy. https://www.seqrite.com/blog/metaverse-and-the-cybersecurity-evolving-security-into-the-latest-digital-universe/ https://www.seqrite.com/blog/metaverse-and-the-cybersecurity-evolving-security-into-the-latest-digital-universe/ https://www.seqrite.com/blog/advisory-on-russia-ukraine-conflict-related-cyberattacks/ https://www.seqrite.com/blog/advisory-on-russia-ukraine-conflict-related-cyberattacks/ https://www.seqrite.com/blog/cookie-policy/