{
	"id": "d53d24d4-3bab-4459-af11-c5bf269517da",
	"created_at": "2026-04-06T01:32:11.104851Z",
	"updated_at": "2026-04-10T03:36:06.509106Z",
	"deleted_at": null,
	"sha1_hash": "effd08ed0c1d5347e4e4de360d18df0e8568413c",
	"title": "Shadows in the Rain",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2483660,
	"plain_text": "Shadows in the Rain\r\nBy asuna amawaka\r\nPublished: 2020-03-16 · Archived: 2026-04-06 01:13:34 UTC\r\nWhen I read Trend Micro’s report on Operation DRBControl[1] in February, one detail stood out and piqued my curiosity — there were 3 mutexes connecting a Trochilus RAT sample in the incident and a BBSRAT sample that uses a C2 domain linked to the Winnti Group. This came as a surprise to me, because I thought BBSRAT was a unique malware family, a “new tool” back in 2015 that was attributed by Palo Alto Networks to the attacker group Roaming Tiger[2]. There seems to have been no news on BBSRAT in all these years, and now that it is mentioned again, it is linked to the Winnti Group? Interesting.\r\nIs that really a BBSRAT? Only one way to find out — analyse it!\r\nFinding the samples to work on\r\nMutexes:\r\ncc5d64b344700e403e2sse\r\ncc5d6b4700e403e2sse\r\ncc5d6b4700032eSS\r\nC2:\r\nbot[.]googlerenewals[.]net\r\nLooking up the C2 domain on VirusTotal quickly surfaced 3 samples that exhibited callbacks to this C2, and these samples are just the ones we are looking for: they contain the said mutexes! These samples make a copy of themselves as diskshadow.exe on disk (a name that is close to “diskwinshadow.exe”, the BBSRAT mentioned in Trend Micro’s report).\r\nThese are self-extracting files that contain other executables within:\r\nhttps://medium.com/insomniacs/shadows-in-the-rain-a16efaf21aae\r\nPage 1 of 10\n\nLet’s jump straight into finding out what these “rain.sdb” files are, since they are the meat of the malware.\r\nFirst, they are encoded with a simple inversion, then XOR 0x5. Reversing this encoding gets us an almost-perfect PE file; just alter the first two bytes to the correct magic header. 
This simple trick of obfuscating the magic header could have been intended to fool signature-matching defenses.\r\nAfter decoding, we get three unique rain.sdb files. Notice how the two 64-bit files have the same XOR key in their Rich header despite having different hashes. Assuming that the Rich header has not been tampered with, this means that they share the same source code and compilation environment. This is not surprising, considering the close compilation timestamps they have.\r\nFor the rest of this post, I’ll focus on findings from the file with MD5 368B555321F56699D2431A3908D52487.\r\nTo start off, let’s take a look at some of the interesting things this sample does.\r\nHide, hide, hide!\r\nSince the malware comes in a typical trio (legitimate executable, rogue DLL loaded via load-order hijacking, and malicious payload), I expect to see some kind of injection happen. True enough, callback activities are conducted under the cover of msiexec.exe. There are also other choices of processes for injection, perhaps used in other variants of this sample. 
Notice this is where the mutex is created.\r\nContents from either the file rain.sdb or the registry key “HKCU\\M\\M” are also injected into a newly created cmd.exe.\r\nPersistence is achieved through services; a different mutex is created to “mark” that the service has already been created.\r\nThe malware also comes with a feature that replaces “InternalGetTcpTable2” in IPHLPAPI.DLL, in an attempt to hide the C2 connection when a netstat is done.\r\nLeave that door open!\r\nThis sample abused Windows’ Bitsadmin utility to execute any PowerShell script of the attacker’s choice — all the attacker needs to do is write the PowerShell commands into the registry key HKCU:/M/S, and the BITS job will execute the command as part of the “notification process” after the job is completed (in this case, the job is the copying of mshta.exe). This job will be executed periodically, and it can stay in the system for 90 days[3] even after the malware has been cleaned up.\r\nThis is not a groundbreaking trick, though it is not commonly seen. According to MITRE ATT\u0026CK’s database, this persistence technique (T1197[4]) has been observed in malware such as UBOATRAT.\r\nBB phones home\r\nThe sample accepts the following commands:\r\nThe sample sends data to the C2 in the following structure:\r\nThe algorithm used for compression is standard ZLIB v1.1.4.\r\nYes! 
That’s a BBSRAT!\r\nLooking at the C2 commands supported, as well as the structure of the data communicated to and from the C2, they bear strong similarities with the set of BBSRAT samples analyzed by Palo Alto Networks in 2015.\r\nFurthermore, there are direct code overlaps/resemblances with one of the BBSRAT samples (MD5 8CD233D3F226CB1BF6BF15ACA52E0E36). Some of them are as follows:\r\nLeft: rain.sdb; Right: BBSRAT (Code logic that performs regular beaconing)\r\nLeft: rain.sdb; Right: BBSRAT (Code that receives and decompresses data from C2)\r\nLeft: rain.sdb; Right: BBSRAT (Switch code that acts upon different C2 commands)\r\nOne obvious difference lies in the communications with the C2: the 2015 BBSRATs’ beacons are HTTP requests (POST with data) that gave the family its name (the beacons go to a URL with the pattern /bbs/#/forum.php?sid=#); the rain.sdb sample analyzed does not do the HTTP requests, but instead sends the compressed data directly to the C2 (on port 53). It may well be that the change in port and the omission of the communication “wrapper” are intentional, to fool network signatures that look out for the suspicious URL. It is unknown, however, whether the backend BBSRAT supported port 53 all along, or whether it had been upgraded after 3 years.\r\nGh0stly shadows\r\nWhile doing the analysis of the samples, I noticed some code overlap with another well-known RAT: Gh0stRAT. Gh0stRAT is also listed as one of the tools used by the Winnti Group, though it is also known to be used by many other actors since its source code is readily available online. 
The overlaps are observed in the following file:\r\nF0AB7E27B8DE336B14C8756E6CD41CEA rain.sdb\r\nThere are two modules within the sample that contain code highly similar to Gh0stRAT: one is screencapture (mapped to functions within “ScreenSpy” and “ScreenManager” in Gh0stRAT) and the other is shell (mapped to functions within “ShellManager”).\r\nTwo modules within rain.sdb that use Gh0stRAT code\r\nLeft: rain.sdb; Right: Gh0stRAT 3.6 Source Code Screenspy.cpp\r\nLeft: rain.sdb; Right: Gh0stRAT 3.6 Source Code Screenspy.cpp\r\nLeft: rain.sdb; Right: Gh0stRAT 3.6 Source Code ShellManager.cpp\r\nThere is also a constructor that seems to come from Gh0stRAT’s source code:\r\nLeft: rain.sdb; Right: Gh0stRAT 3.6 Source Code CursorInfo.h\r\nLast Words\r\nJudging by the C2 callback and commands, the rain.sdb payloads are definitely a variant of BBSRAT. Perhaps the name BBSRAT is now not as descriptive as it was in 2015, since the callbacks are no longer HTTP requests to URLs resembling bbs forums.\r\nI was not able to find samples from the Winnti Group that contain the mutexes mentioned by Trend Micro; if anyone has any such samples, please feel free to contact me ;) I’ll be happy to do a matching to see if the binaries share any code!\r\nReferences:\r\n[1] “Operation DRBControl: Uncovering a Cyberespionage Campaign Targeting Gambling Companies in Southeast Asia”, Trend Micro, 18 Feb 2020\r\n[2] “BBSRAT Attacks Targeting Russian 
Organizations Linked to Roaming Tiger”, Palo Alto Networks, 22 Dec 2015\r\n[3] “Best Practices When Using BITS”, docs.microsoft.com/en-us/windows/win32/bits/best-practices-when-using-bits\r\n[4] “T1197 BITS Jobs”, attack.mitre.org/techniques/T1197\r\n~~\r\nDrop me a DM if you would like to share findings or samples ;)\r\nSource: https://medium.com/insomniacs/shadows-in-the-rain-a16efaf21aae",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://medium.com/insomniacs/shadows-in-the-rain-a16efaf21aae"
	],
	"report_names": [
		"shadows-in-the-rain-a16efaf21aae"
	],
	"threat_actors": [
		{
			"id": "5bbced13-72f7-40dc-8c41-dcce75bf885e",
			"created_at": "2022-10-25T15:50:23.695735Z",
			"updated_at": "2026-04-10T02:00:05.335976Z",
			"deleted_at": null,
			"main_name": "Winnti Group",
			"aliases": [
				"Winnti Group"
			],
			"source_name": "MITRE:Winnti Group",
			"tools": [
				"PipeMon",
				"Winnti for Windows",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "866c0c21-8de3-4ad5-9887-cecd44feb788",
			"created_at": "2022-10-25T16:07:24.130298Z",
			"updated_at": "2026-04-10T02:00:04.875929Z",
			"deleted_at": null,
			"main_name": "Roaming Tiger",
			"aliases": [
				"Bronze Woodland",
				"CTG-7273",
				"Rotten Tomato"
			],
			"source_name": "ETDA:Roaming Tiger",
			"tools": [
				"Agent.dhwf",
				"AngryRebel",
				"BBSRAT",
				"Destroy RAT",
				"DestroyRAT",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"Kaba",
				"Korplug",
				"Moudour",
				"Mydoor",
				"PCRat",
				"PlugX",
				"RedDelta",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Xamtrav"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e254cf33-e7f5-407b-a8a1-1a856a9f1c71",
			"created_at": "2025-01-21T02:00:03.599871Z",
			"updated_at": "2026-04-10T02:00:03.804511Z",
			"deleted_at": null,
			"main_name": "Operation DRBControl",
			"aliases": [],
			"source_name": "MISPGALAXY:Operation DRBControl",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "945a572f-ebe3-4e2f-a288-512fe751cfa8",
			"created_at": "2022-10-25T16:07:24.413971Z",
			"updated_at": "2026-04-10T02:00:04.97924Z",
			"deleted_at": null,
			"main_name": "Winnti Group",
			"aliases": [
				"G0044",
				"Leopard Typhoon",
				"Wicked Panda",
				"Winnti Group"
			],
			"source_name": "ETDA:Winnti Group",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"FunnySwitch",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6d2910b0-9fea-46a2-84e6-a043b1e023e4",
			"created_at": "2022-10-25T16:07:23.946958Z",
			"updated_at": "2026-04-10T02:00:04.80291Z",
			"deleted_at": null,
			"main_name": "Operation DRBControl",
			"aliases": [],
			"source_name": "ETDA:Operation DRBControl",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "5afe7b81-e99a-4c24-8fcc-250fb0cf40a3",
			"created_at": "2023-01-06T13:46:38.324616Z",
			"updated_at": "2026-04-10T02:00:02.928697Z",
			"deleted_at": null,
			"main_name": "Roaming Tiger",
			"aliases": [
				"BRONZE WOODLAND",
				"Rotten Tomato"
			],
			"source_name": "MISPGALAXY:Roaming Tiger",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ee9a20b1-c6d6-42da-909d-66e7699723d1",
			"created_at": "2025-08-07T02:03:24.704306Z",
			"updated_at": "2026-04-10T02:00:03.722506Z",
			"deleted_at": null,
			"main_name": "BRONZE WOODLAND",
			"aliases": [
				"CTG-7273 ",
				"Roaming Tiger ",
				"Rotten Tomato "
			],
			"source_name": "Secureworks:BRONZE WOODLAND",
			"tools": [
				"Appat",
				"BbsRAT",
				"PlugX",
				"Zbot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "5c13338b-eaed-429a-9437-f5015aa98276",
			"created_at": "2022-10-25T16:07:23.582715Z",
			"updated_at": "2026-04-10T02:00:04.675765Z",
			"deleted_at": null,
			"main_name": "Emissary Panda",
			"aliases": [
				"APT 27",
				"ATK 15",
				"Bronze Union",
				"Budworm",
				"Circle Typhoon",
				"Earth Smilodon",
				"Emissary Panda",
				"G0027",
				"Group 35",
				"Iron Taurus",
				"Iron Tiger",
				"Linen Typhoon",
				"LuckyMouse",
				"Operation DRBControl",
				"Operation Iron Tiger",
				"Operation PZChao",
				"Operation SpoiledLegacy",
				"Operation StealthyTrident",
				"Red Phoenix",
				"TEMP.Hippo",
				"TG-3390",
				"ZipToken"
			],
			"source_name": "ETDA:Emissary Panda",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"Agent.dhwf",
				"AngryRebel",
				"Antak",
				"CHINACHOPPER",
				"China Chopper",
				"Destroy RAT",
				"DestroyRAT",
				"FOCUSFJORD",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"HTTPBrowser",
				"HTran",
				"HUC Packet Transmit Tool",
				"HighShell",
				"HttpBrowser RAT",
				"HttpDump",
				"HyperBro",
				"HyperSSL",
				"HyperShell",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mimikatz",
				"Moudour",
				"Mydoor",
				"Nishang",
				"OwaAuth",
				"PCRat",
				"PlugX",
				"ProcDump",
				"PsExec",
				"RedDelta",
				"SEASHARPEE",
				"Sensocode",
				"SinoChopper",
				"Sogu",
				"SysUpdate",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Token Control",
				"TokenControl",
				"TwoFace",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Xamtrav",
				"ZXShell",
				"gsecdump",
				"luckyowa"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775439131,
	"ts_updated_at": 1775792166,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/effd08ed0c1d5347e4e4de360d18df0e8568413c.pdf",
		"text": "https://archive.orkl.eu/effd08ed0c1d5347e4e4de360d18df0e8568413c.txt",
		"img": "https://archive.orkl.eu/effd08ed0c1d5347e4e4de360d18df0e8568413c.jpg"
	}
}