Emotet Update: New C2 Communication Followed by New Infection Chain

CISO Summary

On March 15, Cofense™ Research reported that the Emotet botnet is changing the way it communicates, in a likely attempt to evade malware detection. Since then, Cofense Intelligence™ has seen the same trend: Geodo-Emotet isn’t relying on cookies to make certain requests, instead performing HTTP POSTs to what seems to be the C2. Baking requests into cookies is a time-honored and easily detected pattern of behavior. Switching this up makes it harder to see when the malware is calling home.

Moreover, Geodo-Emotet is now using a new infection chain, utilizing JavaScript files as droppers instead of macro-packed Office documents. These changes in behavior and delivery methods are the threat actors’ latest attempts to keep ahead of network defenders. They will very likely require security teams to adjust—once more.

Full Details

Cofense Intelligence has observed a change in the way that the Emotet botnet communicates, along with the use of a new infection chain. In past versions, a compromised client would typically perform a GET request with data contained in the cookie value. As of approximately 11pm UTC on March 14th, this changed. The clients have begun to perform HTTP POSTs to what appear to be their C2s. The primary driver behind this transition appears to be an attempt to bypass established detection methods, though this is an educated guess. In tandem with this update, Geodo has begun experimenting with delivering its binaries via JavaScript files acting as droppers, rather than via the macro-laden Office documents that have been most common.

Historically, Geodo has passed data to its C2 using the Cookie field of the HTTP header. Information about the system, as well as identifiers, would be encrypted, wrapped in Base64 and added to the HTTP header before transport. This was a consistent and easily identifiable pattern of behavior, which led to near universal enterprise detection. Figure 1 shows an example of this exfiltration method.

Figure 1: An example of classic Geodo C2 comms using the Cookie field. Source: app.any.run

Although Cookie is a valid and oft-used header field, there are several other tells, such as direct communication with an IP address for which no DNS resolution was performed. Combined with the cookie pattern, this is an easy way to identify a Geodo infection calling home.

The latest iteration of Geodo, however, has transitioned away from this legacy method to submitting data to its C2 via HTTP POST as a form. Figure 2 shows an example of this updated communication method.

Figure 2: The new method of C2 comms
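The two beacon shapes described above (a GET to a bare IP address with an encrypted, Base64-wrapped Cookie value, versus a form-encoded POST to a bare IP address with a word-built path) can be checked mechanically. The following is an added example written for this page, not code from Cofense or from the Emotet analysis; the Base64 length threshold, the one-to-six-word path pattern and the sample requests (RFC 5737 documentation addresses, an invented cookie blob) are constructed assumptions, not values taken from captured traffic.

```python
import base64
import ipaddress
import re
from dataclasses import dataclass

# Legacy beacon: the Cookie value was an encrypted blob wrapped in Base64, so it is long
# and drawn only from the Base64 alphabet (the 40-character threshold is an assumption).
BASE64_BLOB_RE = re.compile(r"^[A-Za-z0-9+/]{40,}={0,2}$")
# New beacon: form POSTs to a path made of one to six short word-like segments.
WORD_PATH_RE = re.compile(r"^/(?:[a-z]{2,12}/){1,6}$")


@dataclass
class HttpRequest:
    method: str
    path: str
    headers: dict
    body: str = ""


def parse_request(raw: str) -> HttpRequest:
    """Parse a minimal raw HTTP/1.x request: request line, headers, blank line, body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpRequest(method, path, headers, body)


def is_bare_ip(host_header: str) -> bool:
    """True when the Host header is a literal IPv4 address, with or without a :port."""
    host = host_header.rsplit(":", 1)[0]
    try:
        return ipaddress.ip_address(host).version == 4
    except ValueError:
        return False


def looks_like_base64_blob(value: str) -> bool:
    """Shape check plus a strict decode, so an ordinary 'session=abc123' does not trip it."""
    if not BASE64_BLOB_RE.match(value):
        return False
    try:
        base64.b64decode(value, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return True


def classify(req: HttpRequest) -> list:
    """Return the Geodo-style tells seen in one request; an empty list means nothing matched."""
    if not is_bare_ip(req.headers.get("host", "")):
        return []  # both beacon styles talk straight to an IP address, no DNS lookup first
    tells = ["bare-ip-host"]
    if req.method == "GET":
        name, _, value = req.headers.get("cookie", "").partition("=")
        if name and looks_like_base64_blob(value):
            tells.append("legacy-cookie-beacon")
    elif req.method == "POST":
        ctype = req.headers.get("content-type", "")
        if ctype.startswith("application/x-www-form-urlencoded") and WORD_PATH_RE.match(req.path):
            tells.append("form-post-beacon")
    return tells


# Constructed sample traffic: documentation addresses and an invented cookie blob, shaped
# like the two beacon styles described above. Not captured from a real infection.
SAMPLE_BLOB = base64.b64encode(b"constructed-sample-bytes-" * 2).decode()
SAMPLES = {
    "legacy": (
        "GET /whoami/ HTTP/1.1\r\n"
        "Host: 203.0.113.10\r\n"
        f"Cookie: 3E9C={SAMPLE_BLOB}\r\n\r\n"
    ),
    "new": (
        "POST /attrib/usbccid/ HTTP/1.1\r\n"
        "Host: 203.0.113.10:8443\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
        f"name=sample&data={SAMPLE_BLOB}"
    ),
    "benign": (
        "GET /index.html HTTP/1.1\r\n"
        "Host: www.example.com\r\n"
        "Cookie: session=abc123\r\n\r\n"
    ),
}


def scan(samples=SAMPLES) -> dict:
    """Classify each sample; returns {label: [tells]}."""
    return {label: classify(parse_request(raw)) for label, raw in samples.items()}


if __name__ == "__main__":
    for label, tells in scan().items():
        print(f"{label:7s} -> {tells or ['clean']}")
```

Both rules deliberately require the bare-IP destination first: the cookie and form-POST shapes on their own occur in plenty of legitimate traffic, and it is the combination with a direct-to-IP connection that the analysis above singles out as the tell.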

Experimenting with JavaScript

Geodo operates various tiers of payload distribution by using payload-agnostic droppers and relying on the Windows file-type handlers to correctly execute what is downloaded. This means that payloads can be hot-swapped at any point during a campaign. This behavior was observed late in 2018 when a payload location, for a short period of time, swapped a Geodo executable for that of QakBot. By making the payload system agnostic, the actors behind Geodo can experiment with varying payloads without affecting the overall integrity of the infection chain. Despite the sophistication and robustness of the Geodo delivery infrastructure, the JavaScript payload observed by Cofense Intelligence was minimally obfuscated and immediately legible to an experienced eye. If one traces the execution, though, things begin to become a little bit murky. Figure 3 shows a snippet of the obfuscated dropper, verbatim.

Figure 3: The obfuscated payload showcasing cleartext strings

After deobfuscation, the flow of the code is somewhat easier to interpret. The code is broken out into 5 distinct functions, with two anonymous functions—one at the head and one at the tail—responsible for execution. Figure 4 shows the first two functions and an array.

Figure 4: Two functions responsible for shuffling an array and retrieving an element by index, respectively.

The shuffling function is likely there to slow down manual analysis of the file. It could also be used to defeat unsophisticated emulation techniques. The second function simply returns an item from an array by its index.

The next two functions, seen in figures 5 and 6, are responsible for downloading and response code verification, and looping through available URLs, respectively.

Figure 5: The code responsible for downloading payloads and verifying the response code

Figure 6: Looping through five URLs, and attempting to execute the retrieved payload

Although the dataset is far too small to establish a correlation, the use of five payload locations is in line with the standard Geodo modus operandi. During analysis, however, it was noticed that one of the payloads was not like the others. Figure 7 shows the rather interesting content returned during analysis of the payload locations.

Figure 7: A blog page returned in lieu of a binary payload.

Figure 8 shows the code responsible for finding the path of, and writing files to, the %temp% directory.

Figure 8: The dropper generates a pseudo-random filename under which to write the file

Figure 9 is the code responsible for kicking off the main functions of the script.

Figure 9: The code responsible for starting the download and execute operations. Comments added for clarity
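The traits walked through in Figures 3 to 9 (a list of five payload URLs, an HTTP download with a response-code check, a write into %TEMP% under a pseudo-random name, and a launch) are exactly what a static triage pass over an incoming .js attachment can look for. The script below is an added example written for this page, not the dropper's code and not a Cofense tool: the grouping of Windows Script Host COM objects into download, write and run roles is an assumption (the figures that show the real dropper are not reproduced here), and the sample script is a constructed, non-functional skeleton using the reserved .invalid domain.

```python
import re
from dataclasses import dataclass

URL_LITERAL_RE = re.compile(r"""["'](https?://[^"'\s]+)["']""")
ACTIVEX_RE = re.compile(r"""new\s+ActiveXObject\s*\(\s*["']([^"']+)["']\s*\)""", re.IGNORECASE)

# Generic Windows Script Host COM objects used by download-and-run scripts. The analysis above
# does not reproduce the dropper's code, so this grouping is an assumption, not a Geodo signature.
DOWNLOAD_PROGIDS = {"msxml2.xmlhttp", "msxml2.serverxmlhttp", "microsoft.xmlhttp",
                    "winhttp.winhttprequest.5.1"}
WRITE_PROGIDS = {"adodb.stream", "scripting.filesystemobject"}
RUN_PROGIDS = {"wscript.shell", "shell.application"}


@dataclass
class TriageReport:
    urls: list
    progids: list
    indicators: list
    verdict: str


def triage_script(source: str) -> TriageReport:
    """Static triage of a .js file against the dropper traits described above."""
    urls = URL_LITERAL_RE.findall(source)
    progids = {p.lower() for p in ACTIVEX_RE.findall(source)}
    indicators = []
    if len(urls) >= 5:
        indicators.append("five-or-more-payload-urls")  # Geodo's usual payload-location count
    elif len(urls) >= 2:
        indicators.append("multiple-payload-urls")
    if progids & DOWNLOAD_PROGIDS:
        indicators.append("http-download-object")
    if progids & WRITE_PROGIDS:
        indicators.append("file-write-object")
    if progids & RUN_PROGIDS:
        indicators.append("process-launch-object")
    if re.search(r"\.status\s*={2,3}\s*200\b", source):
        indicators.append("response-code-check")
    if re.search(r"%TEMP%", source, re.IGNORECASE):
        indicators.append("temp-directory-reference")
    if "Math.random" in source:
        indicators.append("random-filename-generation")

    can_fetch = "http-download-object" in indicators
    can_drop = {"file-write-object", "process-launch-object"} & set(indicators)
    if can_fetch and can_drop and len(urls) >= 2:
        verdict = "likely-dropper"
    elif indicators:
        verdict = "review"
    else:
        verdict = "benign"
    return TriageReport(urls, sorted(progids), indicators, verdict)


# Constructed skeleton with the same shape as the dropper described above: five payload
# locations, a status check, a %TEMP% path and a random name. Bodies are deliberately
# elided and the hosts use the reserved .invalid TLD; it does nothing if run.
SAMPLE_JS = r'''
var sites = ["http://one.example.invalid/", "http://two.example.invalid/",
             "http://three.example.invalid/", "http://four.example.invalid/",
             "http://five.example.invalid/"];
function pick(a, i) { return a[i]; }
function grab(u) {
    var r = new ActiveXObject("MSXML2.XMLHTTP");
    /* request elided */
    if (r.status == 200) { return r.responseBody; }
}
function stash(b) {
    var sh = new ActiveXObject("WScript.Shell");
    var dir = sh.ExpandEnvironmentStrings("%TEMP%");
    var name = Math.random().toString(36).substring(2);
    var st = new ActiveXObject("ADODB.Stream");
    /* write and run elided */
}
'''

if __name__ == "__main__":
    report = triage_script(SAMPLE_JS)
    print(report.verdict, report.indicators)
```

The shuffle-by-index trick from Figure 4 is left out on purpose: a regex for it would fit one sample and miss the next, whereas the COM objects and the %TEMP% write are needed by any script that behaves as described, however the strings are reordered.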

With routine changes in behavior and delivery methods, Geodo’s operators consistently find ways to evolve how the botnet behaves—always attempting to stay ahead of the cat-and-mouse game they play with network defenders. The change in how form data is passed will almost certainly allow Geodo to overcome certain detection technologies, requiring immediate retooling. Identifying a highly dynamic family, such as Geodo, requires highly agile security infrastructure coupled with responsive threat intelligence.

To stay ahead of emerging phishing and malware trends, sign up for free Cofense Threat Alerts.

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.

This Phishing Campaign Spoofed a CDC Warning to Deliver the Latest GandCrab Ransomware

CISO Summary

Cofense Intelligence™ reports that threat actors have spoofed a CDC email—this one warns of a flu epidemic—to deliver an updated variant of GandCrab ransomware. Besides competing for a new low in predatory cyber-crime, the phishing campaign follows the public release of a decryptor tool for infections of recent GandCrab versions, through version 5.1. The fake CDC email contained version 5.2, which renders the decryptor tool ineffective.

Though ransomware has dropped off over the past year, the authors of GandCrab are still pushing out frequent, powerful updates. GandCrab is the last of the infamous “ransomware as a service” threats. The extent to which its creators make upgrades, parrying and thrusting with security researchers, shows it’s still a very real weapon for revenue-hungry criminals.

Full Details

Recent updates to GandCrab Ransomware demonstrate that its operators remain committed to the malware’s effectiveness and are prepared to make urgent changes to overcome disruptions. Shortly after a coordinated public release of a decryptor tool for infections of GandCrab versions 5.0.4 through 5.1, Cofense Intelligence observed GandCrab v5.2 campaigns that rendered the tool ineffective. In a recent phishing email delivering GandCrab, a fabricated flu epidemic alert from the Center for Disease Control (CDC) was crafted to terrify recipients into opening an attached document. Far from receiving potentially life-saving instructions, the Office document was laden with macros, coded to download and execute a copy of—you guessed it—GandCrab v5.2.

Natural disasters, global geopolitical events, and pandemics are perfect narrative drivers for threat actors seemingly devoid of conscience, tact, or taste. Self-preservation is a human imperative, and such narratives that evoke fear and urgency are potentially more effective than those exploiting greed, empathy, or curiosity, other typical phishing narratives.

Coughs and Splutters

Despite leveraging a powerful concept, the execution of the observed campaign leaves much to be desired. Figure 1 shows the body of a typical message from this campaign.

Figure 1: a typical message observed during this campaign

At first glance, the message is well-structured, somewhat professional and believable. A closer read, however, reveals grammatical errors and unusual statements. The content of the attached document continues this trend, with preposterously low effort compared to that put into the phishing email. Figure 2 shows the content of the document, displayed to the user while the macros are busy downloading and executing GandCrab.

Figure 2: the content of the document, typically deployed as a decoy.

In scenarios that leverage weaponized documents as the attack vector, threat actors often disseminate believable content to distract the user while the required background processes run.

Where’s Trik?

A noticeable deviation from the recent standard GandCrab protocol is the absence of an intermediate loader. Since February 2019, all phishing campaigns that ultimately served GandCrab did so via Trik, a spambot with pretensions of being a data-stealer. While certainly not a unique occurrence, this does reverse a trend that had been forming.

Despite ransomware becoming less and less lucrative, the actors behind GandCrab continue to push out extremely frequent and pertinent updates. On February 19th 2019, Bitdefender released a decryption tool for GandCrab v5.1. Later that same day, it came to light that v5.2 – a version for which no available decryption utility would work – had already been released, seemingly in direct response to the decryption utility.

GandCrab is the last great bastion of the ransomware-as-a-service world. Its frequent updates, active engagement with security researchers, and novel abuse of vulnerabilities and weaknesses makes it a very real, and potentially very devastating, threat. By appealing to fear and self-preservation, this campaign highlights to what lengths threat actors will go to generate revenue.

IoCs

Flu pandemic warning.doc        054607600b11e09fa74aa39c790357d6

perdaliche.exe                         b47b281a8d1f227d6a7f48f73192e7ed

hxxp://gandcrabmfe6mnef[.]onion/

hxxps://www[.]kakaocorp[.]link/data/images/kadeheme[.]jpg

hxxp://www[.]kakaocorp[.]link/news/image/kazuzu[.]bmp

hxxp://210[.]16[.]102[.]43/perdaliche[.]exe

Flash Bulletin: Emotet Epoch 1 Changes its C2 Communication

We are currently noticing a change in the way that the Emotet botnet, specifically the epoch 1 variant, is communicating with the C2. In past versions, the client would typically perform a GET request with data contained in the cookie value. As of approximately 11pm UTC on March 14, this changed. The clients have begun to perform HTTP POSTs to what appear to be their C2s. The URIs contacted contain variable words in the paths. We are seeing form data passed with a name variable and data. This change will disrupt researchers as well as certain detection technologies while they scurry to retool. We will continue to track this change and analyze what this means. Further details to come.

IOCs

Emotet E1 Client hash: e0f04e2fbf3beed2dc836567006890f6f0442db78248cc2fd049437547be462e

Observed POST URIs

178[.]78[.]64[.]80:8443/usbccid/
82[.]78[.]228[.]57:443/attrib/
82[.]78[.]228[.]57:443/taskbar/
139[.]59[.]19[.]157/acquire/results/
139[.]59[.]19[.]157/add/between/taskbar/merge/
139[.]59[.]19[.]157/attrib/img/report/
139[.]59[.]19[.]157/badge/sess/devices/enabled/
139[.]59[.]19[.]157/chunk/
139[.]59[.]19[.]157/codec/
139[.]59[.]19[.]157/devices/
139[.]59[.]19[.]157/free/add/report/merge/
139[.]59[.]19[.]157/glitch/
139[.]59[.]19[.]157/health/merge/
139[.]59[.]19[.]157/health/tlb/splash/
139[.]59[.]19[.]157/iab/report/between/merge/
139[.]59[.]19[.]157/jit/entries/enabled/
139[.]59[.]19[.]157/loadan/
139[.]59[.]19[.]157/loadan/child/odbc/
139[.]59[.]19[.]157/pdf/entries/entries/merge/
139[.]59[.]19[.]157/pnp/
139[.]59[.]19[.]157/prep/
139[.]59[.]19[.]157/prov/taskbar/entries/
139[.]59[.]19[.]157/prov/usbccid/
139[.]59[.]19[.]157/report/taskbar/
139[.]59[.]19[.]157/report/window/arizona/merge/
139[.]59[.]19[.]157/ringin/bml/health/
139[.]59[.]19[.]157/schema/iab/
139[.]59[.]19[.]157/scripts/usbccid/
139[.]59[.]19[.]157/sess/jit/usbccid/merge/
139[.]59[.]19[.]157/srvc/glitch/
139[.]59[.]19[.]157/srvc/pdf/
139[.]59[.]19[.]157/stubs/between/entries/merge/
139[.]59[.]19[.]157/teapot/arizona/splash/enabled/
139[.]59[.]19[.]157/tlb/srvc/schema/enabled/
139[.]59[.]19[.]157/usbccid/entries/site/
139[.]59[.]19[.]157/vermont/mult/
139[.]59[.]19[.]157/walk/between/
139[.]59[.]19[.]157/walk/enable/iplk/
139[.]59[.]19[.]157/walk/taskbar/
139[.]59[.]19[.]157/window/between/enabled/
152[.]171[.]65[.]137:8090/psec/rtm/vermont/enabled/
152[.]171[.]65[.]137:8090/splash/arizona/
165[.]227[.]213[.]173:8080/attrib/schema/vermont/enabled/
165[.]227[.]213[.]173:8080/ban/iab/
165[.]227[.]213[.]173:8080/ban/nsip/taskbar/
165[.]227[.]213[.]173:8080/bml/mult/prov/enabled/
165[.]227[.]213[.]173:8080/child/
165[.]227[.]213[.]173:8080/cookies/json/
165[.]227[.]213[.]173:8080/enabled/
165[.]227[.]213[.]173:8080/entries/srvc/
165[.]227[.]213[.]173:8080/loadan/loadan/
165[.]227[.]213[.]173:8080/prep/loadan/symbols/
165[.]227[.]213[.]173:8080/schema/iab/
165[.]227[.]213[.]173:8080/sess/
165[.]227[.]213[.]173:8080/site/bml/forced/merge/
165[.]227[.]213[.]173:8080/splash/enable/prov/enabled/
165[.]227[.]213[.]173:8080/sym/tpt/nsip/enabled/
165[.]227[.]213[.]173:8080/symbols/badge/
165[.]227[.]213[.]173:8080/tlb/nsip/
165[.]227[.]213[.]173:8080/usbccid/prov/sess/
173[.]248[.]147[.]186/attrib/usbccid/entries/
173[.]248[.]147[.]186/iab/odbc/forced/
173[.]248[.]147[.]186/mult/tlb/
173[.]248[.]147[.]186/mult/window/enabled/
173[.]248[.]147[.]186/pnp/taskbar/splash/
173[.]248[.]147[.]186/publish/
173[.]248[.]147[.]186/schema/mult/arizona/
173[.]248[.]147[.]186/teapot/acquire/
173[.]248[.]147[.]186/teapot/usbccid/
178[.]78[.]64[.]80:8443/acquire/entries/
178[.]78[.]64[.]80:8443/acquire/merge/forced/enabled/
178[.]78[.]64[.]80:8443/attrib/usbccid/
178[.]78[.]64[.]80:8443/devices/between/devices/enabled/
178[.]78[.]64[.]80:8443/devices/free/report/merge/
178[.]78[.]64[.]80:8443/devices/free/schema/enabled/
178[.]78[.]64[.]80:8443/json/sess/attrib/
178[.]78[.]64[.]80:8443/raster/
178[.]78[.]64[.]80:8443/tpt/
181[.]16[.]4[.]180/attrib/entries/report/
181[.]16[.]4[.]180/attrib/scripts/
181[.]16[.]4[.]180/between/scripts/child/enabled/
181[.]16[.]4[.]180/cookies/symbols/arizona/merge/
181[.]16[.]4[.]180/dma/
181[.]16[.]4[.]180/loadan/raster/
181[.]16[.]4[.]180/publish/child/tlb/merge/
181[.]16[.]4[.]180/raster/
181[.]16[.]4[.]180/window/tlb/symbols/enabled/
181[.]56[.]165[.]97:53/balloon/enabled/mult/
181[.]56[.]165[.]97:53/child/merge/chunk/enabled/
181[.]56[.]165[.]97:53/iplk/teapot/forced/
181[.]56[.]165[.]97:53/pdf/json/tlb/
181[.]61[.]221[.]146/chunk/iplk/
181[.]61[.]221[.]146/forced/attrib/enable/enabled/
186[.]137[.]133[.]132:8080/ringin/entries/
186[.]138[.]205[.]189/child/devices/add/enabled/
186[.]138[.]205[.]189/stubs/taskbar/
186[.]3[.]188[.]74/arizona/
186[.]3[.]188[.]74/cookies/scripts/arizona/
186[.]3[.]188[.]74/entries/
186[.]3[.]188[.]74/json/health/odbc/
186[.]3[.]188[.]74/prep/window/
186[.]3[.]188[.]74/results/attrib/
186[.]3[.]188[.]74/schema/badge/
186[.]3[.]188[.]74/srvc/report/forced/enabled/
186[.]3[.]188[.]74/stubs/scripts/vermont/enabled/
189[.]208[.]239[.]98:443/enable/raster/prep/
189[.]208[.]239[.]98:443/pdf/cookies/
189[.]208[.]239[.]98:443/scripts/entries/mult/enabled/
190[.]117[.]206[.]153:443/attrib/loadan/
190[.]117[.]206[.]153:443/badge/ban/vermont/
190[.]117[.]206[.]153:443/devices/
190[.]117[.]206[.]153:443/iplk/pnp/
190[.]117[.]206[.]153:443/merge/window/
190[.]117[.]206[.]153:443/publish/
190[.]117[.]206[.]153:443/ringin/odbc/
190[.]117[.]206[.]153:443/sess/balloon/glitch/
190[.]117[.]206[.]153:443/symbols/
190[.]146[.]86[.]180:443/child/odbc/forced/enabled/
190[.]146[.]86[.]180:443/enabled/devices/enabled/merge/
190[.]146[.]86[.]180:443/guids/between/devices/
190[.]146[.]86[.]180:443/guids/site/splash/enabled/
190[.]146[.]86[.]180:443/merge/balloon/
190[.]146[.]86[.]180:443/mult/badge/glitch/merge/
190[.]146[.]86[.]180:443/pnp/
190[.]146[.]86[.]180:443/raster/badge/odbc/enabled/
190[.]146[.]86[.]180:443/srvc/json/
190[.]15[.]198[.]47/arizona/pnp/
190[.]15[.]198[.]47/balloon/cookies/devices/enabled/
190[.]15[.]198[.]47/cab/sess/
190[.]15[.]198[.]47/guids/acquire/splash/
190[.]15[.]198[.]47/img/balloon/
190[.]15[.]198[.]47/schema/report/vermont/enabled/
190[.]15[.]198[.]47/scripts/
190[.]15[.]198[.]47/site/enabled/
190[.]15[.]198[.]47/vermont/
192[.]155[.]90[.]90:7080/acquire/
192[.]155[.]90[.]90:7080/free/prov/chunk/
192[.]155[.]90[.]90:7080/prep/stubs/
192[.]163[.]199[.]254:8080/add/enable/symbols/enabled/
192[.]163[.]199[.]254:8080/balloon/balloon/
192[.]163[.]199[.]254:8080/report/
192[.]163[.]199[.]254:8080/report/acquire/schema/enabled/
192[.]163[.]199[.]254:8080/rtm/srvc/
192[.]163[.]199[.]254:8080/scripts/health/results/
208[.]180[.]246[.]147/add/forced/mult/enabled/
208[.]180[.]246[.]147/tlb/window/
208[.]180[.]246[.]147/usbccid/results/chunk/enabled/
23[.]254[.]203[.]51:8080/acquire/scripts/iab/enabled/
23[.]254[.]203[.]51:8080/arizona/ban/symbols/
23[.]254[.]203[.]51:8080/forced/merge/enable/enabled/
23[.]254[.]203[.]51:8080/json/
5[.]9[.]128[.]163:8080/devices/tpt/
5[.]9[.]128[.]163:8080/enable/sess/tlb/merge/
5[.]9[.]128[.]163:8080/odbc/odbc/enable/enabled/
50[.]246[.]45[.]249:7080/cookies/rtm/
50[.]246[.]45[.]249:7080/dma/cookies/
50[.]246[.]45[.]249:7080/loadan/codec/
51[.]255[.]50[.]164:8080/arizona/srvc/
51[.]255[.]50[.]164:8080/attrib/schema/results/enabled/
51[.]255[.]50[.]164:8080/ban/symbols/acquire/merge/
51[.]255[.]50[.]164:8080/enabled/
51[.]255[.]50[.]164:8080/iab/prep/scripts/
51[.]255[.]50[.]164:8080/iplk/
51[.]255[.]50[.]164:8080/loadan/
51[.]255[.]50[.]164:8080/pdf/psec/schema/
51[.]255[.]50[.]164:8080/publish/
51[.]255[.]50[.]164:8080/site/xian/
51[.]255[.]50[.]164:8080/splash/symbols/acquire/merge/
51[.]255[.]50[.]164:8080/srvc/publish/forced/
51[.]255[.]50[.]164:8080/taskbar/scripts/json/
51[.]255[.]50[.]164:8080/walk/tlb/raster/merge/
51[.]255[.]50[.]164:8080/window/
66[.]209[.]69[.]165:443/between/symbols/
66[.]209[.]69[.]165:443/enabled/walk/
66[.]209[.]69[.]165:443/prep/cone/enable/enabled/
69[.]163[.]33[.]82:8080/add/psec/
69[.]163[.]33[.]82:8080/cookies/splash/chunk/enabled/
69[.]163[.]33[.]82:8080/loadan/badge/publish/enabled/
69[.]163[.]33[.]82:8080/sess/vermont/
69[.]163[.]33[.]82:8080/srvc/
70[.]28[.]22[.]105:8090/arizona/
70[.]28[.]22[.]105:8090/report/tpt/chunk/
70[.]28[.]22[.]105:8090/stubs/balloon/enable/
72[.]47[.]248[.]48:8080/balloon/report/iab/
72[.]47[.]248[.]48:8080/img/raster/arizona/
72[.]47[.]248[.]48:8080/results/merge/symbols/
72[.]47[.]248[.]48:8080/vermont/results/
82[.]78[.]228[.]57:443/acquire/
82[.]78[.]228[.]57:443/arizona/nsip/balloon/
82[.]78[.]228[.]57:443/badge/cookies/teapot/enabled/
82[.]78[.]228[.]57:443/balloon/
82[.]78[.]228[.]57:443/ban/
82[.]78[.]228[.]57:443/between/
82[.]78[.]228[.]57:443/child/usbccid/loadan/
82[.]78[.]228[.]57:443/chunk/health/forced/
82[.]78[.]228[.]57:443/codec/
82[.]78[.]228[.]57:443/devices/
82[.]78[.]228[.]57:443/devices/vermont/
82[.]78[.]228[.]57:443/dma/ringin/enabled/
82[.]78[.]228[.]57:443/enable/entries/
82[.]78[.]228[.]57:443/enabled/child/json/
82[.]78[.]228[.]57:443/glitch/
82[.]78[.]228[.]57:443/iab/scripts/add/enabled/
82[.]78[.]228[.]57:443/mult/publish/sym/
82[.]78[.]228[.]57:443/pdf/arizona/balloon/
82[.]78[.]228[.]57:443/pdf/site/
82[.]78[.]228[.]57:443/prov/enable/splash/enabled/
82[.]78[.]228[.]57:443/schema/publish/vermont/
82[.]78[.]228[.]57:443/site/entries/
82[.]78[.]228[.]57:443/site/glitch/
82[.]78[.]228[.]57:443/stubs/ban/ban/merge/
82[.]78[.]228[.]57:443/taskbar/entries/
82[.]78[.]228[.]57:443/tlb/
82[.]78[.]228[.]57:443/tpt/arizona/child/merge/
82[.]78[.]228[.]57:443/walk/
82[.]78[.]228[.]57:443/xian/
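Indicator lists like the one above are published defanged (`[.]` for dots, `hxxp` for `http`), and the first thing a SOC does with them is parse them into host, port and path so they can feed a blocklist and a content rule for the word-built POST paths. The following is an added example written for this page, not a Cofense tool: the parser and the rule builder are constructed here, and the five sample lines are copied from the bulletin above, kept defanged exactly as published.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

URI_RE = re.compile(
    r"^(?:(?P<scheme>https?)://)?(?P<host>[^/:]+)(?::(?P<port>\d{1,5}))?(?P<path>/.*)?$"
)


@dataclass(frozen=True)
class Indicator:
    scheme: Optional[str]
    host: str
    port: Optional[int]  # None when the published indicator does not state one
    path: str


def refang(text: str) -> str:
    """Undo the defanging conventions used in the list above: hxxp:// and [.]."""
    return re.sub(r"^hxxp", "http", text.replace("[.]", ".").replace("[:]", ":"))


def parse_indicator(line: str) -> Indicator:
    m = URI_RE.match(refang(line.strip()))
    if not m:
        raise ValueError(f"unrecognised indicator: {line!r}")
    port = int(m.group("port")) if m.group("port") else None
    return Indicator(m.group("scheme"), m.group("host"), port, m.group("path") or "/")


def group_by_host(lines) -> dict:
    """{(host, port): [paths]}, the shape a proxy or firewall blocklist wants."""
    grouped = defaultdict(set)
    for line in lines:
        ind = parse_indicator(line)
        grouped[(ind.host, ind.port)].add(ind.path)
    return {key: sorted(paths) for key, paths in grouped.items()}


def path_vocabulary(lines) -> list:
    """Every distinct word used in the observed paths."""
    words = set()
    for line in lines:
        words.update(seg for seg in parse_indicator(line).path.split("/") if seg)
    return sorted(words)


def path_regex(lines) -> str:
    """Anchored pattern over the observed vocabulary, for a content rule on POST paths."""
    vocab = "|".join(re.escape(w) for w in path_vocabulary(lines))
    return rf"^/(?:(?:{vocab})/){{1,6}}$"


def matches_observed_pattern(lines, path: str) -> bool:
    return re.match(path_regex(lines), path) is not None


# A handful of the POST URIs from the bulletin above, kept defanged as published.
BULLETIN_URIS = [
    "178[.]78[.]64[.]80:8443/usbccid/",
    "82[.]78[.]228[.]57:443/attrib/",
    "139[.]59[.]19[.]157/acquire/results/",
    "139[.]59[.]19[.]157/add/between/taskbar/merge/",
    "165[.]227[.]213[.]173:8080/cookies/json/",
]

if __name__ == "__main__":
    for (host, port), paths in group_by_host(BULLETIN_URIS).items():
        print(host, port or "(no port given)", paths)
    print(path_regex(BULLETIN_URIS))
```

The vocabulary regex is a hunting aid rather than a standalone signature: the words are ordinary English and the list grows as new paths are seen, so pair it with the bare-IP destination and the form-encoded POST before raising an alert.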

‘Read the Manual’ Bot Gives This Phishing Campaign a Promising Future

CISO Summary

Cofense Intelligence™ has spotted a surgical phishing campaign whose targets could easily broaden, given the sophisticated development of its tactics. For now, it’s taking aim at financial departments in Russia and neighboring countries, using the Read the Manual (RTM) Bot to deliver a banking trojan.

Among other capabilities, the malware steals data from accounting software and harvests smart card information. The newest version uses The Onion Router (TOR) communication protocol, whose privacy and extra encryption are signs the threat actors could be serious about developing the banking trojan for future campaigns.

Technical controls can help combat this threat, for example, blocking connections to TOR nodes and inspecting network traffic for connection attempts. More proactively, educate end users on evolving phishing tactics.

Full Details

Cofense Intelligence™ has analyzed a phishing campaign delivering a banking trojan and targeting Russia and neighboring countries. Read The Manual (RTM) Bot is created by a cyber group known by the same name. The RTM group is targeting the financial departments within different industry sectors. This modular banking trojan has many unique features, such as stealing data from accounting software and harvesting smart card information. This newest version uses The Onion Router (TOR) communication protocol. These campaigns are typically written in Cyrillic and use the Monthly Payment lure. Figure 1 shows an email associated with this campaign.

Figure 1: An email associated with this phishing campaign

RTM Bot initially scans the drive of the endpoint, targeting accounting software. The scan looks for any items related to the Russian remote banking system and relays the information found to the C2 for further instructions. RTM Bot also scours the web browser history, and can access currently opened tabs, looking for any banking URL patterns. After the initial scan, the banking trojan gathers further information, effectively fingerprinting the machine. Figure 2 shows the accounting software strings found in the memory of this sample.

Figure 2: Strings associated with accounting software

Some accounting software requires the use of a smart card to authenticate to the software and access data associated with it. RTM Bot attempts to locate these smart card readers by scanning the registry and attached devices. If a smart card is found, the banking trojan then interacts with the WinSCard API to harvest information. The harvested information is then held within a memory buffer until it is sent to the C2. Figure 3 shows some memory strings associated with the smart card search and API interaction.

Figure 3: Memory strings associated with the smart card search and API interaction

Before attempting to exfiltrate the gathered information, the banking trojan will look up the host’s external IP address and add the value to its collection. It uses a GET request to the website hxxp://myip[.]ru/index_small[.]php to gather the external IP of the infected machine. Figure 4 shows the GET request.

Figure 4: The GET request for the external IP of the machine

Other values collected by RTM Bot during the fingerprinting of the machine include:

  • Username
  • Machine name
  • Logged on user privileges
  • OS version
  • Anti-virus installed
  • Time zone
  • Default language

Previous iterations of this malware used Blockchain Domain Name Services (BDNS) for its C2 infrastructure. The biggest change in the new version is the switch to using The Onion Router (TOR) communication protocol for its C2 infrastructure. Note that RTM Bot does not install a TOR client. Instead it uses the onion libraries, which are often called TOR SOCKS. By not installing a client onto the machine, RTM Bot reduces its chances of being detected by anti-virus as it manipulates the Operating System (OS). Figure 5 shows memory strings associated with the TOR C2 infrastructure.

Figure 5: Memory strings associated with the TOR C2 infrastructure

Using the TOR protocol for communication helps threat operators in many ways. The first is that the communication is encrypted at the application layer of the OSI model, which adds an extra layer of encryption to the traffic. Another is the privacy that the TOR network affords the threat actors. This is achieved by passing the data through a network of relay points using layers of encryption. Each relay point decrypts one layer, which reveals the next hop, and routes the packet accordingly. No single relay point, however, knows both the origin and the final destination the packet should reach. This routing scheme helps defeat eavesdropping, because no router knows the end-to-end connection, and the multiple layers of encryption obscure the content.
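The layered scheme described above is easier to reason about with the layers made concrete: the client wraps the message once per relay, and each relay peels exactly one layer and learns nothing but the next hop. The block below is an added illustration written for this page, not Tor's protocol or RTM Bot's code: the per-hop "cipher" is a toy XOR keystream derived from SHA-256, the relay names and shared keys are invented, and real Tor negotiates its keys with a handshake and uses an authenticated cipher, none of which is modelled here.

```python
import hashlib
import json


def keystream(key: bytes, length: int) -> bytes:
    """Toy keystream: SHA-256 over key||counter (illustration only, not a real cipher)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_layer(key: bytes, data: bytes) -> bytes:
    """One encryption layer; XOR is its own inverse, so this both wraps and peels."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def build_onion(circuit, destination: str, payload: bytes) -> bytes:
    """circuit: [(relay_name, key_shared_with_that_relay), ...] from first hop to last.

    Wrap from the inside out: the last relay's layer names the destination and carries
    the plaintext; each earlier layer names only the next relay and carries the rest.
    """
    blob = payload
    next_hop = destination
    for name, key in reversed(circuit):
        layer = json.dumps({"next": next_hop, "inner": blob.hex()}).encode()
        blob = xor_layer(key, layer)
        next_hop = name
    return blob


def peel(key: bytes, blob: bytes):
    """What a relay does: strip its own layer, learn the next hop, forward the remainder."""
    layer = json.loads(xor_layer(key, blob))
    return layer["next"], bytes.fromhex(layer["inner"])


def can_read(key: bytes, blob: bytes) -> bool:
    """True only if this key opens the outermost layer of blob."""
    try:
        layer = json.loads(xor_layer(key, blob))
    except ValueError:  # a wrong key yields bytes that are not UTF-8 JSON
        return False
    return isinstance(layer, dict) and "next" in layer


def route(circuit, onion: bytes):
    """Walk the circuit relay by relay and record what each one learned."""
    trace = []
    blob = onion
    for name, key in circuit:
        next_hop, blob = peel(key, blob)
        trace.append((name, next_hop))
    return trace, blob  # blob is now the plaintext handed to the destination


# Constructed circuit: three relays with invented per-hop keys (real Tor negotiates these).
CIRCUIT = [("guard", b"key-shared-with-guard"),
           ("middle", b"key-shared-with-middle"),
           ("exit", b"key-shared-with-exit")]

if __name__ == "__main__":
    onion = build_onion(CIRCUIT, "c2.example", b"fingerprint data")
    trace, delivered = route(CIRCUIT, onion)
    for relay, next_hop in trace:
        print(f"{relay:6s} learned only its next hop: {next_hop}")
    print("delivered:", delivered)
    print("middle relay can open the outer layer?", can_read(CIRCUIT[1][1], onion))
```

The `trace` is the property that matters for a defender: the guard sees the victim and the middle relay, the exit sees the middle relay and the C2, and nobody on the path sees both ends. That is why the mitigation in this analysis is to act at the edge of the network (block the relay entry points) rather than to try to read the tunnel.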

RTM Bot has many of the common capabilities of banking trojans, including keylogging and screen captures. The malware can be pre-compiled with modules or it can download and execute the modules as instructed by the C2. The RTM cyber group focuses on financial departments within businesses in specific countries but can very easily shift its aim.

The newest version using the TOR communication protocol shows the group is actively developing this banking trojan for the future. Blocking connections to TOR nodes and inspecting network traffic for connection attempts will help mitigate the exfiltration of information. However, educating end users about phishing campaign threats and maintaining the threat knowledge base is the key to avoiding these threats.
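The two network-side controls recommended above (blocking connections to TOR nodes and inspecting traffic for connection attempts) can be joined with the one concrete pre-exfiltration tell in the analysis, the GET to myip[.]ru/index_small[.]php for the external IP address. The block below is an added example written for this page, not a Cofense detection: the relay list is a constructed stand-in for a real feed of Tor relay addresses, the flow records and their addresses (RFC 1918 and RFC 5737 ranges) are invented, and the only indicator taken from the analysis is the myip.ru lookup.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Flow:
    src: str                     # internal host that opened the connection
    dst: str                     # destination IP
    dport: int
    host: Optional[str] = None   # HTTP Host header, when a proxy saw the request in clear
    path: Optional[str] = None


# Constructed relay list: in production, feed this from a current list of Tor relay/exit IPs.
TOR_RELAYS = {"203.0.113.5", "203.0.113.77"}
# The external-IP lookup the sample makes before exfiltration (from the analysis above).
IP_LOOKUP_HOST = "myip.ru"
IP_LOOKUP_PATH = "/index_small.php"


def check_flow(flow: Flow, relays=TOR_RELAYS) -> list:
    """Tells present in a single flow."""
    alerts = []
    if flow.dst in relays:
        alerts.append("tor-relay-contact")
    if flow.host and flow.host.lower() == IP_LOOKUP_HOST and flow.path == IP_LOOKUP_PATH:
        alerts.append("external-ip-lookup")
    return alerts


def correlate(flows, relays=TOR_RELAYS) -> dict:
    """Per source host: an IP lookup followed by a Tor relay contact is the sequence described above."""
    seen = {}
    for flow in flows:  # flows are assumed to arrive in chronological order
        seen.setdefault(flow.src, []).extend(check_flow(flow, relays))
    result = {}
    for src, alerts in seen.items():
        ordered = (
            "external-ip-lookup" in alerts
            and "tor-relay-contact" in alerts
            and alerts.index("external-ip-lookup") < alerts.index("tor-relay-contact")
        )
        result[src] = {"alerts": sorted(set(alerts)), "rtm_sequence": ordered}
    return result


# Constructed log: one infected-looking host and one ordinary one.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "198.51.100.20", 80, host="myip.ru", path="/index_small.php"),
    Flow("10.0.0.9", "198.51.100.30", 443, host="www.example.com", path="/"),
    Flow("10.0.0.5", "203.0.113.5", 443),
    Flow("10.0.0.9", "198.51.100.30", 443, host="www.example.com", path="/news"),
]

if __name__ == "__main__":
    for src, verdict in correlate(SAMPLE_FLOWS).items():
        print(src, verdict)
```

Either tell on its own is weak (staff use IP-lookup sites, and a single relay contact may be a browser), which is why the correlation keys on the order the analysis describes: the lookup first, the relay contact after.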

Lime RAT: Why It Caught Our Eye and How this Versatile Malware Works

CISO Summary

Cofense Intelligence™ has spotted a phishing campaign using the Lime remote administration tool (RAT), whose versatility makes it an especially dangerous malware type. Lime RAT is a mash-up of ransomware, cryptominer, stealer, worm, and keylogger. When skillfully deployed, it can filch a wide range of information, encrypt computers for ransom, or transform the target host into a bot.

Lime RAT appeals to novice and seasoned threat actors alike, thanks to its anti-virus evasion techniques, anti-virtual machine features, small footprint, and encrypted communications. Threat analysts will want to read the full analysis below. Security awareness managers will want to educate employees by simulating phishing emails containing diverse malware threats.

Full Details

Cofense Intelligence™ analyzed a phishing campaign that delivered an all-in-one ransomware/cryptominer/stealer/worm/keylogger called Lime Remote Administration Tool (RAT). Lime RAT’s code is written in C# and is dependent on .NET 4.0. Lime RAT is part of a malware library which includes Lime_Miner, Lime_Crypter, and Lime_USB. This malware is open source and touts itself as a teaching tool for .NET malware. But being feature-rich and well-documented, Lime RAT can also be used for nefarious actions by malicious operators.

An interesting feature of this malware family is the use of multiple ports for communication, which establishes redundancy for the communication channels. The initial setup of the Lime RAT building platform and panel needs only two things: port numbers and an AES (Advanced Encryption Standard) 128-bit encryption key. The port number is used to open a port to listen on the server. The AES key is used to encrypt all communication between the client and the server. Figure 1 shows the initial setup pane with the ports and AES key as discussed above.

Figure 1: Setup process for Lime RAT

The builder for the payloads is simply comprised of checkboxes and text input fields that even novice operators can use to produce effective, malicious binaries. This panel allows the operator to customize the payload with different features and icons. It also allows them to set the Command and Control (C2) infrastructure and the location for the persistent drop file on the targeted machine. Figure 2 shows the features available to customize each payload, including the anti-virtual machine option.

Figure 2: Features available to the Lime RAT payloads

When the Lime RAT payload has been created, sent to and executed on a target machine, the binary connects to the panel. When the client connects, it sends information to the control panel and includes details about the operating system, CPU, user, country, and more. The control panel gives the option to automatically assign a task for the client, for example, downloading and executing a specific file. Figure 3 shows the control panel populated with information from the connected client, while Figure 4 shows the ‘OnConnect’ automatic tasking panel.

Figure 3: Control panel view of an infected client machine connected to the C2 infrastructure

Figure 4: ‘OnConnect’ automatic tasking options

The control panel allows the operator to manipulate the target by right-clicking on the selected machine and choosing a command. This is where the operator can specify the method of attack: initiate the encryption for ransomware, drop a Monero miner, enable Remote Desktop Protocol (RDP), steal information/cryptocurrency, and more. Figures 5 and 6 show the options available to the operator for a given target.

Figure 5: Ransomware and other plugins for the target machine

Figure 6: Keylogging and persistence options for the targeted machine

The ransomware feature lets you customize the message as well as the image displayed. When the targeted host is encrypted with the ransomware aspect of this RAT, the file extensions are turned to ‘.Lime’. Figure 7 shows the customizable message and default image that displays to the client after the encryption has been initiated.

Figure 7: Lime RAT’s default ransomware message

The keylogging feature is not very advanced in what it collects. It can only collect what is entered by the keyboard and not what is auto-filled or added from the clipboard. The keylogger output does show a timestamp and which application the text was written in. Figure 8 shows the control panel output of a running keylogger module on a client infected with Lime RAT.

Figure 8: Collection of text from the keylogger module

As shown earlier in Figure 2, Lime RAT can spread like a worm. When the payload is built, the operator can specify that the ‘USB spreading’ and ‘pinned task bar application spreading’ features be included within the payload. The USB spreading feature looks for any connected drive of type 2 (removable) and then attempts to replace any file with an executable version of Lime RAT. When doing this, Lime RAT keeps the original icon of the file that has now been infected. The spreading through the pinned task bar applications takes it one step further by replacing the shortcut path to which those icons are linked.
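Two of the artefacts described above survive on disk and can be hunted for without the control panel: files whose extension has been turned to ‘.Lime’ by the ransomware module, and files on a removable drive that the worm has replaced with an executable while keeping the original icon. The script below is an added example written for this page, not a Cofense or Lime RAT tool: it builds a throwaway directory of constructed files shaped like a USB stick after the spreading routine ran, then scans it for the two tells. The set of extensions treated as legitimately executable is an assumption.

```python
import shutil
import tempfile
from pathlib import Path

EXECUTABLE_EXTS = {".exe", ".dll", ".scr", ".com"}  # assumption: where a PE body is expected
RANSOM_EXT = ".lime"  # encrypted files get the '.Lime' extension (from the analysis above)


def is_pe(path: Path) -> bool:
    """A Windows executable starts with the 'MZ' DOS header, whatever the file is called."""
    with path.open("rb") as fh:
        return fh.read(2) == b"MZ"


def scan_tree(root: Path) -> list:
    """Return (file name, finding) pairs for every suspicious file under root."""
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        ext = path.suffix.lower()
        if ext == RANSOM_EXT:
            findings.append((path.name, "lime-ransomware-extension"))
        elif ext not in EXECUTABLE_EXTS and is_pe(path):
            # the worm keeps the original icon, so name and icon cannot be trusted;
            # an MZ header under a document extension is the reliable tell
            label = ext.lstrip(".") or "no-extension"
            findings.append((path.name, "pe-masquerading-as-" + label))
    return sorted(findings)


def build_sample_drive() -> Path:
    """Construct a throwaway directory shaped like a USB stick after the spreading routine ran."""
    root = Path(tempfile.mkdtemp(prefix="limerat-sample-"))
    (root / "notes.txt").write_bytes(b"plain text, untouched\n")
    (root / "report.docx").write_bytes(b"MZ" + b"\x00" * 62 + b"constructed stub, not a real PE\n")
    (root / "budget.xlsx.Lime").write_bytes(b"\x9a\x1f opaque ciphertext (constructed)")
    (root / "tools").mkdir()
    (root / "tools" / "setup.exe").write_bytes(b"MZ" + b"\x00" * 62)  # exe name, exe body: expected
    return root


if __name__ == "__main__":
    sample = build_sample_drive()
    try:
        for name, finding in scan_tree(sample):
            print(f"{name:20s} {finding}")
    finally:
        shutil.rmtree(sample)
```

The pinned-taskbar variant is not covered here: a replaced shortcut is a .lnk whose target path has changed, which needs a .lnk parser and a baseline of the expected targets rather than a header check.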

The ‘Thumbnail’ tab (Figure 9) within the control panel of Lime RAT is a screengrab of the infected machine. This screengrab can be turned on or off and has a timer that defaults to 5 seconds between screen grabs.

Figure 9: ‘Thumbnail’ tab that holds the screen grabs of the infected machines

Logging in Lime RAT is not nearly as advanced as we’ve seen in other RATs. As shown in Figure 10, the ‘Logs’ tab only logs timestamps and IPs of connections and disconnections.

Figure 10: ‘Logs’ tab and the connections made

Lime RAT is an open source, well documented, .NET framework malware suite with multiple features that make it devastating when properly used. The ability for this malware to steal a wide range of valuable information, encrypt for ransom, and/or turn the target host into a bot with basic capabilities, mixed with an intuitive control panel display, makes it a likely choice for novice operators. The anti-virus evasion, anti-virtual machine feature, the small footprint, and encrypted communications would appeal to threat actors across the capability spectrum. The number one way to keep multi-purpose threats like Lime RAT from infecting a machine via a phishing campaign is to educate the end user on suspicious emails and attachments.

A Closer Look at Why the QakBot Malware Is So Dangerous

CISO Summary

Cofense Intelligence™ recently reported a phishing campaign distributing the QakBot malware. QakBot infestation is a significant threat, so be sure to share today’s follow-up post with your SOC analysts.

We’ll drill down into the novel techniques QakBot uses to stymie detection and manual analysis. This sophisticated banking trojan, which Cofense™ has seen distributed via the Geodo/Emotet botnet, uses multiple tools to cover its tracks and steal credentials. The threat actors who have developed it are creative and aggressive.

With Upgrades in Delivery and Support Infrastructure, Revenge RAT Malware is a Bigger Threat

CISO Summary

The Revenge RAT malware is getting stealthier, thanks to unusually advanced delivery techniques and support infrastructure. Cofense Intelligence™ has recently seen this basic and widely available Remote Access Trojan benefit from these upgrades, which help it to access webcams, microphones, and other utilities as Revenge RAT does recon and tries to gain a foothold in targeted computers. When they succeed, RATs enable threat actors to wreak havoc, including monitoring user behavior through keyloggers or other spyware, filching personal information, and distributing other malware.

The Malware Holiday Ends—Welcome Back Geodo and Chanitor

CISO Summary

Even cybercriminals knock off for the holidays. Then in January, it’s back to work. We all have bills to pay.

This past holiday season, including the Russian Orthodox Christmas which fell on January 7, threat actors cooled their heels and malware campaigns dipped. But with the holidays over, threat actors are back in action. Chanitor malware campaigns are spiking, at even higher levels than a year ago, and Geodo/Emotet campaigns have been surging too.