gh0st RAT

Direct messages sent via WhatsApp are being used to distribute malicious Visual Basic Script (VBScript) files... The threat actor uses deceptive file names masquerading as business and financial documents to persuade recipients to download and execute the attachment.

Gh0stRAT/SimpleRemoter code creating a scheduled task through Task Scheduler COM interfaces... WarmCookie initializes COM, creates the older Task Scheduler 1.0 object using CLSID_CTaskScheduler, and requests IID_ITaskScheduler. It then creates a work item, configures flags and creates a trigger.

Code Action ... 8 Execute command with ShellExecute, visible window 9 Execute command with ShellExecute, hidden window ... 125 Executes command in a hidden cmd window

Code Action ... 125 Executes command in a hidden cmd window

Previous research on the group’s activity found that it uses custom loaders hidden behind decoy documents...

Gh0stRAT/SimpleRemoter code creating a scheduled task through Task Scheduler COM interfaces... WarmCookie initializes COM, creates the older Task Scheduler 1.0 object using CLSID_CTaskScheduler, and requests IID_ITaskScheduler. It then creates a work item, configures flags and creates a trigger.

Static review of rundll32.dat!Edge shows Sauron service behavior: Uses HKCU\SOFTWARE\Sauron

As in the CVE-2022-1040 attack, the attackers built a malware that inspects all ping packets, waiting for a specially crafted ping packet... The ping packet, if validated correctly, can be used to trigger the device into either opening a reverse shell... or it will bind and listen on port 31234... This technique is known as Traffic Signalling, and is detailed as technique T1205 in the MITRE ATT&CK framework.

Static review of rundll32.dat!Edge shows Sauron service behavior: Uses HKCU\SOFTWARE\Sauron Copies itself to C:\Windows\svchost.exe when the Sauron key is absent Creates and starts service Sauron

The content repeatedly describes malware and threat actors establishing persistence by adding values under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce, and by placing executables, scripts, .lnk files, or .bat files in the Windows Startup folder.

Gh0stRAT/SimpleRemoter code creating a scheduled task through Task Scheduler COM interfaces... WarmCookie initializes COM, creates the older Task Scheduler 1.0 object using CLSID_CTaskScheduler, and requests IID_ITaskScheduler. It then creates a work item, configures flags and creates a trigger.

Static review of rundll32.dat!Edge shows Sauron service behavior: Uses HKCU\SOFTWARE\Sauron Copies itself to C:\Windows\svchost.exe when the Sauron key is absent Creates and starts service Sauron

The content repeatedly describes malware and threat actors establishing persistence by adding values under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce, and by placing executables, scripts, .lnk files, or .bat files in the Windows Startup folder.

The logexts.dat file is obfuscated and includes several User Account Control (UAC) bypasses.

The logexts.dat file is obfuscated... Gh0st RAT ... included features such as layers of obfuscation to bypass security protections and hinder analysis... Changes made by Webworm to this version of 9002 RAT are apparently intended to evade detection.

The heap payload brings the real loader behavior: PEB/export walking for dynamic API resolution

ainstaller-86533005.exe is wearing a Panasonic jacket, and the fit is almost too good. Inspect the file metadata and everything points at PPcNotif.Provider.RequiredApp.exe, Panasonic PC Notification, version 1.10510.0.0.

Command ID Description 5 Clear Windows Event logs (Application, Security, System)

The content repeatedly describes threat actors and malware deleting files, tools, scripts, logs, droppers, staged data, and artifacts from compromised systems to cover tracks, remove evidence, or self-delete.

The staged buffer goes through two decoder layers. The second decoder starts with key 0x38, walks 0xce0d bytes, XORs each byte, and feeds the decoded byte back into the key. The fully decoded stage then copies 0xae05 bytes from offset 0x2d and XOR-decodes them with: 4@e!c!bSL2AeimnwyD4x.

As in the CVE-2022-1040 attack, the attackers built a malware that inspects all ping packets, waiting for a specially crafted ping packet... The ping packet, if validated correctly, can be used to trigger the device into either opening a reverse shell... or it will bind and listen on port 31234... This technique is known as Traffic Signalling, and is detailed as technique T1205 in the MITRE ATT&CK framework.

thumbs.db decodes to rundll32.dat, whose Edge export implements Sauron behavior.

Timing and environment checks through QueryPerformanceCounter, Sleep, rdtsc, VirtualAllocExNuma, mutex probes, process checks, heap pressure, and COM/object probes

On execution, the binary allocates a new RWX buffer, copies an encoded stage from its own image, decodes it twice, peels a heap payload with a 19-byte XOR key, and jumps into the loader.

Static review of rundll32.dat!Edge shows Sauron service behavior: Uses HKCU\SOFTWARE\Sauron

the implant implements a keystroke, clipboard, and active-window logger ... configures a DirectInput8 interface to acquire the keyboard device for event capture

The content repeatedly describes malware and threat actors querying, enumerating, searching, reading, or checking Windows Registry keys and values, e.g., "ADVSTORESHELL can enumerate registry keys," "APT41 queried registry values to determine items such as configured RDP ports and network configurations," and "Reg may be used to gather details from the Windows Registry of a local or remote system at the command-line interface."

If not, it attempts to elevate its privileges ... BeaconData { ... uint8_t is_admin ... }

The content repeatedly describes malware and threat actors obtaining lists of running processes, using utilities such as tasklist, ps, WMI, Get-Process, CreateToolhelp32Snapshot, EnumProcesses, and similar APIs/commands to enumerate active processes on victim systems.

Below is the structure for the data that the implant returns to the C2 server during the beaconing interval: struct BeaconData { ... hostname ... windows_version ... cpu_name ... uptime ... }

Timing and environment checks through QueryPerformanceCounter, Sleep, rdtsc, VirtualAllocExNuma, mutex probes, process checks, heap pressure, and COM/object probes

远程桌面 实时屏幕控制、多显示器支持、H.264 编码、自适应质量；Web 远程桌面:基于 WebSocket 实现,支持手机/平板通过浏览器访问远程桌面

the implant implements a keystroke, clipboard, and active-window logger ... configures a DirectInput8 interface to acquire the keyboard device for event capture

First, it monitors the clipboard using OpenClipboard and GetClipboardData ... The malware also implements a clipboard hijacker ... substituting attacker-defined strings with replacement values.

Some Backdoor.Oldrea samples use standard Base64 + bzip2... gh0st RAT has used Zlib to compress C2 communications data before encrypting it... HOPLIGHT has utilized Zlib compression to obfuscate the communications payload.

The C2 channel operates over raw TCP sockets with messages encrypted in both directions.

WinINet download logic through InternetOpenA, InternetOpenUrlA, InternetReadFile, and InternetCloseHandle

C2 traffic from ADVSTORESHELL is encrypted, then encoded with Base64 encoding... APT19 HTTP malware variant used Base64 to encode communications to the C2 server... APT33 has used base64 to encode command and control traffic.

As in the CVE-2022-1040 attack, the attackers built a malware that inspects all ping packets, waiting for a specially crafted ping packet... The ping packet, if validated correctly, can be used to trigger the device into either opening a reverse shell... or it will bind and listen on port 31234... This technique is known as Traffic Signalling, and is detailed as technique T1205 in the MITRE ATT&CK framework.

The ping packet, if validated correctly, can be used to trigger the device into either opening a reverse shell back to the address provided by the attacker... or it will bind and listen on port 31234 to accept a connection from a C2.

Unlike the last cluster however, this variant appears to have been used in an extensive DDNS cluster of infrastructure dating back to at least 2013... that campaign appeared to have slightly different tactics, techniques, and procedures (TTPs), including potentially target-themed domain infrastructure as well as heavily relying on dynamic DNS for C2 domains.

The C2 domain and port remain hardcoded but are now XOR-encrypted ... messages encrypted in both directions ... The implant decrypts C2 messages through the following formula: RC4_decrypt