Decoding network data from a Gh0st RAT variant

During a forensic investigation in March 2018 we were able to retrieve some files which appeared to be linked with a well-known group named Iron Tiger.

From our research, we believe that the perpetrator hasn’t shown any advanced technical capabilities in this attack. In fact, the main goal was to mine cryptocurrency. During the investigation we found several tools such as password dumpers, Monero cryptocurrency miners, portable executable (PE) injectors and a modified version of Gh0st RAT. Even though Bitdefender and TrendMicro have published reports [1] [2] describing some of the tools used by the group, we were not able to find any references to this specific modified version of Gh0st RAT. Therefore, the purpose of this blog is to briefly describe the modified Gh0st RAT version that is used by the group.

The malicious payload

Firstly, a malicious executable file is executed which will drop a batch file (install.bat) and a cabinet file (data.cab) under a new folder in C:\ProgramData with a random name. The cabinet file includes two files: the malicious shellcode which is partially encrypted and a Dynamic-link library (DLL) which will execute the malicious shellcode. The malicious executable file will then execute the batch file, which will decompress and execute the DLL file. Persistence is achieved by creating a new service or a new registry key, depending on the privileges that the malware has.

Once the execution is passed to the shellcode, it will decrypt the rest of the encrypted data using a single byte as the key in an eXclusive OR (XOR) loop. After decryption, the following interesting string is observed:

Microsoft.Windows.BNG|[C&C IP address]:443;|1;1;1;1;1;1;1;|00-24;|1

The main goal of the shellcode is to load and execute the attacker’s plugins in memory.

Modified Gh0st RAT

While analysing the previous files, we found a folder named ‘Plugins’ with some interesting DLLs inside and two files which required a password upon execution (example in Figure 1).

Figure 1: Password input

After reversing the binary, we found out that the password is not hardcoded. Instead, the password is based on the current year and month. For example, the password for the month of March in 2018 is ‘201803’.

The first file which is named ‘Noodles’ seems to be an old modified version of Gh0st RAT based on compilation date and features. The second file named ‘Mozilla’ is the primary tool which was used for this attack. Below you can see how both panels look.

Figure 2: Noodles Panel - Listener Settings 

Figure 3: Mozilla Panel – Connect Settings

 Currently, both tools can listen on any given ports but only ‘Mozilla’ can connect to a bind port. The supported protocols include Secure Sockets Layer (SSL) and Transmission Control Protocol (TCP). One of the protocols in the list is named, according to the malware authors, ‘WINNET’ but this is not supported yet and an error message is displayed. This might suggest that this tool is still in development and there are plans to add additional functionality.

Figure 4: WININET protocol not supported

Additionally, analysis of the Mozilla tool identified a Program database (PDB) path inside the binary:

  • K:\Mozilla\Mozillav6.0.x_dll\WorkActive\Release\Mozilla.pdb

The tool heavily relies on plugins. When there is a new victim connection, the attacker can use the PluginManager to load new plugins to the infected machine.

Figure 5: “Mozilla” Plugin Manager

Most of the available plugins are based on the Gh0st RAT source code and a summary of them can be found below:

Network communication

The network traffic between the victim and the attacker is encrypted using Rivest Cipher 4 (RC4). The key is unique for each request and is encrypted using ‘XOR’ and ‘AND’ instructions. The key is stored in the first 28 bytes of the request. We wrote a Python script that takes as input a network capture (PCAP) and decrypts it, which can be found in our Github repository here: https://github.com/nccgroup/Cyber-Defence/tree/master/Scripts/gh0st_variant_c2

For example, below we can see the initial connection between a victim and the C2 server, where the machine name is sent:

Data to server..

[i] Found key: C8410061440A01c762FA9000
00000000: 0501570049004E00  2D00510047004F00  ..W.I.N.-.Q.G.O.
00000010: 3400430051004E00  49004F004E003500  4.C.Q.N.I.O.N.5.

And below the distinctive start of a PE file is seen, as a plugin is transferred to the client.

Data to client..

[i] Found key: C841006804EC089c84EA9020
00000000: 4D5A900003000000  04000000FFFF0000  MZ..............
00000010: B800000000000000  4000000000000000  ........@.......
00000020: 0000000000000000  0000000000000000  ................
00000030: 0000000000000000  00000000F0000000  ................
00000040: 0E1FBA0E00B409CD  21B8014CCD215468  ........!..L.!Th
00000050: 69732070726F6772  616D2063616E6E6F  is program canno
00000060: 742062652072756E  20696E20444F5320  t be run in DOS
00000070: 6D6F64652E0D0D0A  2400000000000000  mode....$.......

IOCs

Command and Control (C&C) IPs:

  • 23.227.207.137
  • 89.249.65.194

Malicious files directory:

  • C:\ProgramData\HIDMgr
  • C:\ProgramData\Rascon
  • C:\ProgramData\TrkSvr

Malicious service name:

  • HIDMgr
  • RasconMan
  • TrkSvr

Registry key for persistence:

  • ‘rundll32.exe_malicious_DLL_path’ in ‘HKCU\Software\Microsoft\Windows\CurrentVersion\Run’

File names and hashes:

References

  1. https://www.erai.com/CustomUploads/ca/wp/2015_12_wp_operation_iron_tiger.pdf
  2. https://labs.bitdefender.com/wp-content/uploads/downloads/operation-pzchao-inside-a-highly-specialized-espionage-infrastructure/

Published date:  17 April 2018

Written by:  Nikolaos Pantazopoulos

comments powered by Disqus

Filter By Service

Filter By Date