Unidentified RAT

This blog analyzes 8 unique files. 5 files are malicious loaders that contain an embedded executable. Two of the embedded executables are included in this report. The embedded executables are Remote Access Tools (RATs) that provide a vast array of Command and Control (C2) capabilities. These C2 capabilities include the ability to remotely monitor a system's desktop, gain reverse shell access, exfiltrate data, and upload and execute additional payloads. The malware can also function as a proxy, allowing a remote operator to pivot to other systems. The remaining file is a heavily encoded Java Server Pages (JSP) application that functions as a malicious webshell. This Java application allows an operator to upload files to and download files from a target system and to control the system via a reverse shell.

The command and control infrastructure used by this malware has been actively hosting multiple families of malware for at least the past year. While the initial landing page is not active, all of the C2 servers are still functioning and can be used to remotely deliver additional payloads. Globally, there are over 1500 domain names registered to a single email address. The email address is also linked to multiple other malicious domains used in previous attacks that have not been reported. These domains were registered between January 2015 and April 2016, indicating a lengthy campaign by this actor or actors.

Incident Summary

On March 1, 2016, the CERT/CC reported a cluster of incidents against multiple organizations. The attackers were using their own domain names to host remote access and malicious web shells. Their infrastructure included several Command and Control (C2) servers, including the following:

Client-side detection for these domains is not available, but the activity can be detected by server-side signatures that identify malicious binaries coming from these domains, as well as by a number of other indicators. Once the attack begins, the attacker's web site pops up a fake version of Internet Explorer and asks the victim to download and install the malware on their machine. It then shows a fake browser window telling the victim that files have been corrupted, followed by an error message stating that their connection has been reset.
