In his articles, you will get to know about two of the malwares which pose a huge threat to the government as well as organizations.-Revenge RAT (Remote Access Trojan) and AZORult.
MEANING AND HOW IT IS BEING USED
There are multiple malicious campaigns that are targeting attacks on the government and financial entities by the use of Revenge RAT. The unit 42 (What is unit 42) in March 2019, started to keep an eye on such attack campaigns which were primarily focused on Middle Eastern countries. The further analysis on these malwares revealed, they were not only affecting that region but also other countries from the United States to Europe and Asia. Most of the attacks have been carried out through phishing emails, which include complaints against the organization which is being targeted. The attackers using the Revenge RAT carried out operations through phishing emails that targeted various authorities such as Better Business Bureau (BBB), Australian Competition & Consumer Commission (ACCC).
The attached zip archives with the emails contained malicious batch files that were responsible for retrieving the malicious PE32 file and executing it, infecting the systems.
The Remote Access Trojans (RAT) such as Revenge RAT, used in these campaigns with other such campaigns are linked together by several unique tactics, techniques and procedures (TTPs) and with command and control (C2) infrastructure obfuscation. Researchers from the Cisco Talos have discovered that the group behind the attacks uses a file-less attack technique which is precise on gaining persistence on targeted systems and evade detection.
Revenge RAT is a remote access tool written in (C#) .NET which is freely available on the internet. The RAT malware is benefiting from its recent updates which help it to access webcams, microphones and other such utilities when recons to gain roots in the targeted computers. With redundant command and control infrastructure disguised in legitimate content, revoke threat actors to deliver a sample of Revenge RAT without leaving files on disk.
HOW IS REVENGE RAT ABLE TO FUNCTION?
Well, one of the reasons why Revenge RAT is able to perform such malware attacks is because the RAT malware uses Microsoft Office Excel Worksheet with Office macro to infect targeted computers that automatically gathers system information before allowing threat actors to remotely access the system components such as webcams, microphones, and other such utilities.
It is capable of opening remote shells, which allows attackers to manage system files, process registry, and services like, to log keystrokes, to dump victim’s passwords and many more.
The campaigns’ operators are making use of Dynamic Domain Name System (DDNS) which is a popular method used to conceal their C2 servers and control infrastructure which commonly observed in case of other attacks deploying such RATs on targeted machines. This was something new as the attackers had pointed DDNS over the Portmap service, which provided an additional layer of obfuscation.
It is a service which is designed to facilitate external connectivity to the systems which are behind firewalls or otherwise which are directly not exposed to the internet.
Researchers expect that the ongoing malware attack campaigns like Revenge RAT are most likely to increase in the future, impacting various organizations around the world.
Azorult is a malware engineered to function as an information stealer when it was first analyzed in 2016. The trojan malware AZORult which exfiltrates data from the compromised system, is capable of stealing browsing history, cookies, ID/passwords, cryptocurrency information and more. Based on its configuration AZORult also behaves as a downloader for other malwares. It is installed on a system via first-stage malware, such as Seamless.
Later in July 2018 AZORult, the trojan malware was updated improving its sealer and downloader functionality. After that it was immediately seen in a large email campaign, improving its capabilities to distribute Hermes ransomware.
HOW DOES IT FUNCTION?
The malware searches for saved passwords, cookies, wallet.data files from bitcoin clients, skype message history, desktop files and many more and sends them to its C2 server. Once the victim’s computer is infected, the malware starts to exfiltrate sensitive data.
AZORult first generates a unique ID of the victim’s computer and applies XOR encryption using the generated ID. In addition to that a masked ID is used for the initial request to command and control (C2) the servers.
The C2 servers respond parallel with configuration data which contains target web browser names, web browser path information, API names, sqlite3 queries, legitimate DLLs and many more. The malware then harvests the sensitive information from the victim’s computer according to rules set by its configuration data. The collection of information obtained is then packed and XORed, and the several types of data sent to C2 servers include, basic information of victim’s computers such as OS version, password information saved by web browsers, the domain name lists accessed by web browser, auto-complete, cookies, and browsing history of web browser. Also, it includes other data also such as, C@ command result, infected host’s IP address information, Screenshots of victim host, and detailed system information om Display resolution, running process tree, installed program list and many more.
AZORult can be configured to download and run additional payloads. It also saves malicious files under %TEMP% or %ProgramFiles%. It checks the extension of downloaded files and if it finds ‘.exe’ it executes them via CreateProcessW(). Otherwise, it calls ShellExecuteW().
The recent update for AZORult version 3.2 has the following effects:-
Added stealing of history from browsers (except IE and Edge), additional support for cryptocurrency wallets such as Exodus, Jaxx, Mist, Ethereum, Electrum, Electrum-LTC and many more. Improved loader now supports unlimited links. In addition to that in the admin panel, you can now specify the rules for how the loader works. Stealer can now also use system proxies and if a proxy is installed on the system, but there is no connection through it, the stealer can try to connect directly.
Some of the reporting and technical details
In January 2018 AZORult is delivered via the RIG EK and Ramnit trojan (Malware-Traffic-Analysis).
July 2018: The new version of AZORult stealer improves the loading features, which also spreads alongside ransomware in the new campaign (Proofpoint).
November 2018: New AZORult variants were being used as primary payloads in a new campaign using the fallout exploit kit at the Palo Alto Networks.
July 2019: A new campaign has been observed targeting gamers looking for a game hack or cheat. During this a YouTube user has created numerous videos and free downloadable game-hacks that contain the AZORult DLL, due to which if once the inject is executed, various data will be exfiltrated and sent back to the threat actor, here the collected data includes browser and FTP passwords, as well as browser history.
In the contemporary world, only the government and organizations are not to threats. A common man is too. With the advent of technology, each and every step we take on our mobile phones is monitored and can be jacked. Even our sim cards are not safe. This brings me to another major malicious threat – SIMJACKER. Simjacker poses a malicious vulnerability that is associated with SMS sent on SIM cards. TERRIFYING! Right? Well, Don’t be terrified. Blarrow is here to the rescue, always. To know more, visit https://blarrow.tech/simjacker-a-brand-new-mobile-and-sim-threat/