
What is tRat?

2025-04-06 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)05/31 Report--

This article introduces what tRat is. It has some reference value, so interested readers may want to consult it; I hope you learn a lot from reading it. Let the editor take you through it.

Overview

TA505 is a highly active cybercriminal group that the Proofpoint research team has been tracking. According to the data collected so far, the group has run hundreds of Dridex campaigns beginning in 2014, as well as large-scale Locky campaigns in 2016 and 2017, many of which involved hundreds of millions of malicious messages worldwide. Recently, the group has begun distributing a variety of remote access Trojans (RATs), along with information stealers, loaders and network reconnaissance tools, including tRat, which we have not described before.

tRat is a modular RAT written in Delphi that first appeared in malicious campaigns in September and October 2018. This article gives a brief analysis of this RAT.

Malicious campaigns

On September 27th, 2018, Proofpoint detected a malicious email campaign in which malicious Microsoft Word documents used macros to download tRat. The malicious documents carried Norton branding and, through the document name and embedded images, told users that the file was protected by Kaspersky security products. The email subject line contained the words "secure file sharing", and social engineering was also used to get users to install tRat.

On October 11, 2018, we observed another campaign distributing tRat. The actor behind it was TA505, and this campaign was more elaborate than the previous one, using both Microsoft Word and Microsoft Publisher files and varying the subject lines and sender details. Based on our analysis, this campaign appears to have targeted users at commercial banking institutions.

In this campaign, messages carrying malicious Microsoft Publisher documents used subject lines with words such as "billing" and "receipt". For example, some malicious emails had the subject "call Notification-[Random number]-[Random number]" and carried an attachment named "Report.doc".

The email attachment contains malicious macros; when they are enabled, tRat is downloaded.

Malicious file analysis

After analyzing the malware samples, we found that tRat achieves persistence by copying itself to the following location:

C:\Users\\AppData\Roaming\Adobe\FlashPlayer\Services\Frame Host\fhost.exe

tRat then creates a LNK file in the Startup directory so that the malicious code runs each time the system boots:

C:\Users\\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bfhost.lnk
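As an added example (not Proofpoint's tooling or code from this article), the following Python triage script checks a host for the two persistence artifacts described above, relative to the %APPDATA% directory, hashes whatever it finds and compares the result against the sample hashes listed in the IoC section of this article. The function names and the directory layout under %APPDATA% are assumptions taken from the paths quoted above.

```python
import hashlib
import os
from typing import Dict, List, Optional

# SHA256 hashes and descriptions quoted from this article's IoC list.
TRAT_SAMPLE_HASHES: Dict[str, str] = {
    "cd0f52f5d56aa933e4c2129416233b52a391b5c6f372c079ed2c6eaca1b96b85": "tRat sample, September 27th activity",
    "cdb8a02189a8739dbe5283f8bc4679bf28933adbe56bff6d050bad348932352b": "tRat sample, October 1st activity",
}

# Persistence artifacts described in the article, relative to %APPDATA% (assumed layout).
PERSISTENCE_PATHS = [
    os.path.join("Adobe", "FlashPlayer", "Services", "Frame Host", "fhost.exe"),
    os.path.join("Microsoft", "Windows", "Start Menu", "Programs", "Startup", "bfhost.lnk"),
]


def sha256_hex(data: bytes) -> str:
    """Lower-case hex SHA256 of a byte string."""
    return hashlib.sha256(data).hexdigest()


def classify_hash(digest: str) -> Optional[str]:
    """Return the IoC description if the digest is a known tRat sample, else None."""
    return TRAT_SAMPLE_HASHES.get(digest.lower())


def find_persistence_artifacts(appdata: str) -> List[str]:
    """Return the documented tRat persistence paths that actually exist under appdata."""
    candidates = [os.path.join(appdata, rel) for rel in PERSISTENCE_PATHS]
    return [p for p in candidates if os.path.exists(p)]


def triage_host(appdata: str) -> List[dict]:
    """Hash every present artifact and note whether it matches a known sample."""
    findings = []
    for path in find_persistence_artifacts(appdata):
        with open(path, "rb") as fh:
            digest = sha256_hex(fh.read())
        findings.append({"path": path, "sha256": digest, "known_sample": classify_hash(digest)})
    return findings


if __name__ == "__main__":
    # On Windows, APPDATA points at C:\Users\<user>\AppData\Roaming.
    for finding in triage_host(os.environ.get("APPDATA", os.path.expanduser("~"))):
        print(finding)
```

An artifact that is present but does not match either hash is still worth escalating, since the article notes that the strings and samples may vary between campaigns.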

Most of the important strings in tRat are encrypted and then hex-encoded. A Python script for decrypting these strings is available here. [script download]

tRat communicates with its remote C2 server over TCP port 80, and the data is encrypted and sent in hexadecimal form. To generate the decryption key, tRat concatenates three strings and produces an uppercase hex-encoded string. The decoded string from our sample is as follows:

"Fx@%gJ_2oK"AC8FFF33D07229BF84E7A429CADC33BFEAE7AC4A87AE33ACEAAC8192A68C55A6"& LmcF#7R2m"

At present, we do not know whether these strings vary between malware samples.

To generate the key, tRat uses a 1536-byte table during decryption. Although we do not yet know the exact meaning of every element in this table, we found that the code performs XOR operations, and some of the values used by the algorithm are taken from the encrypted data. [table download]

tRat's initial network request is "ATUH_INF"; a captured sample is as follows:

MfB5aV1dybxQNLfg:D29A79D6CD2F47389A66BB5F2891D64C8A87F05AE3E1C6C5CBA4A79AA5ECA29F8E8C8FFCA6A2892B8B6E

This string contains two substrings separated by ":". The first is a hard-coded identifier (an encrypted string), and the second contains encrypted system data. A decrypted sample looks like this:

FASHYEOHAL/nXAiDQWdGwORzt:3A176D130C266A4D

This data contains the infected host's name, the system user name, and the tRat bot ID.
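The beacon shape described above (an identifier, a colon, then uppercase hex of the encrypted data, carried over TCP port 80 without an HTTP request line) can be turned into a simple detection check. The following Python is an added example, not code from the article or from Proofpoint; it generalizes the two quoted samples into a regular expression, so treat a match as a triage signal rather than proof, and the constructed sample traffic at the bottom is assembled from the two beacon strings quoted above plus an ordinary HTTP request.

```python
import binascii
import re
from typing import Optional, Tuple

# Shape taken from the two samples on the page: <identifier>:<uppercase hex>.
# Identifier length and character set are assumptions generalized from those samples.
BEACON_RE = re.compile(r"^([A-Za-z0-9+/]{1,64}):([0-9A-F]{2,})$")

HTTP_TOKENS = {b"GET", b"POST", b"HEAD", b"PUT", b"OPTIONS", b"HTTP/1.0", b"HTTP/1.1"}


def parse_beacon(payload: str) -> Optional[Tuple[str, bytes]]:
    """Split a tRat-style beacon into (identifier, raw encrypted bytes); None if it does not match."""
    match = BEACON_RE.match(payload.strip())
    if not match:
        return None
    ident, hexdata = match.groups()
    if len(hexdata) % 2:  # an odd number of hex digits cannot encode whole bytes
        return None
    return ident, binascii.unhexlify(hexdata)


def looks_like_http(payload: bytes) -> bool:
    """True when the first token is an HTTP method or version, i.e. normal port-80 traffic."""
    return payload.split(b" ", 1)[0] in HTTP_TOKENS


def flag_port80_payload(payload: bytes) -> Optional[str]:
    """Return a detection note for a port-80 payload that is not HTTP but has the beacon shape."""
    if looks_like_http(payload):
        return None
    try:
        text = payload.decode("ascii")
    except UnicodeDecodeError:
        return None
    parsed = parse_beacon(text)
    if parsed is None:
        return None
    ident, blob = parsed
    return f"non-HTTP port-80 beacon: identifier={ident} encrypted_bytes={len(blob)}"


# Constructed sample traffic: the two beacon strings quoted on the page plus a benign HTTP request.
SAMPLES = [
    b"MfB5aV1dybxQNLfg:D29A79D6CD2F47389A66BB5F2891D64C8A87F05AE3E1C6C5CBA4A79AA5ECA29F8E8C8FFCA6A2892B8B6E",
    b"FASHYEOHAL/nXAiDQWdGwORzt:3A176D130C266A4D",
    b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(flag_port80_payload(sample))
```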

So far we have not observed tRat's C2 server sending any additional functional modules, so we do not yet know which features will be added in new versions of the malware.

Indicators of compromise

IoC: cd0f52f5d56aa933e4c2129416233b52a391b5c6f372c079ed2c6eaca1b96b85
IoC type: SHA256
IoC description: tRat sample hash, September 27th campaign

IoC: cdb8a02189a8739dbe5283f8bc4679bf28933adbe56bff6d050bad348932352b
IoC type: SHA256
IoC description: tRat sample hash, October 1st campaign

IoC: 51.15.70[.]74
IoC type: IP
IoC description: tRat C2 server
