Chinese waRAT give attackers full control of compromised machines

During LMNTRIX Hunt activities for one of our Telco clients, we discovered a Remote Access Trojan on its network which had completely bypassed the client’s traditional anti-virus solutions. 

This piece of malware, dubbed waRat, could have given the attacker complete remote access to client’s environment. We’ve found no evidence of spearphishing as the delivery mechanism, and instead believe this ended up on the client’s network via drive-by download.

Drive-by downloads are performed by redirecting users over a malicious site, or a compromised domain with injected malicious scripts, that download files without user consent. Unlike spearphishing campaigns, they don’t require the user to click on or download the malicious content. In this case, a malicious website (nesbbc[.]top) delivered waRAT after a user navigated to the site – most probably while meaning to reach newsbbc[.]com. 

After further analysing the malicious domain directories, we collected over 15 different variations of the malware.

We believe waRAT was designed specifically to target organisations in China and Taiwan as during the infection cycle, it seeks out and disables 360 Security AV – Chinese and Taiwanese businesses being the largest 360 Security customer base. 

The malware is also able to spread laterally through an environment by writing autorun files in all attached volumes. This means that anytime a removable device is attached, it is also infected and becomes the carrier, compromising other devices once inserted. 

Malware Analysis 

Static Analysis

Filename: waNewRat360.exe

Sha256: 4222660b39aff67a4a5712a800f26e481c9b8867e6d3b19761d8df283f7b14ed

Company Name: 360安全卫士主程序 (360 Security)

File Name: 360.cn

The file is a PE32 executable, written in C++. The executable contains many hidden functions, only accessible to the attacker by creating multiple threads. The resources are in Chinese Simplified language. Yara rules match with waRAT payloads from the attacker group, juewangzhe[.]net.

Dynamic Analysis

The malware tries to evade analysis by hiding active threads from debugger using “ZwSetInformationThread API” and calculates execution time using “GetTickCount”. The following is the malware’s execution flow as witnessed in our isolated environment.

Flow –

• Create a mutex from current process, fail if mutex already exists
• Open registry key HKLM\Software\rising and HKLM\Software\JiangMin, If succeeds:
  
  1. Creates a thread to show a window “360Inist” mimicking installation of 360 Security AV
  2. Finds 360 Security AV executables “360sd.exe” and “360rp.exe” running on system and terminates the processes
  3. Creates a thread to:
     
     1. Get hostname and IP address of system
     2. Connect to C2 and download an executable
     3. Downloaded executable is copied to all connected drives in the system as NewArea.exe in the root directory
     4. Get the system local time
     5. Execute the downloaded executable
     6. Sleep for 2 seconds before exit
  4. Sleeps for 0.5 seconds
  5. Creates a thread to:
     
     1. Enumerate partitions in system
     2. Create an autorun.inf file in each partition
        
        1. Sets [autorun]Open, shell\open\command and shell\explore\command as recycle.{645FF040-5081-101B-9F08-00AA002F954E}\GHOSTBAK.exe
        2. Sets shell\open\Default to 1
     3. Copy dropped executable NewArea.exe to Recycler folder of that driver as recycle.{645FF040-5081-101B-9F08-00AA002F954E}\GHOSTBAK.exe
  6. Open registry key “Stuvwx Aberer Jkl” in HKLM\SYSTEM\CurrentControlSet\Services
     
     1. If successful:
        
        1. Create a service with name “Stuvwx Aberer Jkl” as Shared process service and Start pending status
        2. Sleep for 0.5 seconds
        3. Set service status as running
        4. Create a mutex, if fails then exit process
        5. If mutex creation is successful, create a thread to:
           
           1. Open socket connection to C2
           2. Receive data from C2
           3. Accordingly execute shell commands, open URL and download files with Internet Explorer (Backdoor behaviour)
           4. Sleep for 0.3 seconds and repeat
        6. Start the service dispatcher

2.If fails:

1. Opens Service Control Manager for service “Stuvwx Aberer Jkl”
2. If fails, then creates Service with Service name “Stuvwx Aberer Jkl” and Display name “Stuvwx Aberereh Jklmnopq Stuv”
3. Starts the service
4. Opens registry key “Stuvwx Aberer Jkl” in HKLM\SYSTEM\CurrentControlSet\Services and sets description as “Stuvwxya Cerererjk Mnopqrs Uvwxyabc Efg”
5. Exits Process

Protection

The “MITRE ATT&CK” knowledge base extensively covers the techniques often employed by attackers and maps them to various stages in the lifecycle of an attack. With waRAT, it can be detected with the following MITRE techniques:

1.    Discover Disabled Security Tools – Find activity where security tools, such as Windows Firewall, Antivirus, or EDR Agents, are being disabled.

2.    File and Directory Discovery – Find activity where files/directories are being enumerated or where massive file write operations are occurring within a short time span.

3.    New Service – Find activity where a new service is created. This should be baselined against legitimate administrative actions.

4.    Query Registry – Find activity where registry query operations are occurring. Again, this should be baselined against legitimate administrative actions.

5.    Modify Registry – Find activities where modify registry operations are occurring. This should also be baselined and whitelisted against legitimate administrative actions.

6.    Suspicious Run Locations – Find executables that are being executed from suspicious or non-standard locations. 

Alternatively, LMNTRIX Respond is a part of LMNTRIX’s Adaptative Threat Response service that provides complete endpoint security with detection techniques mapped to the “MITRE ATT&CK” framework. With advanced analytics, LMNTRIX Respond brings light to threats that have previously gone undetected along with detailed analysis to provide attack attribution. The LMNTRIX Respond Sensor includes an inbuilt offline capability which uses machine learning models to classify malicious files and quickly isolate the location and determine the extent of the executable. 

Indicators of Compromise

The table below lists the Indicators of Compromise which can help security professionals identify waRAT activity. The domains hosting c2 and payload are spread across China and Hong Kong.