{"id":2698,"date":"2024-09-25T19:29:57","date_gmt":"2024-09-25T19:29:57","guid":{"rendered":"https:\/\/xdr-mdr.lmntrix.com\/main_web\/?p=2698"},"modified":"2025-07-29T06:08:56","modified_gmt":"2025-07-29T06:08:56","slug":"chinese-warat-give-attackers-full-control-of-compromised-machines","status":"publish","type":"post","link":"https:\/\/lmntrix.com\/blog\/chinese-warat-give-attackers-full-control-of-compromised-machines\/","title":{"rendered":"Chinese waRAT gives attackers full control of compromised machines"},"content":{"rendered":"<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full is-resized\"><img fetchpriority=\"high\" decoding=\"async\" width=\"592\" height=\"350\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/VegNewsMouse-1.webp\" alt=\"\" class=\"wp-image-2714\" style=\"width:848px;height:auto\"\/><\/figure>\n<\/div>\n\n\n<p>During LMNTRIX Hunt activities for one of our Telco clients, we discovered a Remote Access Trojan on its network which had completely bypassed the client\u2019s traditional anti-virus solutions.&nbsp;<br><br>This piece of malware, dubbed waRAT, could have given the attacker complete remote access to the client\u2019s environment. We\u2019ve found no evidence of spearphishing as the delivery mechanism, and instead believe this ended up on the client\u2019s network via a drive-by download.<br><br>Drive-by downloads are performed by redirecting users to a malicious site, or to a compromised domain with injected malicious scripts, that downloads files without user consent. Unlike spearphishing campaigns, they don\u2019t require the user to click on or download the malicious content. 
In this case, a malicious website (nesbbc[.]top) delivered waRAT after a user navigated to the site \u2013 most probably while meaning to reach newsbbc[.]com.&nbsp;<br><br>After further analysing the malicious domain directories, we collected over 15 different variations of the malware.<br><br>We believe waRAT was designed specifically to target organisations in China and Taiwan, because during the infection cycle it seeks out and disables 360 Security AV \u2013 Chinese and Taiwanese businesses being the largest 360 Security customer base.&nbsp;<br><br>The malware is also able to spread laterally through an environment by writing autorun files to all attached volumes. This means that any time a removable device is attached, it is also infected and becomes a carrier, compromising other devices once inserted.&nbsp;<br><br><ins><strong>Malware Analysis<\/strong><\/ins>&nbsp;<br><br><strong>Static Analysis<\/strong><br><br>Filename: waNewRat360.exe<br><br>SHA256: 4222660b39aff67a4a5712a800f26e481c9b8867e6d3b19761d8df283f7b14ed<br><br>Company Name: 360\u5b89\u5168\u536b\u58eb\u4e3b\u7a0b\u5e8f (360 Security)<br><br>File Name: 360.cn<br><br>The file is a PE32 executable written in C++. The executable contains many hidden functions, only reached when it creates multiple threads. The resources are in Simplified Chinese. YARA rules match waRAT payloads from the attacker group juewangzhe[.]net.<br><br><strong>Dynamic Analysis<\/strong><br><br>The malware tries to evade analysis by hiding active threads from the debugger using the ZwSetInformationThread API and by measuring its own execution time with GetTickCount. 
The following is the malware\u2019s execution flow as witnessed in our isolated environment.<br><br>Flow:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Create a mutex for the current process; fail if the mutex already exists<\/li>\n\n\n\n<li>Open registry keys HKLM\\Software\\rising and HKLM\\Software\\JiangMin. If this succeeds:<br>\n<ol class=\"wp-block-list\">\n<li>Creates a thread to show a window \u201c360Inist\u201d mimicking the installation of 360 Security AV<\/li>\n\n\n\n<li>Finds the 360 Security AV executables \u201c360sd.exe\u201d and \u201c360rp.exe\u201d running on the system and terminates the processes<\/li>\n\n\n\n<li>Creates a thread to:<br>\n<ol class=\"wp-block-list\">\n<li>Get the hostname and IP address of the system<\/li>\n\n\n\n<li>Connect to the C2 and download an executable<\/li>\n\n\n\n<li>Copy the downloaded executable to the root directory of every connected drive as NewArea.exe<\/li>\n\n\n\n<li>Get the system local time<\/li>\n\n\n\n<li>Execute the downloaded executable<\/li>\n\n\n\n<li>Sleep for 2 seconds before exit<\/li>\n<\/ol>\n<\/li>\n\n\n\n<li>Sleeps for 0.5 seconds<\/li>\n\n\n\n<li>Creates a thread to:<br>\n<ol class=\"wp-block-list\">\n<li>Enumerate the partitions in the system<\/li>\n\n\n\n<li>Create an autorun.inf file in each partition<br>\n<ol class=\"wp-block-list\">\n<li>Sets [autorun] Open, shell\\open\\command and shell\\explore\\command to recycle.{645FF040-5081-101B-9F08-00AA002F954E}\\GHOSTBAK.exe<\/li>\n\n\n\n<li>Sets shell\\open\\Default to 1<\/li>\n<\/ol>\n<\/li>\n\n\n\n<li>Copy the dropped executable NewArea.exe to the Recycler folder of that drive as recycle.{645FF040-5081-101B-9F08-00AA002F954E}\\GHOSTBAK.exe<\/li>\n<\/ol>\n<\/li>\n\n\n\n<li>Open registry key \u201cStuvwx Aberer Jkl\u201d in HKLM\\SYSTEM\\CurrentControlSet\\Services<br>\n<ol class=\"wp-block-list\">\n<li>If successful:<br>\n<ol class=\"wp-block-list\">\n<li>Create a service named \u201cStuvwx Aberer Jkl\u201d as a shared-process service with Start Pending status<\/li>\n\n\n\n<li>Sleep for 0.5 seconds<\/li>\n\n\n\n<li>Set the service status to Running<\/li>\n\n\n\n<li>Create a mutex; if this fails, exit the process<\/li>\n\n\n\n<li>If mutex creation is successful, create a thread to:<br>\n<ol class=\"wp-block-list\">\n<li>Open a socket connection to the C2<\/li>\n\n\n\n<li>Receive data from the C2<\/li>\n\n\n\n<li>Accordingly execute shell commands, open URLs and download files with Internet Explorer (<strong>Backdoor behaviour<\/strong>)<\/li>\n\n\n\n<li>Sleep for 0.3 seconds and repeat<\/li>\n<\/ol>\n<\/li>\n\n\n\n<li>Start the service dispatcher<\/li>\n<\/ol>\n<\/li>\n\n\n\n<li>If it fails:<br>\n<ol class=\"wp-block-list\">\n<li>Opens the Service Control Manager for the service \u201cStuvwx Aberer Jkl\u201d<\/li>\n\n\n\n<li>If that fails, creates a service with service name \u201cStuvwx Aberer Jkl\u201d and display name \u201cStuvwx Aberereh Jklmnopq Stuv\u201d<\/li>\n\n\n\n<li>Starts the service<\/li>\n\n\n\n<li>Opens registry key \u201cStuvwx Aberer Jkl\u201d in HKLM\\SYSTEM\\CurrentControlSet\\Services and sets the description to \u201cStuvwxya Cerererjk Mnopqrs Uvwxyabc Efg\u201d<\/li>\n\n\n\n<li>Exits the process<\/li>\n<\/ol>\n<\/li>\n<\/ol>\n<\/li>\n<\/ol>\n<\/li>\n<\/ul>\n\n\n\n<p><ins><strong>Protection<\/strong><\/ins><\/p>\n\n\n\n<p>The \u201cMITRE ATT&amp;CK\u201d knowledge base extensively covers the techniques often employed by attackers and maps them to various stages in the lifecycle of an attack. 
waRAT activity can be detected with the following MITRE techniques:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Discover Disabled Security Tools \u2013 Find activity where security tools, such as Windows Firewall, Antivirus, or EDR Agents, are being disabled.<\/li>\n\n\n\n<li>File and Directory Discovery \u2013 Find activity where files\/directories are being enumerated or where massive file write operations are occurring within a short time span.<\/li>\n\n\n\n<li>New Service \u2013 Find activity where a new service is created. This should be baselined against legitimate administrative actions.<\/li>\n\n\n\n<li>Query Registry \u2013 Find activity where registry query operations are occurring. Again, this should be baselined against legitimate administrative actions.<\/li>\n\n\n\n<li>Modify Registry \u2013 Find activity where registry modification operations are occurring. This should also be baselined and whitelisted against legitimate administrative actions.<\/li>\n\n\n\n<li>Suspicious Run Locations \u2013 Find executables that are being executed from suspicious or non-standard locations.<\/li>\n<\/ol>\n\n\n\n<p>Alternatively, LMNTRIX Respond is a part of LMNTRIX\u2019s Adaptive Threat Response service that provides complete endpoint security with detection techniques mapped to the \u201cMITRE ATT&amp;CK\u201d framework. With advanced analytics, LMNTRIX Respond brings to light threats that have previously gone undetected, along with detailed analysis to provide attack attribution. The LMNTRIX Respond Sensor includes an inbuilt offline capability which uses machine learning models to classify malicious files, quickly isolate the location of the executable and determine its extent.&nbsp;<\/p>\n\n\n\n<p><ins><strong>Indicators of Compromise<\/strong><\/ins><\/p>\n\n\n\n<p>The following Indicators of Compromise can help security professionals identify waRAT activity. 
The domains hosting C2 and payload are spread across China and Hong Kong.&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>During LMNTRIX Hunt activities for one of our Telco clients, we discovered a Remote Access Trojan on its network which had completely bypassed the client&rsquo;s traditional anti-virus solutions.&nbsp; This piece of malware, dubbed waRat, could have given the attacker complete remote access to client&rsquo;s environment. 
We&rsquo;ve found no evidence of spearphishing as the delivery mechanism, [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":2714,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[21],"tags":[],"class_list":["post-2698","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-labs"],"_links":{"self":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/2698","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/comments?post=2698"}],"version-history":[{"count":4,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/2698\/revisions"}],"predecessor-version":[{"id":4305,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/2698\/revisions\/4305"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/media\/2714"}],"wp:attachment":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/media?parent=2698"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/categories?post=2698"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/tags?post=2698"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}