Chinese cyber spies breach the Indian enterprise
18 December 2020

RAT used by Chinese cyberspies infiltrating Indian businesses

Written by Pavankumar Chaudhari
APT, Cybersecurity

A few months back, a Delphi-based malware was being distributed to multiple systems via an SMB exploit. Its payloads closely resemble the open-source Gh0stRAT code. Gh0st has been used by Chinese threat actors to target multiple agencies in Asia. It is a Remote Access Trojan with capabilities such as keylogging, microphone surveillance, downloading and executing payloads from remote servers, restarting the computer, and opening a remote shell on the system.

We have observed this malware targeting important institutions in India, including:

  • Banks
  • Railways
  • Milk Distributors
  • Hospitals and Pharmaceuticals
  • Agro Industries
  • Food Production Industries

Analysis showed that the malware creates two payloads, app.exe and mfc.exe. When executed, each extracts a DLL into the Windows System32 folder and registers it as a service for persistence. Most of the code in the extracted payloads shares similarities with the open-source Gh0st RAT code.

Technical Analysis

Payload 1 – app.exe

This executable carries an embedded DLL stored byte-reversed, as shown in Figure 1.

Figure 1: Embedded DLL in app.exe

The embedded binary is decrypted and written to the %SYSTEMROOT%\System32\ folder. Figure 2 shows the decryption loop; the DLL's file name is derived from the return value of the GetTickCount() API.

Figure 2: Decryption loop.
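The byte-reversed storage in Figure 1 is easy to hunt for once you notice that reversing the whole carrier turns the hidden DLL into an ordinary forward PE. The script below is an added example written for this post (not Seqrite's code and not the dropper's own routine); it assumes reversal is the only transform, so on a real sample any XOR or rolling-key layer from the Figure 2 loop has to be undone first. The "embedded DLL" and carrier bytes are constructed stand-ins.

```python
r"""Carve a PE image that a carrier binary stores byte-reversed.

Added example for this post, not Seqrite's code and not the dropper's own
routine. Assumption: the embedded DLL is the original file written back to
front (Figure 1); the decryption loop in Figure 2 may apply further
transforms the post does not describe, so run this after those are undone.
"""
import struct


def _u16(buf: bytes, off: int) -> int:
    if off + 2 > len(buf):
        raise ValueError("truncated")
    return struct.unpack_from("<H", buf, off)[0]


def _u32(buf: bytes, off: int) -> int:
    if off + 4 > len(buf):
        raise ValueError("truncated")
    return struct.unpack_from("<I", buf, off)[0]


def pe_file_size(buf: bytes, base: int):
    """Size on disk of the PE starting at buf[base], or None if the headers
    do not parse. Size = furthest end of any section's raw data (relative
    offsets throughout; `base` is only added when reading from `buf`)."""
    try:
        if buf[base:base + 2] != b"MZ":
            return None
        nt = _u32(buf, base + 0x3C)                  # e_lfanew
        if buf[base + nt:base + nt + 4] != b"PE\x00\x00":
            return None
        file_hdr = nt + 4
        n_sections = _u16(buf, base + file_hdr + 2)
        opt_size = _u16(buf, base + file_hdr + 16)   # SizeOfOptionalHeader
        sections = file_hdr + 20 + opt_size
        end = sections + 40 * n_sections             # at least the headers
        for i in range(n_sections):
            sec = base + sections + 40 * i
            raw_size = _u32(buf, sec + 16)           # SizeOfRawData
            raw_ptr = _u32(buf, sec + 20)            # PointerToRawData
            end = max(end, raw_ptr + raw_size)
        return end if base + end <= len(buf) else None
    except ValueError:
        return None


def carve_reversed_pe(carrier: bytes):
    """Return [(offset_in_carrier, recovered_image)] for every PE stored
    back to front inside `carrier`.

    Reversing the whole carrier turns a reversed embedded image into a
    normal one, so ordinary header parsing applies to the flipped buffer.
    A PE stored the normal way is not reported: flipped, it starts "ZM".
    """
    flipped = carrier[::-1]
    found = []
    pos = flipped.find(b"MZ")
    while pos != -1:
        size = pe_file_size(flipped, pos)
        if size:
            start_in_carrier = len(carrier) - (pos + size)
            found.append((start_in_carrier, flipped[pos:pos + size]))
        pos = flipped.find(b"MZ", pos + 1)
    return found


# --- constructed sample data (not bytes from the real samples) ---------------

def build_fake_pe() -> bytes:
    """320-byte stand-in for the embedded DLL: DOS header, PE signature,
    a file header with one section and no optional header, 64 data bytes."""
    dos = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40)            # e_lfanew
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x2102)   # i386, 1 section, DLL
    section = b".text\x00\x00\x00" + struct.pack(
        "<IIIIIIHHI", 64, 0x1000, 64, 0x100, 0, 0, 0, 0, 0x60000020)
    header = dos + b"PE\x00\x00" + file_hdr + section
    return header + b"\x00" * (0x100 - len(header)) + b"\xCC" * 64


def build_carrier() -> bytes:
    """37 bytes of padding, the fake DLL reversed, 11 bytes of padding."""
    return b"\x00" * 37 + build_fake_pe()[::-1] + b"\xFF" * 11


if __name__ == "__main__":
    for off, img in carve_reversed_pe(build_carrier()):
        print(f"reversed PE at carrier offset {off}, {len(img)} bytes, "
              f"recovered header {img[:2]!r}")
```

Against a real dropper, feed the whole file (or the decrypted overlay) as `carrier`; the recovered image can then be checked against the hashes in the IOC list and loaded into a disassembler as a normal DLL.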

App.exe then registers the DLL as a service by calling its exported Install function. The service details are:

  • ServiceName: csrss
  • DisplayName: Security Manager Accounts
  • DesiredAccess: SERVICE_ALL_ACCESS
  • ServiceType: SERVICE_WIN32_OWN_PROCESS|SERVICE_INTERACTIVE_PROCESS
  • StartType: SERVICE_AUTO_START
  • ErrorControl: SERVICE_ERROR_IGNORE
  • BinaryPathName: %SystemRoot%\System32\svchost.exe -k "csrss"
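Every field in that registration is a hunting lead: a service named after a core process that is never a service, a display name that shuffles the words of "Security Accounts Manager", an svchost -k group that Windows does not define, and the legacy interactive-process flag. The script below is an added example written for this post (not Seqrite's code); it takes service records shaped like an export of HKLM\SYSTEM\CurrentControlSet\Services plus the group names defined under the Svchost registry key, and flags records matching those traits. The sample records and group list are constructed; only the csrss record reproduces values from this post, and the display-name table is a deliberately small stand-in that you would extend from a clean host.

```python
r"""Hunt for service registrations that look like this dropper's.

Added example for this post; not Seqrite's code or the malware's. Input:
one dict per service with values named as in
HKLM\SYSTEM\CurrentControlSet\Services, plus the set of value names under
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost (the svchost
groups legitimately defined on that host). Sample data is constructed.
"""
import re

SERVICE_INTERACTIVE_PROCESS = 0x100   # dwServiceType flag from winsvc.h

# Core Windows processes that are never svchost-hosted services; a service
# registered under one of these names is borrowing a trusted name.
CORE_PROCESS_NAMES = {"csrss", "smss", "wininit", "winlogon", "lsass", "services"}

# Partial map of real display names (assumption: extend from a clean reference
# host). Used to catch word-shuffled lookalikes such as "Security Manager Accounts".
KNOWN_DISPLAY_NAMES = {
    "Security Accounts Manager": "SamSs",
    "Windows Event Log": "EventLog",
    "Remote Procedure Call (RPC)": "RpcSs",
}

_SVCHOST_RE = re.compile(r'svchost\.exe\s+-k\s+"?([^"\s]+)"?', re.IGNORECASE)


def svchost_group(image_path: str):
    """The -k group name if ImagePath launches svchost.exe, else None."""
    m = _SVCHOST_RE.search(image_path or "")
    return m.group(1) if m else None


def _word_bag(s: str):
    return sorted(w.lower() for w in re.findall(r"[A-Za-z()]+", s))


def display_name_lookalike(display: str):
    """A legitimate display name whose words were merely reordered, or None."""
    for legit in KNOWN_DISPLAY_NAMES:
        if display != legit and _word_bag(display) == _word_bag(legit):
            return legit
    return None


def suspicious_services(records, svchost_groups):
    """Return [(service_name, [reason, ...])] for records that trip a check."""
    findings = []
    for r in records:
        name = r["ServiceName"]
        reasons = []
        group = svchost_group(r.get("ImagePath", ""))
        if group is not None and group not in svchost_groups:
            reasons.append(f"svchost group '{group}' is not defined under the Svchost key")
        if name.lower() in CORE_PROCESS_NAMES:
            reasons.append(f"service name '{name}' impersonates a core Windows process")
        if r.get("Type", 0) & SERVICE_INTERACTIVE_PROCESS:
            reasons.append("SERVICE_INTERACTIVE_PROCESS is set (legacy flag, rare today)")
        legit = display_name_lookalike(r.get("DisplayName", ""))
        if legit:
            reasons.append(f"display name shuffles the words of '{legit}'")
        if reasons:
            findings.append((name, reasons))
    return findings


# --- constructed sample data -------------------------------------------------
SAMPLE_SVCHOST_GROUPS = {"netsvcs", "LocalService", "NetworkService",
                         "LocalServiceNetworkRestricted", "DcomLaunch", "RPCSS"}

SAMPLE_SERVICES = [
    {   # the dropper's registration, values as listed in the post
        "ServiceName": "csrss",
        "DisplayName": "Security Manager Accounts",
        "ImagePath": r'%SystemRoot%\System32\svchost.exe -k "csrss"',
        "Type": 0x110, "Start": 2, "ErrorControl": 0,
    },
    {   # the real SAM service, for comparison
        "ServiceName": "SamSs",
        "DisplayName": "Security Accounts Manager",
        "ImagePath": r"%SystemRoot%\system32\lsass.exe",
        "Type": 0x20, "Start": 2, "ErrorControl": 1,
    },
    {   # an ordinary svchost-hosted service
        "ServiceName": "Dhcp",
        "DisplayName": "DHCP Client",
        "ImagePath": r"%SystemRoot%\system32\svchost.exe -k LocalServiceNetworkRestricted -p",
        "Type": 0x20, "Start": 2, "ErrorControl": 1,
    },
]

if __name__ == "__main__":
    for svc, why in suspicious_services(SAMPLE_SERVICES, SAMPLE_SVCHOST_GROUPS):
        print(svc)
        for w in why:
            print("  -", w)
```

On a live host the Svchost key check is the strongest of the four: a `-k` group that no svchost.exe group definition references cannot be a Microsoft-installed service, whatever the DLL calls itself.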

The DLL's exported functions are:

  • DllUpdate
  • Install
  • MainThread
  • ServiceMain
  • Uninstall

C2 Functions

The Gh0st RAT code implements many C2 commands. Those identified by static analysis of this DLL are:

  • Shutdown System
  • Open URL
  • Download and Execute File
  • Find Process
  • Clean Event Logs

Shutdown System

This function adjusts its token privileges to obtain the shutdown privilege that ExitWindowsEx() requires, then calls ExitWindowsEx() to shut the system down.

Figure 3: Shutdown System

Download and Execute File

This function will download a specific file from the server and execute it.

Figure 4: Download and execute file

Find Process

This function searches for a specific process by calling process enumeration APIs.

Figure 5: Find process in an existing running process

Open URL

This function creates an iexplore.exe process with a specified URL.

Figure 6: Open URL

Clean Event Logs

This function clears the Application, Security and System event logs.

Figure 7: Clear event logs
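Clearing the logs is itself logged: Windows writes Event ID 1102 to the Security channel and Event ID 104 to the System channel (both from provider Microsoft-Windows-Eventlog) after each clear, so the act leaves a record even though the history is gone. The script below is an added example written for this post, not Seqrite's code; it parses event XML of that shape and reports hosts where all three logs were cleared within a short window, which separates this RAT command from an administrator clearing one log. The events are constructed (host names, users and times are invented) and follow the layout of the real 1102/104 records.

```python
"""Detect 'clear Application, Security and System' in Windows event XML.

Added example for this post, not Seqrite's code. Event ID 1102 (Security
channel) records the Security log being cleared; Event ID 104 (System
channel) records any other log being cleared and names it in UserData.
The sample events below are constructed, shaped like the real records.
"""
from collections import defaultdict
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

_EVT_NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"
ALL_THREE = {"Application", "Security", "System"}


def _local(tag: str) -> str:
    return tag.rsplit("}", 1)[-1]


def parse_systemtime(s: str) -> datetime:
    """Windows SystemTime has 7 fractional digits and a trailing Z."""
    s = s.rstrip("Z")
    if "." in s:
        head, frac = s.split(".", 1)
        s = f"{head}.{frac[:6].ljust(6, '0')}"
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


def log_cleared_event(xml_text: str):
    """(time, computer, cleared_channel, user) for a clear event, else None."""
    root = ET.fromstring(xml_text)
    sysnode = root.find(f"{_EVT_NS}System")
    event_id = int(sysnode.findtext(f"{_EVT_NS}EventID"))
    channel = sysnode.findtext(f"{_EVT_NS}Channel")
    computer = sysnode.findtext(f"{_EVT_NS}Computer")
    when = parse_systemtime(sysnode.find(f"{_EVT_NS}TimeCreated").get("SystemTime"))

    fields = {}
    userdata = root.find(f"{_EVT_NS}UserData")
    if userdata is not None:
        for child in userdata.iter():           # LogFileCleared and its children
            fields[_local(child.tag)] = (child.text or "").strip()

    if event_id == 1102 and channel == "Security":
        cleared = "Security"                    # 1102 always means the Security log
    elif event_id == 104 and channel == "System":
        cleared = fields.get("Channel", "")     # 104 names the log that was cleared
    else:
        return None
    user = f"{fields.get('SubjectDomainName', '')}\\{fields.get('SubjectUserName', '')}"
    return (when, computer, cleared, user)


def bulk_clears(events, window_seconds: int = 60):
    """Hosts where Application, Security and System were all cleared within
    `window_seconds`. Returns [(computer, first_time, user)]. A single clear
    is routine admin hygiene; all three in a burst matches this RAT command."""
    per_host = defaultdict(list)
    for e in events:
        rec = log_cleared_event(e)
        if rec:
            per_host[rec[1]].append(rec)
    hits = []
    for host, recs in per_host.items():
        recs.sort()
        i = 0
        while i < len(recs):
            burst = [r for r in recs[i:]
                     if (r[0] - recs[i][0]).total_seconds() <= window_seconds]
            if {r[2] for r in burst} >= ALL_THREE:
                hits.append((host, recs[i][0], recs[i][3]))
                i += len(burst)                 # do not report the same burst twice
            else:
                i += 1
    return hits


# --- constructed sample events ------------------------------------------------
def _clear_xml(event_id, channel, time, computer, user, cleared=None):
    extra = f"<Channel>{cleared}</Channel><BackupPath></BackupPath>" if cleared else ""
    return (
        f'<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        f'<System><Provider Name="Microsoft-Windows-Eventlog"/>'
        f'<EventID>{event_id}</EventID><TimeCreated SystemTime="{time}"/>'
        f'<Channel>{channel}</Channel><Computer>{computer}</Computer></System>'
        f'<UserData><LogFileCleared xmlns="http://manifests.microsoft.com/win/2004/08/windows/eventlog">'
        f'<SubjectUserName>{user}</SubjectUserName><SubjectDomainName>NT AUTHORITY</SubjectDomainName>'
        f'{extra}</LogFileCleared></UserData></Event>'
    )

SAMPLE_EVENTS = [
    _clear_xml(1102, "Security", "2020-12-10T08:15:02.1234567Z", "fin-ws-17", "SYSTEM"),
    _clear_xml(104, "System", "2020-12-10T08:15:02.4000000Z", "fin-ws-17", "SYSTEM", "Application"),
    _clear_xml(104, "System", "2020-12-10T08:15:03.0000000Z", "fin-ws-17", "SYSTEM", "System"),
    # a lone Application clear on another host a day earlier: not flagged
    _clear_xml(104, "System", "2020-12-09T17:40:11.0000000Z", "fin-ws-02", "jdoe", "Application"),
]

if __name__ == "__main__":
    for host, first, user in bulk_clears(SAMPLE_EVENTS):
        print(f"{host}: all three logs cleared from {first.isoformat()} by {user}")
```

Because the service runs as LocalSystem, the subject on these records will usually be SYSTEM rather than an interactive account, which is a useful secondary signal when triaging the hits; forwarding the Security and System channels to a collector before the clear is what makes the detection survive the clear itself.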

Payload 2 – mfc.exe

The second executable dropped by the main payload is mfc.exe, which carries an embedded DLL in a resource named "BIN".

Figure 8: Embedded DLL in the resource.

When run, this payload drops a DLL with a random name from that resource into the System32 folder and installs it as a service named "NetworkServices" on the infected system. After writing the DLL, mfc.exe calls the DLL's Install() export.

This DLL has four exported functions as below:

  • Install
  • Launch
  • ServiceMain
  • UnInstall

Below are C2 Commands observed in this sample:

  • Install Keyboard Hook
  • Process Enumeration
  • Remote Shell
  • Audio Capture
  • Download and Execute File

Install Keyboard Hook

Figure 9 shows that a thread is created to install a keyboard hook. All captured keystrokes are written to a file named "syslog.dat". Figure 10 shows the corresponding keylogger code from the open-source Gh0st RAT.

Figure 9: Install keyboard hook
Figure 10: Keylogger function from open-source Gh0st RAT code.

Process Enumeration

This command lists the running processes and the modules loaded in each of them.

Figure 11: Process listing function

Remote Shell

This function will create a remote shell to accept and execute any command.

Figure 12: Function to get a remote shell

Audio Capture

This function records audio with the help of functions like waveInOpen(), waveInStart(), waveInStop() etc.

Figure 13: Function for audio recording

Download and Execute File

This function downloads an executable from a remote server and executes it.

Figure 14: Download and execute the payload

IOCs (MD5)

  • FF6511DE176A434FA2F7C939795A13CC
  • A6CC92A1993F040E87090F8B89836332
  • 550C055339A9FEC141997CDA3F32FD0A
  • A2B75BD7254997BEC6A19D752E26FA50
  • 4B8C6D70A186FEC7C79D5B52B2FF0E76
  • E22E5A85ED5294B179EBD416EEB5BEBB
  • 5CE36CBD7D4A58A1B1A8C5B7BE194F23
  • E94F9AF9EA11301831AAA1BDE34D3DEB
  • 23D4EC869960CE02865C98F64581136A
  • 367150E5DA2ED1BFAAE9210105BCEEA1
  • BFB095C595FAA47CBFD4AB6199A7E297
  • CA07E26D95D927953197840EA93EDD03
  • 6B8A19DF9827CFB95F6461FEF9929F83
  • 7DC43FCA774E612BF611ACD882400308
  • 1127149CB5378FCA7181F81EB8149FC9
  • F1E921F5730919E946D9A64019867E13
  • B80A559CD7D48C9D3115A013EA662263
  • 9403464BB99D87A02667E3E5DBA4A57C

Conclusion

These samples are modified variants of Gh0st RAT, and the actors keep updating them to evade AV detection. The samples and TTPs seen in the victim organizations are mostly associated with China-based APT groups. We have been tracking these samples for the last month but have not been able to identify the initial attack vector. Because the targeting is industry-specific, we expect to find more malware tied to these attack chains. Interestingly, a few of the victims were also infected with Monero miners during the same period. We will keep monitoring the campaign to uncover the full infection chain.

Subject matter experts

Pavankumar Chaudhari

Kalpesh Mantri
