New SectopRAT: Remote access malware utilizes second desktop to control browsers
Bug 
Quote:

This new remote access malware creates a second desktop that is invisible to the system's user. The threat actor can surf the Internet using the infected machine.

General appearance and obfuscation

SectopRAT is a .NET based remote access malware. The sample[1] was originally found by MalwareHunterTeam and announced in a tweet on 15 November 2019. It was compiled on 13 November 2019. Using the following Yara rule we were able to obtain a second sample[2] that was compiled on 14 November 2019 and submitted a day later to VirusTotal.

The first sample[1] is signed by Sectigo RSA Code Signing CA, uses a Flash icon and has the following Version Information.

language ID: 0x0409
code page: 0x04B0
Comments: Idito PleasweN MinIMus Inc.
CompanyName: Nikler
LegalCopyright: Nikler
ProductName: Idito PleasweN MinIMus Inc.
FileVersion: 3.21.0005
ProductVersion: 3.21.0005
InternalName: Burataslop
OriginalFilename: Burataslop.exe

The second sample[2] is not signed and uses an icon that looks like a red floppy disk. The Version Information looks different too but follows a similar pattern of upper and lower case combinations in a jumble of arbitrary words.

language ID: 0x0409
code page: 0x04B0
Comments: errORs KilEfnos INCreASe MY Wife
CompanyName: LAkoRasen Kuscev MeaninG Jow
LegalCopyright: FAW ISir Polaris ComapNY
LegalTrademarks: investORS Leanda MikiRUck
ProductName: Colleti
FileVersion: 4.01.0009
ProductVersion: 4.01.0009
InternalName: Veerfus413
OriginalFilename: Veerfus413.exe

The first section of both samples has arbitrary characters for its name and has write and execute characteristics. The 5th and last section has no name and contains the entry point. The other sections look rather typical.

The threat actor used ConfuserEx to obfuscate the control flow and add invalid metadata to the .NET assembly. The invalid metadata prevents tools like dnSpy from decompiling the code.

Configuration and persistence

The assembly has a RemoteClient.Config class containing four public static variables for the configuration: ip, retip, filename, mutexName. The ip is the Command and Control (C&C) server IP. The retip variable is for setting a new C&C IP that the server can override by using the "set IP" command. The configuration is the same for both SectopRAT samples.

The variables filename and mutexName are set but not used in the code. Instead it uses a hardcoded filename, spoolsvc.exe, and copies itself to %LOCALAPPDATA%\Microsoft\

Persistence is achieved by adding spoolsvc.exe to the RUN key in the registry.
...
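A defender-side check for the persistence pattern the post describes (an added example, not code from the G DATA article or the forum): it parses a .reg-style export of the Run keys and flags a spoolsvc.exe under %LOCALAPPDATA%\Microsoft\; going a step beyond the post, it also flags a spoolsv.exe lookalike outside System32. The registry export, user name and paths are constructed sample data.

```python
import re
from typing import Iterator, List, Tuple

# Genuine Print Spooler is spoolsv.exe in System32; SectopRAT drops the
# lookalike spoolsvc.exe into %LOCALAPPDATA%\Microsoft\ (per the post).
SECTOP_NAME = "spoolsvc.exe"
SECTOP_DIR_FRAGMENT = "\\appdata\\local\\microsoft\\"
SYSTEM32_FRAGMENT = "\\system32\\"
# Constructed .reg-style export of Run keys on a hypothetical host (sample data)
CONSTRUCTED_EXPORT = r'''
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"spoolsvc"="C:\\Users\\alice\\AppData\\Local\\Microsoft\\spoolsvc.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"
"Spooler"="C:\\Users\\Public\\spoolsv.exe"
'''
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def _unescape(s: str) -> str:
    return re.sub(r"\\(.)", r"\1", s)  # .reg escapes: \\ -> \ and \" -> "

def executable_path(command: str) -> str:  # program part of a command line, lower-cased
    command = command.strip()
    if command.startswith('"'):  # quoted path, may contain spaces
        end = command.find('"', 1)
        return command[1:end if end > 0 else None].lower()
    parts = command.split()
    return parts[0].lower() if parts else ""

def parse_run_entries(export: str) -> Iterator[Tuple[str, str, str]]:
    key = None  # yields (key, value name, command) for values under a ...\Run key
    for line in export.splitlines():
        line = line.strip()
        key_match = KEY_RE.match(line)
        if key_match:
            key = key_match.group(1)
            continue
        value_match = VALUE_RE.match(line)
        if value_match and key and key.lower().endswith("\\run"):
            yield key, _unescape(value_match.group(1)), _unescape(value_match.group(2))

def find_suspicious(export: str) -> List[Tuple[str, str, str, str]]:
    findings = []  # (key, value name, exe path, reason)
    for key, name, command in parse_run_entries(export):
        path = executable_path(command)
        base = path.rsplit("\\", 1)[-1]
        if base == SECTOP_NAME and SECTOP_DIR_FRAGMENT in path:
            findings.append((key, name, path, "SectopRAT persistence pattern"))
        elif base == "spoolsv.exe" and SYSTEM32_FRAGMENT not in path:
            findings.append((key, name, path, "spooler name outside System32"))
    return findings
```

On a live host the same export can be produced with `reg export` of the two Run keys and fed to `find_suspicious`.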