A Commercial RAT With a Long Tail
Threat actors began marketing BitRAT on underground cybercriminal markets in February 2021. The RAT is notorious for its social media presence and its relatively low price of $20, which makes it popular among cybercriminals, researchers said.

Key capabilities of BitRAT include data exfiltration, execution of payloads with bypasses, distributed denial of service (DDoS), keylogging, webcam and microphone recording, credential theft, Monero mining, and process, file, and software management tasks, among others.

BitRAT is an example of how the use of commercial RATs has evolved, not only with new propagation capabilities but also by harnessing legitimate infrastructure to host malicious payloads, Pradhan said. This is something that enterprises now need to account for in their security postures, he noted.

To that end, the researchers advised all organizations to employ endpoint detection and response (EDR) solutions that can detect malware such as BitRAT as it lands on an endpoint. Asset management, vulnerability detection, policy compliance, patch management, and file-integrity monitoring across the estate are key for combating malware like this, they added.

Enterprises should also implement external attack surface management solutions, which continuously monitor and reduce the entire enterprise attack surface, internal and Internet-facing assets alike, and surface previously unidentified exposures, to counter evolving threats, the researchers said.
Anatomy of the BitRAT
Researchers found and analyzed a cache of Excel sheets, all authored by "Administrator," being used as lures for a BitRAT campaign, with data from the tables being reused in the Excel maldocs as well as being included in the database dump, they said.

"The Excel contains a highly obfuscated macro that will drop an .inf payload and execute it," Pradhan wrote in the post. "The .inf payload is segmented into hundreds of arrays in the macro."

A de-obfuscation routine performs arithmetic operations on the arrays to rebuild the payload at execution time; the macro then writes the payload to the temp directory and executes it via advpack.dll, a legitimate Windows component that can run the install sections of an .inf file, he said.

The macro also carries a hex-encoded second-stage .dll payload that is decoded via certutil, the built-in Windows certificate utility abused here for its hex-decoding function, written to "%temp%\," and executed with rundll32, the researchers found. Once this stage has run, the temp files are deleted, they said.

It is this .dll that uses various anti-debugging techniques before downloading and executing the final BitRAT payload. The file uses the WinHTTP library to download BitRAT-embedded payloads into the "%temp%" directory from a GitHub repository created in mid-November by a "throwaway" account, Pradhan wrote.

In the final stage, the .dll uses WinExec to start the "%temp%" payload and exits. To maintain persistence on the victim's machine, the BitRAT sample starts and then relocates the loader to the user's Startup folder, the researchers said.
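Taken together, the stages above (an Office macro launching an .inf through advpack.dll, certutil decoding a hex blob into %temp%, rundll32 loading a DLL from %temp%, an executable started from %temp%, and a copy placed in the Startup folder) are each common living-off-the-land behaviors, but they rarely co-occur on one host. The following Python script, added here as an example and not code from the article or the researchers it cites, scores constructed Sysmon-style events against that chain. The event schema, the command lines, the use of advpack.dll's LaunchINFSection export, and the three-stage threshold are assumptions, not details from the article.

```python
"""Flag the BitRAT-style loader chain in process and file events.

Added example, not code from the article or the researchers it cites.
The sample events are CONSTRUCTED; field names follow a Sysmon-like
schema and the command lines are assumptions, not real indicators.
"""
import re
from typing import Dict, List

# Paths under a temp directory, a .dll under a temp directory, and the
# per-user Startup folder. Case-insensitive because Windows paths are.
TEMP = re.compile(r"\\(?:temp|tmp)\\", re.IGNORECASE)
DLL_FROM_TEMP = re.compile(r"\\(?:temp|tmp)\\[^\s,]*\.dll", re.IGNORECASE)
STARTUP = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
CERTUTIL_DECODE = re.compile(r"[-/]decode", re.IGNORECASE)  # -decode / -decodehex

OFFICE = {"excel.exe", "winword.exe", "powerpnt.exe"}
LOLBINS = {"rundll32.exe", "certutil.exe", "cmd.exe", "wscript.exe", "powershell.exe"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev: Dict[str, str]) -> List[str]:
    """Return the loader-chain stages a single event matches (possibly none)."""
    tags: List[str] = []
    image = ev.get("image", "")
    img = basename(image)
    parent = basename(ev.get("parent_image", ""))
    cmd = ev.get("command_line", "")
    low = cmd.lower()
    if ev.get("event") == "process_create":
        # Stage 1: an Office process spawning a living-off-the-land binary.
        if parent in OFFICE and img in LOLBINS:
            tags.append("office_spawns_lolbin")
        # .inf run through advpack.dll (assumed: the LaunchINFSection export).
        if img == "rundll32.exe" and "advpack" in low and "launchinfsection" in low:
            tags.append("inf_via_advpack")
        # Stage 2: certutil used as a decoder with its output in a temp dir.
        if img == "certutil.exe" and CERTUTIL_DECODE.search(cmd) and TEMP.search(cmd):
            tags.append("certutil_decode_to_temp")
        # Stage 2: rundll32 loading a DLL that lives in a temp directory.
        if img == "rundll32.exe" and DLL_FROM_TEMP.search(cmd):
            tags.append("rundll32_dll_from_temp")
        # Stage 3: a process whose own image sits in a temp directory.
        if TEMP.search(image):
            tags.append("exe_from_temp")
    elif ev.get("event") == "file_create":
        # Persistence: anything written into the user's Startup folder.
        if STARTUP.search(ev.get("target_filename", "")):
            tags.append("startup_persistence")
    return tags


def score_host(events: List[Dict[str, str]], min_stages: int = 3) -> Dict[str, object]:
    """Aggregate per-event tags into a host-level verdict.

    One tag alone (e.g. a single exe run from %temp%) is noisy; the chain is
    distinctive because several distinct stages occur on the same host.
    """
    seen: Dict[str, int] = {}
    for ev in events:
        for tag in classify(ev):
            seen[tag] = seen.get(tag, 0) + 1
    stages = len(seen)
    verdict = "likely_loader_chain" if stages >= min_stages else "benign"
    return {"stages": stages, "tags": seen, "verdict": verdict}


# Constructed sample telemetry (not real BitRAT indicators).
U = r"C:\Users\alice\AppData\Local\Temp"
XL = r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"event": "process_create", "parent_image": XL, "image": r"C:\Windows\System32\rundll32.exe",
     "command_line": rf"rundll32.exe advpack.dll,LaunchINFSection {U}\x.inf,DefaultInstall"},
    {"event": "process_create", "parent_image": XL, "image": r"C:\Windows\System32\certutil.exe",
     "command_line": rf"certutil -decodehex {U}\stage2.txt {U}\stage2.dll"},
    {"event": "process_create", "parent_image": XL, "image": r"C:\Windows\System32\rundll32.exe",
     "command_line": rf"rundll32 {U}\stage2.dll,DllMain"},
    {"event": "process_create", "parent_image": r"C:\Windows\System32\rundll32.exe",
     "image": rf"{U}\payload.exe", "command_line": rf"{U}\payload.exe"},
    {"event": "file_create", "image": rf"{U}\payload.exe",
     "target_filename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\loader.exe"},
    {"event": "process_create", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "command_line": "notepad.exe"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(basename(ev["image"]), classify(ev))
    print(score_host(SAMPLE_EVENTS))
```

The per-event tags are deliberately broad (any certutil decode into a temp directory, any binary run from %temp%) so they survive a different file name or repository; the host-level threshold is what keeps the rule quiet on developer machines where one such event is routine.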