
November 29, 2024

The RAT race: What happens when RATs go undetected

By Ryan Slaney

With contributions from Hugh Whitewood and Damon Toumbourou.


Recently, a Field Effect MDR client received an email to its self-hosted help desk software. The email contained an attachment which was automatically saved in a Windows temp directory, as is normal practice for the help desk software. However, once the file hit the disk, it was immediately deemed malicious, and Field Effect MDR issued an ARO notifying the would-be victim of the malicious activity.

While this type of activity—malware downloaded, detected, quarantined, and reported—is typical of an effective MDR solution, we were curious to see what would have happened had the file not been detected and the attack proceeded the way the threat actors intended.

What could have happened

As mentioned, the attack chain started when the threat actor sent an email with an attachment to the target’s self-hosted help desk solution. As normal, the help desk system created a ticket for the email and saved the attachment, named attach_71gnjgai1e4ungap5iji6gatcqjnwgaw.html (SHA256: 65709e96fce3ec279ee1350e0cf28d1ea420fc50163b7936d505ba9ac7600a9d), to a local directory.

Now let’s pretend that the file wasn’t detected. The file appears to be a benign HTML file. However, once decoded, analysis of its contents reveals that it is an exploit for CVE-2024-38213. This flaw allows threat actors to bypass Windows’ "Mark of the Web" (MoTW) security feature, which flags files downloaded from untrusted sources, such as the internet, and enables additional protections like Windows Defender SmartScreen.


Image 1: CVE-2024-38213 exploit code

Presumably, the help desk agent assigned the ticket would eventually open the file. Once opened, the exploit would prompt the user to load the URL \\invoiceposs[.]shop@9895\DavWWWRoot\UP5740936209HJSKUDS as a remote WebDav directory in Windows Explorer rather than the victim’s default browser. Because of this, the user would not see any security warnings regarding the potentially unsafe nature of the files the directory contains.


Image 2: Prompt to view the file in Windows Explorer

The directory contains one LNK file disguised as a PDF, named UP5740936209HJSKUDSA_pdf. The target of this LNK file is \\expect-major-institutes-ec.trycloudflare[.]com@SSL\DavWWWRoot\new.vbs, a Visual Basic script.


Image 3: WebDav Directory containing disguised PDF file that leads to VB script

When executed, new.vbs runs new.bat, a bat file obfuscated with BatchShield that first attempts to open a PDF file in the user’s Downloads directory, presumably as a decoy. It then checks whether Avast or AVG anti-virus software is running and modifies the download URL based on the outcome.

It then downloads a ZIP file to the user’s Downloads folder and extracts its contents. The Python scripts contained in the archive are then run, and another obfuscated bat file, called startuppp.bat, is downloaded and placed in the user’s Startup folder.


Image 4: New.vbs code

New.bat then downloads and extracts an additional file before hiding two folders in the user’s Downloads folder, one named Print and the other Extracted.


Image 5: Contents of new.bat file obfuscated using BatchShield


Image 6: Contents of deobfuscated new.bat file

Python modules

New.bat executes multiple compiled Python files (PYC files), each one with its own functionality. However, they are all loaded in the same manner, in that they use a similar Python script to execute arbitrary code in memory without leaving traces on disk.

This allows threat actors to achieve stealthy in-memory execution of payloads, bypassing traditional file-based detection mechanisms. The shellcode is encrypted with an RC4 stream cipher, likely to make detection more difficult, and was generated using Donut, an open-source tool that can inject and load in-memory payloads for execution.

Once executed, it runs a second shellcode payload likely generated by laZzzy, a shellcode loader freely available on GitHub that uses different execution techniques commonly used by malware.


Image 7: f5.py shellcode loader

New.bat final payloads

Our analysis of the Python files revealed that their purpose is to launch well-documented Remote Access Tools (RATs), which are often used for malicious purposes.

The two files—ana.py and ven.py—launch DcRAT, a RAT popular among threat actors due to its low cost, ease of use, and customizable features. DcRAT is sold on underground forums and often comes as a single executable file, making it accessible even to less technically skilled attackers.

The file named asy.py launches AsyncRAT, another RAT designed for malicious purposes that allows attackers to remotely control and manipulate infected devices. It's a widely available and customizable open-source RAT, used by both researchers for legitimate testing and attackers for nefarious activities.

The files named Xw3.py and Xw5.py launch XWorm, a RAT designed for various illicit activities, including data theft, espionage, and system manipulation. XWorm is known for its stealth and advanced features, making it a popular tool among threat actors.

The script Hvn.py launches an obfuscated .NET payload which results in the deployment of the PureLog Stealer. This stealer targets crypto wallets and browser data.


Image 8: PureLog Infostealer code snippet

Interestingly, the payload contains URLs to a GitHub repository hosting Selenium’s WebDriver for Chrome and Microsoft Edge, which is primarily a legitimate tool for web automation and testing.

However, its capabilities can also be exploited to perform unauthorized actions or assist in cyberattacks. For example, malware can use WebDriver to automate the login process to online banking portals and perform fraudulent transactions.

It can also be used to automate ad clicks to generate fake traffic and revenue.


Image 9: URLs to Selenium found in PureLog Infostealer

These WebDriver files were uploaded to the repository on March 3, 2024, indicating that the campaign could have been going on since then. The GitHub account has no other repositories or activity, indicating it was likely set up solely to support this campaign.


Image 10: GitHub repository hosting WebDriver for Chrome and Microsoft Edge.

Startuppp.bat final payloads

Additional Python bytecode files are executed from the startuppp.bat file depending on whether Avast or AVG anti-virus software is detected. If it is, scripts named f1.py through f6.py launch DcRat, AsyncRat, PureLog Stealer, and XWorm.

If Avast and AVG are not detected, scripts named r1.py through to r6.py launch the same payloads but packed differently.


Image 11: Deobfuscated startuppp.bat

The double execution of the payloads is likely for redundancy in case one of the payloads fails to load due to issues with decryption, shellcode loading, etc.

Command and control

Each of the RATs and the PureLog Infostealer uses a duckdns.org domain for command and control. Duck DNS is a free service allowing users to point subdomains of duckdns.org to an IP of their choice. In this case, the domains were pointed to one of two IP addresses, 12.187.175.72 or 12.202.180.114, both hosted by AT&T and located in the U.S.


Interestingly, the subdomains often include the name of the particular RAT they are presumably used by, for example, ‘Newxrm5.duckdns.org’ and ‘Pdhasync.duckdns.org’. This is likely meant to assist the threat actor in keeping track of which RAT the various subdomains are associated with.

According to Censys.io, IP 12.202.180.114 hosts:

  • DcRAT on port 7878,
  • AsyncRat on port 8797, and
  • a Plex media server on port 32400.

IP 12.187.175.72 does not appear to have any services currently running on it.

As of the time of publishing, several of the C2 domains have already been sinkholed, meaning DNS servers have been purposely configured not to resolve them, preventing further infections.

Additional attacks and WebDav directories

While investigating this attack attempt, we were alerted to another client who had received an email which contained the same exploit. This time, the email was sent from what appeared to be a legitimate email address, info@meridianinsurance.com, and contained an attachment called Policy_claimpdf.html, continuing the insurance theme.

The attachment was the same exploit for CVE-2024-38213 as previously observed, except this time the target was directed to an LNK file disguised as a PDF hosted in a different WebDav directory located at \\prtmscaup[.]click@7567\DavWWWRoot\.

The LNK file then redirects the target to the new.bat script which is hosted in another WebDav directory located at \\level-kevin-sing-jordan.trycloudflare[.]com@SSL\DavWWWRoot\.

Examining the folders within the \\prtmscaup[.]click@7567\DavWWWRoot\ directory also revealed malicious LNK files that directed targets to new.bat hosted at \\quite-plug-kevin-restore.trycloudflare[.]com@SSL\DavWWWRoot\.

While the directory was under observation, the threat actor changed the target of all the LNK files to \\facts-at-pennsylvania-compliance.trycloudflare[.]com@SSL\DavWWWRoot\.


Image 12: Contents of WebDav directory hosted at \\prtmscaup[.]click@7567\DavWWWRoot\

It appears that the threat actor is using Cloudflare’s free tunnel service, TryCloudflare, to quickly stand up and take down URLs that lead to the open WebDav directory containing the malicious files required for the attack. These subdomains are randomly generated, which explains the odd naming conventions we observed, and then proxied through Cloudflare’s network to the threat actor's web server.
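The attack chain above leans on two lookalike patterns a defender can hunt for in mail-gateway, proxy and DNS telemetry: WebDAV UNC paths of the form \\host@port\DavWWWRoot\ or \\host@SSL\DavWWWRoot\ (the MoTW-bypass lure from "What could have happened"), and hostnames under the free trycloudflare.com and duckdns.org services used for staging and command and control. The following detection snippet is an added example, not code from Field Effect or from the malware; the sample records it scans are constructed from the URLs quoted in this write-up, and the regexes and field names are assumptions of the example.

```python
import re
from dataclasses import dataclass

# WebDAV UNC paths as used in this campaign: \\host@port\DavWWWRoot or
# \\host@SSL\DavWWWRoot. Hosts may be defanged with "[.]" in reports.
WEBDAV_UNC = re.compile(
    r"\\\\(?P<host>[A-Za-z0-9.\-\[\]]+)@(?P<port>SSL|\d{1,5})\\DavWWWRoot",
    re.IGNORECASE,
)
# Any dotted hostname; checked against the free-service suffixes seen in the attack.
HOSTNAME = re.compile(r"\b[A-Za-z0-9\-]+(?:(?:\.|\[\.\])[A-Za-z0-9\-]+)+\b")
WATCHED_SUFFIXES = ("trycloudflare.com", "duckdns.org")  # assumed watch list


@dataclass(frozen=True)
class Finding:
    kind: str    # "webdav-unc" or "watched-domain"
    host: str    # refanged, lower-cased hostname
    detail: str  # port/SSL for UNC hits, matched suffix for domain hits


def refang(host: str) -> str:
    """Turn report-style 'example[.]com' back into 'example.com'."""
    return host.replace("[.]", ".").lower()


def watched_suffix(host: str):
    for suffix in WATCHED_SUFFIXES:
        if host == suffix or host.endswith("." + suffix):
            return suffix
    return None


def scan_line(line: str) -> list:
    """Return the findings for one log line, proxy record or attachment body."""
    findings = []
    for m in WEBDAV_UNC.finditer(line):
        findings.append(Finding("webdav-unc", refang(m.group("host")),
                                "port=" + m.group("port").upper()))
    for m in HOSTNAME.finditer(line):
        host = refang(m.group(0))
        suffix = watched_suffix(host)
        if suffix:
            findings.append(Finding("watched-domain", host, "suffix=" + suffix))
    return findings


def scan_lines(lines) -> list:
    return [f for line in lines for f in scan_line(line)]


# Constructed sample records (not real telemetry) modelled on the URLs in the write-up.
SAMPLE_LINES = [
    r"explorer.exe \\invoiceposs[.]shop@9895\DavWWWRoot\UP5740936209HJSKUDS",
    r"lnk target: \\expect-major-institutes-ec.trycloudflare[.]com@SSL\DavWWWRoot\new.vbs",
    "dns query A newxrm5.duckdns.org from 10.0.0.25",
    "GET https://www.example.com/index.html 200",
]

if __name__ == "__main__":
    for f in scan_lines(SAMPLE_LINES):
        print(f.kind, f.host, f.detail)
```

A hit on the UNC pattern in an HTML attachment or in an explorer.exe command line is the earlier, higher-confidence signal; the domain suffixes are noisier and are best used to corroborate.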

Conclusion

Fortunately, Field Effect MDR detected and stopped these attacks in their infancy. Had it not, our analysis shows that the threat actor could have gained remote access to the target’s system and others on the same network, potentially facilitating the deployment of ransomware or the exfiltration of sensitive data.

Cyberattacks happen and, when they do, it’s important to have a cybersecurity solution in place that rapidly detects and contains threats in their earliest stages. In this case, Field Effect MDR identified and alerted to the presence of malware almost immediately to stop the threat from spreading and causing avoidable damage.

Indicators of compromise


If you have any questions or comments regarding this analysis, please contact us.