One Article Review

Home - The article:
Source AlienVault Blog
Identifier 1080738
Publication date 2019-03-25 13:00:00 (viewed: 2019-03-25 21:58:00)
Title The odd case of a Gh0stRAT variant
Text This is a guest post by independent security researcher James Quinn. This will be Part 1 of a series titled Reversing Gh0stRAT Variants.

As 2018 drew to a close and 2019 took over, I began to see a different behavior from SMB malware authors. Instead of massive, multi-staged cryptocurrency miners, I began to see more small, covert RATs serving as partial stage1s. Of these samples, there was one specific sample that stood out to me. A Gh0stRAT variant, this sample not only changed the Gh0stRAT header from "Gh0st" to "nbLGX", it also hid its traffic with an encryption algorithm over the entire TCP segment, in addition to the standard Zlib compression on the Gh0stRAT data. Some key functionality is below:

- Can download more malware
- Offline keylogger
- Cleans event logs

[Screenshot 1: Encrypted login packet sent by a Gh0stRAT-infected PC]

In addition to a standard malware analysis blog post, I'd also like to take this time to document and describe my methods for analysis, in the hope that you as a reader will use these techniques in the future.

Malware Analysis

Before we begin the analysis, I'd like to clarify some of the terms used.

Stage1 - Typically the first contact or entry point for malware. This is the first part of the malware to arrive on a system.
SMB Malware - Any malware that uses the SMB protocol to spread. SMB is typically used for file sharing between printers and other computers; however, in recent years malware authors have been able to leverage this protocol to remotely infect hosts.
RAT - Remote Access Trojan. This type of malware allows for the complete control of an infected computer.
Gh0stRAT - An open source RAT used primarily by Chinese actors. A more detailed analysis of the standard Gh0stRAT can be found here.

Despite being a Gh0stRAT sample, this variant is very different from your standard Gh0stRAT sample. One of the most noticeable differences is the use of encryption over the entire TCP segment, as a way for it to evade detection. Additionally, this seems to be a lightweight version of Gh0stRAT, as it only has 12 commands, compared to the 73 for a full Gh0stRAT sample; 3 of those commands are undocumented. Also, unlike most samples that I receive on my honeypot, this sample did not start as a DLL that communicates with a distribution server in order to download the stage1. Instead, dropped on my honeypot was a full exe that served as the dropper.

Domains
- http://mdzz2019.noip[.]cn:19931
- http://mdzz2019.noip[.]cn:3654/

From my analysis, I was able to identify http://mdzz2019.noip[.]cn:19931 as its main C2 URL. This is a dynamic DNS host, meaning the actual IP changes quite frequently. Additionally, on that same host, http://mdzz2019.noip[.]cn:3654/ is used to distribute more versions of this Gh0stRAT sample, along with a .zip file containing ASPXSpy, a web shell.

Exploits
- CVE-2017-0143, SMB exploit
- CVE-2017-0146, SMB exploit

These 2 exploits are EternalBlue/DoublePulsar and are used to drop the Stage1 Dropper onto a
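The post's central observation is that the variant keeps the standard Gh0stRAT framing (a flag string followed by Zlib-compressed data) but swaps the flag from "Gh0st" to "nbLGX" and then encrypts the whole TCP segment, so a detector keyed on the plaintext header no longer fires. The following is an added example, written for this review and not code from the post or from the Gh0stRAT project, of a defensive frame parser that accepts either flag, validates the length fields and the Zlib body, and reports "unknown" for anything else. It assumes the commonly documented Gh0st framing (a 5-byte flag, a 4-byte little-endian total length that includes the header, a 4-byte little-endian uncompressed length, then the Zlib body); the function and sample names are the example's own, and all test traffic is constructed inline.

```python
import struct
import zlib
from typing import Optional

# Assumed Gh0st framing (as commonly documented for the open-source RAT;
# treated as an assumption here, not taken from the post):
#   5-byte flag | uint32 LE total length (header included) | uint32 LE
#   uncompressed length | zlib-compressed body
HEADER = struct.Struct("<5sII")

# "Gh0st" is the stock flag; "nbLGX" is the flag the post reports for this variant.
KNOWN_FLAGS = (b"Gh0st", b"nbLGX")


def build_frame(flag: bytes, body: bytes) -> bytes:
    """Construct a Gh0st-style frame. Used here only to generate test traffic."""
    compressed = zlib.compress(body)
    return HEADER.pack(flag, HEADER.size + len(compressed), len(body)) + compressed


def parse_frame(segment: bytes) -> Optional[dict]:
    """Return the parsed fields if `segment` is a well-formed Gh0st-style frame, else None.

    Every field is cross-checked so a stray "Gh0st"/"nbLGX" string in unrelated
    traffic does not produce a false positive on its own.
    """
    if len(segment) < HEADER.size:
        return None
    flag, total_len, orig_len = HEADER.unpack_from(segment)
    if flag not in KNOWN_FLAGS:
        return None
    if total_len != len(segment):
        return None
    try:
        body = zlib.decompress(segment[HEADER.size:])
    except zlib.error:
        return None
    if len(body) != orig_len:
        return None
    return {"flag": flag.decode("ascii"), "total_len": total_len, "body": body}


def classify(segment: bytes) -> str:
    """Label a TCP payload for a detection pipeline."""
    parsed = parse_frame(segment)
    if parsed is None:
        return "unknown"
    return f"gh0st-frame:{parsed['flag']}"


def scan_samples() -> dict:
    """Run the classifier over constructed payloads (not captured traffic)."""
    samples = {
        "stock": build_frame(b"Gh0st", b"constructed login body"),
        "variant": build_frame(b"nbLGX", b"constructed login body"),
        # Same frame with the tail cut off: total length no longer matches.
        "truncated": build_frame(b"nbLGX", b"constructed login body")[:-3],
        # Opaque bytes standing in for a segment encrypted end to end, as the
        # post describes: the flag is no longer visible, so header matching fails.
        "opaque": bytes(range(13, 13 + 32)),
    }
    return {name: classify(payload) for name, payload in samples.items()}


if __name__ == "__main__":
    for name, verdict in scan_samples().items():
        print(f"{name:10} -> {verdict}")
```

The "opaque" sample is the point of the exercise: once the whole segment is encrypted, the flag-and-length check returns "unknown" no matter which flags it knows, which is exactly the evasion the post attributes to this variant. Header matching therefore has to be paired with the indicators the post does give (the C2 host, the dynamic-DNS pattern, the SMB exploitation that precedes the drop) rather than relied on alone.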
Sent Yes
Tags Tool


The article does not seem to have been picked up after its publication.


The article does not seem to have been picked up from an earlier one.