- Version 1.1
- Download 192
- File Size 0.00 KB
- Create Date June 29, 2020
- Download
The Remote Administration Tool (RAT) is long. They allow users and administrators to be able to take full control of their system without the need to be physically in front of a device. In this era of global operations, this is a big deal. In countries ranging from troubleshooting machines to observation of in-room staff, RAT solutions have become a widely used tool for remote maintenance and monitoring.
Unfortunately, malware authors often use these same capabilities to compromise the system. Full remote access capability is a dream tool for the black hat community, and is highly sought after.
As a case in point, we recently discovered a spam campaign targeting German-speaking users that includes a relatively new commercial RAT called ozone.
German-Speaking Social Engineering
In this report we will take a look at this new SPAM campaign that appears to be targeting German-speaking users. The email subject claims to be billing information for “Cable” service, and the attachment contains a Microsoft Word document.
Microsoft Word documents with malicious downloader Macros are quite common. In this case, however, the attacker is using a rather old, but possibly still very effective scheme. Attached to the document is a javascript with a small thumbnail of what the recipient is intended to assume is their cable bill. It comes with the classic instruction to double-click on the image to see it fully. As expected, doing so executes a malicious javascript, and initiates the next step in the infection chain.
The malicious JavaScript begins to install a fake SSL Certificate, and sets proxies on IE, Chrome, and Mozilla browsers to a remote Proxy Auto Config (PAC) file. The address to the PAC file is a TOR URL (a tool that allows people to communicate anonymously on the Internet) that is randomly selected from its hard-coded configuration. It allows the system to access the attacker’s TOR site without installing TOR proxy software, by using “.to” (Tor2Web) and “.link” (Onion Link) URL extensions. These services act as relays between the TOR network and the Web.
This is a very common setup for man-in-the-middle (MITM) attacks. By setting the browser proxies, the attacker can lead users to phishing pages like banks, payment sites, credit card companies, etc. It would not be a surprise to learn that those pages are registered using the installed fake SSL Certificate to assure users that the sites being accessed are legitimate and secure.
As if not satisfied with installing a man-in-the-middle attack, the script then downloads a RAT server.
The Ozone RAT Server and Core Module
Upon searching for similar samples of the downloaded executable, some versions were found to include debug information pointing to Ozone RAT. The similarities between these samples and the code in our lab suggested that the executable is the Ozone RAT’s server component, and was built using the tool. This assumption was further confirmed in our tests on the RAT that we discuss later in this article.
It turns out that this is the “loader-only” version of the server. The core module (DLL), containing all the RAT capabilities, needs to be received from the client first. In this case, after informing the client of the server’s existence, it then waits for the client to manually initiate the sending of the module.
Once the encrypted core module is sent, it is dropped as “data.dbf” to the same path as the server. This is later read and decrypted in memory for loading. This same file can also be found in the Ozone package.
It then uses a technique called Reflective DLL Injection, whereby it loads the decrypted module directly from memory using the Delphi API BTMemoryModule. This is commonly used for loading libraries directly from the binary’s resource. However, in this case, since the module is not from the binary’s actual resource, it’s possibly just an attempt to hide the module from process inspections since modules loaded this way will not be included in a process’ list of loaded libraries. It’s also possible that it’s just an adaptation of its other version. This is briefly discussed later while discussing the module’s RAT capabilities.
Ozone RAT
The Ozone RAT website has been active for a year, offering 2 package options – Standard ($20) and Platinum ($50). The latter offers a lifetime license and bonus features for Crypto Mining and MSWord Exploit builder.
It was not difficult to find a “modified” version of the application for testing. We got ahold of Ozone 0.55. Although based on the demo video from the website, version 0.60 is already available.
The Ozone interface has all the characteristics of a typical RAT client - main interface, server builder, and a control center.
The main interface shows the status of the running servers and the active ports being used for communication.
Building a server component is very simple. One does not need to be an expert to build one and distribute it. As mentioned earlier, the server has two versions - the “FAT” and the “loader-only” version. The former is bigger (duh!) because the core module is already included in the server binary as a resource. In this version, it makes more sense to use the Reflective DLL Injection version to avoid additional dropped files. In the case of the latter, as mentioned previously, this can be a process inspection evasion or simply an adaptation of the “FAT” version. It also has the option to pack the binary with a simple UPX.
All RAT operations that can be executed by the server are in the Control Center interface. This includes everything from simple file operations to fully controlling the system using a remote desktop. Its arsenal is common to RAT applications, except for the hVNC (or hidden VNC) module. Basically, hidden VNC takes advantage of Windows’ multiple desktop capability to open a new hidden desktop session for the attacker to control. Since applications running from other desktops are invisible to others, an attacker can control the system and run applications without the user knowing - a very tricky feature to implement.
As an attempt to prevent malicious usage, the website includes a list of Terms of Services (TOS), attempting to scare violators with a “license ban”. Included in the list are the terms, “You are not allowed to use it in malicious ways” and “You are not allowed to send out a bin to another person’s PC's without their permission.” However, for a tool intended only for legitimate purposes, but at the same time including an exploit builder and hidden VNC as features, there’s seems to be a little contradiction between its stated function and its actual functionality.
Conclusion
An important lesson here is that malware actors still use simple, but very effective social-engineering techniques to get those extra clicks from unaware and untrained users. Also, in this particular case, in addition to an MITM setup, a RAT malware is installed in the system. This multiple setup shows how much an attacker desires to take control of a system.
With RAT applications like Ozone, one does not need to be an expert to create and distribute malware. Anyone can buy Ozone from their websites, or simply download “modified” versions, like what we used in our tests for this article. Some are publicly available, and can be attractive to curious minds. Just a few words of caution, though. This can be a cunning ordeal. These “modified” versions may be the malware themselves. With a lack of understanding how malware schemes work, even before starting your first attack, you may inadvertently become one of the first victims.
Keylog from the server installed by the modified Ozone RAT client