What is Dunihi RAT?

It has been well known that signature-based anti-virus (AV) solutions have significant shortcomings, especially when attempting to detect new advanced persistent threats (APTs). However, many people might assume that legacy AV is still capable of detecting basic attacks that utilize relatively old code. This is not necessarily the case, as in the following example of code detected as malicious by BluVector’s patented Machine Learning Engine (MLE) on a customer’s network. The attack, though basic and untargeted, made use of code first seen in late 2013, and was only initially detected by a few AV vendors on VirusTotal.

Attacker Use Malicious Email Attachment to Spread Dunihi

The sample itself was a Visual Basic Script (VBS) file, using a filename suggesting it was a final invoice file with a double file extension of “.pdf.vbs” in order to appear as a legitimate PDF document. These are very common and very basic techniques used by an attacker in order to attempt to convince a user to click on a malicious attachment. The spam emails these attachments come with are not targeted, the attackers use large volumes of spam emails in a campaign, in the knowledge the percentage of users who will actually infect themselves is quite low. Additionally, the emails in the campaign are usually relatively easy to spot as spam due obviously fake from addresses or typographical or grammatical errors in the body of the email. The key point is that attackers continue to utilize these attacks as they continue to provide a sufficient number of infections.

The Infection Went Undetected Hidden ins Plain Text

The sample hid the malicious payload with a multi-step de-obfuscation process, using long base64 encoded strings. Base64 is an encoding scheme used to encode binary data with plain text characters, most often used by email clients.

Base64 Example: The string BluVector encoded with base64 is: Qmx1VmVjdG9y

This is a very common technique used by VBS and JavaScript malware. Often each sample used in a spam campaign is unique, this is simply achieved by using randomly generated variable names, or by including junk code. In this case, the sample used common words as variable names for its functions, which could easily be altered. Malware authors use these techniques in order to evade detection by legacy AV, by making signatures harder to develop.

How Does Dunihi Work

The final payload was a VBS remote access trojan (RAT), first seen in September 2013, known as Dunihi or H-worm. The malware’s source code has been available for some time and requires very little skill on the part of the attacker to use. All an attacker needs to do is alter the command and control (C2) hostname, and perhaps the port number and it is ready to go. This pushes the malware into the realm of the “script kiddie,” defined as a person who uses existing computer scripts or code to hack into computers, lacking the expertise to write their own. The RAT is categorized as a worm, given its ability to self-propagate via USB devices connected to infected systems. The RAT is able to execute files, upload and download files, list system information, create and delete files and list or terminate processes.

Despite the simplicity of the attack and the age of the malicious code, when this sample was first uploaded to VirusTotal, approximately two hours after being detected by BluVector on a customer’s network, it was only detected by five vendors. Of these five, four detections were generic and based on the presence of base64 content, a reminder that it doesn’t take a sophisticated APT to evade signature-based detections.

How Does It Propagate?

The malware is able to self-propagate using connected USB devices. The malware comes attached to spam emails and uses a double file extension in the hopes of convincing users to double click on it.

When/How Did BluVector Detect It?

Regression testing has shown the sample detected by BluVector’s patented Machine Learning Engine (MLE) would have been detected 6 months prior to its release.