What Is It?

Researchers at Sophos recently detailed a novel attack chain that delivered a variant of the MoDi RAT (Remote Access Trojan). The novelty comes from the fact that rather than call­ing PowerShell with a long command string, it creates a PowerShell task and then pastes in PowerShell commands into the window. As it is common to call PowerShell with a long command string, the obvious intention of this technique is to evade detection by endpoint-based security products.

As MoDi RAT is a Windows .NET executable, it is not obfuscated or encrypted and relatively straightforward to reverse engineer. There are multiple steps in the attack chain, beginning with a VisualBasic Script (VBS) file from the spam mail, which downloads a VisualBasic Encoded (VBE) script (VBEs are more difficult to read or altered by end-users). The first VBS #1 (aka the VBE) does two separate things: it writes binary data to the Windows Registry and it creates a scheduled task that runs each minute. It then decodes and drops VBS #2.

VBS #2 script, executed by the scheduled task, launches a PowerShell task to execute the commands using the binary data written to the registry by VBS #1 to assemble filelessly and execute the MoDi RAT payload in memory. Once PowerShell commands are executing, all of the VBS scripts are over with as far as the attack chain is concerned.

When executed, the sample connects to a hardcoded C2 (command and control) site, using port 13. The code supports four C2 hostnames, which were set to the sa­me value in this sample. Now with MoDiRAT running in its own, hidden window and after connecting to one of the hardcoded C2 hosts, the sample sends the name of the active window. Communication with the C2 starts with the string “|Boss2019|”.

As a RAT, MoDi can be instructed via the C2 channel to perform functions such as keylogging, taking desktop screenshots and videos and obtaining system information including installed anti-virus products. The sample also contains code to verify credit card numbers intercepted by the key logger. It does this by calling a site that can decode the first eight digits of a credit card number, providing information such as the location of the issuer, type of card, debit or credit card and brand of card. This information is reported via the C2 channel with the message prefixed with “ccnotif||.”

Strings in the sample indicate that it may be early in its development. First, it was compiled from a directory named “Project Larbi\MoDi RAT V0.1 Build1.” This is reinforced by unused code blocks containing default strings such as a password variable set to “yourPassPhrase” and a cryptographic salt set to “mySaltValue.” 

How Does It Propagate?

The malware does not contain the necessary code to self-propagate. The initial infection vector is a malicious attachment to spam email.

When/How Did BluVector Detect It?

Six malicious samples associated with this attack, including .NET executables, DLL files and VisualBasic scripts are publicly available and BluVector’s patented Machine Learning Engine (MLE) detected them all. Regression testing has shown these samples would have been detected an average of 50 months prior to their release.