RATs in the Cloud: AsyncRAT, Nanocore and Netwire

Recently researchers have identified several new malware campaigns distributing Remote Access Trojans through public cloud services

Regression testing of 18 publicly available samples of AsyncRAT, Nanocore and Netwire malware shows that BluVector would have detected them for an average of 78 months prior to their release.

What Is It? 


A recent report published by researchers from Cisco’s TALOS group details their observations of malware campaigns from late October 2021. The campaigns utilized public cloud services to distribute variants of AsyncRAT, Nanocore and Netwire RATs (Remote Access Trojans). This is the latest example of threat actors misusing public cloud services as a component of their malicious campaigns. From an attacker’s point of view, public cloud services offer three advantages. The first is ease of use: public cloud services are designed to be straightforward to configure and administer, saving an attacker time and effort when compared to setting up their own servers or compromising existing internet-facing servers. The next advantage is cost: public cloud services are relatively affordable, certainly when compared to the cost of so-called “bulletproof hosting” offered by parties on underground forums. The final benefit is the appearance of legitimacy that traffic from public cloud services potentially has. Almost all organizations of any real size utilize at least one public cloud service as part of normal business operations. When attackers use them, it increases the probability that the traffic and sites will not be flagged as malicious and could conceivably even be part of an existing allow list.

In the case of these campaigns, the initial attack vector is phishing emails containing a malicious zip file as an attachment. TALOS found these emails were mainly targeted at users in Italy, Singapore and the United States. The social engineering component of the phishing uses the tried and true lure of a copy of an invoice for a recent purchase. The zip file attachment contains an ISO image file which holds a malicious script. The malicious script is either a JavaScript, Visual Basic Script or a Windows batch file, which downloads the malicious RAT payload from files hosted on public cloud services. The JavaScript scripts use four levels of obfuscation in an attempt to evade detection on the endpoint. The Visual Basic scripts and Windows batch files use a more basic form of obfuscation.

As RATs, the AsyncRAT, Nanocore and Netwire payloads all have similar functionality and purpose, which is to provide attackers with persistent backdoor access to infected systems. This allows for remote access to the filesystem, and to attached webcams and microphones. Additional malware can also be downloaded to infected systems and executed. These RATs, particularly NetWire, are also designed to log keystrokes and to locate and exfiltrate sensitive data such as login credentials, other passwords, and credit card information. RATs can also expand their functionality using plugins. At a technical level, the AsyncRAT and Nanocore RATs are both obfuscated .NET executables. Nanocore uses the Eazfuscator .NET 3.3 obfuscator to hinder analysis and reverse engineering of the sample. The Netwire RAT is the odd one out, being written in Visual C++.

The Netwire RAT also uses a fairly simple string obfuscation technique in an effort to evade detection by legacy signature-based solutions, and to increase analysis time. The Netwire RAT sample analyzed for this Threat Report uses a transposition cipher, with the key being the string “_BqwHaF8TkKDMfOzQASx4VuXdZibUIeylJWhj0m5o2ErLt6vGRN9sY1n3Ppc7g-C”. To deobfuscate a string, the position in the key of each character from the obfuscated string is calculated, and the character is replaced by the one 6 bytes further along in the key. For example, if the first character of the obfuscated string is “E”, it will be replaced by the character 6 bytes further along, in this case “G”, as shown in the following: _BqwHaF8TkKDMfOzQASx4VuXdZibUIeylJWhj0m5o2ErLt6vGRN9sY1n3Ppc7g-C. The code from the sample which performs this process is shown below:

Netwire RAT code sample

There are approximately 130 strings obfuscated using this technique. These obfuscated strings can be extracted from the sample, and deobfuscated en masse using a simple Python script. Once deobfuscated, the strings provide insight into the capabilities of the sample, as the following comparison of obfuscated and deobfuscated strings shows – e.g. the strings enclosed in square brackets indicate the presence of keylogging functionality: 

Deobfuscated Netwire Strings
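The following Python script is an added example, not the script used for this Threat Report, implementing the string deobfuscation scheme described above: each character is located in the 64-character key and replaced by the character 6 positions further along. Two details are assumptions not stated in the report: indices wrap around modulo the key length (so the last six key characters map back to the start), and any character not present in the key is passed through unchanged. The obfuscated input strings below are constructed with the inverse transform for demonstration; they are not strings extracted from the real sample.

```python
"""Netwire string deobfuscator (added example, not code from the analyzed sample).

The scheme: look up each obfuscated character in KEY and replace it with the
character SHIFT positions further along in KEY.
"""

# Key exactly as given in the report: 64 distinct characters
# (a-z, A-Z, 0-9, '_' and '-'), i.e. a permutation of a 64-symbol alphabet.
KEY = "_BqwHaF8TkKDMfOzQASx4VuXdZibUIeylJWhj0m5o2ErLt6vGRN9sY1n3Ppc7g-C"
SHIFT = 6

# Lookup tables built once. Assumption: positions wrap modulo len(KEY).
_DECODE = {c: KEY[(i + SHIFT) % len(KEY)] for i, c in enumerate(KEY)}
_ENCODE = {plain: obf for obf, plain in _DECODE.items()}


def deobfuscate(s: str) -> str:
    """Recover the plaintext of one obfuscated string.

    Assumption: characters not in KEY (e.g. '[' and ']') pass through unchanged.
    """
    return "".join(_DECODE.get(c, c) for c in s)


def obfuscate(s: str) -> str:
    """Inverse transform (shift 6 positions backwards in KEY).

    Used only to construct test inputs and to confirm the mapping is a bijection.
    """
    return "".join(_ENCODE.get(c, c) for c in s)


def deobfuscate_all(strings):
    """Deobfuscate a batch of extracted strings.

    Returns (obfuscated, plaintext) pairs so the two can be listed side by side,
    as in the comparison shown in the report.
    """
    return [(s, deobfuscate(s)) for s in strings]


# Constructed sample input: produced with obfuscate() from made-up plaintexts,
# NOT strings taken from the real Netwire sample.
SAMPLE_OBFUSCATED = [
    "E",            # single character: 'E' -> 'G' as in the report's walkthrough
    "mWn4R",        # constructed: obfuscate("Login")
    "[cCYw6sCYd]",  # constructed: obfuscate("[Backspace]"); brackets pass through
]


if __name__ == "__main__":
    for obf, plain in deobfuscate_all(SAMPLE_OBFUSCATED):
        print(f"{obf!r:16} -> {plain!r}")
```

Because the key is a permutation of a 64-symbol alphabet, the transform is a bijection on those symbols, so `obfuscate(deobfuscate(s)) == s` for any string over the key alphabet; that property is a quick sanity check that the key was copied correctly before running the script over strings extracted from a sample.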

These campaigns demonstrate that misuse of public cloud services is yet another option threat actors have in order to reduce their overheads in terms of time, effort and cost. They also potentially improve the probability of evading detection, due to the use of legitimate public cloud services, which may be the same services utilized by the victim organization. 

How Does It Propagate? 

The RAT malware described in this Threat Report does not contain the necessary code to self-propagate. The initial attack vector for these campaigns is a phishing email containing a malicious zip file as an attachment.

When/How Did BluVector Detect It? 

A total of 18 publicly available samples of AsyncRAT, Nanocore and Netwire malware related to the public cloud campaigns were tested against BluVector’s patented Machine Learning Engine (MLE), and all were detected. Regression testing of these samples shows that BluVector would have detected them for an average of 78 months prior to their release.

Threat Team
BluVector’s Threat Report is written by BluVector’s expert security team, tasked with identifying the latest cybersecurity threats in the wild and when our solutions would protect customers from those threats.
