Security vendor RiskIQ has published a blog and a white paper (registration required) laying out its analysis of the htpRAT malware. The evidence it provides points to htpRAT having been developed and distributed by groups associated with China. RiskIQ goes as far as stating: “[htpRAT] is the newest weapon in the Chinese adversary’s arsenal in a campaign against Association of Southeast Asian Nations (ASEAN).”
What is htpRAT?
htpRAT is a new generation of Remote Access Trojan (RAT) software. It has all the features that are normally associated with any other RAT malware. This includes:
- logging keystrokes to steal security credentials
- taking screenshots to capture data
- recording audio and video from a webcam or microphone
- installing and uninstalling programs
- managing files on the infected computer
The developers of htpRAT have added further features. RiskIQ believes this makes the malware far more dangerous than any other RAT. The report states: “htpRAT, on the other hand, serves as a conduit for operators to do their job with greater precision and effect. On the Command and Control (C2) server side, threat actors can build new functionality in commands, which can be sent to the malware to execute.
“This capability makes htpRAT a small, agile, and incredibly dynamic piece of malware. Operators can change functionality, such as searching for a different file on the victim’s network, simply by wrapping commands.”
How is it being distributed?
As with the majority of malware attacks, this one is being distributed via a spear phishing campaign. The email contains an attachment which is an Excel spreadsheet loaded with macros. When users click the box to enable content, the embedded macro executes a Windows PowerShell command.
The htpRAT authors are using staged downloads. Files are brought down in small chunks and renamed once they are on the local machine. This reduces the chance of a file being detected. The staging is also used to monitor for the presence of security software.
A further move to defeat, or at least confuse, security software is the use of a file associated with F-Secure antivirus. The researchers discovered that, as part of the install process, the ‘winnet.exe’ file is executed. This file allows the attackers to install a malicious DLL called fsma32.dll.
All in all there are five different stages where code is downloaded and executed. The first four seem to lay the groundwork for the actual RAT code to be installed.
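The two behaviours just described, an Office macro launching PowerShell and a legitimate executable loading a planted DLL, are both visible in ordinary endpoint telemetry. The following is an added detection example, not code from RiskIQ or from the report: it scans constructed, Sysmon-style JSON events for those two patterns. The field names (event, host, image, parent_image, loaded_image, command_line), the assumed F-Secure install directories, and the heuristic that fsma32.dll is only expected to load from the vendor directory are all assumptions made for the example.

```python
"""Added detection example (not RiskIQ's code). It scans constructed,
Sysmon-style JSON events for two behaviours described in the article:
  1. an Office application spawning PowerShell (the macro stage), and
  2. winnet.exe loading fsma32.dll from outside the vendor's program
     directory, which is how a planted DLL next to a legitimate binary
     looks to endpoint telemetry (this location heuristic is an
     assumption, not something the report states).
Field names are assumptions chosen to resemble Sysmon output."""
import json

OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe"}
# Assumed legitimate install locations; a real deployment would take these
# from its software inventory rather than hard-coding them.
TRUSTED_VENDOR_DIRS = (
    "c:\\program files\\f-secure\\",
    "c:\\program files (x86)\\f-secure\\",
)


def basename(path: str) -> str:
    """Last path component, lower-cased, accepting either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_event(ev: dict) -> list:
    """Return [(rule_id, detail), ...] for one event; empty when nothing matches."""
    hits = []
    kind = ev.get("event")
    if kind == "process_create":
        parent = basename(ev.get("parent_image", ""))
        child = basename(ev.get("image", ""))
        if parent in OFFICE_PARENTS and child in SCRIPT_HOSTS:
            hits.append(("office_spawns_powershell",
                         f"{parent} -> {child}: {ev.get('command_line', '')}"))
    elif kind == "image_load":
        proc = basename(ev.get("image", ""))
        dll = ev.get("loaded_image", "")
        if proc == "winnet.exe" and basename(dll) == "fsma32.dll":
            # The same DLL name loaded from the vendor directory is expected;
            # from a temp or user-writable path it is the side-load pattern.
            if not dll.lower().startswith(TRUSTED_VENDOR_DIRS):
                hits.append(("fsma32_sideload", f"{proc} loaded {dll}"))
    return hits


def scan(lines) -> list:
    """Run check_event over newline-delimited JSON events, one finding per hit."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        for rule, detail in check_event(ev):
            findings.append({"rule": rule, "host": ev.get("host"), "detail": detail})
    return findings


# Constructed sample telemetry: one benign launch, one macro-to-PowerShell
# launch, one side-load from a temp directory, and one load from the vendor
# directory that should not fire. Hosts, paths and arguments are invented.
SAMPLE_EVENTS = r"""
{"event": "process_create", "host": "ws01", "parent_image": "C:\\Windows\\explorer.exe", "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE", "command_line": "EXCEL.EXE invoice.xls"}
{"event": "process_create", "host": "ws01", "parent_image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "command_line": "powershell.exe <macro-supplied arguments>"}
{"event": "image_load", "host": "ws01", "image": "C:\\Users\\user\\AppData\\Local\\Temp\\winnet.exe", "loaded_image": "C:\\Users\\user\\AppData\\Local\\Temp\\fsma32.dll"}
{"event": "image_load", "host": "ws02", "image": "C:\\Program Files\\F-Secure\\winnet.exe", "loaded_image": "C:\\Program Files\\F-Secure\\fsma32.dll"}
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS.splitlines()):
        print(f"[{f['rule']}] {f['host']}: {f['detail']}")
```

Run against the constructed sample, the scan reports exactly two findings, both on ws01: the Excel-to-PowerShell launch and the fsma32.dll load from the temp directory. The load of the same DLL name from the vendor directory on ws02 is deliberately not reported, which is the point of keying the rule on location rather than on the file name alone.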
Bypassing security concerns using GitHub
The report notes that the attackers are hosting their payload on GitHub. It’s an interesting move. Most payload servers get blocked after a while, but blocking GitHub is unlikely because so many organisations now use it with their development teams and treat it as a safe location. The increased use of Open Source software, for which GitHub is the usual place to store code, also means it is treated as a trusted location.
The downside of using GitHub is that RiskIQ was able to extract the Git commit history. This provides details on what was added, changed and deleted over time. The information helps security analysts build a picture of the attackers and identify common malware components. This latter step makes it easier to attribute attacks to specific hackers and groups.
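The analysis step described above, turning a repository's commit history into a record of what was added, changed and deleted over time, is straightforward to automate. The following is an added example, not RiskIQ's tooling: it parses the output of a `git log --reverse --date=short --pretty=format:"commit %H%nDate: %ad" --name-status` run into a per-file timeline, the set of components still present at the last commit, and a count of operations. The log embedded below is constructed; the commit hashes and every file name other than fsma32.dll are invented for illustration.

```python
"""Added example (not RiskIQ's code) of building a per-file history from a
repository's commit log. It expects oldest-first output in the shape of
  git log --reverse --date=short --pretty=format:"commit %H%nDate: %ad" --name-status
The sample log is constructed: hashes and file names other than fsma32.dll
are invented."""
from collections import Counter

SAMPLE_LOG = """\
commit 1111111111111111111111111111111111111111
Date: 2017-01-05

A\tstage1.ps1
A\tloader.bin

commit 2222222222222222222222222222222222222222
Date: 2017-03-12

M\tloader.bin
A\tfsma32.dll

commit 3333333333333333333333333333333333333333
Date: 2017-06-30

D\tstage1.ps1
M\tfsma32.dll
"""


def parse_name_status(text: str) -> list:
    """Parse name-status log output into
    [{"hash": ..., "date": ..., "changes": [(status, path), ...]}, ...]."""
    commits = []
    current = None
    for line in text.splitlines():
        if line.startswith("commit "):
            current = {"hash": line.split()[1], "date": None, "changes": []}
            commits.append(current)
        elif line.startswith("Date: ") and current is not None:
            current["date"] = line[len("Date: "):].strip()
        elif "\t" in line and current is not None:
            status, path = line.split("\t", 1)
            # Renames and copies appear as "R100<tab>old<tab>new"; keep the
            # status letter and the new path (the old path is not tracked).
            current["changes"].append((status[0], path.split("\t")[-1]))
    return commits


def file_timeline(commits: list) -> dict:
    """Map each path to its ordered list of (date, status) events."""
    timeline = {}
    for c in commits:
        for status, path in c["changes"]:
            timeline.setdefault(path, []).append((c["date"], status))
    return timeline


def surviving_files(commits: list) -> set:
    """Paths present after the last commit: added and not later deleted."""
    present = set()
    for c in commits:
        for status, path in c["changes"]:
            if status == "D":
                present.discard(path)
            else:
                present.add(path)
    return present


def change_counts(commits: list) -> dict:
    """Total number of operations across the history, keyed by status letter."""
    return dict(Counter(status for c in commits for status, _ in c["changes"]))


if __name__ == "__main__":
    history = parse_name_status(SAMPLE_LOG)
    for path, events in sorted(file_timeline(history).items()):
        print(path, " ".join(f"{d}:{s}" for d, s in events))
    print("still present:", sorted(surviving_files(history)))
    print("operations:", change_counts(history))
```

The timeline is what lets an analyst say when a given component first appeared and how often it was reworked; the surviving set is the list of components to expect in the current payload. When several repositories are analysed this way, files that appear in more than one timeline are the shared components the article refers to.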
What does this mean?
Attackers are getting smarter. Those with state backing have the money to launch long-term plans for infection. RiskIQ’s detailed report discloses that the attackers have owned the C2 domain name for two years. This has the potential to defeat security software that uses the age of a domain registration as an indicator of reputation. The domain details also mirror those of a valid domain, with the exception of the key email address. Again, this is an anti-detection approach.
Like many China-backed attacks, this one targets companies and individuals in ASEAN. This is partly for geopolitical reasons. It is also because the region has a reputation for poor cybersecurity controls, which makes it easier to infect machines.
It is also a region that does a lot of business with large organisations around the world, especially in the manufacturing of clothing. Infecting large numbers of small-scale businesses in ASEAN increases the chance of a successful attack on a larger organisation. This is long-game cyber warfare. So far, however, RiskIQ has not disclosed evidence of an attack against a larger organisation. This is good news, and it suggests that detection of htpRAT has come just in time.