Tomáš Gardoň & Filip Kafka, ESET

In June 2018, we detected attempts to infiltrate the systems of a governmental target in Malaysia. The malware used in the attacks seemed familiar, yet at the same time strange, exhibiting elements of the well-known Gh0st RAT, the NetBot Attacker RAT, and hints of Hacking Team’s infamous RCS surveillance tool in its code. We were compelled to take a closer look.

Our analysis revealed a previously undocumented espionage toolkit composed of several backdoors and standalone file stealers. Common features of all its components are Windows API function obfuscation copied directly from the leaked source code of Hacking Team’s RCS, and their exfiltration routine used to deliver gathered data to C&C servers. Some of the backdoors are built on the basis of publicly available source code (Gh0st RAT, NetBot Attacker RAT), but with custom enhancements. As a complement to the spying functionality of the backdoors, the file stealers are preconfigured to continuously steal all files with typical document extensions located on a victim’s disk.

Following our discovery, the attackers have made repeated attempts to compromise their target despite their initial lack of success, making several changes to the unsuccessful evasion techniques employed by the malware.

In this talk, we will provide a technical analysis of this newly discovered mash-up espionage toolkit. We will demonstrate how the attackers made use of the publicly available tools Gh0st RAT and NetBot Attacker RAT and highlight the most interesting modifications they introduced in the developing of the toolkit. Finally, we will describe the techniques intended to evade detection and fool system administrators, from RDP checks through hiding executables in the registry to using fake HTTP headers, and examine how these changed as the attacks progressed.