Malaysian government targeted with mash-up espionage toolkit

Tomáš Gardoň & Filip Kafka, ESET

In June 2018, we detected attempts to infiltrate the systems of a governmental target in Malaysia. The malware used in the attacks seemed familiar, yet at the same time strange, exhibiting elements of the well-known Gh0st RAT, the NetBot Attacker RAT, and hints of Hacking Team’s infamous RCS surveillance tool in its code. We were compelled to take a closer look.

Our analysis revealed a previously undocumented espionage toolkit composed of several backdoors and standalone file stealers. Common features of all its components are Windows API function obfuscation copied directly from the leaked source code of Hacking Team’s RCS, and their exfiltration routine used to deliver gathered data to C&C servers. Some of the backdoors are built on the basis of publicly available source code (Gh0st RAT, NetBot Attacker RAT), but with custom enhancements. As a complement to the spying functionality of the backdoors, the file stealers are preconfigured to continuously steal all files with typical document extensions located on a victim’s disk.

Following our discovery, the attackers have made repeated attempts to compromise their target despite their initial lack of success, making several changes to the unsuccessful evasion techniques employed by the malware.

In this talk, we will provide a technical analysis of this newly discovered mash-up espionage toolkit. We will demonstrate how the attackers made use of the publicly available tools Gh0st RAT and NetBot Attacker RAT and highlight the most interesting modifications they introduced in the developing of the toolkit. Finally, we will describe the techniques intended to evade detection and fool system administrators, from RDP checks through hiding executables in the registry to using fake HTTP headers, and examine how these changed as the attacks progressed.

Tomáš Gardoň

Tomas Gardon is Malware Researcher in ESET’s Security Research Laboratory; his responsibilities include reverse engineering of new complex threats and improving detection systems. Some of his research was presented at Virus Bulletin and CCCC conferences.

Filip Kafka

Filip Kafka is a malware researcher at ESET’s Malware Analysis Laboratory. His main responsibilities include detailed malware analyses and training new reverse engineers in the ESET Virus Lab, but his professional interests, as well as his latest research, focus on APTs. His experience as a speaker includes speaking at the Virus Bulletin conference, the AVAR conference, CARO Workshop, NorthSec conference, and at several events aimed at raising awareness of malware and computer security, presented for local universities. He also teaches a reverse engineering course at the Slovak University of Technology and the Comenius University and runs workshops on reverse engineering and malware research held in London, Brno, Bratislava.

The Dynamic Security Ecosystem
Other Topics