Important elements of the analysis
- Source code distribution of malware RATs and stealers via Darknet forums
- Presence of persistence tasks
- Data logging and data stealing modules
- Attempts at .NET obfuscation
- Cryptowallets stealing
- C&C connections
- Wi-Fi credential stealing
- Threats that can be sold on the black market and customized by any threat actor
- Fake Proof of Concept Exploits distributing VenomRAT threats
- Attributes of the infection kill chain hardcoded into the source code
- Anti-Analysis, Anti-VM, Anti-Sandboxing and Evasion
- Remote access management with RDP and VNC protocols
- Mutexes hardcoded into the source code
Introduction
In the present analysis a malware sample of VenomRAT obtained from a Darknet forum, which only allows the download of source code and compiled samples if there is a reaction to the post by a user.
As for VenomRAT (updated to version 6.0.3) it was first seen in the wild in June 2020, it is distributed more via phishing mails and malspam via obfuscated macro attachments than by dropping files, it has encryption and ransomware features and was developed in .NET. Again, there is credential hijacking, cryptowallets, malicious remote management and appears to refer to the deployment of Qasar RAT threats. [0]
Recently, fake Proof of Concept exploits have been identified on GitHub that distribute malicious scripts and infection deployment of VenomRAT samples in a scheduled manner. [1]
VenomRAT analysis
The Venom RAT sample submitted for analysis is contained in an archive, the executable extracted from it is 3b3a304c6fc7a3a1d9390d7cbf56634.
Following are some hexadecimal parameters that can be extracted from the strings of the artefact:
Here are details of some encryption and compression functions CryptoStreamMode, CompressionMode and CipherMode:
There are references to socket types, FileShares, LogonFailures and Server_Certificate for the purposes of discovery tasks and malicious connections:
Next are some details concerning NetworkCredentials, the System.Security.Principal namespace that can granularly define users and permissions.
Here a detail on IsAdmin for checking whether a user is administrative or not, and Paste_bin for consequential C&C connections.
Here is evidence of host information gathering, including filesystem and disk details.
Here below we can see some references to encryption with objects of type MD5CryptoServiceProvider, RSACryptoServiceProvider and AesCryptoServiceProvider, but also to the GetEncoder method.
The methods InitialiseClient, get_SslClient, set_SslClient, get_TcpClient, set_TcpClient and AuthenticateAsClient are used for C&C connections.
At the same time as the assembly details, there are encoded and obfuscated strings:
The .text section is not in “packed” status depending also on the entropy coefficient:
An examination of the hexadecimal code of the artefact reveals SQL queries for system information gathering, creation of scheduled tasks, OS Autostart registry key management for persistence of a .BAT script for killing monitoring processes, such as Taskmgr, Process Hacker and Process Explorer. There are also references to bypassing the Windows Defender MpCmdRun process.
Here is a detail of the Master Key encryption attribute:
In the CGRInfo class, there are methods for obtaining CPU, RAM and GPU information via WMI queries with ManagementObjectSearcher objects:
In the main Program class, we can see that, at the same time as the start-up of the threat, registry setting and AntiAnalysis routines are executed:
Next there are checks to see whether the user has administrative permissions and if so, re-initialize the settings for infection. There is then a while true loop in order to continuously check whether the client with the Socket is connected, if not, the VNC service is stopped and the client is reconnected via Socket, after which there is a Thread.Sleep of 3 seconds.
The static method void StopHVNC terminates all processes with the name “cvtres” (Microsoft Resource File To COFF Object Conversion Utility):
The static Boolean method InitializeSettings() allows the initialization and management of the attributes of AES encryption, malicious connections, AntiAnalysis and hardware information.
Within class Aes256, we can see the presence of the static and private bytes array Salt for encrypting and decrypting the input data.
In the ClientSocket class, if the Paste_bin attribute is equal to null, the domain is randomly generated by means of the string text variable, after which the TCP connection is made.
Depending on the options and attributes passed as input arguments, the message pack sent via Socket is changed:
The sent packet is extracted at the same time as it is sent, if the variable named asString is equal to hvnc the HVNC module is stopped and a connection is made to the (after a cast as Integer) HPort.
The Anti_Analysis module checks the operating system type of the machine in question in order to verify whether it is a server or a virtual machine.
The details of the internal and external cache are then obtained using the WMI query Select * from Win32_CacheMemory:
Some specific monitoring and Windows Defender processes are checked, these are immediately terminated in order to bypass the dynamic analysis and protection phase:
The Camera class obtains the details of the WebCam devices via the GUIDs of the interfaces, the HwidGen class is used to obtain the hardware IDs of the infected machine:
Here the details of the IdSender class that contains the static method of type byte[], it returns the encoded msgPack variable that contains the details collected during the information stealing phase of the compromised host.
The MutexControl class allows mutexes to be managed for proper concurrency at runtime:
The ProcessCritical class checks whether a BSOD event has occurred or the user is administrative, if so the process calls the Exit() method, which sets the process as critical and in the event of an exception there is an infinite 100 second Thread.Sleep, there is a session ending handler, the process enters debug mode and is set as a critical process. This is done in order to avoid dynamic malware analysis.
The machine’s hardware ID is saved in the registry key Software\\, and the NormalStartup class creates a scheduled task for it:
Here instead is the management of the start-up registry key SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\:
Through a using construct of a variable of type StreamWriter, a batch script is created in order to perform an external execution, change directory and forced delete of the variables fileInfo.FullName, Path.GetTempPath() and Path.GetFileName(text) respectively.
The Portable Executable crack.exe was developed in .NET and provides handling of clipboard management events and file information gathering.
Following is an evidence of various strings that can be extracted from the executable relating to the above-mentioned features:
The .text section has an entropy coefficient of 5.18915, so it is not in a “packed” status.
From an extraction of the hexadecimal code, we can see evidence of a Bitcoin address and the Clipper module:
The Clipper’s configuration includes a number of attributes: autorun_enabled (a boolean variable indicating whether the persistence task should be performed or not), the name of the autorun task, whether it should be “hidden”, whether it should be a system task, the execution delay check, and finally a dictionary containing various cryptocurrency addresses, such as Bitcoin, Ethereum, XMR. This dictionary is then followed by a mutex used for concurrency.
The Program class performs an inherent check on the created mutex, but also on the Autorun setting, hidden and system attributes, and finally initializes the clipboard logging method ClipboardMonitor.run().
The Clipboard class obtains the text and content of the clipboard through the use of threads:
The RegexPatterns class performs a parsing task in order to identify the various types of cryptocurrencies.
The Chrome class starts Chrome processes (if an instance is not already open) and monitors the data in LocalAppData and User Data.
Following are the details of the Outils and MutexControl classes that provide monitoring of keystrokes and creation of mutex objects, respectively.
The Keys array consisting of 17 cells allows the typed buttons to be identified and enumerated:
In order to handle keyboard hooks monitoring, DllImport constructs are used to call the functions SetWindowsHookEx, CallNextHookEx and GetKeyboardState:
The KeylogParams class contains in it attributes and options for saving logging files, mutex name and the void method for loading the configuration file LoadFromFile():
Details of the logging files (online and offline) and the configuration file follow:
The HandleNetstat class contains the method void NetstatList which returns a list of processes with their PIDs and the ports used in connection with the TCP connections established, there is the array allTcpConnections. The method void Kill, on the other hand, terminates a process having a specific PID taken as input argument:
The TcpConnectionTableHelper class allows you to obtain the details of TCP connections, such as the associated IP addresses, make an enumeration of established TCP connections, the Boolean method checks whether the Venom RAT server is valid or not. It takes an X509Certificate object as input argument.
Following is the iinitialization of the client and TCP connections via sockets to begin the malicious Remote Management phase.
The static method void ReadServertData takes as input an argument of type IAsyncResult, the bytes read via network packets and SSL clients are obtained.
The static method void Send has an ariety coefficient of 1, so an array of bytes named msg, the SendSync resource is locked, the TcpClient object polls the relevant section of data, performs write tasks with offsets equal to bytes.Length.
The static method void CheckServer has as input argument an object of type object named obj, a ping of the object “Pac_ket” is performed.
The Packet module performs the reading and decoding from bytes of the Pac_ket object, when the regManager string is read, a new RegManager object is initialized, which takes the msgPack variable as input argument.
The Plugin class has the void Run method, which takes a number of objects as input arguments, including the Socket object, the X509Certificate2 certificate, the hardware ID, and the msgPack array of bytes. Next, the connection to the Venom RAT server is initialized and the associated thread is initialized. There is then a while loop which, until the client is connected, performs a Thread.Sleep of 1 second.
The RegistryEditor class contains several static and boolean methods (which result in true if there are no errors) and which make it possible to create new registry keys (which can be used during persistence), delete registry keys and rename them.
The RegistrySeeker class, on the other hand, enables searches within the registry from a root key. The private void method ProcessKey has an ariety of 2 and performs an enumeration with a foreach loop for the registry keys taken into consideration.
The RemoteCamera module has a Packet class that allows data and information obtained from enumerated and identified webcamera devices to be encoded in images.
The RemoteDesktop module contains the void Run method mentioned above.
The ReverseProxy class enables serialization and deserialization tasks to be performed on messages in JSON format.
In the ReverseProxyClient class, in the constructor, it takes as an input argument a variable of type ReverseProxyConnect in order to obtain the necessary connection attributes.
In the case where the connection has been established (and checked with the Handle variable) the buffer and sockets connections attributes are used in order to receive the communication data. In the case where there is an exception error a Connection.Send instance within the catch construct is executed with the purpose of sending connection attributes down and IsConnected equals false.
The void RemoveProxyClient method possesses as ariety 1 and the parameter taken as input corresponds to the ID of the connection to be removed, in fact the _proxyClients.RemoveAt(i) method is executed.
The HandleSendTo class contains methods that can be used to send files contained in the unpack_msgpack object passed as an input argument (in unpacked form). For this purpose a new process is initialized with input arguments PowerShell commands with bypass execution policies with hidden window for the purpose of executing the file used as attribute and specified above. In case the child malicious execution is successful a log of that execution is executed in the Temp\\ path.
The public void method FakeBinder gets the compressed MsgPack as an input argument, the latter is unpacked, and, in case the Current Directory does not contain AppData or other temporary paths an execution of Path.Combine for a temporary path and the generation of a concatenated random string is performed and generated using the Methods.GetRandomString(6) method.
A filter is run for the PowerShell .ps1 extension:
The SendToMemory class allows to write to memory the dump of an executed process using two parameters taken as input: path and the array of bytes given. To achieve this purpose VenomRAT executes the functions CreateProcessA, Wow64GetThreadContext, GetThreadContext (in order to get the details of the contexts of executions of 32-bit and 64-bit threads), as well as the function ReadProcessMemory, which performs a boolean return in order to check whether the read of the dump was successful or not. If not, an exception is thrown with the function call throw new Exception();
The ToMemory method, found within the HandleSendTo class, performs an injection by Framework and Framework64 of a file executed by thread, while the Assembly assembly object loads the unpacked buffer (array of bytes).
Heart of the VenomRAT threat is definitely the presence of information stealing and gathering methods and dictionaries using regex and dictionaries to obtain, for example, credit card and bank card information.
The Banking class appends .org extension values to .com domains in case the domain under consideration is different from some specific entries, such as Google, Bing, and Yandex.
The following static void methods allow you to obtain the details of cryptocurrencies, homebanking services, and any services that contain adult content:
Depending on the card type identification number, which are contained in the KeyValuePair string and Regex CreditCardTypes list. In the case where there is a match between creditCardType.Value and the number variable taken as the input argument, the creditCardType.Key variable is returned.
The Config class contains within it the necessary configuration parameters and attributes in static form for handling AntiAnalysis, logging, stealing, Discord URL, Usernames, specific string attribute dictionaries to identify banking services and porn services.
Here a detail of a Discord hook included hardcoded within the Webhook variable:
The DiscordWebHook class allows you to manage specific connections and sessions to Discord, including, for example, the location of the last message ID (msgid.dat variable) and the history saved in the history.dat file.
The static string SendMessage method takes as an input argument the text variable that allows the creation of a WebClient for compiling the nameValueCollection list and sending the Username, Avatar_URL and content attributes.
Following is a call to the File.ReadAllLines method to read line by line from the keylogging history file KeyLogsHistory, then the Latest Message ID is set.
The static void Replace method within the Buffer class provides for setting the contents of the clipboard with the value Config.ClipperAddresses[key] in case the Key attribute of the patterns passed as an input argument are present within the contents of the Clipboard.
Next, logging and saving the contents of the Clipboard in the clipboard_logs.txt file is handled:
The dictionary associated with regex patterns are decrypted the various attributes of arrays of raw bytes of size 48 or 32 cells.
Details of the AutoFill and Bookmark loggers browsers facilities here:
The ClipboardManager class uses threads and mutexes with the purpose of managing the contents of the monitored clipboard:
The Counter class contains the default values of the attributes used, both integers and booleans:
The CreditCard structure contains Get and Set details of the related attributes Number, ExpYear, ExpMonth, and Name.
VenomRAT has several methods of files and folders management available, such as RecursiveDelete (for recursive deletion starting from a path), copying specific directories, obtaining the size properties of a directory, and creating a password archive:
The password of the above archive is generated randomly with the GenerateRandomData() method:
The sealed Paths class contains references to several special paths considered during infection, stealing and remote access, such as Chromium Paths, Edge Paths, AppData.
The Report class provides (upon entering a sSavePath for saving the data obtained sSavePath) of the attributes obtained from the various tools and folders considered through the use and execution of threads. We can see the grabbing of details related to Discord, Pidgin, Outlook, Telegram, Skype, Minecraft, CryptoWallets, FileZilla, ProtonVPN, OpenVPN, and NordVPN:
Here a retrieval of the system product key:
VenomRAT uses SQLite modules in order to perform values gathering, in the class constructor the file then read over all bytes is considered, specifically the filename attribute.
Next are details of the AntiAnalysis class that detects Sandboxie, Avast and COMODO modules for bypassing protection solutions:
The SelfDestruct class allows you to run a batch script that invokes the chcp 65001 command to set UTF-8 encoding as the page code, forcibly terminates processes with specific IDs via the taskkill /F /IM command, and sets a timeout.
The threat performs a delay for a random number of milliseconds ranging from the range of 0 to 10000 milliseconds:
Here the details of the Startup OS class setting for the persistence task (also in folders of registry keys), files hiding and checking in case a file is installed in the startup OS key.
Here the details of the StringsCrypt class that contains RijndaelManaged random generation and decryption methods.
Here the details of gathering credentials of FTP servers with FileZilla:
The Passwords class provides for deleting old passwords by calling the Filemanager.RecursiveDelete(PasswordsStoreDirectory) method:
Next are details of enumerations with foreach loops for gathering wallets of cryptocurrencies, such as Litecoin, Dash and Bitcoin.
Here are details of the CBrowserUtils class for handling and formatting details obtained from browser instances, such as credit cards, cookies, autofills data, bookmarks and passwords.
The static boolean WritePasswords method takes as input arguments the list of objects Password pPasswords and sFile to save the obtained passwords to file in case the credentials are other than empty string values.
Passwords obtained from Chromium browsing engines are decrypted and encoded in UTF-8:
The CbCrypt class contains BCrypt encryption objects, such as BCRYPT_KEY_DATA_BLOB_MAGIC to be imported into encryption contexts, and several functions imported from the external library bcrypt.dll
VenomRAT gets details of wallets and Chrome extensions linked to cryptocurrencies:
Through an instance of the SqLite module, the history of browsers is obtained and each site is added to the list.
The Recovery class contains the static void method Run that has as parameter sSavePath that allows saving various information and details taken from victims, including Web Data, login data, history, AutoFills, Cookies, credit cards:
Next is the parsing methodology of VenomRAT, which performs Split tasks using Regex objects to split the data taken as input (string data variable) with “/” characters.
The RAT contains numerous hardcoded references to URLs and extension IDs of Edge cryptowallets saved in a string list:
Login keys .db and .json files are handled and are copied and saved in the sSavePath folder:
The following class allows you to enumerate and save the installed versions and mods of Minecraft in AppData concatenated with the .minecraft folder pattern.
Other profile files, options and servers are also saved:
Details of current Steam sessions are also saved and logged:
The same task also occurs for UPlay:
In order to obtain Discord tokens an AppendAllText method is executed in the concatenated path sSavePath + \\tokens.txt:
Here is the static string type method DecodeProductKey which takes as input argument the array of digitalProductId bytes for decoding the system product key, in case during the 28 to 0 cycle of IDs if cell num (the current index in the cycle) + 1 results in 0 with a division by 6 a hyphen is added to the corresponding cell, then from 14 to 0 bit shifting tasks are performed, division with remainder by 24:
Following is the SysInfo class of information gathering, details of the infected machine, such as the public IP address, were saved in the contents string:
Details of the installed antivirus are obtained:
The WebcamScreenshot class allows a WMI query to be run to obtain the details of connected webcams, and screenshots are taken if the Config.WebcamScreenshot configuration attribute is different from 1:
VenomRAT runs a command with forced UTF-8 encoding netsh wlan show profile name to make a list of the Wi-Fi networks you can connect to and then performs a password dump:
Numerous Wi-Fi passwords are dumped and the subtracted attributes are hung in the file sSavePath + \\SavedNetworks.txt
The static void Save method in the NordVpn class is used in order to obtain the directories of the NordVpn.exe executable, details of the user.config file are obtained, and details of the XML configuration data are obtained:
Viewing the main class of the Shellcode namespace it is possible to highlight the initialization of the array of bytes buf obtained from the string attribute “%venom%” with Base64 type encoding. The internal static NativeCaller class makes use of the memory management function VirtualAlloc and CodeCallerDelegate for the native calling phase.
In the strings that can be extracted from the VenomRAT sample, we can see an individualizing URL.
VenomRAT’s servers make use of Personal Information Exchange type certificates.
VenomRAT threat research
Following are details of the correlation between VenomRAT and an IP address used in the killchain infection and registered in Finland:
The IP address in question was registered, in detail, in Helsinki and has the running services MySQL, webserver and RDP with open ports 135, 3306, 5357, 5985 and 47001.
Here are the OSINT details of the IP address regarding the Spam Level, which stands at “Very High.”
IOCs VenomRAT:
- 3b3a304c6fc7a3a1d9390d7cbff56634
- e8bd5244e6362968f5017680da33f1e90ae63dd7
- 7331368c01b2a16bda0f013f376a039e6aeb4cb2dd8b0c2afc7ca208fb544c58
- 95.216.52[.]21
- DcRatByqwqdanchun
- Pac_ket
- 42KwLVv18KiFRZNHzu
- Sdh34yszdfgb
VenomRAT YARA Rule
VenomRATRule:
rule VenomRATRule
{
strings:
$xwormStr = “44X9i4c6YhQcfLiSCrbNH25yrRfkrhrz”
$xwormStr1= “blackhatrussia”
condition:
$xwormStr or $xwormStr1
}
CONCLUSIONS:
The threat considered in this Darknet investigation was distributed via Darkweb when a reaction was made to the main post by the connected user. VenomRAT is customizable and can allow the addition of new features and malicious remote access and stealing tasks. With a view to a future threat landscape, it is possible that the malware under scrutiny will also deploy additional threats, such as advanced and complex ransomware with data theft, and if the ransom is not paid, these will be published. It is important to emphasize how easy and versatile the distribution of the entire malware development and the corresponding source code is. Obviously, this is only the tip of an enormous iceberg that conceals an immense amount of Darkweb forums distributing entire IDE projects of the development of various types of threats. This can lead to forking and customization that would potentially have endless development possibilities.
Consequently, such a malware deployment methodology may lead to the propagation of numerous variants, which may adversely affect static malware signatures and malware engines based on antiviral signatures, as these would show differences in patterns and hexadecimal code, thus rendering some previously created malware hunting signatures and YARA rules useless. In this specific case, an attempt was also noted to obfuscate the .NET code in order to protect the project’s ‘core’ classes, but leaving the plug-in DLL libraries almost completely intelligible. This was probably done with the aim of making the external called libraries more customizable, but keeping the Main classes as protected as possible, making the creation of individualizing antiviral signatures through specific patterns more difficult. It is also important to emphasize that there are numerous attempts at persistence, anti-analysis, anti-sandboxing and evasion techniques from security solutions and dynamic analysis process monitoring tools, such as Process Explorer, Process Hacker and Task Manager. In addition to the purpose of anti-dynamic analysis, this approach may result in an inability to visualize the possible termination of the RAT process due to Anti-VM and Anti-Analysis, Anti-Sandboxing tasks.
In all likelihood, the distribution via the Darknet of stealers and RATs will become increasingly frequent. Following the methodology found in this specific case, the above-mentioned forums will be used to sell such malicious software packages on the black market, allowing various threat actors to modify Bitcoin addresses or contact mails after encrypting files in order to extort money from victims. In this case, the presence of a ransomware module within RAT threats was very interesting, making the infection kill chain de facto more and more complete and invasive from the attacker’s point of view.
References:
[0] (introduction to VenomRAT): VenomRAT: A remote access tool with dangerous consequences (acronis.com)
