Researchers have identified two different versions of a RAT affecting users of a Brazilian public school. Samples of both versions, 3.0 and 4.0, were written in Python and packed into an executable with the tool py2exe. The malware's main script bytecode is located in a portable executable section called PYTHONSCRIPT, and the Python DLL is stored in a file called PYTHON27.DLL.
The choice to target the public school sector is not surprising: in most cases public-sector organisations have not deployed a proper security solution such as an antivirus.
Both versions have the common functions found in any other RAT, meaning every infection can do real damage. During analysis the researchers found that version 4.0 is a stripped-down version: some features were removed compared to version 3.0.
The victims of this campaign are the users of INESAP (Instituto Nacional Escola Superior da Administração Pública), a school in the Brazilian public sector.
Users of INESAP are easy targets for cybercriminals because, all over the world with minor exceptions, public-sector infrastructure has not been tested with robust assessments such as penetration tests or other ethical hacking exercises.
The RAT's C&C infrastructure uses a DNS technique called fast flux, which lets the hosts change their resolution quickly: the C&C records use a TTL of 120 seconds and are changed several times a day. The C&C is linked to four hostnames which always point to IP addresses hosted within the same ASN.
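The behaviour described above (short TTL, addresses rotating several times a day, all inside one ASN) is what a defender would look for in passive-DNS data. The following is an added example, not code from the report: a small heuristic classifier over constructed observations. Hostnames use the reserved `.invalid` TLD, IPs come from documentation ranges, the ASN numbers are from the documentation range, and the thresholds (`LOW_TTL_SECONDS`, `MIN_DISTINCT_IPS`) are assumptions chosen for the example.

```python
"""Heuristic fast-flux detector over passive-DNS style observations.

Added illustration (not code from the report). All observations below are
constructed: .invalid hostnames, TEST-NET IP ranges, documentation ASNs.
"""
from collections import defaultdict

# (hostname, observed_at_seconds, ttl_seconds, resolved_ip, origin_asn)
OBSERVATIONS = [
    # Suspected C&C name: 120 s TTL, a new IP every few hours, always in AS64496.
    ("c2-a.example.invalid",     0, 120, "203.0.113.10", 64496),
    ("c2-a.example.invalid",  7200, 120, "203.0.113.57", 64496),
    ("c2-a.example.invalid", 14400, 120, "203.0.113.91", 64496),
    ("c2-a.example.invalid", 28800, 120, "203.0.113.23", 64496),
    ("c2-a.example.invalid", 43200, 120, "203.0.113.10", 64496),
    # CDN-style name: more than one IP, but a long TTL and two different ASNs.
    ("cdn.example.invalid",      0, 3600, "198.51.100.5", 64497),
    ("cdn.example.invalid",  43200, 3600, "198.51.100.6", 64498),
    # A low TTL on its own is not flux: one stable address throughout.
    ("static.example.invalid",   0,   60, "192.0.2.8", 64499),
    ("static.example.invalid", 43200, 60, "192.0.2.8", 64499),
]

LOW_TTL_SECONDS = 300   # assumption: anything at or below this counts as "short"
MIN_DISTINCT_IPS = 3    # assumption: rotation through this many addresses is suspicious


def summarize(observations):
    """Group observations per hostname: distinct IPs and ASNs, largest TTL seen."""
    per_host = defaultdict(lambda: {"ips": set(), "asns": set(), "max_ttl": 0})
    for host, _t, ttl, ip, asn in observations:
        rec = per_host[host]
        rec["ips"].add(ip)
        rec["asns"].add(asn)
        rec["max_ttl"] = max(rec["max_ttl"], ttl)
    return per_host


def classify(observations, low_ttl=LOW_TTL_SECONDS, min_ips=MIN_DISTINCT_IPS):
    """Return {host: verdict} for the observation period supplied (e.g. one day).

    A host is flagged when it keeps a short TTL while rotating through several
    addresses. Single-ASN hosting is reported separately: it is not part of the
    flux test, but it matched what the researchers saw in this campaign."""
    verdicts = {}
    for host, rec in summarize(observations).items():
        verdicts[host] = {
            "fast_flux": rec["max_ttl"] <= low_ttl and len(rec["ips"]) >= min_ips,
            "distinct_ips": len(rec["ips"]),
            "same_asn": len(rec["asns"]) == 1,
            "max_ttl": rec["max_ttl"],
        }
    return verdicts


if __name__ == "__main__":
    for host, v in classify(OBSERVATIONS).items():
        flag = "FLUX" if v["fast_flux"] else "ok  "
        print(f"{flag} {host:26s} ips={v['distinct_ips']} "
              f"max_ttl={v['max_ttl']} same_asn={v['same_asn']}")
```

The two negative cases matter as much as the positive one: a CDN legitimately answers with different addresses, and plenty of benign zones use short TTLs, so neither property alone should raise an alert; it is the combination, over a day of resolutions, that separates the C&C pattern from normal traffic.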
The RAT is distributed in py2exe format, which bundles python27.dll and the Python bytecode stored as a portable executable resource.
The most recent version of the RAT, v4.0, shares a lot of code with version 3.0. However, the researchers found that the cybercriminals attempted to add obfuscation techniques to avoid detection by security products.
The new version is distributed packed with a standard build of UPX, a well-known executable packer, which hides some of the strings and so reduces the chance of antivirus detection. The Python bytecode, however, is not obfuscated, so it was effortless for the researchers to reverse it back to source code.
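A standard UPX build leaves recognisable traces in the section table, which is the first thing an analyst checks before looking for the PYTHONSCRIPT resource. The following is an added example, not code from the report: a minimal PE section-table walker that reports UPX section names, an empty-on-disk unpacking target and high-entropy compressed data. The sample image is constructed in memory with the layout a standard UPX-packed PE32 shows (UPX0/UPX1/.rsrc); only the fields the parser reads are filled in, and the "compressed" payload is deterministic SHA-256 output standing in for real compressed bytes.

```python
"""Walk a PE section table and report UPX-style packing indicators.

Added illustration, not code from the report. It parses only the DOS header,
COFF header and section headers, and the sample image is constructed here.
"""
import hashlib
import math
import struct

COFF_HEADER = struct.Struct("<HHIIIHH")          # IMAGE_FILE_HEADER, 20 bytes
SECTION_HEADER = struct.Struct("<8sIIIIIIHHI")   # IMAGE_SECTION_HEADER, 40 bytes
UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2"}


def shannon_entropy(buf):
    """Bits per byte: near 8.0 for compressed or encrypted data, 0.0 for empty input."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(image):
    """Return one dict per section: name, virtual size, raw size, entropy of raw data."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew, = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    _, nsections, _, _, _, opt_size, _ = COFF_HEADER.unpack_from(image, e_lfanew + 4)
    table = e_lfanew + 4 + COFF_HEADER.size + opt_size     # section table follows the optional header
    sections = []
    for i in range(nsections):
        name, vsize, _rva, raw_size, raw_ptr, *_ = SECTION_HEADER.unpack_from(image, table + 40 * i)
        raw = image[raw_ptr:raw_ptr + raw_size] if raw_size else b""
        sections.append({
            "name": name.rstrip(b"\x00").decode("ascii", "replace"),
            "virtual_size": vsize,
            "raw_size": raw_size,
            "entropy": shannon_entropy(raw),
        })
    return sections


def packer_indicators(sections):
    """Human-readable reasons to suspect a packer; an empty list means none were seen."""
    hits = []
    for s in sections:
        if s["name"] in UPX_SECTION_NAMES:
            hits.append(f"{s['name']}: standard UPX section name")
        if s["raw_size"] == 0 and s["virtual_size"] > 0:
            hits.append(f"{s['name']}: no file data but {s['virtual_size']:#x} bytes reserved in memory (unpacking target)")
        if s["raw_size"] >= 256 and s["entropy"] > 7.0:
            hits.append(f"{s['name']}: entropy {s['entropy']:.2f} bits/byte (compressed or encrypted payload)")
    return hits


def _deterministic_noise(n, seed=b"constructed"):
    """High-entropy but reproducible filler standing in for compressed data."""
    out, h = bytearray(), seed
    while len(out) < n:
        h = hashlib.sha256(h).digest()
        out += h
    return bytes(out[:n])


def build_constructed_pe(sections):
    """Build a minimal PE32 image from (name, virtual_size, raw_bytes) tuples.
    Only the fields parse_sections() reads are meaningful; the rest stay zero."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\x00")
    optional = struct.pack("<H", 0x10B).ljust(224, b"\x00")   # PE32 magic, remaining fields zero
    coff = COFF_HEADER.pack(0x14C, len(sections), 0, 0, 0, len(optional), 0x0102)
    headers_len = e_lfanew + 4 + len(coff) + len(optional) + SECTION_HEADER.size * len(sections)
    raw_base = (headers_len + 0x1FF) & ~0x1FF                 # 512-byte file alignment
    table, blobs, rva = b"", b"", 0x1000
    for name, vsize, raw in sections:
        raw_ptr = raw_base + len(blobs) if raw else 0
        table += SECTION_HEADER.pack(name.encode().ljust(8, b"\x00"), vsize, rva,
                                     len(raw), raw_ptr, 0, 0, 0, 0, 0x60000020)
        blobs += raw
        rva += -(-max(vsize, len(raw)) // 0x1000) * 0x1000    # next page-aligned RVA
    return (dos + b"PE\x00\x00" + coff + optional + table).ljust(raw_base, b"\x00") + blobs


# Constructed sample: the three-section layout a standard UPX build produces.
SAMPLE_IMAGE = build_constructed_pe([
    ("UPX0", 0x20000, b""),                                  # empty on disk, filled at runtime
    ("UPX1", 0x8000, _deterministic_noise(4096)),            # compressed program plus unpacking stub
    (".rsrc", 0x1000, b"PYTHONSCRIPT".ljust(512, b"\x00")),  # resources UPX leaves readable
])

if __name__ == "__main__":
    secs = parse_sections(SAMPLE_IMAGE)
    for s in secs:
        print(f"{s['name']:8s} vsize={s['virtual_size']:#08x} raw={s['raw_size']:#06x} entropy={s['entropy']:.2f}")
    for hit in packer_indicators(secs):
        print("  !", hit)
```

Section names are the weakest of the three signals, because a packer can be rebuilt with any names; the empty UPX0 region and the entropy of UPX1 survive renaming and are what a detection rule should lean on.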
During installation, the malware creates a PDF file with embedded HTML code that loads a single image hosted at imgur.com; the image is used as a fake official INESAP document.
All of the v4.0 RAT's capabilities are very basic. Network credentials are gathered using the standard Windows API functions CredEnumerate() and CryptUnprotectData(), without techniques like the well-known Mimikatz. The virtual machine (VM) detection capability is rather rudimentary, based on a simple WMI query that checks only for the VMware, VirtualBox and Virtual PC platforms.
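Because the bytecode is stored unobfuscated in the PYTHONSCRIPT resource, an analyst can go straight from the resource bytes to the code objects and pull out the strings that reveal the behaviour described above, such as the credential-API names and the WMI query. The following is an added example, not code from the report: it assumes the PYTHONSCRIPT resource has already been extracted from the PE (for example with a resource walker such as pefile), that the blob follows py2exe's scriptinfo layout (int32 tag 0x78563412, optimize and unbuffered flags, data length, NUL-terminated archive path, then a marshalled list of code objects), and that the interpreter matches the major version that built the sample, since marshal data is version-bound: a sample shipping PYTHON27.DLL must be unmarshalled under Python 2.7. The sample blob is constructed in-process from a stand-in script that merely references the API and WMI names from the report, so it loads under whichever interpreter runs it; the indicator lists are this example's own.

```python
"""Parse a py2exe PYTHONSCRIPT blob and triage the strings in its bytecode.

Added illustration, not code from the report. The sample blob is constructed
here and compiled, never executed.
"""
import marshal
import struct
import types

PY2EXE_MAGIC = 0x78563412   # tag at the start of py2exe's scriptinfo struct

# Triage indicators taken from the report's description of the RAT's behaviour.
INDICATORS = {
    "credential_access": ("CredEnumerate", "CryptUnprotectData"),
    "vm_detection": ("Win32_ComputerSystem", "VMware", "VirtualBox", "Virtual PC"),
}


def parse_pythonscript(blob):
    """Split the blob into (archive name, list of code objects).

    Layout: int32 tag, optimize, unbuffered, data length; NUL-terminated
    archive path; then a marshalled list of code objects."""
    tag, _optimize, _unbuffered, _data_len = struct.unpack_from("<iiii", blob, 0)
    if tag != PY2EXE_MAGIC:
        raise ValueError(f"not a py2exe PYTHONSCRIPT blob (tag {tag:#x})")
    end = blob.index(b"\x00", 16)
    archive = blob[16:end].decode("utf-8", "replace")
    code_objects = marshal.loads(blob[end + 1:])
    if not isinstance(code_objects, list):
        code_objects = [code_objects]
    return archive, code_objects


def collect_strings(code):
    """Recursively gather names and string constants from a code object,
    descending into nested function and class bodies and constant tuples."""
    found = list(code.co_names)
    stack = list(code.co_consts)
    while stack:
        c = stack.pop()
        if isinstance(c, str):
            found.append(c)
        elif isinstance(c, (tuple, frozenset)):
            stack.extend(c)
        elif isinstance(c, types.CodeType):
            found.extend(collect_strings(c))
    return found


def triage(blob):
    """Return (archive name, {category: sorted strings matching that category})."""
    archive, codes = parse_pythonscript(blob)
    strings = [s for code in codes for s in collect_strings(code)]
    hits = {}
    for category, needles in INDICATORS.items():
        hits[category] = sorted({s for s in strings
                                 if any(n.lower() in s.lower() for n in needles)})
    return archive, hits


def build_constructed_pythonscript(source, archive_name="library.zip"):
    """Assemble a blob in py2exe's layout from source text (constructed sample)."""
    code = compile(source, "<main>", "exec")
    payload = marshal.dumps([code])
    header = struct.pack("<iiii", PY2EXE_MAGIC, 0, 0, len(payload))
    return header + archive_name.encode() + b"\x00" + payload


# Constructed stand-in that only references the names the report mentions.
SAMPLE_SOURCE = '''
import ctypes

def looks_virtual(model):
    query = "SELECT Model FROM Win32_ComputerSystem"
    return any(v in model for v in ("VMware", "VirtualBox", "Virtual PC"))

def stored_credentials():
    return ctypes.windll.advapi32.CredEnumerateW
'''
SAMPLE_BLOB = build_constructed_pythonscript(SAMPLE_SOURCE)

if __name__ == "__main__":
    archive, hits = triage(SAMPLE_BLOB)
    print("archive:", archive)
    for category, matches in hits.items():
        print(f"{category}: {matches or 'none'}")
```

Walking `co_consts` recursively matters because the interesting strings usually sit inside function bodies and constant tuples, not at module level; a flat scan of the top-level code object would miss both the WMI query and the platform names in the sample.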
Version 4.0 of the RAT was configured as part of a campaign targeting INESAP, a Brazilian school for public administration.
According to artifacts the researchers found on pastebin.com, the campaign and RAT customisation appear to have started around Jan. 9, 2018.
The code found on pastebin.com matches the code in the install module, which includes the PDF decoy file generation.
This kind of RAT can be easily detected and removed by a capable security solution. We recommend that every user download antivirus for Mac or antivirus for Windows. By installing a Windows antivirus or a Mac antivirus, depending on the system the user's device runs, the chances of infection with malware that causes significant damage are greatly reduced.