The term “sophisticated” is often linked to “Advanced Persistent Threats”, but other generic malware families have become more sophisticated and often have no issue getting past traditional security solutions.
We recently discovered a variant of the Luminosity Remote Access Trojan (RAT) that leveraged an usual delivery mechanism - the use of the AutoIt scripting. AutoIt is a legitimate system administration tool that is designed for task automation using scripts written by administrators. Although used by other malware previously, the benefit of using AutoIt to deliver Luminosity RAT is that it is often classified as legitimate software and is likely to evade detection from traditional security solutions.
Luminosity RAT was first seen in 2015 and contains features from a tool provided by the company LuminosityLink. Its key features include key logging, password recovery, RDP and the ability to manage files on the infected system.
How was this discovered?
We observed that a new scheduled task was created on a single host on one client’s network. This particular scheduled task was an anomaly in that it was only present on this particular system across the client estate and had not been seen on any other network Countercept monitored.
Further investigation revealed that the task launched a binary with the filename of ‘bambo.exe’ that was located in a randomly named directory in the user’s profile. Upon analysis of the binary, we found it was a renamed version of ‘AutoIt3.exe’.The command line arguments passed to the binary supplied a randomly named file within the same directory.
|Parent process: %USERPROFILE%\njiop\bambo.exe|
|Child process: %USERPROFILE%\njiop\afget.xkl|
Further analysis of the directory containing these files revealed the presence of another unique file with the name of “efkmcutt.gqz”. Both of the data files were unknown and had not been seen on Virus Totalat the time.
This type of behaviour will often easily bypass traditional security solutions due to the fact that AutoIt is a legitimate script binary that is not malicious by nature. It’s only malicious when it is abused and used to run malicious scripts. However, custom written scripts will have unique new hashes that are not seen in the wild, hence signature based solutions will typically not easily detect these.
In addition to the persistence entries discovered and process launch events, live memory analysis techniques had also reported other indicators of compromise on the system. A reflective DLL load had been observed in the legitimate Microsoft regsvcs.exe process, which had been launched by the AutoIt script. Additionally, evidence of thread injection into a number of other legitimate processes on the system were seen.
Reflective loading of DLLs is a technique often used by malware to dynamically inject malicious code into legitimate processes that are loaded on the system. The benefit of this is that it helps blend into the environment amongst normal processes so as to avoid detection from traditional security solutions. As these techniques do not make any changes to the disk, it is also especially effective against standard anti-virus solutions.
What caused the initial infection?
In order to discover the infection vector, a timeline of all related events was created. We traced back the first execution of the ‘bambo.exe’ binary and found the parent process with the name of “Facture SonatelSN10 1001 922783 602.exe”. The metadata of this binary was described as “Adobe Acrobat Reader DC”, though that was clearly not the case. The binary filename ‘Facture Sonatel’ is translated to ‘Sonatel bill’ in English and Sonatel is the principle telecommunications provider of Senegal.
Correlation of other data sources with the timeline constructed showed that the user was accessing attachments via Gmail at the time of the event. Given the affected user’s name and the specific social engineering technique, the most likely explanation was that the malware was generic African malware that had reached an African employee via their personal Gmail account that they were accessing from their corporate system with the phishing technique delivering malicious code under the guise of being a standard phone bill.
Command and Control
Most malware will typically have some form of command and control (C2) channel, which often will involve initiating some form of connection back to an internet hosted server. Further correlation of other data sources with the infection timeline revealed that the legitimate “regsvcs.exe” we had observed as being the target of code injection techniques process had been making outbound connections to a server IP address traced back to Côte d’Ivoire using TCP port 6600.
Heavy obfuscation of the malware scripts themselves made static analysis time consuming but dynamic analysis of the malware quickly revealed that a connection to the same IP address and port was made by the malware, confirming that the traffic we had identified previously was the command and control traffic. The standard beacon packet made periodically had a structure similar to the following:
CONNECT=P4CK3T=ATPS-2711472^$0$00:00:01$^[explorer] ^$^WIN-7LOLVM1\jo _pets^$Microsoft Windows 7 Professional 64-bit$0$1$True$Desktop$^1.5 .1^$08-10-2016$N/A$^8dde18c34015b91824834f7f8060b04eed2adeac6e6348810c37f8e6 038a91b4^$ATPS$N$^8_=_8
The communication starts with the CONNECT followed by commands preceded with =P4CK3T such as, “=P4CK3T=ATPS-2711472”. The C2 server will then acknowledge back with “=P4CK3T=8_=_8”.
In this instance, the infection had been discovered and reported to the client quickly and no evidence of lateral movement on the network or large scale data transfer to this server had been identified.
Further Indicators of Compromise
This malware variant was also found to write key logs and other binary files into another randomly named directory in the users profile (“%USERPROFILE%\AppData\Roaming\aoa\Logs”) and was identified as actively sending back contents of the log file in ‘aoa\Logs’. Based on the beacon behaviour and other behaviour seen, the malware could then clearly be identified as being related to the LuminosityLink Remote Access Trojan (RAT) family.
Would traditional security solutions detect this?
When infected with this variant of RAT, it will most likely remain undetected due to the techniques specifically aimed at evading traditional anti-virus, giving the attackers full control of the target system. The longer the malware remains active on the system, the more opportunity the attackers have to pivot and infect other systems across an enterprise network.
While the techniques used by the malware are not fundamentally new, this is an example of common malware families becoming more sophisticated and traditional security solutions struggling to catch up with them. Whilst traditional anti-virus can never protect against sophisticated targeted attacks, even generic widespread malware is increasingly slipping past anti-virus solutions with greater success.
However, with good visibility of key endpoint data, network traffic and application logs supplemented with a range of anomaly detection techniques, this new malware variant stood out easily and allowed us to quickly identify the techniques used, the extent of the compromise and the infection vector, which allowed the compromise to be quickly contained and weaknesses in the client’s security controls and processes to be highlighted.