Updated Malware Boosts Espionage Tool

Monday, November 17, 2014 @ 10:11 AM gHale


Masterminds behind the Uroburos malware campaign created a new tool for carrying out spy programs.

ComRAT is a remote access Trojan (RAT) that can execute commands, download files, collect information from the affected computers and exfiltrate it to a remote server, said researchers at G Data.

RELATED STORIES
RAT Hides and then Attacks
Gmail Draft Messages Steal Data
Tool to Spy on Bad Guys
Malware Team Uses RAT

There are two versions of the malware with very little differences between them. The differences occur mainly in the way files end up obfuscated and how the details of the command and control (C&C) server remain stored.

The most recent version of the malware comes with improved obfuscation and anti-analysis mechanisms, which is also an attempt to hide the connection with the previously used tools, said Paul Rascagneres of G Data.

Rascagneres said the threat achieves persistency by creating a registry key for an installed payload (shdocvw.tlp – dynamic library); the key ends up used to associate the library with a specific object (42aedc87-2188-41fd-b9a3-0c966feabec1). “The purpose is to load the library into each and every process executed on the infected system,” the researcher said in a blog post.

In order to evade detection, ComRAT communicates with the command and control server through the browser process, which is less likely to end up discovered by security solutions available on the compromised computer, such as a firewall or an antivirus product.

The domain the malware connects to is “weather-online.hopto.org,” which also appeared in previous campaigns, researchers said.

The code used in ComRAT is partially the same as the one used by a previous tool associated with Uroburos, named Agent.BTZ by G Data, Rascagneres said. Because of this, security products detect the new RAT as Uroburos.

The compilation date of the more recent version of the threat is January 3, 2013. However, Rascagneres said the datestamp may or may not be true because an earlier sample, which does not feature the improvements, has the compilation date of February 6, 2014.

“The persistence mechanism discovered in October 2014 makes it possible to intrude into a system in a really discreet manner and we estimate that other actors will use the same persistence mechanism in the near future,” Rascagneres said.



Leave a Reply

You must be logged in to post a comment.