RAT Hides and then Attacks

Wednesday, November 5, 2014 @ 08:11 AM gHale

There is a remote administration tool (RAT) that uses a novel technique to stay persistent on infected systems and avoid detection, researchers said.

The RAT, dubbed “COMpfun,” does some of the usual things like log keystrokes, take screenshots, download and upload files, execute code, and carry out other specific tasks, said researchers at G DATA Software’s SecurityLabs.


The threat can run on 32- and 64-bit versions of Microsoft Windows (up to Windows 8), and it relies on HTTPS and RSA encryption to communicate with its command and control (C&C) server.

What makes COMpfun interesting is it injects itself into the processes running on compromised systems by hijacking legitimate Component Object Model (COM) objects.

COM allows developers to manipulate and control the objects of other applications. Each of these objects has a unique identifier called a CLSID.

When installed on a system, the RAT creates two files, after which it creates two registry entries to define COM objects with the CLSIDs {b5f8350b-0548-48b1-a6ee-88bd00b4a5e7} and {BCDE0395-E52F-467C-8E3D-C4579291692E}. These CLSIDs already belong to two Microsoft libraries used by several applications, including the Web browser. However, by defining objects with the same CLSIDs, the malware’s new entries end up replacing the originals.

Once this occurs, the malicious libraries load into processes instead of the legitimate Microsoft libraries. This not only ensures the RAT remains persistent, but also makes it more difficult to detect.
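The shadowing described above can be checked from the defender's side. The script below is an added example, not code from G DATA or from the article; it assumes the per-user hive (HKCU\Software\Classes\CLSID), which Windows consults before the machine-wide hive (HKLM\Software\Classes\CLSID) when resolving a CLSID, is where the overriding entries live, and it reports any CLSID whose in-process server is registered in both hives, starting with the two CLSIDs the article names.

```powershell
# Added example (not part of the original article): find per-user COM registrations
# that shadow machine-wide ones, the condition COMpfun is described as creating.
# Assumption: the overriding entries live under HKCU\Software\Classes\CLSID, which
# COM consults ahead of HKLM\Software\Classes\CLSID for the same identifier.

# The two CLSIDs named in the article; pass your own list to check other identifiers.
$WatchList = @(
    '{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7}',
    '{BCDE0395-E52F-467C-8E3D-C4579291692E}'
)

function Get-InprocServerPath {
    param([string]$Hive, [string]$Clsid)
    $key = Join-Path $Hive "Software\Classes\CLSID\$Clsid\InprocServer32"
    if (Test-Path -LiteralPath $key) {
        # The (default) value is the DLL path COM will load into the client process.
        return (Get-ItemProperty -LiteralPath $key).'(default)'
    }
    return $null
}

function Find-ShadowedClsid {
    param([string[]]$Clsids)
    foreach ($clsid in $Clsids) {
        $user    = Get-InprocServerPath -Hive 'HKCU:' -Clsid $clsid
        $machine = Get-InprocServerPath -Hive 'HKLM:' -Clsid $clsid
        # A CLSID registered in both hives is resolved to the per-user DLL, so the
        # machine-wide library is effectively replaced; report both paths for triage.
        if ($user -and $machine) {
            [pscustomobject]@{
                CLSID      = $clsid
                UserDll    = $user
                MachineDll = $machine
            }
        }
    }
}

# 1. Check the CLSIDs from the article.
Find-ShadowedClsid -Clsids $WatchList | Format-Table -AutoSize

# 2. Sweep every per-user in-process server for the same shadowing pattern.
$allUserClsids = Get-ChildItem -Path 'HKCU:\Software\Classes\CLSID' -ErrorAction SilentlyContinue |
    Where-Object { Test-Path -LiteralPath (Join-Path $_.PSPath 'InprocServer32') } |
    ForEach-Object { $_.PSChildName }
Find-ShadowedClsid -Clsids $allUserClsids | Format-Table -AutoSize
```

Any row returned is a lead, not a verdict: some software legitimately registers per-user COM servers, so confirm the DLL's publisher, signature and location before treating it as a hijack.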

“As soon as the infection was successful, Microsoft Windows then natively executes the library in the processes of the infected user. Hence, the attacking process is hard to identify. Using COM hijacking is undoubtedly silent. It is not even detected by Sysinternals’ Autoruns,” G DATA researcher Paul Rascagnères said in a blog post.

Antivirus products monitor systems for DLL injection, but since COMpfun doesn’t rely on DLL injection, some security solutions might miss the threat. Rascagnères said that while this RAT is one of the first to do it, any type of malware could use the technique to become stealthy.

COMpfun is not the only RAT that abuses COM. Back in August, G DATA detailed IcoScript, a piece of malware that leveraged COM to control Internet Explorer. By taking control of the Web browser, bad guys have been able to carry out various actions, such as accessing websites, entering credentials, pressing buttons on pages, and exfiltrating data.
