Threat Analysis Unit – Threat Intelligence Notification
Title: MagicRAT
Summary
A new remote access trojan named MagicRAT was discovered and linked to the threat actor Lazarus Group. The command and control server that hosts and serves MagicRAT was also found to be linked to TigerRAT, another implant created by the Lazarus Group.
Behavioral Summary
Upon execution, MagicRAT creates a configuration file in the %ProgramData% directory and a shortcut (.LNK) file in the %AppData% Startup directory below so that it is executed again at startup:
%AppData%/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/{MagicRAT}.lnk
In addition, it executes the following two commands to establish persistence on the compromised machine (the first schedules a daily deletion of the dropped executable, the second re-launches it as SYSTEM at every boot):
cmd.exe /c schtasks /create /tn "OneDrive AutoRemove" /tr "C:\Windows\System32\cmd.exe /c del /f /q "{MagicRAT.exe}"" /sc daily /st 10:30:30 /ru "SYSTEM"
cmd.exe /c schtasks /create /tn "Microsoft\Windows\light Service Manager" /tr "{MagicRAT.exe}" /sc onstart /ru SYSTEM
Furthermore, it will perform reconnaissance activity in the compromised machine and make connections to the Command & Control (C&C) server. MagicRAT is able to perform further malicious activity such as exfiltrating sensitive information, deploying additional malicious payload or deleting files in the compromised machine.
Other than that, it can create the following BAT file to delete the malicious payload from the compromised machine (the batch file receives the process name and file paths as its %1 to %4 arguments and retries until the file is gone):
@echo off
:Repeat
taskkill /F /IM %1
del /f /s /q "%2"
if exist "%3" goto Repeat
del /s /q "%4"
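As an added example that is not part of this notification, the following Python detector checks process command lines for the two schtasks persistence commands quoted above and checks batch-file contents for the self-deletion loop. The event layout, the sample file paths, the trusted-directory list and the function names are assumptions made for this example; only the task names and the batch body come from the report.

```python
"""Added example, not code from the TAU notification: flag the scheduled-task
persistence and the self-deletion behaviours described above in process
command lines. The event layout and every path below are constructed for this
example; only the task names and the batch body come from the report."""
import re

# Task names the report attributes to MagicRAT (compared case-insensitively).
KNOWN_TASK_NAMES = {
    "onedrive autoremove",
    r"microsoft\windows\light service manager",
}

# A SYSTEM task that runs at boot from outside these trees is unusual
# (assumed baseline for this example, tune for your environment).
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

_TN_RE = re.compile(r'/tn\s+(?:"([^"]+)"|(\S+))', re.I)
# /tr can hold nested quotes (cmd.exe /c del ... "path"), so capture greedily
# up to the closing quote that precedes /sc; fall back to a bare token.
_TR_RE = re.compile(r'/tr\s+(?:"(.*)"\s+/sc\b|(\S+))', re.I)
_SC_RE = re.compile(r'/sc\s+(\S+)', re.I)
_RU_RE = re.compile(r'/ru\s+"?([^"\s]+)"?', re.I)


def _first(rx, text):
    """First non-empty capture group of rx in text, or ''."""
    m = rx.search(text)
    return next((g for g in m.groups() if g is not None), "") if m else ""


def parse_schtasks_create(cmdline):
    """Interesting arguments of a `schtasks /create` command, or None if not one."""
    if not re.search(r'\bschtasks(?:\.exe)?\s+/create\b', cmdline, re.I):
        return None
    return {
        "task_name": _first(_TN_RE, cmdline),
        "action": _first(_TR_RE, cmdline),
        "schedule": _first(_SC_RE, cmdline).lower(),
        "run_as": _first(_RU_RE, cmdline).lower(),
    }


def action_executable(action):
    """Program the task launches: the leading path up to its .exe, else the first token."""
    m = re.match(r'\s*"?(.+?\.exe)\b', action, re.I)
    if m:
        return m.group(1).lower()
    return action.strip().strip('"').split(None, 1)[0].lower() if action.strip() else ""


def assess_schtasks(cmdline):
    """Reasons a command line matches the persistence behaviour in the report."""
    task = parse_schtasks_create(cmdline)
    if task is None:
        return []
    reasons = []
    if task["task_name"].lower() in KNOWN_TASK_NAMES:
        reasons.append("task name reported for MagicRAT")
    if re.search(r'cmd(?:\.exe)?\s+/c\s+del\b', task["action"], re.I):
        reasons.append("scheduled self-deletion via cmd.exe del")
    exe = action_executable(task["action"])
    if (task["schedule"] == "onstart" and task["run_as"] == "system"
            and exe and not exe.startswith(TRUSTED_PREFIXES)):
        reasons.append("SYSTEM boot task running from an untrusted path")
    return reasons


# Batch body quoted in the report; the three markers below are its signature.
SELF_DELETE_BAT = """@echo off
:Repeat
taskkill /F /IM %1
del /f /s /q "%2"
if exist "%3" goto Repeat
del /s /q "%4"
"""
_BATCH_MARKERS = (
    re.compile(r'^\s*taskkill\s+/F\s+/IM\s+%1\b', re.I | re.M),
    re.compile(r'^\s*del\s+/f\s+/s\s+/q\s+"?%2"?', re.I | re.M),
    re.compile(r'^\s*if\s+exist\s+"?%3"?\s+goto\s+repeat\b', re.I | re.M),
)


def is_self_delete_batch(text):
    """True when a batch file carries the kill / delete / retry loop above."""
    return all(rx.search(text) for rx in _BATCH_MARKERS)


# Constructed process events. The first two mirror the command lines quoted in
# the report with a made-up path in place of {MagicRAT.exe}; the rest are
# benign controls.
SAMPLE_EVENTS = [
    r'cmd.exe /c schtasks /create /tn "OneDrive AutoRemove" /tr "C:\Windows\System32\cmd.exe /c del /f /q "C:\Users\Public\sample.exe"" /sc daily /st 10:30:30 /ru "SYSTEM"',
    r'cmd.exe /c schtasks /create /tn "Microsoft\Windows\light Service Manager" /tr "C:\Users\Public\sample.exe" /sc onstart /ru SYSTEM',
    r'schtasks /create /tn "Vendor Updater" /tr "C:\Program Files\Vendor\updater.exe" /sc daily /st 09:00',
    r'cmd.exe /c dir C:\Users',
]


def scan(events):
    """(index, reasons) for each event that matched at least one rule."""
    return [(i, assess_schtasks(e)) for i, e in enumerate(events) if assess_schtasks(e)]


if __name__ == "__main__":
    for i, reasons in scan(SAMPLE_EVENTS):
        print(f"event {i}: {'; '.join(reasons)}")
    print("batch signature:", is_self_delete_batch(SELF_DELETE_BAT))
```

The `/tr` value is the awkward part of a schtasks command line because the action may itself contain quoted paths, which is why the parser anchors on the `/sc` switch that follows rather than on quote pairing. The third rule is deliberately broader than the report's exact task names so that a renamed task with the same boot-time SYSTEM behaviour is still surfaced for review.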
The following is the overall process chart of this malware's activity.
Processes | Operation Attempt | Action |
Unknown application or process | Communicates over the network; Invokes an untrusted process | Deny Operation |
VMware Carbon Black App Control
The most effective way of blocking this malware is by running App Control in High or Medium enforcement. Other than that, customers running Low enforcement can enable the following Rapid Configs as an additional layer of protection to prevent and alert on malware that executes during the different phases of an attack:
- Browser Protection
- Microsoft Office Protection
- PowerShell Protection
- Ransomware Protection
- Reconnaissance and Exfiltration Protection
- Suspicious Command Line Protection
- Suspicious Application Protection
- WMI Protection
Implementation: As always, our best-practice recommendation is to create all custom rules in "Report" mode first, assess for false positives, and create any higher-ranking execute allow rules to prevent legitimate blocks. After confirming no false positives in your environment, you can then change to Block.
Customer Action: Ban the known hashes listed in the IOC section of this report in your environment.
VMware Carbon Black EDR and Cloud Enterprise EDR
The PSC Threat Feeds will detect the known hashes for this malware. Customers can ban known hashes as well, which are located in the IOC section of this report.
Many existing queries that are located in the MITRE ATT&CK, SANS, CB Endpoint Visibility, and CB Advanced Threat feeds will also alert on characteristics associated with these families.
Name | Query |
Discovery – System Information Discovery | VMware Carbon Black EDR: ((((cmdline:dir OR cmdline:ver OR cmdline:set OR cmdline:hostname OR cmdline:systeminfo) os_type:windows) and -(digsig_publisher:"Google LLC" or digsig_publisher:"Google, Inc" or process_name:netsh.exe))) Cloud Enterprise EDR: (((((process_cmdline:dir OR process_cmdline:ver OR process_cmdline:set OR process_cmdline:hostname OR process_cmdline:systeminfo) device_os:WINDOWS) AND -(process_publisher:"Google\ LLC" OR process_publisher:"Google,\ Inc" OR process_name:netsh.exe)))) -enriched:true |
Discovery – System Owner/User Discovery #1 | VMware Carbon Black EDR: (process_name:whoami.exe OR cmdline:whoami) Cloud Enterprise EDR: ((process_name:whoami.exe OR process_cmdline:whoami)) -enriched:true |
Discovery – System Network Configuration Discovery #5 | VMware Carbon Black EDR: (process_name:nbtstat.exe OR process_name:ipconfig.exe OR (process_name:arp.exe AND cmdline:-a) OR (process_name:net*.exe AND cmdline:config)) Cloud Enterprise EDR: ((process_name:nbtstat.exe OR process_name:ipconfig.exe OR (process_name:arp.exe process_cmdline:\-a) OR (process_name:net*.exe process_cmdline:config))) -enriched:true |
Discovery – System Profiling | VMware Carbon Black EDR: ((childproc_name:net.exe OR childproc_name:nbstat.exe OR childproc_name:ipconfig.exe) AND childproc_name:systeminfo.exe) Cloud Enterprise EDR: ((childproc_name:net.exe OR childproc_name:nbstat.exe OR childproc_name:ipconfig.exe) AND childproc_name:systeminfo.exe) -enriched:true |
Impact – Interactive BCDEdit or BCDBoot Execution Detected | VMware Carbon Black EDR: (process_name:bcdboot.exe or process_name:bcdedit.exe) Cloud Enterprise EDR: (process_name:bcdboot.exe OR process_name:bcdedit.exe) -enriched:true |
Implementation: As always, our best practice recommendation is to tune for any false positives before creating new watchlists.
Customer Action: Test and Deploy Watchlist and ban known hash values. For any hits, investigate the file modifications, network connections, cross process injection(s) and child processes.
MITRE ATT&CK TIDs
TID | Tactics | Technique |
T1059 | Execution | Command and Scripting Interpreter |
T1053.005 | Execution, Persistence, Privilege Escalation | Scheduled Task/Job: Scheduled Task |
T1547.001 | Persistence, Privilege Escalation | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
T1027 | Defense Evasion | Obfuscated Files or Information |
T1070.004 | Defense Evasion | Indicator Removal on Host: File Deletion |
T1497 | Defense Evasion, Discovery | Virtualization/Sandbox Evasion |
T1124 | Discovery | System Time Discovery |
T1016 | Discovery | System Network Configuration Discovery |
T1082 | Discovery | System Information Discovery |
T1012 | Discovery | Query Registry |
T1105 | Command and Control | Ingress Tool Transfer |
Indicators of Compromise (IOCs)
Indicator | Type | Context |
90fb0cd574155fd8667d20f97ac464eca67bdb6a8ee64184159362d45d79b6a4 | SHA256 | MagicRAT |
9dc04153455d054d7e04d46bcd8c13dd1ca16ab2995e518ba9bf33b43008d592 | SHA256 | MagicRAT |
f6827dc5af661fbb4bf64bc625c78283ef836c6985bb2bfb836bd0c8d5397332 | SHA256 | MagicRAT |
8ce219552e235dcaf1c694be122d6339ed4ff8df70bf358cd165e6eb487ccfc5 | SHA256 | MagicRAT |
c2904dc8bbb569536c742fca0c51a766e836d0da8fac1c1abd99744e9b50164f | SHA256 | MagicRAT |
dda53eee2c5cb0abdbf5242f5e82f4de83898b6a9dd8aa935c2be29bafc9a469 | SHA256 | MagicRAT |
a6d63439404b38f28606566f8b95298c624bc1e1 | SHA1 | MagicRAT |
2cae41e7c770d49c85afd90903e6cf65871228aa | SHA1 | MagicRAT |
a3555a77826df6c8b2886cc0f40e7d7a2bd99610 | SHA1 | MagicRAT |
b786191ce03237229db2df511c1b7ecd51c49d5f | SHA1 | MagicRAT |
870694a1defa9f9df70b6857038be1c5f5150865 | SHA1 | MagicRAT |
130baec325e6ae41517404e76f911f071f613567 | SHA1 | MagicRAT |
6c2b947921e7c77d9af62ce9a3ed7621 | MD5 | MagicRAT |
d9ce494a22390a7dd4ad8a86ad50ec03 | MD5 | MagicRAT |
b4c9b903dfd18bd67a3824b0109f955b | MD5 | MagicRAT |
ff3194d3d5810a42858f3e22c91500b1 | MD5 | MagicRAT |
9a481bc83fea1dea3e3bdfff5e154d44 | MD5 | MagicRAT |
ddb1f970371fa32faae61fc5b8423d4b | MD5 | MagicRAT |
hxxp://gendoraduragonkgp126[.]com/board/index.php | Domain | Command & Control Server |
hxxp://64.188.27[.]73/adm_bord/login_new_check.php | Domain | Command & Control Server |
hxxp://172.16.3[.]81/proxy.php | Domain | Command & Control Server |
hxxp://mudeungsan.or[.]kr/gbbs/bbs/template/g_botton.php | Domain | Command & Control Server |
hxxp://www.neohr.co[.]kr/bbs/data/notice/notice.php | Domain | Command & Control Server |
hxxp://www.easyview[.]kr/board/mb_admin.php | Domain | Command & Control Server |
hxxp://www.easyview[.]kr/board/Kheader.php | Domain | Command & Control Server |
hxxp://155.94.210[.]11/news/page.php | Domain | Command & Control Server |
hxxp://155.94.210[.]11/news/images/header/74ba82f92f6425ba5efde22b242553ec.gif | Domain | Command & Control Server |
hxxp://192.186.183[.]133/bbs/images/header/90d777e7c5500bee2ba213f743279517.gif | Domain | Command & Control Server |
hxxp://192.186.183[.]133/bbs/board.php | Domain | Command & Control Server |
hxxp://54.68.42[.]4/mainboard.php | Domain | Command & Control Server |
hxxp://213.32.46[.]0/board.php | Domain | Command & Control Server |
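As an added example that is not part of this notification, the following Python code turns the pipe-delimited IOC table above into a typed blocklist (hash sets keyed by algorithm, refanged C2 URLs and their hosts) and matches file contents and URLs against it, which is the "ban known hashes" customer action in code. The rows embedded below are copied from the report's IOC table; the table layout handling, the function names and the sample file bytes are assumptions of this example.

```python
"""Added example, not code from the TAU notification: parse the report's IOC
table into a blocklist and match artefacts against it. The IOC rows are copied
from the report; the parsing logic, function names and sample bytes are
constructed for this example."""
import hashlib
import re
from urllib.parse import urlparse

# Subset of the report's IOC table, verbatim, in the same pipe-delimited layout.
IOC_TABLE = """\
Indicator | Type | Context |
90fb0cd574155fd8667d20f97ac464eca67bdb6a8ee64184159362d45d79b6a4 | SHA256 | MagicRAT |
9dc04153455d054d7e04d46bcd8c13dd1ca16ab2995e518ba9bf33b43008d592 | SHA256 | MagicRAT |
a6d63439404b38f28606566f8b95298c624bc1e1 | SHA1 | MagicRAT |
2cae41e7c770d49c85afd90903e6cf65871228aa | SHA1 | MagicRAT |
6c2b947921e7c77d9af62ce9a3ed7621 | MD5 | MagicRAT |
d9ce494a22390a7dd4ad8a86ad50ec03 | MD5 | MagicRAT |
hxxp://gendoraduragonkgp126[.]com/board/index.php | Domain | Command & Control Server |
hxxp://64.188.27[.]73/adm_bord/login_new_check.php | Domain | Command & Control Server |
hxxp://www.easyview[.]kr/board/mb_admin.php | Domain | Command & Control Server |
"""

HASH_LENGTHS = {"md5": 32, "sha1": 40, "sha256": 64}


def refang(value):
    """Undo the defanging used in the report: hxxp -> http, [.] -> ."""
    return re.sub(r'^hxxp', 'http', value.strip(), flags=re.I).replace('[.]', '.')


def parse_ioc_table(text):
    """Typed indicator sets from the pipe-delimited table; malformed rows are skipped."""
    iocs = {"md5": set(), "sha1": set(), "sha256": set(), "urls": set(), "hosts": set()}
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip('|').split('|')]
        if len(cells) < 3 or cells[0].lower() == "indicator":
            continue  # blank, malformed, or the header row
        indicator, ioc_type = cells[0], cells[1].lower()
        if ioc_type in HASH_LENGTHS:
            # Validate the digest against its declared algorithm before trusting it.
            if re.fullmatch(r'[0-9a-fA-F]{%d}' % HASH_LENGTHS[ioc_type], indicator):
                iocs[ioc_type].add(indicator.lower())
        elif indicator.lower().startswith(("hxxp", "http")):
            # The table labels these "Domain" but they are full C2 URLs, so keep
            # both the exact URL and its host for matching.
            url = refang(indicator)
            iocs["urls"].add(url)
            host = urlparse(url).hostname
            if host:
                iocs["hosts"].add(host)
    return iocs


def file_hashes(data):
    """MD5, SHA1 and SHA256 hex digests of a file's bytes."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def match_file(data, iocs):
    """Algorithms whose digest of `data` appears in the blocklist."""
    return [alg for alg, digest in file_hashes(data).items() if digest in iocs[alg]]


def match_url(url, iocs):
    """'url' on an exact match, 'host' when only the host is listed, else None."""
    if url in iocs["urls"]:
        return "url"
    host = urlparse(url).hostname
    if host and host in iocs["hosts"]:
        return "host"
    return None


IOCS = parse_ioc_table(IOC_TABLE)

if __name__ == "__main__":
    print({k: len(v) for k, v in IOCS.items()})
    # Constructed sample bytes: not malware, so no hash match is expected.
    print(match_file(b"constructed benign sample", IOCS))
    print(match_url("http://64.188.27.73/some/other.php", IOCS))
```

Matching on the host as well as the exact URL matters because the report lists several paths on the same server (for example two on 155.94.210[.]11); a proxy log will rarely show the exact indicator path, but the host is still a usable pivot for hunting and blocking.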