TAU-TIN – MagicRAT  


Threat Analysis Unit – Threat Intelligence Notification 

Title: MagicRAT 

Summary 

A new remote access trojan named MagicRAT was discovered and linked to the threat actor Lazarus Group. The command and control server that hosts and serves MagicRAT was found to be linked to TigerRAT, another implant created by the Lazarus Group.

Behavioral Summary 

Upon execution, MagicRAT creates a configuration file in the %ProgramData% directory and a shortcut (.LNK) file in the following %AppData% directory so that it is executed at startup:

%AppData%/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/{MagicRAT}.lnk 

In addition, it executes the following commands to create persistence on the compromised machine (the two commands were run together in the original; shown here as separate scheduled-task creations):

cmd.exe /c schtasks /create /tn "OneDrive AutoRemove" /tr "C:\Windows\System32\cmd.exe /c del /f /q "{MagicRAT.exe}"" /sc daily /st 10:30:30 /ru "SYSTEM"

cmd.exe /c schtasks /create /tn "Microsoft\Windows\light Service Manager" /tr "{MagicRAT.exe}" /sc onstart /ru SYSTEM

Furthermore, it performs reconnaissance on the compromised machine and connects to the Command & Control (C&C) server. MagicRAT can then carry out further malicious activity such as exfiltrating sensitive information, deploying additional malicious payloads, or deleting files on the compromised machine.

It can also create the following BAT file to delete the malicious payload from the compromised machine (%1 to %4 are the arguments passed to the batch file: the process image name to kill and the paths to delete):

@echo off
:Repeat
taskkill /F /IM %1
del /f /s /q "%2"
if exist "%3" goto Repeat
del /s /q "%4"
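As an added example that is not part of this report and not Carbon Black code, the following Python parses process-creation command lines and flags the scheduled-task patterns shown above: a task whose action is cmd /c del (the self-removal task), a boot-time task running as SYSTEM, and a task name placed under the Microsoft\Windows namespace whose action lives outside C:\Windows. The sample command lines are constructed, with the hypothetical path C:\Users\Public\update.exe standing in for {MagicRAT.exe}.

```python
import re

# Constructed sample process command lines (hypothetical, not from the report).
SAMPLE_CMDLINES = [
    r'cmd.exe /c schtasks /create /tn "OneDrive AutoRemove" /tr "C:\Windows\System32\cmd.exe /c del /f /q \"C:\Users\Public\update.exe\"" /sc daily /st 10:30:30 /ru "SYSTEM"',
    r'cmd.exe /c schtasks /create /tn "Microsoft\Windows\light Service Manager" /tr "C:\Users\Public\update.exe" /sc onstart /ru SYSTEM',
    r'schtasks /create /tn "Backup" /tr "C:\Program Files\Backup\backup.exe" /sc daily /st 02:00',
    r'cmd.exe /c del /f /q "C:\Temp\old.log"',
]

# One schtasks option: /key followed by a quoted value (with \" escapes) or a bare token.
SCHTASKS_OPT = re.compile(r'/(tn|tr|sc|st|ru)\s+(?:"((?:[^"\\]|\\.)*)"|(\S+))', re.IGNORECASE)


def parse_schtasks_create(cmdline):
    """Return the /tn /tr /sc /st /ru options of a `schtasks /create` command, or None."""
    if not re.search(r'\bschtasks(\.exe)?\s+/create\b', cmdline, re.IGNORECASE):
        return None
    opts = {}
    for key, quoted, bare in SCHTASKS_OPT.findall(cmdline):
        opts[key.lower()] = quoted or bare
    return opts


def classify(cmdline):
    """Return the names of the detection rules that fire for one command line."""
    opts = parse_schtasks_create(cmdline)
    if opts is None:
        return []
    action = opts.get("tr", "")
    hits = []
    # Task whose whole purpose is to delete a file, as in the "OneDrive AutoRemove" task.
    if re.search(r'\bcmd(\.exe)?\s+/c\s+del\b', action, re.IGNORECASE):
        hits.append("scheduled file deletion (self-removal task)")
    # Task that runs at boot as SYSTEM, as in the "light Service Manager" task.
    if opts.get("sc", "").lower() == "onstart" and opts.get("ru", "").upper() == "SYSTEM":
        hits.append("boot-time task running as SYSTEM")
    # Task name imitating a built-in Windows task while its action lives outside C:\Windows.
    if opts.get("tn", "").lower().startswith("microsoft\\windows\\") and not action.lower().startswith("c:\\windows\\"):
        hits.append("task name in Microsoft\\Windows namespace with non-Windows action")
    return hits


def scan(cmdlines):
    """Map the index of every flagged command line to the rules that fired."""
    return {i: classify(line) for i, line in enumerate(cmdlines) if classify(line)}


if __name__ == "__main__":
    for i, hits in scan(SAMPLE_CMDLINES).items():
        print(f"[{i}] {SAMPLE_CMDLINES[i][:60]}... -> {hits}")
```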

The following is the overall process chart of this malware's activity.

Figure 2: MagicRAT Process Chart 
 
Customer Protection 
VMware Carbon Black Cloud Endpoint Standard
The recommended policy for Endpoint Standard at a minimum is to block all types of malware from executing (Known, Suspect, and PUP) as well as delay execution for cloud scan to get maximum benefit from Carbon Black’s PSC reputation service. The PSC Threat feeds will detect the known hashes for this malware. 
Sensors running with version 3.8 or greater will have default prevention rules to block TTPs that are often used by threat actors such as AMSI protection, Credential Access protection. 
Otherwise, Endpoint Standard can alert on this malware with the following rule:

Process: Unknown application or process
Operation Attempt: Communicates over the network; Invokes an untrusted process
Action: Deny Operation

VMware Carbon Black App Control

The most effective way of blocking this malware is by running App Control in High or Medium enforcement. Customers in Low enforcement can enable the following Rapid Configs as an additional layer of protection to prevent and alert on malware that executes during different phases of an attack:

  • Browser Protection 
  • Microsoft Office Protection 
  • PowerShell Protection 
  • Ransomware Protection 
  • Reconnaissance and Exfiltration Protection 
  • Suspicious Command Line Protection 
  • Suspicious Application Protection 
  • WMI Protection 

Implementation: As always, our best-practice recommendation is to create all custom rules in "Report" mode first, assess for false positives, and create any higher-ranking execute-allow rules to prevent legitimate blocks. After confirming there are no false positives in your environment, you can then change to Block.

Customer Action: Ban known hashes from the IOC in environment 

VMware Carbon Black EDR and Cloud Enterprise EDR

The PSC Threat Feeds will detect the known hashes for this malware. Customers can ban known hashes as well, which are located in the IOC section of this report. 

Many existing queries that are located in the MITRE ATT&CK, SANS, CB Endpoint Visibility, and CB Advanced Threat feeds will also alert on characteristics associated with these families. 

Name: Discovery – System Information Discovery
VMware Carbon Black EDR:
((((cmdline:dir OR cmdline:ver OR cmdline:set OR cmdline:hostname OR cmdline:systeminfo) os_type:windows) and -(digsig_publisher:"Google LLC" or digsig_publisher:"Google, Inc" or process_name:netsh.exe)))
Cloud Enterprise EDR:
(((((process_cmdline:dir OR process_cmdline:ver OR process_cmdline:set OR process_cmdline:hostname OR process_cmdline:systeminfo) device_os:WINDOWS) AND -(process_publisher:"Google\ LLC" OR process_publisher:"Google,\ Inc" OR process_name:netsh.exe)))) -enriched:true

Name: Discovery – System Owner/User Discovery #1
VMware Carbon Black EDR:
(process_name:whoami.exe OR cmdline:whoami)
Cloud Enterprise EDR:
((process_name:whoami.exe OR process_cmdline:whoami)) -enriched:true

Name: Discovery – System Network Configuration Discovery #5
VMware Carbon Black EDR:
(process_name:nbtstat.exe OR process_name:ipconfig.exe OR (process_name:arp.exe AND cmdline:-a) OR (process_name:net*.exe AND cmdline:config))
Cloud Enterprise EDR:
((process_name:nbtstat.exe OR process_name:ipconfig.exe OR (process_name:arp.exe process_cmdline:\-a) OR (process_name:net*.exe process_cmdline:config))) -enriched:true

Name: Discovery – System Profiling
VMware Carbon Black EDR:
((childproc_name:net.exe OR childproc_name:nbstat.exe OR childproc_name:ipconfig.exe) AND childproc_name:systeminfo.exe)
Cloud Enterprise EDR:
((childproc_name:net.exe OR childproc_name:nbstat.exe OR childproc_name:ipconfig.exe) AND childproc_name:systeminfo.exe) -enriched:true

Name: Impact – Interactive BCDEdit or BCDBoot Execution Detected
VMware Carbon Black EDR:
(process_name:bcdboot.exe or process_name:bcdedit.exe)
Cloud Enterprise EDR:
(process_name:bcdboot.exe OR process_name:bcdedit.exe) -enriched:true

Implementation: As always, our best practice recommendation is to tune for any false positives before creating new watchlists. 

Customer Action: Test and Deploy Watchlist and ban known hash values. For any hits, investigate the file modifications, network connections, cross process injection(s) and child processes. 
 
MITRE ATT&CK TIDs 

TID | Tactics | Technique
T1059 | Execution | Command and Scripting Interpreter
T1053.005 | Execution, Persistence, Privilege Escalation | Scheduled Task/Job: Scheduled Task
T1547.001 | Persistence, Privilege Escalation | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
T1027 | Defense Evasion | Obfuscated Files or Information
T1070.004 | Defense Evasion | Indicator Removal on Host: File Deletion
T1497 | Defense Evasion, Discovery | Virtualization/Sandbox Evasion
T1124 | Discovery | System Time Discovery
T1016 | Discovery | System Network Configuration Discovery
T1082 | Discovery | System Information Discovery
T1012 | Discovery | Query Registry
T1105 | Command and Control | Ingress Tool Transfer

Indicators of Compromise (IOCs) 

