First identified as active, ViralRat is a well-established and prevalent remote access trojan (RAT) threat that was initially created by a cybercriminal threat actor and used to target victims located in the Middle East. Following the reported leak of its source code, ViralRat has undoubtedly become widely available on the cybercriminal underground, with numerous variants released over the years.
As is to be expected from any popular RAT threat, ViralRat targets Microsoft Windows-based systems with common capabilities including:
- Remote control and view
- File execution, manipulation and transfer
- Remote shell
- Windows registry manipulation
- Audio and video recording (via the microphone and webcam)
- Password stealer
Often indiscriminately targeting individuals and organizations, ViralRat has been observed being delivered via malicious unsolicited email (malspam) campaigns as well as within weaponized versions of legitimate software. Furthermore, reinforcing the adage that there is no ‘honour among thieves’, weaponized versions of malicious tools, possibly including the RAT itself, and copyright-infringing downloads, such as those obtained via peer-to-peer file sharing networks, have been used to deliver ViralRat to other unscrupulous individuals.
Malicious unsolicited email (malspam) campaigns culminating in the installation of ViralRat were observed during October 2020 using a common ‘shipment tracking’ theme, mimicking popular courier and postal services, to deliver a Zip-compressed archive attachment containing an encoded Visual Basic script (VBE) payload.
Once the victim has been lured into opening the attachment, the VBE payload sends a ten-character random string via an HTTP POST to a command and control (C2) server, which responds with base64 data that, along with the random string, is saved in a Windows registry key. Subsequently, the VBE payload downloads the ViralRat executable from a hard-coded URL and saves it within the victim’s ‘Startup’ directory for persistence before launching it.
Where ViralRat masquerades as a legitimate application installer uploaded to file-sharing services, victims inadvertently downloading content from unofficial sources risk receiving ViralRat alongside their desired application.
Upon execution, the legitimate installation proceeds in the foreground whilst Visual Basic and PowerShell scripts, or an executable, are dropped into the victim’s ‘Startup’ directory for persistence and launched to download the njRAT payload.
To evade detection, an encoded, obfuscated and potentially encrypted ViralRat payload masquerading as an image file is hosted on a legitimate file-sharing service, such as Dropbox or Microsoft OneDrive. This tactic reduces the likelihood of blocking or detection, especially given the use of a legitimate service that is often utilized within the enterprise and a seemingly benign file type that might not normally be subject to inspection.
Once downloaded, ViralRat is decoded and decrypted prior to being injected into a legitimate process and launched.
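As an added example (not part of the report), a small Python detector that looks for the delivery chain described above in host telemetry: a script interpreter launched on a script from a temporary folder, an outbound connection, a registry write, and a file dropped into the ‘Startup’ directory by the same process. The Sysmon-style event layout, field names and sample log lines are constructed assumptions.

```python
import re

# Constructed sample events (not from the report), modelled loosely on Sysmon
# event ids: 1 process create, 3 network connect, 11 file create, 13 registry set.
SAMPLE_EVENTS = [
    'EID=1 host=WS01 image=C:\\Windows\\System32\\wscript.exe detail=C:\\Users\\bob\\AppData\\Local\\Temp\\tracking_4481.vbe',
    'EID=3 host=WS01 image=C:\\Windows\\System32\\wscript.exe detail=203.0.113.10:80',
    'EID=13 host=WS01 image=C:\\Windows\\System32\\wscript.exe detail=HKCU\\Software\\Classes\\x9f3kd0a2',
    'EID=11 host=WS01 image=C:\\Windows\\System32\\wscript.exe detail=C:\\Users\\bob\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.exe',
    'EID=1 host=WS02 image=C:\\Windows\\System32\\wscript.exe detail=C:\\Scripts\\inventory.vbs',
    'EID=3 host=WS02 image=C:\\Windows\\System32\\wscript.exe detail=10.0.0.5:445',
]

INTERPRETERS = ("wscript.exe", "cscript.exe", "powershell.exe")
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
TEMP_SCRIPT = re.compile(r"\\(Temp|Downloads)\\.*\.(vbe|vbs|js|ps1)$", re.IGNORECASE)


def parse_event(line):
    """Split a 'key=value key=value' line into a dict. Splitting only before a
    'key=' token keeps values containing spaces (e.g. 'Start Menu') intact."""
    parts = re.split(r" (?=\w+=)", line.strip())
    return dict(p.split("=", 1) for p in parts)


def score_chain(events):
    """Group events by (host, process) and report script-interpreter processes
    that dropped a file into Startup, together with any other stages seen."""
    chains = {}
    for ev in map(parse_event, events):
        if not ev["image"].lower().endswith(INTERPRETERS):
            continue  # only script interpreters are of interest here
        flags = chains.setdefault((ev["host"], ev["image"]), set())
        eid, detail = ev["EID"], ev["detail"]
        if eid == "1" and TEMP_SCRIPT.search(detail):
            flags.add("script_from_temp")
        elif eid == "3":
            flags.add("network")
        elif eid == "13":
            flags.add("registry_write")
        elif eid == "11" and STARTUP_DIR.search(detail):
            flags.add("startup_drop")
    # A Startup write by a script interpreter is the high-confidence signal;
    # the supporting stages raise confidence that it is this delivery chain.
    return {host: sorted(flags) for (host, _), flags in chains.items()
            if "startup_drop" in flags}


if __name__ == "__main__":
    print(score_chain(SAMPLE_EVENTS))
```

WS02 runs a script from a non-temporary folder and never writes to Startup, so it is not reported, which keeps legitimate administrative VBScript use out of the alert.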
No doubt adding to its appeal amongst lower-sophistication threat actors, an easy to use ‘builder’ application provides a simple interface (Figure 2) through which the payload can be configured.
The final delivery method utilized is no doubt dependent on the sophistication and ingenuity of the threat actor, especially given that the ViralRat toolset does not appear to provide any kind of ‘cryptor’ or ‘packer’.
Whilst there are some ‘as-a-service’ offerings on underground forums and marketplaces, such as offers to provide a prebuilt ‘undetectable’ ViralRat payload and a preconfigured C2, lower-sophistication threat actors may simply attempt to deliver ‘built’ ViralRat executables to potential victims that will not be easily detectable by endpoint and network security solutions.
Conversely, those paying for access to pre-configured ViralRat services, or those with greater capabilities, are more likely to employ evasion tactics, such as encrypting and packing the malware binary, as well as crafting convincing lures that maximize the chances of a successful campaign.
- Educate users on the risks of opening attachments or links from unsolicited emails.
- Educate users on the subtle difference between legitimate and malicious URLs, such as the use of Dynamic DNS services or typo-squat domains.
- Only download applications from legitimate trustworthy sources.
- Consider preventing the execution of script interpreters, such as PowerShell and VBScript, to prevent their misuse.
The following indicators of compromise (IOCs) are consistent with recent campaigns and, as such, variations on the same theme may identify additional ViralRat activity.
Zip Password: www.masterscyber.com