CyberWire Daily - InnaputRAT exfiltrates victim data. [Research Saturday]

Episode Date: April 21, 2018

Researchers with Arbor Networks ASERT team have been tracking a malware campaign targeting commercial manufacturing, and have uncovered various samples dating back to at least 2016. Richard Hummel is... Threat Intelligence Manager for Arbor Networks' ASERT Team, and he takes us through what they've discovered. https://www.arbornetworks.com/blog/asert/innaput-actors-utilize-remote-access-trojan-since-2016-presumably-targeting-victim-files/

Transcript
[00:00:00] You're listening to the Cyber Wire Network, powered by N2K. data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com. Hello, everyone, and welcome to the CyberWire's Research Saturday. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities and solving some of the hard problems of
[00:01:10] protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us. And now, a message from our sponsor, Zscaler, the leader in cloud security. Enterprises have spent billions of dollars on firewalls and VPNs, yet breaches continue to rise by an 18% year-over-year increase in ransomware attacks and a $75 million record payout in 2024. These traditional security tools expand your attack surface with public-facing IPs that are exploited by bad actors more easily than ever with AI tools. It's time to rethink your security.
[00:01:57] Zscaler Zero Trust Plus AI stops attackers by hiding your attack surface, making apps and IPs invisible, eliminating lateral movement, connecting users only to specific apps, not the entire network, continuously verifying every request based on identity and context, simplifying security management with AI-powered automation, and detecting threats using AI to analyze over 500 billion daily transactions. Hackers can't attack what they can't see. Protect your organization with Zscaler Zero Trust and AI.
[00:02:33] Learn more at zscaler.com slash security. This particular one came to our attention via some spam messaging. That's Richard Hummel. He's the threat intelligence manager for Arbor Networks' ASERT team. The research we're discussing today is titled, Innaput actors utilize remote access Trojan since 2016, presumably targeting victim files. We were able to look at some of the metadata and look at the actual payloads attached. And from there, it kind of led us to what we call the InnaputRAT. So everything here is spawned from the phishing emails.
[00:03:13] And, you know, typically phishing emails are a dime a dozen. So what brought our attention to this and made us focus on it was the themes. Some of the senders were masquerading as what appear to be political entities, and it appeared they were targeting commercial aspects just based on the theme of the message, the subject lines, the body of the messaging, and then who it's actually targeting. So we didn't capture all of the phishing messages themselves, but we were able to retrieve the content, which led us to kind of the path that we were walking here. Well, let's start with those phishing messages.
[00:03:50] What was the content that got the people hooked? One thing I would just kind of call out as anecdotal initially, a caveat, is we don't typically look into victim environments. We observe a lot of things from a network perspective. And if you look into our Atlas data set, it's primarily just network-based data. So I can't confirm that any victims actually were compromised by this. So we're looking at the outside, right? We know that it was sent to X victims, but we don't know the follow-through. I see. So yeah, so I can't really go into, like, you know, what made them click on it. But essentially, the phishing emails themselves come at a time where there's a lot of political upheaval, various different geopolitical discussions and disagreements going on.
[00:04:36] And then when you're targeting commercial manufacturing, a lot of players are in different countries. Right. So they have awareness of what's happening in the geopolitical space. So it's definitely something that comes at an opportune time for attackers to then go ahead and manipulate would-be victims by using those themes. So let's dig in some and talk about this InnaputRAT element of this. Describe to us what's going on here. Sure. So when we first came across this, like I said, we started with the phishing messages. And then from there, we were basically able to look at the command and control infrastructure.
[00:05:12] From there, we found our initial payload, which was directly tied to the phishing email. We started looking at it, analyzing it. One of our reverse engineers ripped it apart, figured out exactly what it did. It's fairly trivial as far as a RAT goes. There's a lot of RATs out there that have a whole lot of functionality. This one's not necessarily full function. It's pretty basic in what it does. It's able to profile the system that it's on and then able to exfiltrate data. Now, there's no additional components to it, right? So how an attacker is using it, we don't know. Again, we don't sit in that victim environment. We suspect, though, that the RAT is used as kind of a backdoor.
[00:05:50] And then once the attacker has compromised victims, they're then able to use that RAT to exfiltrate data that they manually find on those systems. But again, that's speculation at this point since we don't actually see inside that environment. So the RAT itself could be a first step in compromising a system. It's definitely part of that. We also saw later versions of it being distributed with Godzilla Loader, which is a fairly common cybercriminal tool that you can purchase in underground forums. And that's basically the stager, right? So phishing email is kind of ground zero. That's not to say they don't use other methods to get on the network,
[00:06:27] but phishing emails are definitely the one that we observed. Then we saw the InnaputRAT that was distributed directly. But then later on, we saw the Godzilla Loader as kind of the intermediary. So maybe they didn't have enough success distributing InnaputRAT directly. And so they then use Godzilla Loader because it's a paid-for service. They're fairly good about getting around security and things like that in victim environments for successful infections. And what are some of the details? What do we need to know about Godzilla Loader itself? So we didn't spend a whole lot of time analyzing Godzilla Loader just because there's a plethora of sites out there and other security researchers that have done
[00:07:03] ample research dissecting Godzilla Loader. I guess the main thing to note is that they are using it. So any number of research blogs out there could go through the details of stripping Godzilla Loader apart. The important thing to note here, and I think kind of lending to attribution a little bit, is it's a cybercriminal tool purchased in underground forums. That's not to say that APT-type actors don't use it. We have seen more of that, but it is cybercriminal world. So it could lend credit to the fact that these guys are organized crime. They could be just criminals
[00:07:37] moonlighting. We don't really necessarily know who they are, but the fact that they're finding Godzilla Loader and that it's typically purchased on underground forums is of note. So one of the things you noted in your research was this evolution of InnaputRAT and how that allowed you to sort of rewind the clock and see how far back this might have gone. Can you take us through that evolution and how the functionality changed over time? The changes themselves aren't super important, right? It doesn't really change the functionality and the capabilities of the RAT itself. What we noticed over time is evolution
[00:08:10] of how they're distributing the bot as well as how it gets installed. So going chronologically, we could start with sample one, which goes all the way back to 2016. The third sample that we have listed in our chronological order here is the one that we first started with. So we started doing binary analysis. We did a bunch of different searches using a bunch of different tools. We have our internal
[00:08:34] malware sandboxing system. We have millions of samples that are categorized and stored. We also have some partnerships with other vendors that have sample sources. So we were able to basically do some searching. We created some YARA signatures looking for particular aspects of it. We looked at the actual command and control, looking for additional samples. And through the course of analyzing all the different binaries, we found a couple of different ones. And then we found even more looking at the actual infrastructure itself. So we found a total of five binaries, at least the ones that we analyzed. I think we have hundreds of them at this point.
[00:09:14] But the ones that we pulled out were ones that had differences or were tied together through the infrastructure, which is kind of why we have five samples listed here. So starting with the first one, I think the most notable difference between sample one and sample two is that they changed the order of the commands that they use. So the command options are basically API calls in a Windows environment that it's using to perform various functions, right? So here we see it reading files. It can write files, it can delete files, and basically do some system scanning. The way that they call this particular API, the read file, changed from the first sample to the second sample.
[00:09:48] So that's one change. The other thing is the infrastructure itself has an overlap. And then when we actually go and we match these binaries together, there's a bunch of different functions in a particular binary. And so the more matches you have, the more likely it is it's the same compiled code. Although typically when you have a new variant, there's going to be functions that stand out as different.
[00:10:10] That's pretty atypical when you're analyzing samples over time. That read call is the main thing that changed, and then also the persistence method. So the first sample would create a Windows service. That was kind of how it installed its persistence. It was called Office Update Service. And that's fairly common for a lot of different binaries. That is the second most common. The first most common would be creating a Windows registry key to auto run upon booting your system up. And that's the change that happened between the
[00:10:39] first sample and the second sample. So sample one, we have a Windows service that's created. And then sample two, it actually creates a persistence key in the Windows registry to run upon system boot up. Moving into sample three, not a whole lot changed from one to the other. The biggest change here was going to be the actual file name. So we went from something called safe app.exe to neutral app.exe. The whole command options were persistent from sample two to sample three. We didn't do any diff matching like Diaphora differential matching with the sample because this was our ground zero sample. But it does match a lot of the other ones as well. So then moving on to sample four, we can look at, again,
[00:11:21] some of the same command and control infrastructure overlap, persistence with the naming of the sample, neutral app.exe as well. And then you can see that we matched 33 of the particular functions with 13 unmatched. In this particular sample, sample four is when they started doing a little bit of anti-analysis. So some of the API names, the various strings within the binary are obfuscated. Now, they're not using a super sophisticated method for this. They're just using a simple XOR with an 8-byte key. It's fairly simplistic, but it's enough to get around some of the different pattern matching signatures that we might have.
[00:11:56] For instance, if we were looking for a particular string or a particular function call using YARA, and we were just looking at regular ASCII text, if they did this obfuscation with XOR, we're not going to see that unless we know that key and then we can basically decode those before we do our pattern matching. And then in sample five, we basically, the biggest change here is that more of those strings and more of those API calls were obfuscated.
[00:12:19] And you'll note that the matching function diminishes slightly. So we have 27 unmatched as opposed to the 13. And that's just because they're adding that additional obfuscation. So things aren't going to match one for one. Yeah. And so when you look at how it changed over time, is there a story there, you know, behind the scenes of what their goals were, what they were trying to do? Was it, I mean, it seems to me like the obfuscation is the main thread through this. Is that accurate? Yeah, I would say that's probably the biggest change. The biggest change that's really going to impact the RAT itself. The changes of the
[00:12:54] various read calls, the change of the persistence mechanism, those aren't really going to change a whole lot. I mean, both of those are fairly common as far as persistence mechanisms, and they're both really commonplace for security applications and tools to look for malicious apps. So that's not really going to impact the bot itself. It's not going to really impact their viability to stay on a system. The obfuscation, though, is what's going to enable them to get around a particular set of scanning rules. So that's probably going to be the biggest change that occurred between the variations. And honestly, if you look at the actual evolution, it's fairly trivial. I mean, they're minor increments of code
[00:13:29] updates. It could just be that over time they figure new ways to do things or, hey, why aren't we obfuscating? Let's go ahead and add that in. So I don't think it's like super significant. They're not using a very complex algorithm, but it is sufficient to deny pattern matching for certain things. And so what's your perception of the sophistication of these actors? And I guess second part of that would be for the type of information they're looking for, is sophistication necessary? I wouldn't say that they're highly sophisticated. I mean, when you compare them against other threats, it seems like more the run-of-the-mill stuff to me. And is it necessary? I don't know.
[00:14:08] When we look at a lot of potential APT actors, for instance, a lot of times they don't necessarily care about stealth, right? They want to get into the system. They're all going to exfiltrate as much as they can, and they're going to get out. A lot of the tools they use, Poison Ivy and J-Rat, they're very noisy, right? So it's not like they're trying to evade stuff, but if they accomplish their goal of exfiltrating certain data, mission accomplished,
[00:14:30] right? So I don't think they have to be highly sophisticated. It could be a highly sophisticated actor using primitive tools to do something like this. Maybe they're doing it moonlighting or a side project or something like that. They did go to the effort of using Godzilla Loader, which means they did drop some funds in order to acquire the use of that software. So there is some aspect here where they're paying to increase their sophistication slightly or increase their success rate. But I don't necessarily think that these guys are super highly sophisticated in that sense. So let's talk about the attribution. Take us through what your conclusions are. Just kind of based anecdotally here in a caveat before we go into this, we're basing this largely
[00:15:12] on information presented to us and available online, right? Any actor anywhere could basically masquerade this data. They could create fake entries. They could create fake email addresses. So take kind of what we've written here with a grain of salt. We've, you know, appropriately caveated that, hey, we believe this based on what we found. But that's saying, you know, an attacker could go in and create all these personas. They could create these fake Twitter accounts, these fake Facebook accounts, all to make them look more legitimate. So that said, we can dive into this. Basically, what we first looked at is the initial infrastructure in that phishing message. From there, it led us to InnaputRAT.
[00:15:49] And then we started looking at who registered them, looking at their email addresses, the phone numbers within various WHOIS information. And then we started doing some chain analysis. So whatever graphing tool you might be used to, is it Analyst's Notebook or Maltego or something like that, we started plotting these various entities out, highlighting their names, their addresses, their phone numbers, their email addresses, and then from there pivoting to additional infrastructure that they might have registered. And that led us to additional samples
[00:16:19] of InnaputRAT. And so through basically a series of looking at different domains, looking at the IP addresses and the hosting, as well as the registrar data, we were able to basically find these five different samples, as well as a bunch of different infrastructure that matches our original phishing message theme, like the MFA events. We saw US Embassy Report. So these same themes are things that we identified. On top of that, we had some more generic stuff like Google and Microsoft. So some of the different campaigns and themes that I've seen over the years working these types of threats, a lot of times you'll have actors that zero in or home in on a specific AO that they're really interested in. But oftentimes, you also have them do more generic stuff. So a lot of the crime actors, they shoot shotgun
[00:17:11] shots out, right? They want to hit wide. They don't necessarily care about specific entities, but sometimes they will drill down a little bit further. If maybe they're contracted out by somebody or they have a particular interest in a certain financial organization, then they might single them out to go a little bit further. But a lot of times they like to try to go wide, get as many people compromised as possible, because they're going to get a better return on their investment in their time. So, even though we might see some targeted activity, we'll also see the stuff that kind of targets wide with Google, Microsoft, various webmail providers, and things like that.
[00:17:47] Through the course of all of our investigation and tying all this together, we came across three particular entities. And again, they could be made up. We don't know. But based off of what we were able to see, they all have kind of a Russian flavor to them. Whether that's APT or crime, at this point, we don't know.
[00:18:06] We basically just presented the facts of our findings and then highlighted the differences and what led us to believe that it might be a Russian-type nexus. Is this still an active campaign? And if so, how can folks protect themselves against it? Yeah. So as of yesterday, I was just talking to the researchers that are primarily responsible for this, and we were still seeing some of the activity. The command and control infrastructure for at least one of them is still live. We've been looking at contacting various ISPs to see what we can do to try to help eliminate some of this malicious activity. But right now, the biggest thing that you can do really is practice good hygiene, right? Don't open emails from untrusted senders. If something looks a little bit suspicious,
[00:18:50] forward it to your support desk and ask them for guidance. A lot of these threats, I'd say probably the number one threat impacting organizations going back how many years, I don't know at this point, is email. Attackers like to include malicious attachments. They'll include links. The link might appear to be benign, but the actual hyperlink text itself is leading you to a malicious site. So really just practice a little bit of caution. When you're opening up an email, ensure it's from somebody you trust. If you're uncertain, reach out to them separately. Ask them, hey, did you send this to me? When you are opening things, just ensure you're not actually executing a binary. If you open up
[00:19:31] a document and it has macros or some type of script content inside, don't enable that without getting a verification of where that came from. So there's a lot of just general use practices that can be done to help eliminate this threat. One of the things that we do here is all the indicators of compromise that we see, as well as signatures for the particular activity, we include those into our system so that when we're blocking the activity, whether it's via our Atlas intelligence feed or one of our systems like APS, we're pushing all of these IOCs and what we call policy or a signature to our systems so that we can then block the malicious activity. Our thanks to Richard Hummel from Arbor Networks' ASERT team for joining us.
[00:20:21] The research is titled, Innaput Actors Utilize Remote Access Trojan Since 2016, Presumably Targeting Victim Files. You can find it in the blog section of the Arbor Networks' website. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
[00:21:08] Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. The Cyber Wire Research Saturday is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing Cyber Wire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening.
