SectopRAT: New version adds encrypted communication
Bug 
Quote:

SectopRAT, also known as 1xxbot or Asatafar, had been an unknown, in-development threat when we discovered it a year ago. Now it infects systems in Germany. What is the new version capable of?

Infections and aliases

New appearances of SectopRAT infection attempts in our telemetry prompted me to investigate the threat that seemed in its infancy at the time of the first article. The malware has been refined and gotten more features since. To sum up the first article: SectopRAT uses a second, hidden desktop to allow remote control. Parts of it seem unfinished.

While the previous article states that SectopRAT was first mentioned on 15 November 2019, I have now discovered that earlier tweets by @nao_sec from March 2019 use a different name for the malware: ArechClient. Other aliases are 1xxbot, ArechSoft and Asatafar. Most names stem from the module name of the RAT or the PDB path. This name has changed in the course of development, likely to evade detection and identification. For the sake of consistency and clarity I will stick with SectopRAT because the use of a second desktop seems to be the most notable core feature. Many antivirus naming policies also forbid using a name that the malware developer has chosen.

Three packing layers

The analysed sample has three layers which need to be unpacked. The first one is obfuscated with SmartAssembly. The method with token 0x060001C6 invokes a .NET injection library.

The injection library[2] has a configuration that allows multiple options, one of them being RunPE for native files. However, only a small portion is used, which will decompress a file that is embedded as a byte array and execute that. The code in the screenshot below shows the method responsible for the decompression stub.

Configuration and encrypted CnC communication

The analyzed sample[1] saves configuration data as well as the IP of the server in a different class. The class that contained the IP in previous versions now shows localhost. This is most likely an attempt to evade automatic extraction of the command and control (CnC) server. If such extraction tools are static, they might now yield 127.0.0.1, which won't raise as much suspicion as a non-working IP extraction. Dynamic analysis of course still shows the actual IP.

The configuration now has additional entries, such as a build ID and an encryption key for the CnC communication. The build ID shows "Build 3".

The CnC communication encryption key is saved in a 32 byte array named rawData. This key changes with different build versions. The CnC communication data is encrypted and decrypted with AES256 using said key and a randomly generated 16 byte initialization vector (IV). This IV is prepended to the encrypted data before it is sent.

New commands

Besides added encryption, the server also supports a number of new commands. These are triggered via a JSON (a data-interchange format) string that contains one of the following command strings.
...
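The IV-prepended AES-256 layout the article describes, as an added Go example of how an analyst would decode captured CnC traffic once the 32-byte key has been pulled from the configuration; this is not the malware's or G DATA's code. It assumes CBC mode and PKCS#7 padding, which the article does not state, and the test uses a constructed key in place of the real rawData value.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"io"
)

// DecryptC2Payload reverses the layout the article describes: a random 16-byte
// IV prepended to AES-256 ciphertext. CBC mode and PKCS#7 padding are assumed.
func DecryptC2Payload(key, payload []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	if len(payload) < 2*aes.BlockSize || len(payload)%aes.BlockSize != 0 {
		return nil, errors.New("payload must be IV plus whole ciphertext blocks")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	iv, ct := payload[:aes.BlockSize], payload[aes.BlockSize:]
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	// A valid padding tail is a cheap sanity check that the extracted key was right.
	n := int(pt[len(pt)-1])
	if n == 0 || n > aes.BlockSize || !bytes.Equal(pt[len(pt)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad PKCS#7 padding: wrong key or corrupted data")
	}
	return pt[:len(pt)-n], nil
}

// EncryptC2Payload builds the same wire format only to construct sample traffic for the decoder.
func EncryptC2Payload(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	pad := aes.BlockSize - len(plaintext)%aes.BlockSize
	padded := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	out := make([]byte, aes.BlockSize+len(padded))
	if _, err := io.ReadFull(rand.Reader, out[:aes.BlockSize]); err != nil {
		return nil, err
	}
	cipher.NewCBCEncrypter(block, out[:aes.BlockSize]).CryptBlocks(out[aes.BlockSize:], padded)
	return out, nil
}
```

A real capture would be fed to DecryptC2Payload directly; if the padding check fails, the key from the configuration is wrong for that build or the mode assumption does not hold.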