Countercept by MWR has discovered a new RAT – dubbed Luminosity
The term “sophisticated” is often linked to “Advanced Persistent Threats”, but other generic malware families have become more sophisticated and often have no issue getting past traditional security solutions.
We recently discovered a new variant of the Luminosity Remote Access Trojan (RAT) that leverages the use of the AutoIt script tool. AutoItis a legitimate system administration tool that is designed for task automation using scripts written by administrators. The benefit of using AutoIt is that it is legitimate software that is likely to evade detection from traditional security solutions.
Luminosity RAT was first seen in 2015 and contains features from a tool provided by the company LuminosityLink. Its key features include key logging, password recovery, RDP and the ability to manage files on the infected system.
How was this discovered?
We observed that a new scheduled task was created on a single host on one client’s network. This particular scheduled task was an anomaly in that it was only present on this particular system across the client estate and had not been seen on any other network Countercept monitored.
Further investigation revealed that the task launched a binary with the filename of ‘bambo.exe’ that was located ina randomly named directory in the user’s profile. Upon analysis of the binary, we found it was a renamed version of ‘AutoIt3.exe’.The command line arguments passed to the binary supplied a randomly named file within the same directory.
Parent process: %USERPROFILE%\njiop\bambo.exe
Child process: %USERPROFILE%\njiop\afget.xkl
Further analysis of the directory containing these files revealed the presence of another unique file with the name of “efkmcutt.gqz”. Both of the data files were unknown and had not been seen onVirusTotalat the time.
This type of behaviour will often easily bypass traditional security solutions due to the fact that AutoIt is a legitimate script binary that is not malicious by nature. It’s only malicious when it is abused and used to run malicious scripts. However, custom written scripts will have unique new hashes that are not seen in the wild, hence signature based solutions will typically not easily detect these.
In addition to the persistence entries discovered and process launch events, live memory analysis techniques had also reported other indicators of compromise on the system. A reflective DLL load had been observed in the legitimate Microsoft regsvcs.exe process, which had been launched by the AutoIt script. Additionally, evidence of thread injection into a number of other legitimate processes on the system were seen.
Reflective loading of DLLs is a technique often used by malware to dynamically inject malicious code into legitimate processes that are loaded on the system. The benefit of this is that it helps blend into the environment amongst normal processes so as to avoid detection from traditional security solutions. As these techniques do not make any changes to the disk, it is also especially effective against standard anti-virus solutions.
What caused the initial infection?
In order to discover the infection vector, a timeline of all related events was created. We traced backthe first execution of the ‘bambo.exe’ binary and found the parent process with the name of “Facture SonatelSN10 1001 922783 602.exe”. The metadata of this binary was described as “Adobe Acrobat Reader DC”, though that was clearly not the case. The binary filename ‘Facture Sonatel’ is translated to ‘Sonatel bill’ in English and Sonatel is the principle telecommunications provider of Senegal.
Correlation of other data sources with the timeline constructed showed that the user was accessing attachments via Gmail at the time of the event. Given the affected user’s name and the specific social engineering technique, the most likely explanation was that the malware was generic African malware that had reached an African employee via their personal Gmail account that they were accessing from their corporate system with the phishing technique delivering malicious code under the guise of being a standard phone bill.
Command and Control
Most malware will typically have some form of command and control (C2) channel, which often will involve initiating some form of connection back to an internet hosted server. Further correlation of other data sources with the infection timeline revealed that the legitimate “regsvcs.exe”we had observed as being the target of code injection techniques process had been making outbound connections to a server IP address traced back to Côte d’Ivoire using TCP port 6600.
Heavy obfuscation of the malware scripts themselves made static analysis time consuming but dynamic analysis of the malware quickly revealed that a connection to the same IP address and port was made by the malware, confirming that the traffic we had identified previously was the command and control traffic. The standard beacon packet made periodically had a structure similar to the following:
|CONNECT=P4CK3T=ATPS-2711472^$0$00:00:01$^[explorer] ^$^WIN-7LOLVM1\jo _pets^$Microsoft Windows 7 Professional 64-bit$0$1$True$Desktop$^1.5 .1^$08-10-2016$N/A$^8dde18c34015b91824834f7f8060b04eed2adeac6e6348810c37f8e6 038a91b4^$ATPS$N$^8_=_8|
The communication starts with the CONNECT followed by commands preceded with =P4CK3T such as, “=P4CK3T=ATPS-2711472”. The C2 server will then acknowledge back with “=P4CK3T=8_=_8”.
In this instance, the infection had been discovered and reported to the client quickly and no evidence of lateral movement on the network or large scale data transfer to this server had been identified.
Further Indicators of Compromise
This malware variant was also found to write key logs and other binary files into another randomly named directory in the users profile(“%USERPROFILE%\AppData\Roaming\aoa\Logs”)and was identified as actively sending back contents of the log file in ‘aoa\Logs’. Based on the beacon behaviour and other behaviour seen, the malware could then clearly be identified as being related to the LuminosityLink Remote Access Trojan (RAT) family.
Would traditional security solutions detect this?
When infected with this variant of RAT, it will most likely remain undetected due to the techniques specifically aimed at evading traditional anti-virus, giving the attackers full control of the target system. The longer the malware remains active on the system, the more opportunity the attackers have to pivot and infect other systems across an enterprise network.
While the techniques used by the malware are not fundamentally new, this is an example of common malware families becoming more sophisticated and traditional security solutions struggling to catch up with them. Whilst traditional anti-virus can never protect against sophisticated targeted attacks, even generic widespread malware is increasingly slipping past anti-virus solutions with greater success.
However, with good visibility of key endpoint data, network traffic and application logs supplemented with a range of anomaly detection techniques, this new malware variant stood out easily and allowed us to quickly identify the techniques used, the extent of the compromise and the infection vector, which allowed the compromise to be quickly contained and weaknesses in the client’s security controls and processes to be highlighted.
Ø Is this attack currently active?
This particular example was very recent. We see new variants of malware regularly. The instance we saw has been contained but it is likely that there other systems out there infected by similar variants.
Ø How many people or organizations are impacted?
We can’t answer this, we have no idea.
Ø What are the risks of this RAT – what damage can be done – i.e. why should organizations care?
This malware has dangerous functionality that could allow files to be stolen, passwords to be captured and remote access to the network the compromise is on. Even if the original targeting is aimed at home users, it doesn’t stop the attack from being changed once the attackers realize they have gained access to a sensitive corporate network.
Ø What countries are involved?
We saw evidence of this originating from West Africa and locally targeted but the affected person in this case was working in Western Europe and so it was a Western European company that was put at risk
Ø Are you the first to discover this RAT?
The malware family is not new but the particular sample we saw was a previously unseen variant when we discovered it.
Ø What makes this RAT significant/different to others?
It is available commercially as a system administration tool but has questionable functionality and can and is used for malicious purposes.
Ø How can organizations mitigate against this attack?
The variant we observed could have been prevented by strong application control, such as Microsoft’s AppLocker. Beyond that, a strong attack detection capability is required with the right technologies and people to detect previously unseen malware and other attack techniques.