Threat Spotlight: Breaking Down FF-Rat Malware

Introduction

FF-RAT is a family of malware used in a number of targeted attacks over at least the last five years. It is by no means a new threat, but it is still actively used and developed and worthy of a breakdown in an effort to defend against it.

FF-RAT malware has managed to stay under the radar and does not yet have robust, widespread industry coverage. In this post, we’re going to look at a recent sample the Threat Guidance team came across.

The Dropper

The sample we’ll be analyzing is the main dropper component:

SHA256: 7a4528821e4b26524ce9c33f04506616f57dfc6ef3ee8921da7b0c39ff254e4e

The first thing the dropper does is identify the architecture of the targeted host. If the host is a 64-bit system, then a 64-bit version of the dropper will be written to disk and executed, as shown below: 

Path: %WinDir%\Temp\S[8 Byte Hex String].dat
SHA256: 8ef257058cbb22fbab54837dc0af1bdd93c2a6bae18ca4a26e0a436656e591e1

Otherwise, if the host is a 32-bit system, then the 32-bit dropper will continue to its next phase of execution.
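The two hashes and the drop path above are the indicators a responder can act on immediately. The following is an added example, not code from the original post or from Cylance, showing how to turn them into a simple hunt over file inventory records (path plus SHA256, as a forensic tool or EDR export would provide). It assumes %WinDir% resolves to a `<drive>:\Windows` directory and that the "8 Byte Hex String" in the file name is eight hex characters, matching the snprintf-formatted DWORD described later in the post; the sample records are constructed.

```python
import hashlib
import re

# Indicators quoted from the post (dropper and the 64-bit stage it writes to disk).
KNOWN_HASHES = {
    "7a4528821e4b26524ce9c33f04506616f57dfc6ef3ee8921da7b0c39ff254e4e": "FF-RAT dropper",
    "8ef257058cbb22fbab54837dc0af1bdd93c2a6bae18ca4a26e0a436656e591e1": "FF-RAT 64-bit dropper stage",
}

# Drop path from the post: %WinDir%\Temp\S[8 hex chars].dat.
# Assumptions: %WinDir% is <drive>:\Windows and the hex string is 8 characters.
# Windows paths are case-insensitive, so the match is too.
DROP_PATH_RE = re.compile(
    r"^[A-Za-z]:\\Windows\\Temp\\S[0-9A-Fa-f]{8}\.dat$", re.IGNORECASE
)


def sha256_of(data: bytes) -> str:
    """Hex SHA256 of a file's bytes, for building records from raw samples."""
    return hashlib.sha256(data).hexdigest()


def classify(path: str, sha256: str) -> list:
    """Return the reasons (if any) a file record matches the FF-RAT indicators."""
    reasons = []
    label = KNOWN_HASHES.get(sha256.lower())
    if label:
        reasons.append("known hash: " + label)
    if DROP_PATH_RE.match(path):
        reasons.append("matches FF-RAT drop path pattern")
    return reasons


def hunt(records) -> list:
    """Filter (path, sha256) records down to those that hit at least one indicator."""
    hits = []
    for path, digest in records:
        reasons = classify(path, digest)
        if reasons:
            hits.append((path, reasons))
    return hits


# Constructed sample inventory: one path hit with an unknown hash, one hash hit
# under a renamed file, and one benign file that should not match.
SAMPLE_RECORDS = [
    ("C:\\Windows\\Temp\\S1A2B3C4D.dat", "0" * 64),
    ("C:\\Users\\Public\\update.tmp",
     "8ef257058cbb22fbab54837dc0af1bdd93c2a6bae18ca4a26e0a436656e591e1"),
    ("C:\\Windows\\Temp\\report.txt", "f" * 64),
]

if __name__ == "__main__":
    for path, reasons in hunt(SAMPLE_RECORDS):
        print(path, "->", "; ".join(reasons))
```

The path regex catches the drop location even when the 64-bit stage has been rebuilt and its hash changed, while the hash set catches the known stage wherever it is copied; using both keeps a renamed or recompiled file from slipping past a single indicator.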

Both droppers (32- and 64-bit) will proceed to decrypt and decompress an embedded DLL named SetupDll.dll. This DLL contains the primary functionality of the dropper, and is executed entirely in memory – never touching the disk. Next, we’ll cover the process of extracting the DLL.

Decoding and Decompression

The recent dropper and different components of FF-RAT make heavy use of a combination of RC4, single byte XOR and LZ compression to protect the payloads and configuration. We have also observed older variants using aPACK instead of LZ compression.

The basic workflow for the decryption and decompression looks like this:

1) Generate the decryption key. The decryption key is generated by taking a hard-coded DWORD and formatting it as an 8-byte hex string through a call to snprintf(). For example, given the value 0x12345678,
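For an analyst writing a payload extractor, the key derivation step is the one worth getting exactly right, because a key that is off by case or byte order produces garbage that is hard to distinguish from a wrong decryption algorithm. The following is an added example, not code from the original post or from Cylance: it reproduces the snprintf-style key derivation and implements the RC4 and single-byte XOR layers the post names, with a header check to confirm a candidate key. It assumes a lowercase `%08x` format string, that the 8-character string is used directly as the RC4 key, and that RC4 is applied before the XOR layer; the post does not state any of those details, and the LZ decompression stage is not implemented here because the post does not identify the variant. The sample blob is constructed.

```python
def derive_key(dword: int) -> bytes:
    """Mirror snprintf(buf, 9, "%08x", dword): the DWORD as 8 ASCII hex chars.
    Assumption: lowercase hex (use "%08X" if a sample formats in uppercase)."""
    return ("%08x" % (dword & 0xFFFFFFFF)).encode("ascii")


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4; the same call encrypts and decrypts."""
    # Key-scheduling algorithm (KSA)
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    # Pseudo-random generation algorithm (PRGA), XORed onto the data
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor_single(data: bytes, key_byte: int) -> bytes:
    """Single-byte XOR layer; also its own inverse."""
    return bytes(b ^ key_byte for b in data)


def looks_like_pe(data: bytes) -> bool:
    """Cheap sanity check for an uncompressed PE: the 'MZ' DOS header."""
    return data[:2] == b"MZ"


def decode_layer(blob: bytes, dword: int, xor_key: int = None) -> bytes:
    """Strip the RC4 layer keyed from the hard-coded DWORD, then the optional
    single-byte XOR layer. The RC4-then-XOR order is an assumption."""
    plain = rc4(derive_key(dword), blob)
    if xor_key is not None:
        plain = xor_single(plain, xor_key)
    return plain


def encode_layer(data: bytes, dword: int, xor_key: int = None) -> bytes:
    """Inverse of decode_layer, used only to build the constructed sample."""
    buf = xor_single(data, xor_key) if xor_key is not None else data
    return rc4(derive_key(dword), buf)


# Constructed sample: a fake PE header protected with the assumed layering.
SAMPLE_DWORD = 0x12345678
SAMPLE_XOR = 0x5A
SAMPLE_PLAIN = b"MZ\x90\x00" + b"constructed payload bytes"
SAMPLE_BLOB = encode_layer(SAMPLE_PLAIN, SAMPLE_DWORD, SAMPLE_XOR)

if __name__ == "__main__":
    print("key:", derive_key(SAMPLE_DWORD).decode())
    recovered = decode_layer(SAMPLE_BLOB, SAMPLE_DWORD, SAMPLE_XOR)
    print("PE header present:", looks_like_pe(recovered))
```

When the DWORD is read out of a sample, feeding candidate values through `decode_layer` and checking `looks_like_pe` (or, for compressed payloads, the expected LZ header) is a quick way to confirm the key format before investing time in the decompression routine.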

This is a Security Bloggers Network syndicated blog post authored by Cylance Threat Guidance Team. Read the original post at: Cylance Blog