Home » Cybersecurity » Malware » Saefko: A new multi-layered RAT

Saefko: A new multi-layered RAT

by [email protected] on August 8, 2019

Recently, the Zscaler ThreatLabZ team came across a new remote-access trojan (RAT) for sale on the dark web. The RAT, called Saefko, is written in .NET and has multiple functionalities. This blog provides a detailed analysis of this piece of malware, including its HTTP, IRC, and data stealing and spreading module. Background A RAT is a type of malware that includes a backdoor for remote administrative control of the targeted computer. RATs are usually downloaded as a result of a user opening an email attachment or downloading an application or a game that has been infected. Because a RAT enables administrative control, the intruder can do just about anything on the targeted computer, such as monitoring user behavior by logging keystrokes, accessing confidential information, activating the system’s webcam, taking screenshots, formatting drives, and more. Upon successful infection, the Saefko RAT stays in the background and executes every time the user logs in. It fetches the chrome browser history looking for specific types of activities, such as those involving credit cards, business, social media, gaming, cryptocurrency, shopping, and more. It sends the data it has collected to its command-and-control (C&C) server and requests for further instructions. The C&C instructs the malware to provide system information and the RAT will begin to collect a range of data including screenshot,videos, keystroke logs and more. The C&C can also instruct the malware to download additional payload onto the infected system. RATs present a unique business threat. They have the ability to steal a lot of data without being detected and spread to other systems across the network. The ThreatLabZ team also detonated the Saefko RAT in the Zscaler Cloud Sandbox to determine its functionality, communications, and the potential threat. Technical Analysis of the Saefko RAT Saefko malware unpacks itself and places the saefkoagent.exe file in “/%AppData%/Roaming/SaefkoAgent.exe” and executes it. It also copies itself to “/%AppData%/Roaming/windows.exe” and “/%AppData%/Local/explorer.exe” and executes them. Autostart Key The Saefko malware creates a startup key to execute the malware at every login. If it is executing from an admin account, it creates the following registry key: “HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer” Otherwise, it creates a registry key in the following path: “HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer” Functionality Saefko first checks to see whether the internet connection is active by connecting to “clients3.google.com/generate_204”. It then uses a unique technique to identify if the infected system contains any vital information. It fetches the browser history and searches for particular websites that have been visited by the user and makes a count based on the categories mentioned below. From the counts, the attacker can determine which systems it should target first from all the infected systems. The list of different categories it searches include: Credit card possibility paypal.com 2c2p adyen.com volusion.com pay.amazon.com apple.com/apple-pay/ atos.net authorize.net BIPS bitpay.com bpay.com braintreepayments.com centup.org cm.com creditcall.com cybersource.com mastercard.com digi.cash digitalriver.com dwolla.com elavon.com euronetworldwide.com eway.io firstdata.com fortumo.com pay.google.com/send/home heartlandpaymentsystems.com ingenico.com ippayments.com klarna.com emergentpayments.ne moduslink.com mpay.com neteller.com ofx.com pagseguro payoneer.com paymentwall.com paypoint.co paysbuy.com paysafe.com paytm.com payzone.co.uk crunchbase.com qiwi.com globalpaymentsinc.com reddotpayment.com sagellc.com skrill.com stripe.com squareup.com tencent.com transfermate.com transferwise.com wmtransfer.com trustly.com wepay.com verifone.com xendpay.com pay.weixin.qq.com money.yandex.ru wirecard.com truemoney.com xsolla.com myshopify.com/admin payza.com 2checkout.com 3dcart.com paysafecard.com weebly.com Gaming activity value origin.com steampowered.com g2a.com twitch.tv nichegamer.com techraptor.net gematsu.com estructoid.com pcgamer.com gamefaqs.gamespot.com gamespot.com siliconera.com rockpapershotgun.com gameinformer.com decluttr.com glyde.com gamestop.com microsoft.com/account/xboxlive playstation.com/en-us/network/store nintendo.com/games gog.com game.co.uk itch.io gamefly.com greenmangaming.com gaming.youtube.com Cryptocurrency value etoro.com 24option.com puatrack.com/coinbull2/ luno.com paxforex.com binance.com coinbase.com cex.io changelly.com coinmama.com xtrade.ae capital.com paxful.com kraken.com poloniex.com gemini.com bithumb.com xcoins.io cobinhood.com coincheck.com coinexchange.io shapeshift.io bitso.com indacoin.com cityindex.co.uk bitbay.net bitstamp.net cryptopia.co.nz pro.coinbase.com kucoin.com bitpanda.com foxbit.com.br bitflyer.com bitfinex.com bit-z.com quadrigacx.com quadrigacx.com big.one lakebtc.com wex.nz kuna.io yobit.io zebpay.com hitbtc.com bx.in.th trezor.io electrum.org blockchain.com crypto.robinhood.com exodus.io mycelium.com bitcointalk.org btc-e.com moonbit.co.in bitcoinaliens.com bitcoinwisdom.com coindesk.com cointelegraph.com ccn.com reddit.com/r/Bitcoin/ bitcoin.org/en/blog newsbtc.com blog.spectrocoin.com blog.coinbase.com bitcoinist.com forklog.com abitcoinc.com bitcoin.stackexchange.com news.bitcoin.com blog.bitfinex.com blog.genesis-mining.com Instagram activity instagram.com m.instagram.com Facebook activity facebook.com m.facebook.com Youtube activity youtube.com m.youtube.com Google+ activity plus.google.com m.plus.google.com Gmail activity gmail.com mail.google.com Shopping activity boohoo.com gymshark.com mail.google.com prettylittlething.com showpo.com athleta.com ae.com ruelala.com asos.com superdry.com zaful.com zafulswimwear.com luckybrand.com forever21.com urbanoutfitters.com nastygal.com jcrew.com anthropologie.com allsaints.com uniqlo.com armaniexchange.com fashionnova.com saksoff5th.com target.com macys.com barneys.com zappos.com sneakersnstuff.com yoox.com nike.com simmi.com amazon.com ebay.com walmart.com newegg.com bestbuy.com ftd.com 1800flowers.com glossier.com sephora.com thebodyshop.com ulta.com horchow.com homedepot.com pier1.com bedbathandbeyond.com wayfair.com shoptiques.com viator.com etsy.com cloud9living.com seatgeek.com aliexpress.com alibaba.com Business value linkedin.com twitter.com nasdaq.com ft.com reuters.com nyse.com tsx.com marketwatch.com thestreet.com wsj.com investing.com investopedia.com finance.yahoo.com seekingalpha.com fool.com investorguide.com zacks.com home.saxo forexbrokers.com swissquote.com cmcmarkets.com fxpro.co.uk forex.com dukascopy.com interactivebrokers.com tdameritrade.com bankofinternet.com ally.com bankpurely.com redneck.bank Saefko also collects additional user application data, including: Command Description irc_channel IRC channel name irc_nickname Nickname irc_password IRC channel Password irc_port IRC Port for communication to a server irc_server Server name machine_active_time System uptime machine_artct Machine Architecture machine_bitcoin_value Number of cryptocurrency sites visited by the user machine_business_value Number of business sites visited by the user machine_calls_activity 0 machine_camera_activity No. of “.png” files present on the desktop machine_country_iso_code Country code fetch from “ipinfo.io/geo” machine_lat latitude machine_lng longitude machine_creadit_card_posiblty Checks the number of payment sites visited by the user machine_current_time Taking machine current time machine_facebook_activity Checks the number of times the user visited facebook machine_gaming_value Checks the number of times the user visited gaming websites machine_gmail_avtivity Checks the number of times the user visited gmail machine_googleplus_activity Checks the number of times the user visited google+ machine_instgram_activty Checks the number of times the user visited Instagram machine_ip Machine IP machine_lat The geographic location of the system (latitude) machine_lng The geographic location of the system (longitude) machine_os_type 1 machine_screenshot Captures screenshot and encode it in base 64 machine_shooping_activity Checks number of times shopping sites visit by the user The RAT sends the collected data to a command and control server as shown below: After getting an “ok” response from the server, Saefko begins the “StartServices” function, which has four different infection modules: HTTPClinet IRCHelper KEYLogger StartLocalServices (USB spreading) HTTP Clinet (Possible misspelling of HTTP Client by the author) The RAT sends a request to the server, requesting for a new task. It sends a command “UpdateAndGetTask” and also sends other information, including machine_ID, machine_os, and privateip, as shown below: The task is the URL from which the malware downloaded the new payload and executed it on the infected machine. Key Logger The malware uses the SetWindowsHookEx API for capturing keystrokes. It stores the captured keystrokes into a “log.txt” file. The filepath is: “\%AppData%\Local\log.txt.” IRC Helper First, the malware disconnects the current IRC connection. Then, it sends status information to the C&C as shown below: pass: password command: UpdateHTTPIRCStatus machine_id: unique id sent by C&C in an earlier request irc_status: 1 Next malware fetch Serverlist: it selects a server from the list below. Port: port Nickname: generates a random 7 character name List of IRC servers and ports IRC server Port IRC server Port irc.afterx.net 6667 irc.cyanide-x.net 6667 chat.freenode.net 6667 irc.europnet.org 6667 irc.azzurra.org 6669 irc.rizon.net 6669 irc.dal.net 6667 irc.efnet.org 6667 irc.gamesurge.net 6667 open.ircnet.net 6669 irc.quakenet.org 6667 irc.swiftirc.net 6667 eu.undernet.org 6667 irc.webchat.org 7000 irc.2600.net 6667 irc.abjects.net 6669 irc.accessirc.net 6667 irc.afternet.org 6667 irc.data.lt 6667 irc.allnetwork.org 6667 irc.alphachat.net 6667 irc.austnet.org 6667 irc.axenet.org 6667 irc.ayochat.or.id 6667 irc.beyondirc.net 6669 irc.blitzed.org 6667 irc.bongster.org 6669 irc.caelestia.net 6667 irc.canternet.org 6667 irc.chatall.org 6669 irc.chatcafe.net 6667 irc.chatspike.net 6667 irc.chatzona.org 6667 irc.criten.net 6667 irc.cyberarmy.net 6667 irc.d-t-net.de 6667 irc.darkmyst.org 6667 irc.deepspace.org 6667 irc.dream-irc.de 6667 irc.drlnet.com 6667 irc.dynastynet.net 6667 irc.echo.com 6667 irc.ecnet.org 6667 irc.enterthegame.com 6667 irc.epiknet.org 6667 irc.esper.net 6667 irc.euirc.net 6669 irc.evolu.net 6667 irc.explosionirc.net 6667 irc.fdfnet.net 6668 irc.fef.net 6667 Saefko connects to one of these servers and waits for a response. In the response, it checks for “T_T” string and any separate messages using that string. Below is the list of IRC functions that the RAT can perform. According to the command it receives, Saefko will respond with corresponding data. List of IRC Commands IRC Command Description dexe Download a file from a given URL and execute it hdexe Download a file from a given URL and execute it (UseShellExecute=false) vistpage Open URL hvistpage Open URL (UseShellExecute = false) snapshot Captures video frame, converts into Base64 and sends to C&C (Detailed information explained below); also replies “.oksnapshot” shell Executes command using cmd.exe tcp Makes a tcp connection using a given IP and port. identify Send system information: OS type: Microsoft windows OS version: OS version OS Username: username OS MachineName: System name OS SystemDirectory: System Directory opencd Open CDROM drive. Command: set CDAudio door open closecd Close CDROM drive. Command: set CDAudio door closed screenshot Capture screenshot, encode it into Base64 and send to C&C ping Reply “okping” camlist Gets the video devices from the system and sends information to the C&C.Detailed information explained below. pwd Current directory location Gets the system location using “https://ipinfo.io/geo” IP, city, region, country, latitude and longitude keylogs Encode the keylog file (log.txt) using base64 and send it to C&C uninstall Delete the autostart registry key (RUN) and terminate itself. Camlist Saefko also searches for the following payloads in the system: AForge.dll AForge.Video.DirectShow.dll AForge.Video.dll Sqlite3.dll If these files are not present, the malware sends a request to the C&C to download these files. Next, it searches for a list of video input devices on the targeted system and sends the related information to the C&C. Snapshot Saefko also captures videos from the device present on the system, encodes the video frame with Base64 and sends it to the C&C. Start USB Service Saefko checks to see if the drive type is either removable or networked, after which it starts the infection and copies the files below onto a removable drive. Sas.exe USBStart.exe usbspread.vbs Sas.exe is a copy of the malware itself. USBStart.exe is fetched from the resource section of the main binary. It contains code to execute Sas.exe. It creates a usbspread.vbs file then executes it. It searches every directory and all the files and creates a “lnk” file for each file and directory with a target path USBStart.exe file. When the removable device is plugged in any other system, the user is tricked into clicking a lnk file as the main files and folder are hidden. Lnk file executes the USBStart.exe that ends up executing Sas.exe which is the main payload. So it futher infect other Systems. Below is the code of the usbspread.vbs file: One online forum has an ad for a cracked Saefko RAT tool as shown below. It is a multi-protocol, multi-operating system remote administration tool that can be used to launch the malware on Windows and Android devices. Conclusion To protect systems from RATs, users must refrain from downloading programs or opening attachments that aren’t from a trusted source. At the administrative level, it’s always a good idea to block unused ports, turn off unused services, and monitor outgoing traffic. Attackers are often careful to prevent the malware from doing too much activity at once, which would slow down the system and possibly attract the attention of the user and IT. Zscaler ThreatLabZ team continues to monitor this threat and others to ensure that Zscaler customers are protected. IOCs Md5: D9B0ECCCA3AF50E9309489848EB59924 C4825334DA8AA7EA9E81B6CE18F9C15F 952572F16A955745A50AAF703C30437C 4F2607FAEC3CB30DC8C476C7029F9046 7CCCB06681E7D62B2315761DBE3C81F9 5B516EAB606DC3CC35B0494643129058 Downloader URL: industry.aeconex[.]com/receipt-inv.zip 3.121.182[.]157/dwd/explorer.exe 3.121.182[.]157/dwd/vmp.exe deqwrqwer.kl[.]com.ua/ex/explorer.exe maprivate[.]date/dhl-miss%20craciun%20ana%20maria%20#bw20feb19.zip Network URL: acpananma[.]com/love/server.php 3.121.182[.]157/smth/server.php f0278951.xsph[.]ru/server.php maprivate[.]date/server.php