Look inside a Dark Comet Campaign

As many of you who read this blog will know, I have a fondness for researching RATs. In this post I'm going to stay on the same topic, but I'm going to change the perspective. To date I have concentrated on understanding how the ‘Server’ was holding the configs and how to extract them.

Now I'm going to look at the data that is extracted by these tools.

The Tool

DarkComet is a free, ‘semi-publicly’ available RAT. The client and the server for Dark Comet are well understood at this point, and there are hundreds of blog posts by researchers far better than myself, so I'm not going to dwell too much on these points except to say it's easy to get hold of, it's easy to use and it's fairly powerful if it gets installed on your system.

If you're unfortunate enough to become infected, and even worse you're infected ...


BSides London

This is a little late to post, but here it is anyway.

BSides is a framework for a security conference by the community, for the community. It's designed so that anyone who can get a space and some sponsorship can organise a conference, with a lot of the hard work already covered by the framework. That's not to say that the organisers, volunteers and sponsors don't put a lot of work in behind the scenes.

BSides London has been around for a couple of years and grows every year. This year I decided, with a little prompting, to submit a talk and a workshop. The talk didn't make it on to the main agenda but my workshop did: a practical session showing how I reverse a RAT and extract the config. It was a small session with no more than 8 in attendance, but feedback was positive.

One of the things that bsides L...


RAT Decoders

I have talked about decoding RATs several times now in previous posts, and if you have read them you will know that I'm creating static decoders for the most common Remote Access Trojans.

In this post I'll be releasing a handful of the static decoders I have written so far.

I have set up a repo on GitHub that will hold a collection of Python scripts that extract and decode the configuration settings from common RATs.

Each of these decoders is already running on http://malwareconfig.com and has additional features that are not included in the scripts, such as Snort rules, IOC files and VirusTotal linking.

You can read more about MalwareConfig.com in upcoming posts, or read more here: http://malwareconfig.com/about

Current RATs

Here is a list of the currently supported RATs:

  • Adwind
  • Arcom
  • BlackN...

I Hear you like Mount Points

tl;dr

Having just finished my SANS 508 course, I want to share a quick script to help mount partitions and disk images acquired as part of a forensic analysis.

I Hear You Like Mount Points

SANS 508 is an advanced computer forensics course, and the majority of the course is spent examining disk images. The course uses E01 images of a single partition; this is done to simplify the classroom activities, since copying full disk images is time consuming and detrimental to the learning experience.

How does this scale to real life? In the real world you will have a mix of full disk images with multiple partitions, and in some cases different formats for each partition (think dual-boot Linux and Windows with recovery partitions). Needless to say, real-world examples can get complex quickly.

When it comes to the ...


MalwareConfig

For those of you who read this blog on a more regular basis, you will know what I'm talking about; for those of you who just landed here, let me explain.

My project over the last several months has been looking at Remote Access Trojans / Tools. My aim was not to discover how they operate; RATs for the most part operate in the same way.

What I was interested in was how to detect these RATs and, more importantly, how I could share the information I was gathering with anyone else who could make use of it. The data set will largely contain samples from ‘Script Kiddies’ who mass-target individuals just to get slaves, but it will also capture samples that have been used by crime packs and potentially even APT actors.

Most methods of capturing this data use sandboxes to run the sample and observe its b...


Blue Banana RAT Config

Following on from my last post on the Adwind RAT, I found another Java-based RAT that is freely available to the public. Blue Banana has been around for a couple of years and looks very similar to early versions of Frutas.

Here is the pitch from the coder.

[Image: Info1 (the coder's pitch)]

My aim was much the same as in my last analysis on the Adwind RAT. I'm not so interested in its capabilities, more in how its config is stored and how I can get to it.

Opening up the .jar file, I immediately see the bit I want: “config.txt” :)

config.txt contains a long string of chars that look like hex values. Could a simple hex decoder be all I need?

No, sadly not. Looks like I'm going to be reading through some Java class files to figure this one out.

Attempting to decompile the Java bytecode didn't work very well; I tried a few different de...


AdWind Rat Analysis

If you have been reading my recent posts you will know that I'm working on a project to provide a public-facing web application that will allow people to upload samples and, in return, get the configuration, Snort rule, Yara rule and IOC files specific to each instance.

This post will show you how I muddle my way through figuring out how to extract a config file so it can be added to the collection of extraction scripts.

AdWind RAT Brief history

AdWind has 4 major milestones in its history.

  1. Starting life as a proof of concept on indetectables.net, it was named Frutas and was free, in its original Spanish and later in translated English.
  2. From Frutas it became AdWind and went up for sale as a “Premium” RAT. Prices ranged from $75 for a single licence to $250 for multiple licences.

Malware Sample Configuration Extractor

First of all

MERRY CHRISTMAS / SEASONS GREETINGS AND A HAPPY NEW YEAR

In my last post I talked about extracting configurations from malware samples. If you haven't already read it, you can find it here.

In that article I created several Python scripts that would extract the relevant configuration sections. There are also many scripts and techniques out on the interwebs that other researchers have created and shared.

My project for the upcoming months is to create a public framework and web application that will simplify the process of extracting, storing, searching and sharing these configurations.

Currently, and somewhat unimaginatively, named the “Malware Sample Configuration Extractor”, it is capable of extracting configs from the following:

Supported Malware

  1. Bozok Rat
  2. Jrat
  3. DarkComet

Extracting Configurations From Malware Samples

I like RATs, and I don't mean the furry creatures that live in cages or sewer lines; I am of course talking about Remote Access Trojans. Used by Script Kiddies, e-crime rings and APT groups alike, they provide a wide range of tools and capabilities for anyone who manages to get one implanted on your network or system.

Over the last few weeks I have been working with two different RATs, looking at their C2 traffic and trying to dissect their network protocol. Having this understanding of the network protocol for each RAT allows for some very bespoke IDS rules to be created.

The other aspect I was looking at was, as described in the title, extracting the configuration information...


Setting up a malware Zoo with VXCage

If you're going to research malware you're going to need some samples. Any researcher worth his weight will have a well-maintained zoo. This post is going to explore the world of malware collection and a few nice ways to store your samples.

*DISCLAIMER* There are many ways to collect and share samples, and many ways to store them for your lab. The methods I discuss might not be the best for your setup, but hopefully they can point you in the right direction.

Before we dive in to collecting our samples, let's figure out how and where we are going to store them.

Storage

As with most things in life, there are a variety of methods that can be used for storing malware samples, each with their own set of pros and cons. Let's start with the where.

Your malware needs to be accessible from wherever your ...
