Sometimes the simplest techniques can foil the complex systems created by security firms and large enterprises to detect malicious programs and files. Lets see – What Evasion techniques this Advance version of Terminator RAT is using:
This executable will first create its working folders located at “%UserProfile%\Microsoft” and “%AppData%\2019”, where it will store configurations and executable files (svchost_.exe and sss.exe).
Malware terminates and remove itself after installation. The malware will only run after reboot. This is one effective way to evade sandbox automatic analysis, as malicious activity will only reveal after a reboot.
The RAT (svchost_.exe) will collaborate with its relay (sss.exe) to communicate with the command and control server at liumingzhen.zapto.org / 126.96.36.199 and liumingzhen.myftp.org / 188.8.131.52.
This component plays the role as a network relay between the malware and the proxy server, by listening over port 8000.
This folder “2019” was then configured to be the new start up folder location by changing the registry “HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Startupdeter forensics investigation.” to deter forensics investigation by changing the startup location.
Also to deter file-based scanning that implements a maximum file size filter, by expanding the size of svchost_.exe to 40MB.
It is clear cybercrime is getting more organized and cybercriminals are becoming so much more sophisticated. Hackers are using stealth or advanced malware, usually to infiltrate hosts in networks and steal valuable data and APT attacks are increasingly becoming more sophisticated and harder to detect.