Terminator RAT became more sophisticated in recent APT attacks

Terminator RAT Advanced Persistent Threat
Advanced Persistent Threat (APT) is a term referring to targeted attacks on enterprises and other organizations and recently referred to what appeared to be nation-state intelligence agencies using cyber assaults for both conventional espionage and industrial espionage.
 
Advanced threats have targeted control systems in the past and these attacks use commercially available and custom-made advanced malware to steal information or perpetrate fraud.
 
Terminator RAT has been used against Tibetan and Uyghur activists before and while tracking attack against entities in Taiwan, the Cyber Security company FireEye Labs recently analyzed some new samples of ‘Terminator RAT‘ (Remote Access Tool) that was sent via spear-phishing emails to targets in Taiwan.

 
A word document as an attachment was sent to victims, exploited a vulnerability in Microsoft Office (CVE-2012-0158), which subsequently drops a malware installer named “DW20.exe”.

Sometimes the simplest techniques can foil the complex systems created by security firms and large enterprises to detect malicious programs and files. Lets see – What Evasion techniques this Advance version of Terminator RAT is using:

This executable will first create its working folders located at “%UserProfile%\Microsoft” and “%AppData%\2019”, where it will store configurations and executable files (svchost_.exe and sss.exe).

edit startup forder path in regisrty

Malware terminates and remove itself after installation. The malware will only run after reboot. This is one effective way to evade sandbox automatic analysis, as malicious activity will only reveal after a reboot.

The RAT (svchost_.exe) will collaborate with its relay (sss.exe) to communicate with the command and control server at liumingzhen.zapto.org / 123.51.208.69 and liumingzhen.myftp.org / 123.51.208.69.

This component plays the role as a network relay between the malware and the proxy server, by listening over port 8000.

This folder “2019” was then configured to be the new start up folder location by changing the registry “HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Startupdeter forensics investigation.” to deter forensics investigation by changing the startup location.

Also to deter file-based scanning that implements a maximum file size filter, by expanding the size of svchost_.exe to 40MB.

It is clear cybercrime is getting more organized and cybercriminals are becoming so much more sophisticated. Hackers are using stealth or advanced malware, usually to infiltrate hosts in networks and steal valuable data and APT attacks are increasingly becoming more sophisticated and harder to detect.

Cr0w Tom
Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s