State of the RAT, Part 1

By: Zori Bennett

Remote Access Tools (RATs) are software that let users access and control a computer remotely from another location. Key features of these tools include file sharing, cloud storage, and video/text chat. Although such tools are legitimate for commercial users, threat actors can use them to carry out attacks and steal data. This report focuses on the following remote access tools commonly abused by malicious actors: RemotePC, UltraViewer, MSP360, PDQ Deploy, and Zoho Assist.

RemotePC

RemotePC is a free commercial tool created by iDrive Inc. that allows users to remotely access and control their Windows, Mac, or Linux computers from other devices. Its features include messaging tools, file transfer and multiple-monitor support. Confidential reports have described its use in threat actor breaches.

Vulnerability Reports/CVE

The most recent vulnerability reports on RemotePC were published in July 2022 (CVE-2021-34688 and CVE-2021-34687)[7]. Earlier versions were affected by several classes of vulnerability, including denial of service, authentication bypass, privilege escalation, information disclosure and man-in-the-middle attacks.

Verified Signer(s):

iDrive Inc.
ProSoftnet Corporation

Associated File Names:

RemotePC
RPC DND Console
RemotePCService
RemotePC Suite
RPC Performance Service
RpcOTADND_Console.exe
Remotepcservice.exe
RemotePCUIU.exe
RPCPerformanceService.exe
RemotePC.exe

Associated Domains:

version.remotepc[.]com
web1.remotepc[.]com
www1.remotepc[.]com

Associated IPs:

172.67.37.123
64.90.202.200
64.90.202.245

Associated Hashes:


Under normal circumstances, RemotePC typically executes from these paths:

%SAMPLEPATH%\RemotePC.exe
%USERPROFILE%\AppData\Local\Temp\is-VHFM6.tmp\RemotePC.tmp
%USERPROFILE%\AppData\Local\Temp\is-KO4JJ.tmp\RemotePC1.exe
%USERPROFILE%\AppData\Local\Temp\is-UG36L.tmp\RemotePC1.tmp
C:\Windows\SysWOW64\taskkill.exe
C:\Program Files (x86)\RemotePC\RPDUILaunch.exe
C:\Program Files (x86)\RemotePC\PreUninstall.exe
C:\Program Files (x86)\RemotePC\RPCFirewall.exe
C:\Program Files (x86)\RemotePC\SuiteLauncher.exe
C:\Program Files (x86)\RemotePC\RemotePCLauncher.exe
C:\Windows\SysWOW64\sc.exe
C:\Windows\System32\msiexec.exe
C:\Program Files (x86)\RemotePC\RPCDownloader.exe
C:\Program Files (x86)\RemotePC\RemotePCService.exe
C:\Program Files (x86)\RemotePC\RPCPrinterDownloader.exe
C:\Windows\System32\cmd.exe
C:\Windows\System32\sc.exe
C:\Program Files (x86)\RemotePC\RemotePCUIU.exe
C:\ProgramData\RemotePC\Codec\RemotePCPerformance.exe
C:\Windows\regedit.exe
C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
C:\Program Files (x86)\RemotePC\RemotePCPerformance\RPCPerformanceService.exe
C:\Program Files (x86)\RemotePC\RemotePCPerformance\RpcApp\Tools\RpcUtility.exe
C:\Windows\System32\regsvr32.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\RegAsm.exe
C:\Windows\System32\bcdedit.exe
C:\Windows\SysWOW64\netsh.exe
C:\Program Files (x86)\RemotePC\RemotePCPerformance\PluginInstaller.exe
C:\Program Files (x86)\RemotePC\RemotePCPerformance\RemotePCPerformancePlugins.exe
C:\Program Files (x86)\RemotePC\RemotePCPerformance\RemotePCPerformancePrinter.exe
C:\Program Files (x86)\RemotePC\RemotePCPerformance\RpcPrinter\InstallPrinter.exe
%SAMPLEPATH%\3d11cf1d5f83678258e790b34e99f5c71c2dc3f14a27dd5f14192ab10b4d0217.exe
%USERPROFILE%\AppData\Local\Temp\is-G102D.tmp\3d11cf1d5f83678258e790b34e99f5c71c2dc3f14a27dd5f14192ab10b4d0217.tmp
%USERPROFILE%\AppData\Local\Temp\is-H2LAQ.tmp\RemotePC1.exe
%USERPROFILE%\AppData\Local\Temp\is-K8CKA.tmp\RemotePC1.tmp
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Program Files\RemotePC\rootcert.pem
"C:\Windows\System32\msiexec.exe" /qn /i "C:\ProgramData\RemotePC\PrinterSetup\Printer.msi"

Ultraviewer

UltraViewer, signed by DucFabulous Co., Ltd, is a remote access tool whose capabilities include support for all versions of Windows, chat boxes and remote file sharing.

One of the most recent instances of a threat actor making use of UltraViewer was detected by AT&T Alien Labs in a remote access trojan called ‘FatalRAT’[1]. The malware checks for virtual machines on the system before executing commands to infect the system remotely. A notable behaviour of this malware is that it actively uninstalls UltraViewer and installs AnyDesk. The malware is also suspected to spread across the victim’s network by brute-forcing weak passwords over IPC$. If successful, it copies itself to the target folder as %Folder%\hackshen.exe and executes the copied file remotely.

UltraViewer was also used as a tool in an exam-hacking scheme: Delhi Police arrested three Russian hackers who had been hired to supply answers for various reputable exams (e.g. GMAT, IBM, CCISO)[2]. The hackers claimed to have helped hundreds of candidates and to have been operating since 2019. On exam day, the hackers would send their clients a link to download the UltraViewer software. The clients would then use UltraViewer to grant access to the hacker, who entered the correct answers to the test.

Verified Signer(s):

DucFabulous Co., Ltd

Associated File Names:

UltraViewerDesktop
UltraViewerService
UltraViewer_Service.exe
is-AQ77Q.tmp
UltraViewer_Desktop.exe
is-273TE.tmp

Associated IPs:


Associated Hashes:

e18e537dd5869f41e09eee5e598a6fb0817f79b3b7d38d9fdd36015d9f5596ec
c92d5dfc09749554afd9175bf2dc31995f38565bd43d63497acf98ab0a0866f1
7db985064e0bf2f94ee071a83f57f8611e06039f0adcced38065deedf621526a

Under normal circumstances, Ultraviewer typically executes from these paths:

%SAMPLEPATH%\UltraViewer_setup_6.5_en.exe
%USERPROFILE%\AppData\Local\Temp\is-3QM76.tmp\UltraViewer_setup_6.5_en.tmp
C:\Windows\System32\wuapihost.exe
%SAMPLEPATH%\7db985064e0bf2f94ee071a83f57f8611e06039f0adcced38065deedf621526a.exe
%USERPROFILE%\AppData\Local\Temp\is-61CG1.tmp\7db985064e0bf2f94ee071a83f57f8611e06039f0adcced38065deedf621526a.tmp
%USERPROFILE%\AppData\Local\Temp\is-T02CO.tmp\7db985064e0bf2f94ee071a83f57f8611e06039f0adcced38065deedf621526a.tmp
%USERPROFILE%\AppData\Local\Temp\is-CQM9G.tmp\7db985064e0bf2f94ee071a83f57f8611e06039f0adcced38065deedf621526a.tmp
%USERPROFILE%\AppData\Local\Temp\is-6SFKI.tmp\7db985064e0bf2f94ee071a83f57f8611e06039f0adcced38065deedf621526a.tmp
%USERPROFILE%\AppData\Local\Temp\is-VIO6F.tmp\7db985064e0bf2f94ee071a83f57f8611e06039f0adcced38065deedf621526a.tmp
%USERPROFILE%\AppData\Local\Temp\is-376TQ.tmp\7db985064e0bf2f94ee071a83f57f8611e06039f0adcced38065deedf621526a.tmp

MSP360

MSP360, formerly known as CloudBerry Lab, is software that offers not only remote access but also disaster recovery and backup management. The platform runs on various operating systems (Windows, macOS, Linux) and supports platforms including VMware, Google Workspace and Microsoft 365. Confidential reports have described the software (msp360[.]com) in threat actor breaches.

Verified Signer(s):

CloudBerry Lab
MSPBytes, Corp.
Sectigo Public Code Signing CA

Associated File Names:

MSP Connect
CloudRaService.exe
CloudRaWpf.exe
Connect.exe
ConnectStandaloneSetup_v3.0.0.60_netv4.5.1.exe

Associated IPs:

13.107.4.52:80 (TCP)
52.251.79.25:443 (TCP)
23.216.147.76:443 (TCP)

Associated Hashes:

35c46ce77a20732eac2db689befa652107670df51a96d6de48365765c3579010
27032e70a9bac6889d4775ca73aa31bf50213e3d585d899d5450d1d396bc7eff
609ee1b83cc15f4bc0a3036bb18ad7bc47089619a75e5d69ebb3b6ed93a4a420

Registry Keys:

HKLM\SYSTEM\ControlSet001\Services\Connect Service
HKEY_LOCAL_MACHINE\SOFTWARE\CloudBerryLab\CloudBerry Remote Assistant

Under normal circumstances, MSP360 typically executes from these paths:

%user%\Desktop\CloudBerry Remote Assistant.lnk
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CloudBerryLab\CloudBerry Remote Assistant\Uninstall.lnk
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CloudBerryLab\CloudBerry Remote Assistant\CloudBerryLab Web Site.lnk
C:\ProgramData\CloudBerryLab\CloudBerry Remote Assistant\Logs\CloudBerry Remote Assistant.log
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CloudBerryLab\CloudBerry Remote Assistant\CloudBerry Remote Assistant.lnk
C:\Program Files\Connect
C:\Program Files\Connect\AudioProcessingModuleCs.dll
C:\Program Files\Connect\Cloud.Backup.RM.SIO.dll
C:\Program Files\Connect\Cloud.Base.dll
C:\Program Files\Connect\Cloud.Client.dll
C:\Program Files\Connect\Cloud.RA.dll
C:\Program Files\Connect\Cloud.Ra.AppConfig.dll
C:\Program Files\Connect\Cloud.Ra.Client.dll
C:\Program Files\Connect\Cloud.Ra.Common.XmlSerializers.dll
C:\Program Files\Connect\Cloud.Ra.Common.dll
C:\Program Files\Connect\Cloud.Ra.CommonHelpers.dll
C:\Program Files\Connect\Cloud.Ra.DirectConnection.dll
C:\Program Files\Connect\Cloud.Ra.FileTransfer.dll
C:\Program Files\Connect\Cloud.Ra.Firewall.dll
C:\Program Files\Connect\Cloud.Ra.Server.dll
C:\Program Files\Connect\Cloud.Ra.ServiceContract.dll
C:\Program Files\Connect\Cloud.Ra.TransportController.dll
C:\Program Files\Connect\Cloud.Ra.Video.dll
C:\Program Files\Connect\Cloud.Ra.WinApi.dll
C:\Program Files\Connect\CloudRaCmd.exe
C:\Program Files\Connect\CloudRaCmd.exe.config
C:\Program Files\Connect\CloudRaSd.exe
C:\Program Files\Connect\CloudRaSd.exe.config
C:\Program Files\Connect\CloudRaService.InstallLog
C:\Program Files\Connect\CloudRaService.InstallState
C:\Program Files\Connect\CloudRaService.exe
C:\Program Files\Connect\CloudRaService.exe.config
C:\Program Files\Connect\CloudRaUtilities.exe
C:\Program Files\Connect\CloudRaUtilities.exe.config
C:\Program Files\Connect\Connect.exe
C:\Program Files\Connect\Connect.exe.config
C:\Program Files\Connect\ICSharpCode.SharpZipLib.dll
C:\Program Files\Connect\InstallUtil.InstallLog
C:\Program Files\Connect\LZ4.dll
C:\Program Files\Connect\MagnifierCapture.dll
C:\Program Files\Connect\NAudio.dll
C:\Program Files\Connect\NAudio.xml
C:\Program Files\Connect\Newtonsoft.Json.dll
C:\Program Files\Connect\Open.Nat.dll
C:\Program Files\Connect\Open.Nat.xml
C:\Program Files\Connect\install.log
C:\Program Files\Connect\librtc.dll
C:\Program Files\Connect\license.txt
C:\Program Files\Connect\mainicon.ico
C:\Program Files\Connect\x86
C:\Program Files\Connect\x86\librtc.dll
C:\ProgramData\Connect
C:\ProgramData\Connect\ExternalRequests
C:\ProgramData\Connect\Logs
C:\ProgramData\Connect\Logs\Connect.log
"C:\Program Files\CloudBerryLab\CloudBerry Remote Assistant"

PDQ Deploy

PDQ Deploy is a software tool that lets users create custom deployment packages; essentially, users can install software remotely on any system.

PDQ Deploy used by threat actors:

A Ransomware-as-a-Service (RaaS) operation by the name of Avos Locker used multiple remote access tools to carry out attacks and exploit vulnerabilities. The attackers relied on Windows Safe Mode, in which most third-party drivers and endpoint security software are disabled[3]: they rebooted machines into Safe Mode and ran the IT management tool AnyDesk there. The attackers also leveraged PDQ Deploy to push batch scripts out to their targeted machines, which in turn deployed the Avos Locker ransomware.

Verified Signer(s):

PDQ.COM Corporation

Associated File Names:

PDQDeploy Setup
PDQDeploy Service
PDQDeployService.exe
PDQDeployConsole.exe
PDQDeploySetup.exe
PDQDeploy.19.3.310.0.exe
Deploy_19.3.310.0.exe

Associated IPs:


Associated Hashes:

07ccb95db2924e2e2b70dfb2a1275d15d36bbe014390a4a5619557698e3a077a
03406847b2d1fb9ce71ac96f59f2c751b5502889e0233c2d32f0269f804077a4

Under normal circumstances, PDQ Deploy typically executes from these paths:

%SAMPLEPATH%\Deploy_19.3.310.0.exe
C:\Windows\Downloaded Installations\Admin Arsenal\PDQ Deploy\19.3.310.0\PDQDeploySetupPrep.exe
%SAMPLEPATH%\PDQDeploySetup.exe

ZohoAssist

Zoho Assist is a remote access tool focused on initiating and scheduling remote support sessions and troubleshooting issues via the web browser.

ZohoAssist used by threat actors:

Luna Moth Phishing Attack (July 12th, 2022)

The Luna Moth ransom group, also known as the Silent Ransom Group, carried out a phishing scam using commercial remote access tools such as Atera, AnyDesk, Syncro and Splashtop. The group was identified by the Incident Response team at Sygnia. Luna Moth’s tactic included luring victims with fake subscriptions for Zoho Masterclass or Duolingo[4]. The victim is first sent a counterfeit invoice to renew a subscription for a service that was never purchased. When the victim contacts customer service by phone to dispute the charge or cancel the subscription, the person answering is one of the threat actors. The threat actor then talks the victim through installing remote access tools on their system. After gaining access, the threat actor installs other tools such as Rclone, SharpShares and SoftPerfect Network Scanner to steal user data.

Zoho ManageEngine Vulnerability Incident (February 16, 2022)

A threat actor that goes by the name ”unindicted” exploited a Zoho ManageEngine vulnerability that allowed them to execute code without authentication on the International Committee of the Red Cross network[5]. The vulnerability, tracked as CVE-2021-40539, allowed the actor to escalate privileges and exfiltrate registry hives and Active Directory files through web shells.

Verified Signer(s):

Zoho Corporation Private Limited

Associated File Names:

Zoho Assist
Connect.exe
za_connect.exe
ZohoURSService.exe
ZAService.exe
zaservice.exe
ZohoAssist
ZohoMeeting.exe

Associated Domains:

downloads.zohocdn.com
assist.cs.zohohost.com
zohoassist.com
zohohost.com
assistlab.zoho.com
assist.zoho.com
join.zoho.com

Associated IPs:

136.143.191.95:443 (TCP)
136.143.190.0/23

Associated Hashes:

4f98f565336d5bb142239c4007ec1d9492caf4c31020176de380c8b31c9129ed
b72f8cb789ebb129640e8fc8616e3e1422448196d29f0d3533688ab4fc126965

Registry Keys:

HKLM\System\CurrentControlSet\Services\Zoho Assist-Remote Support
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Zoho Assist
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Zoho Assist Customer Plugin
HKEY_CURRENT_USER\Software\Classes\zohoassistlaunch
HKEY_CURRENT_USER\Software\Classes\zohoassistlaunchv2

Under normal circumstances, Zoho Assist typically executes from these paths:

"C:\Program Files (x86)\ZohoMeeting\agent.exe" -agent -k 106052736 -s gwlabin1.zohoassist.com -altgw gwlab-wa.zohoassist.com -fileTransferGateways ft1-in1.zohoassist.com -ms assistlab.zoho.com -ssl true -email Arjun -authkey 0tWHPnTrsFAmRLJgEsaMp9Bizvry/FqxYLVMuFpj59nsRLUlmLb+ewcWgZXJiAx3exDxNdyuWDAhFXagn9DnaA== -authtype 1 -SERVICEAGENT -demo_mode false -demo_tech false -ShowInit 0 -group AUL -productID 1 -js join.zoho.com -c_check false
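As a defender-side illustration of how the "Verified Signer(s)", "Associated File Names" and expected-path lists above can be used together, here is an added example (not code from the original post) that classifies process-creation events and flags a tracked tool running with an unexpected signer or from outside its install directory. The `Key=Value | Key=Value` log layout and the sample events are constructed for the example, and only a subset of the report's file names is included.

```python
"""RAT baseline check: match process-creation events to the tools in this
report, verify the signer against the "Verified Signer(s)" lists and flag
launches outside the expected install directory. Added example, not code
from the original post; the log layout and sample events are constructed."""
import ntpath

# (image names, verified signers, install directory) taken from the report's
# lists. connect.exe appears under both MSP360 and Zoho Assist; it is mapped
# to MSP360 here and the path check does the disambiguation.
TOOLS = {
    "RemotePC": ({"remotepcservice.exe", "remotepcuiu.exe", "rpcperformanceservice.exe"},
                 {"iDrive Inc.", "ProSoftnet Corporation"}, r"c:\program files (x86)\remotepc"),
    "MSP360": ({"cloudraservice.exe", "cloudrawpf.exe", "connect.exe"},
               {"CloudBerry Lab", "MSPBytes, Corp."}, r"c:\program files\connect"),
    "Zoho Assist": ({"za_connect.exe", "zaservice.exe", "zohoursservice.exe"},
                    {"Zoho Corporation Private Limited"}, r"c:\program files (x86)\zohomeeting"),
}

def parse_event(line):
    """Split 'Key=Value | Key=Value' into a dict (assumed log layout)."""
    return dict(part.strip().split("=", 1) for part in line.split(" | "))

def classify(event):
    """Return (tool, verdict); tool is None if the image is not a tracked RAT."""
    image = event["Image"]
    name = ntpath.basename(image).lower()
    for tool, (images, signers, install_dir) in TOOLS.items():
        if name not in images:
            continue
        issues = []
        if event.get("Signer") not in signers:
            issues.append("unexpected signer")
        # A launch from Temp, Downloads, etc. instead of the install dir is flagged.
        if not image.lower().startswith(install_dir + "\\"):
            issues.append("unexpected path")
        return tool, ("; ".join(issues) or "ok")
    return None, "not a tracked RAT"

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    r"Image=C:\Program Files (x86)\RemotePC\RemotePCService.exe | Signer=iDrive Inc.",
    r"Image=C:\Users\bob\AppData\Local\Temp\RemotePCService.exe | Signer=iDrive Inc.",
    r"Image=C:\Program Files\Connect\Connect.exe | Signer=Unknown Publisher",
    r"Image=C:\Windows\System32\cmd.exe | Signer=Microsoft Windows",
]

def run(lines=SAMPLE_EVENTS):
    """Classify every event line; returns a list of (tool, verdict) pairs."""
    return [classify(parse_event(line)) for line in lines]
```

A tool that is present but signed by its vendor and running from its install directory is expected; the two flagged cases are the ones worth a closer look, since installers also legitimately run from %TEMP% (see the is-*.tmp paths above), so treat the path check as a triage hint rather than a verdict.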

References

1: https://cybersecurity.att.com/blogs/labs-research/new-sophisticated-rat-in-town-fatalrat-analysis

2: https://indianexpress.com/article/cities/delhi/russian-hackers-jee-gmat-exams-arrested-7708815/

3: https://news.sophos.com/en-us/2021/12/22/avos-locker-remotely-accesses-boxes-even-running-in-safe-mode/

4: https://www.bleepingcomputer.com/news/security/new-luna-moth-hackers-breach-orgs-via-fake-subscription-renewals/

5: https://threatpost.com/zoho-zero-day-manageengine-active-attack/177178/

6: https://www.ultraviewer.net/en/200000026-summary-of-ultraviewer-s-security-information.html

7: https://www.opencve.io/cve?cvss=&search=remotepc

State of the RAT, Part 1 was originally published in Walmart Global Tech Blog on Medium, where people are continuing the conversation by highlighting and responding to this story.

Article Link: State of the RAT, Part 1. By: Zori Bennett | by Jason Reaves | Walmart Global Tech Blog | Aug, 2022 | Medium