Threat Analysis Unit (TAU) Threat Intelligence Notification: BlackRemote RAT

BlackRemote is a relatively new commodity RAT discovered in September 2019. Like other Remote Access Trojans, it offers typical functionality such as keylogging, remote desktop, file transfer, credential harvesting, and more. Although the RAT was discovered early and the individual responsible for BlackRemote has since been reported to the relevant authorities, variants are likely to surface in the future because the customizable builder component lets operators produce tailor-made RAT client configurations for their attacks.

Behavioral Summary

The TTPs for the sample discussed in this report are displayed within CB Defense as shown below.

Details

BlackRemote is written in .NET and is protected by multiple obfuscators to delay reverse engineering efforts. The DarkRemote client component of the RAT is likely to arrive attached to phishing emails. In this example, the client was attached as a compressed ZIP file. The ZIP file contains an executable which, when run, unpacks itself to C:\users\<user>\appdata\roaming\microsoft\windows as hgreg.exe. Once hgreg.exe is invoked, it first creates a shortcut to itself in the Windows Startup folder, saving the shortcut under the filename system.ini even though it is in fact a “.url” shortcut file. Next it creates the following registry key under the currently logged-on user’s SID in HKEY_USERS.

HKEY_USERS\<SID>\g↑Dl\dU(ÿ     ID    REG_SZ    rena

After that, hgreg.exe creates two folders: C:\Users\<user>\AppData\Roaming\Microsoft\Windows\77316404 and C:\Users\<user>\AppData\Roaming\1824396. The first folder contains a raw binary file, qt6bIXtKRzHJklNNL9, which when viewed in a text editor contains the string “ON”. The second folder contains a file named in the format “Day, Month MM, YYYY – HH.MM.SS.lg”, which holds a log of the keystrokes typed by the victim, including the name of the application the text was typed into. An outbound network connection is established with the C2 controller; its details are listed in the IOCs section of this report.
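The two host artifacts described above (a .url shortcut saved as system.ini in the Startup folder, and a keystroke log named “Day, Month MM, YYYY – HH.MM.SS.lg” in a numeric folder under AppData\Roaming) can be checked for with a small detection routine. The following is an added example, not code from the report or from Carbon Black; it assumes the shortcut uses the standard Internet Shortcut layout ([InternetShortcut] section with a URL= line), and the sample file listing is constructed.

```python
import re
from pathlib import PureWindowsPath

# Keystroke log name from the report: "Day, Month DD, YYYY – HH.MM.SS.lg"
# (the report shows an en dash; a plain hyphen is accepted too).
KEYLOG_NAME = re.compile(
    r"^[A-Z][a-z]+, [A-Z][a-z]+ \d{1,2}, \d{4} [–-] \d{2}\.\d{2}\.\d{2}\.lg$")
# The log lives in a numeric-named folder directly under AppData\Roaming.
KEYLOG_DIR = re.compile(r"\\AppData\\Roaming\\\d+$", re.IGNORECASE)


def is_masqueraded_url_shortcut(path, content):
    """True when a Startup-folder file carries a standard Internet Shortcut body
    ([InternetShortcut] section with a URL= line) but lacks the .url extension.
    Assumption: standard .url layout; the report only says it was saved as system.ini."""
    p = PureWindowsPath(path)
    in_startup = (p.parent.name.lower() == "startup"
                  and p.parent.parent.name.lower() == "programs")
    body = content.lstrip().lower()
    looks_like_url = body.startswith("[internetshortcut]") and "url=" in body
    return in_startup and looks_like_url and p.suffix.lower() != ".url"


def is_keystroke_log(path):
    """True when the path matches the keystroke log folder and name pattern."""
    p = PureWindowsPath(path)
    return bool(KEYLOG_DIR.search(str(p.parent))) and bool(KEYLOG_NAME.match(p.name))


def scan(files):
    """files: mapping of Windows path -> text content. Returns (path, reason) findings."""
    findings = []
    for path, content in files.items():
        if is_masqueraded_url_shortcut(path, content):
            findings.append((path, "Internet Shortcut masquerading as non-.url file in Startup"))
        elif is_keystroke_log(path):
            findings.append((path, "keystroke log matching BlackRemote naming pattern"))
    return findings


# Constructed sample listing for demonstration (not artifacts from the report).
SAMPLE_FILES = {
    r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system.ini":
        "[InternetShortcut]\r\nURL=file:///C:/Users/alice/AppData/Roaming/Microsoft/Windows/hgreg.exe\r\n",
    r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\notes.url":
        "[InternetShortcut]\r\nURL=https://example.com/\r\n",  # legitimate, not flagged
    r"C:\Users\alice\AppData\Roaming\1824396\Friday, December 13, 2019 – 10.15.22.lg":
        "[notepad.exe] hello world\r\n",
    r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\77316404\qt6bIXtKRzHJklNNL9": "ON",
}

if __name__ == "__main__":
    for path, reason in scan(SAMPLE_FILES):
        print(f"{reason}: {path}")
```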

The process activity from CB ThreatHunter is shown below.


Remediation:

MITRE ATT&CK TIDs

TID      Tactic                                                  Description
T1045    Defense Evasion                                         Software Packing
T1057    Discovery                                               Process Discovery
T1060    Persistence                                             Registry Run Keys / Startup Folder
T1056    Collection, Credential Access                           Input Capture
T1179    Privilege Escalation, Credential Access, Persistence    Hooking
T1158    Defense Evasion, Persistence                            Hidden Files and Directories
T1096    Defense Evasion                                         NTFS File Attributes

Indicators of Compromise (IOCs)

Indicator                                                           Type        Context
682dc98e57fba5b50dedeacd158e5b58                                    MD5         DarkRemote Dropper
2b3cda455f68a9bbbeb1c2881b30f1ee962f1c136af97bdf47d8c9618b980572    SHA256      DarkRemote Dropper
192.169.69.25                                                       TCP/7722    C2 IP address
renaj.duckdns.org                                                   domain      C2 domain

The post Threat Analysis Unit (TAU) Threat Intelligence Notification: BlackRemote RAT appeared first on VMware Carbon Black.

Article Link: https://www.carbonblack.com/2019/12/13/threat-analysis-unit-tau-threat-intelligence-notification-blackremote-rat/