URL: https://www.zscaler.com/blogs/security-research/catching-rats-over-custom-protocols
Submission: On July 11 via api from US — Scanned from DE


INSIGHTS AND RESEARCH

May 05, 2021


CATCHING RATS OVER CUSTOM PROTOCOLS


ANALYSIS OF TOP NON-HTTP/S THREATS



Adversaries generally use standard application layer protocols for communication
between malware and command and control (C&C) servers. There are several reasons
for this: first, malicious traffic blends in more easily with legitimate traffic
on standard protocols such as HTTP/S; second, companies that rely on appliances
for security often don’t inspect all SSL/TLS-encrypted traffic, as doing so is
extremely resource-intensive.

However, the massive growth of SSL attacks – 260% higher in 2020 compared to
2019 – has turned many security teams’ attention to these encrypted channels.
For those that do inspect their encrypted traffic, modern network security
proxies, gateways, and firewalls have evolved enough to conveniently parse
application protocols and strip the SSL layer to scan the underlying data. And
by knowing the protocol, scan engines using heuristics or machine-learning
techniques can more easily differentiate between malicious and legitimate
traffic, giving security teams an advantage.

These trends have led some adversaries to turn to custom protocols. Although
custom protocols for malicious communication are nothing new, almost one-third
of prevalent malware families we recently analyzed support communication over
non-HTTP/S protocols. Almost all of these malware families are Remote Access
Trojans (RATs) and are found all over, from campaigns of mass infection to
highly targeted attacks. 

In this article, we dissect the custom protocols used in some of the most
prevalent RATs seen in recent campaigns. At the end, we share a number of
signatures and Snort rules that aid in detecting these attacks.

Below are statistical representations of traffic that Zscaler blocked for
non-HTTP/S C&C communication, as well as the most active RAT families that we
observed over a three-month period.

Fig.1: Hits of top threats communicating over non-HTTP/S in the last quarter.

Fig.2: Hits of top non-HTTP/S based RAT families in the last quarter.


REMCOS RAT

Remcos is remote access and surveillance software developed and distributed by
an organization called Breaking Security. The Remcos RAT appeared in hacking
forums in late 2016. Since then, it has been favored by many cybercriminals and
even adopted by APT actors such as the Gorgon Group and Elfin Group. Remcos is
primarily delivered to victims via malicious attachments in phishing emails. Its
capabilities range from logging keystrokes to executing commands, stealing
credentials, and capturing microphones and webcams. The RC4 key and the
encrypted configuration data are kept in the resource section “SETTINGS” under
“RCData”. The configuration contains the C&C address, port, mutex name, and
encryption key for C&C communication.

Fig.3: Encrypted configuration in resource.

Fig.4: Decrypted configuration.

Remcos communicates over non-HTTP/S channels and ports using a custom protocol.
The bot can be configured to communicate in plain text, which makes it fairly
straightforward to detect C&C traffic. The custom protocol consists of the
header “[DataStart]”, followed by the size of the data, followed by the
exfiltrated data itself.



Fig.5: Data sent to C&C server in plain text.

However, in most cases the communication is encrypted using the RC4 algorithm
with a key present in the configuration. It is not possible to match signatures
in encrypted binary data. However, there is scope for heuristics-based
detection. Upon execution, Remcos sends system information to its C&C server,
and in return the server replies with commands to execute. As every request and
response is encrypted with the same symmetric key (so the RC4 keystream is the
same at the start of each message), the header “[DataStart]” always encrypts to
the same stream of bytes, in place of the header, across all communication
generated by the executable.



Fig.6: Data sent to C&C server as RC4 encrypted.

As an example, in the image above the 11-byte sequence “08 b4 de f6 84 27 70 9a
57 17 5e” appears in place of the header “[DataStart]”. This repeated 11-byte
pattern in requests and responses, combined with other heuristics such as
entropy and data-length limits, can be used to flag RC4-encrypted Remcos
traffic.
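As an added example (not code from the Zscaler post), the following Python shows why a fixed RC4 key turns the “[DataStart]” header into a constant 11-byte ciphertext prefix, and a heuristic that flags a flow when that prefix recurs across requests and responses. The key, the size encoding inside the frame, the message bodies and the length limit are constructed assumptions, not values from any real sample.

```python
# Added example (not from the Zscaler post): a fixed RC4 key turns the
# plaintext header "[DataStart]" into a constant 11-byte ciphertext prefix.
# The heuristic below flags a flow whose messages share that opaque prefix.
# Key, size encoding and message bodies are constructed for the demo.
from collections import Counter

HEADER = b"[DataStart]"      # 11-byte plaintext marker named in the post
PREFIX_LEN = len(HEADER)     # 11


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA); used here only to build sample traffic."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def frame(body: bytes) -> bytes:
    """Constructed framing: header, decimal size, separator, body. The post
    only says header, size, data; the exact size encoding is an assumption."""
    return HEADER + str(len(body)).encode() + b"|" + body


def encrypted_flow(key: bytes, bodies):
    """Constructed bidirectional flow: every message is RC4-encrypted under
    the same key, so each one restarts the same keystream."""
    return [rc4(key, frame(b)) for b in bodies]


def repeated_prefix(messages, min_repeats=3):
    """Most common PREFIX_LEN-byte message prefix if it occurs at least
    min_repeats times, else None. A fixed header under a fixed RC4 key gives
    an identical ciphertext prefix on every message; properly keyed encrypted
    protocols do not repeat their leading bytes this way."""
    counts = Counter(m[:PREFIX_LEN] for m in messages if len(m) >= PREFIX_LEN)
    if not counts:
        return None
    prefix, n = counts.most_common(1)[0]
    return prefix if n >= min_repeats else None


def flag_remcos_like(messages, min_repeats=3, max_len=65535):
    """Heuristic verdict: a repeated opaque prefix across messages, with every
    message inside an assumed data-length limit."""
    if repeated_prefix(messages, min_repeats) is None:
        return False
    return all(len(m) <= max_len for m in messages)


if __name__ == "__main__":
    key = b"constructed-rc4-key"   # constructed, not a real Remcos key
    bodies = [b"host=WS01;user=alice", b"screenshot-chunk-1",
              b"keylog:abc", b"cmd:ok"]
    flow = encrypted_flow(key, bodies)
    print("shared prefix:", repeated_prefix(flow).hex())
    print("flagged:", flag_remcos_like(flow))
```

The shared prefix equals the header XORed with the first 11 keystream bytes, which is why it differs per key but is identical for every message under one key.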



CRIMSON RAT

Crimson RAT has been favored by threat actors for targeted attacks on
governments and organizations in the financial, healthcare, and space technology
sectors. In 2016, it was found to be used in targeted attacks against Indian
diplomatic and military resources. Last year, we found it targeting Indian
financial institutions. Crimson is typically delivered to the victim via a
phishing email containing a malicious .doc file or link to a malicious
executable.



Fig.7: Data sent to C&C server.


NETWIRE RAT

The NetWire RAT is a malicious tool that emerged almost a decade ago and has
been updated many times since. NetWire has been detected in various campaigns
such as Hydrojiin and in advanced persistent threat (APT) attacks including
SilverTerrier and The White Company. Typically, the NetWire RAT is downloaded
as a second-stage payload onto systems already compromised by other malware
such as GuLoader. It has also been found to be delivered via exploit kits.

NetWire communicates over TCP using a custom protocol, and the communication is
AES-encrypted. Each packet begins with the data length, followed by one command
byte, followed by the data. The initial packet sends a 32-byte seed value and a
16-byte IV, which together with a hardcoded password in the binary are used to
generate the AES key. The C&C server generates a session key from this
information.



Fig.8: Data sent to C&C server as AES encrypted.

As the communication is AES-encrypted, it is not possible to scan for signature
patterns in it. However, the initial packet carries enough information to flag
the traffic as NetWire C&C communication.


ASYNCRAT

AsyncRAT is an open-source RAT designed to remotely monitor and control other
computers through a secure, encrypted connection. AsyncRAT provides
functionality such as a keylogger, screen viewer, command execution, and much
more. Because of its secure communication, AsyncRAT is used for malicious
purposes by cybercriminals and has been weaponized in APT campaigns such as
"Operation Spalax." AsyncRAT has been found to be delivered via various methods
such as spear-phishing, malvertising, and exploit kits.

AsyncRAT communicates over secure TCP channels. As the custom certificate is
carried in the binary itself and matched against the C&C certificate
(certificate pinning), it is not possible to strip the TLS layer at the
proxy/gateway level. However, such custom certificates can be filtered out and
the communication blocked by other preventive controls.

Fig.9: Server certificate having subject and issuer name as “AsyncRAT Server”.

QUASAR RAT

Quasar is an open-source RAT that has been observed being used maliciously by
cybercriminals and APT actors including “Gorgon Group” and “Patchwork”. Its
features include remote desktop, keylogging, password stealing, and many more.
Quasar encrypts communications using the AES algorithm with a pre-shared key
hardcoded in the client binary. It is not possible to scan for signature
patterns in AES-encrypted traffic. However, the distinctive characteristics of
the encrypted data packets can be leveraged to flag Quasar's AES-encrypted
traffic.



Fig.10: Data sent to C&C server as AES encrypted.

The distinctive first 4 bytes of the payload can be used to identify Quasar
traffic. Specifically, they identify the first packet sent from the server to
the client after the TCP handshake, which initiates the server/client
authentication process. The first 4 bytes of that packet's TCP payload are
"40 00 00 00", the little-endian size of the data that follows.


AGENT TESLA RAT

The Agent Tesla RAT has been very active and prevalent. Over the last couple of
years, there have been huge ongoing phishing campaigns delivering Agent Tesla
RAT. Agent Tesla has evolved over time, varying its behavior from campaign to
campaign. Cybercriminals use this RAT to steal user credentials and spy on
victims through screenshots, keyboard logging, and clipboard capturing.
Credential stealing is supported across various software ranging from browsers
to mail clients, VPNs, and wallets.

Agent Tesla communicates with, and exfiltrates data to, its C&C server over
HTTP, FTP, SMTP, and the Telegram API. All collected data is encapsulated in an
HTML page, and that HTML page is sent to a C&C over one of the aforementioned
protocols.

For communication over FTP, the HTML page is sent as a file to an FTP C&C
server. The file name is generated in the format
“PW_<UserName>_<OS>_<Timestamp>.HTML”.



Fig.11: Data to be sent via FTP.

Fig.12: Exfiltration over FTP.

For communication over SMTP, the HTML page is sent as a mail body to the C&C
server. The mail subject is generated in format “PW_<UserName>/<ComputerName>”.



Fig.13: Exfiltration over SMTP.
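The FTP file-name and SMTP subject formats described above can be turned into a simple detection, as in this added Python example (not the post's own signature). The session transcripts are constructed; the timestamp format, which the post does not specify, is matched loosely as everything after the last underscore.

```python
# Added example (not the Zscaler post's own signature): match the Agent Tesla
# naming conventions the post documents in captured FTP commands and SMTP
# headers. FTP uploads are named PW_<UserName>_<OS>_<Timestamp>.HTML and SMTP
# messages carry the subject PW_<UserName>/<ComputerName>. Session lines below
# are constructed; the timestamp format is not given in the post and is
# matched loosely (anything after the last underscore before ".HTML").
import re

FTP_STOR_RE = re.compile(
    r"^STOR\s+(?:.*/)?PW_(?P<user>[^_/]+)_(?P<os>.+)_(?P<ts>[^_]+)\.HTML\s*$",
    re.IGNORECASE,
)
SMTP_SUBJECT_RE = re.compile(
    r"^Subject:\s*PW_(?P<user>[^/\s]+)/(?P<host>\S+)\s*$",
    re.IGNORECASE,
)


def match_ftp_stor(line: str):
    """Fields from an FTP STOR command naming an Agent Tesla report, else None."""
    m = FTP_STOR_RE.match(line.strip())
    return m.groupdict() if m else None


def match_smtp_subject(line: str):
    """Fields from an SMTP Subject header in Agent Tesla format, else None."""
    m = SMTP_SUBJECT_RE.match(line.strip())
    return m.groupdict() if m else None


def scan_session(lines):
    """Return (line_no, channel, fields) for every line that matches."""
    hits = []
    for n, line in enumerate(lines, 1):
        fields = match_ftp_stor(line)
        if fields:
            hits.append((n, "ftp", fields))
            continue
        fields = match_smtp_subject(line)
        if fields:
            hits.append((n, "smtp", fields))
    return hits


# Constructed FTP control-channel and SMTP session transcripts.
FTP_SESSION = [
    "USER dropuser",
    "PASS ********",
    "TYPE I",
    "STOR PW_alice_Windows 10_2021-05-05 10-22-31.HTML",
    "QUIT",
]
SMTP_SESSION = [
    "EHLO DESKTOP-01",
    "MAIL FROM:<bot@example.invalid>",
    "RCPT TO:<drop@example.invalid>",
    "DATA",
    "Subject: PW_alice/DESKTOP-01",
    "Content-Type: text/html",
    ".",
]

if __name__ == "__main__":
    for hit in scan_session(FTP_SESSION + SMTP_SESSION):
        print(hit)
```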



CYBERGATE RAT

CyberGate allows an attacker to browse and manipulate files, devices, and
settings on the victim's machine as well as download and execute additional
malware. It also has a wide range of information-stealing abilities including
browser credential theft, keylogging, screen capture, and remote enabling of
webcams.

The CyberGate RAT communicates over TCP using a custom protocol. CyberGate
collects information according to the command received from the C&C server,
compresses the data with zlib, encrypts it with RC4 using a hardcoded key, and
then sends it to the C&C server.

Fig.14: Compressed and Encrypted data sent to C&C.

Packets begin with the data length, followed by a marker, then a newline
delimiter, followed by the encrypted data. To flag CyberGate RAT traffic, a
combination of data length, marker, and delimiter can be considered.


NANOCORE RAT

Though NanoCore RAT emerged almost a decade ago, it is still one of the most
prevalent RAT families, and multiple versions have appeared since then. NanoCore
RAT is modular malware that comes with plugin support to expand its
functionality. The basic plugins provide remote surveillance via remote
desktop, webcam monitoring, audio capture, etc. Additional plugins have been
found to be used for cryptocurrency mining, ransomware attacks, credential
stealing, and more. NanoCore RAT has been found to be delivered via phishing
emails containing .doc macros that load a NanoCore binary using fileless
infection techniques.

NanoCore communicates over TCP using a custom protocol and uses the DES
algorithm with a hardcoded key and IV value to encrypt the communication between
the bot and its C&C server. Each communication packet begins with a 4-byte data
length followed by DES-encrypted data of that length.



Fig.15: Encrypted data C&C communication

It is not possible to scan for patterns in DES-encrypted data. However, we
observed that the publicly available bot builder has no option for configuring
the DES key. Thus, all samples generated from this bot builder share the same
DES key, “722018788C294897”. As a result, some encrypted traffic is identical
across all bots generated using the publicly available bot builder. One such
command from the server is “is alive”, which is 0x600; encrypted with this key
it produces “c1 c3 d0 32 43 59 a1 78”.

However, other customized bot builders available underground allow the user to
configure the key. For more generic detection, we need to check heuristics such
as the data-length value against the TCP packet size and the entropy of the
data. The first response from the server is always 0x24 bytes in length, and
its first 4 bytes are always “20 00 00 00”. This response contains the GUID of
the plugins that the bot will load. The bot replies with 0x12 bytes of data that
always start with the 4-byte sequence “08 00 00 00”. These characteristics can
be leveraged for detection.

Fig.16: Fixed-length first response from C&C server.
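The Quasar and NanoCore first-packet fingerprints above, together with the length-field and entropy heuristics, as an added Python example (not the post's detection logic). The entropy threshold is an assumption, and every packet is constructed with deterministic byte ramps standing in for ciphertext.

```python
# Added example (not the Zscaler post's detection logic): heuristics for the
# 4-byte little-endian length-prefixed framing described for Quasar and
# NanoCore. It matches the documented first-packet shapes, checks the length
# field against the real payload size, and gates on entropy so that a
# plaintext protocol sharing a prefix by chance is not flagged. All packets
# below are constructed; real samples carry AES/DES ciphertext bodies.
import math
import struct

# Entropy gate for the bytes after the length field: an assumed threshold,
# not a value from the post.
MIN_BODY_ENTROPY = 4.5


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: random-looking ciphertext approaches 8.0, text is lower."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def le32_length(payload: bytes):
    """Little-endian 4-byte length prefix, or None if the payload is too short."""
    return struct.unpack("<I", payload[:4])[0] if len(payload) >= 4 else None


def length_matches(payload: bytes) -> bool:
    """Length field equals the number of bytes that follow it in this packet."""
    n = le32_length(payload)
    return n is not None and n == len(payload) - 4


def quasar_first_server_packet(payload: bytes) -> bool:
    """First server->client packet after the TCP handshake: '40 00 00 00'
    (size 0x40, little endian) with exactly that many bytes following."""
    return payload[:4] == b"\x40\x00\x00\x00" and length_matches(payload)


def nanocore_handshake(server_first: bytes, bot_reply: bytes) -> bool:
    """Server's fixed 0x24-byte first response with prefix '20 00 00 00'
    (plugin GUID), answered by the bot's 0x12-byte reply starting
    '08 00 00 00'. Only the shapes stated in the post are checked; the
    per-message length rule is not applied to the reply, whose length
    field does not cover all 0x12 bytes."""
    return (len(server_first) == 0x24
            and server_first[:4] == b"\x20\x00\x00\x00"
            and len(bot_reply) == 0x12
            and bot_reply[:4] == b"\x08\x00\x00\x00")


def classify_exchange(server_first: bytes, client_reply: bytes = b"") -> str:
    """Label the first server packet (and the client's answer, where needed)."""
    if nanocore_handshake(server_first, client_reply):
        return "nanocore-like"
    if (quasar_first_server_packet(server_first)
            and shannon_entropy(server_first[4:]) >= MIN_BODY_ENTROPY):
        return "quasar-like"
    return "unknown"


# Constructed packets: deterministic byte ramps stand in for ciphertext.
QUASAR_SERVER_FIRST = b"\x40\x00\x00\x00" + bytes(range(0x40))
NANOCORE_SERVER_FIRST = b"\x20\x00\x00\x00" + bytes(range(0x20))
NANOCORE_BOT_REPLY = b"\x08\x00\x00\x00" + bytes(range(0x12 - 4))

if __name__ == "__main__":
    print(classify_exchange(QUASAR_SERVER_FIRST))
    print(classify_exchange(NANOCORE_SERVER_FIRST, NANOCORE_BOT_REPLY))
    print(classify_exchange(b"HTTP/1.1 200 OK\r\n"))
```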



GH0ST RAT

Gh0st is an open-source RAT that has been observed being used maliciously by
cybercriminals and APT actors such as “TA459” and “APT18”. Its features include
remote desktop, logging keystrokes, stealing credentials, capturing microphone
and webcam, and many more. The source code of Gh0st RAT is publicly available
and attackers have customized it to suit their needs, so many variants have
been discovered.

Gh0st communicates over a custom protocol on TCP. It uses a sequential
byte-by-byte encryption algorithm to encrypt communication with the C&C server.
Upon execution, it collects system data such as system information, version,
processor description, installed antivirus, etc. A marker and the data length
are then prepended to this data. Finally, the collected data is encrypted by
applying a single-byte XOR and SUB operation to each byte.

Fig.17: Collected data before encryption and after encryption.

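As an added example (not Zscaler's or Gh0st's code), the following Python models the per-byte XOR and SUB transform described above and renders the byte_extract/byte_test chain of the Gh0st rule from the SNORT RULES section as a function. The key constants and the sample buffer are constructed for illustration; the real layout of the Gh0st header is not reproduced here.

```python
# Constructed key constants for illustration; real samples use their own values.
XOR_KEY = 0x5A
SUB_KEY = 0x1F


def gh0st_encode(plain: bytes, xor_key: int = XOR_KEY, sub_key: int = SUB_KEY) -> bytes:
    """Single-byte XOR followed by SUB on every byte, as the post describes."""
    return bytes(((b ^ xor_key) - sub_key) & 0xFF for b in plain)


def gh0st_decode(cipher: bytes, xor_key: int = XOR_KEY, sub_key: int = SUB_KEY) -> bytes:
    """Inverse transform: ADD the constant back, then XOR."""
    return bytes((((b + sub_key) & 0xFF) ^ xor_key) for b in cipher)


def matches_gh0st_rule(payload: bytes) -> bool:
    """Python rendering of the byte_extract/byte_test chain in the Gh0st rule.

    The rule compares payload bytes with each other (offset 10 against 11, 12,
    13 and 15; the dword at 16 against 20, 24, 28 and against zero), never with
    fixed values, so any constant per-byte XOR/SUB keeps the relations intact.
    """
    if len(payload) < 32:
        return False
    marker = payload[10]
    if payload[11] == marker or payload[12] != marker or payload[13] != marker:
        return False
    if payload[15] == marker:
        return False
    dword = payload[16:20]
    if dword == b"\x00\x00\x00\x00":
        return False
    return payload[20:24] == dword and payload[24:28] == dword and payload[28:32] == dword


# Constructed plaintext shaped so the rule's relations hold: byte 10 repeats at
# offsets 12 and 13 but not at 11 and 15, and the dword at 16 repeats three times.
SAMPLE_PLAIN = bytes([0] * 10 + [0x00, 0x01, 0x00, 0x00, 0x00, 0x02]) + b"\x44\x33\x22\x11" * 4
SAMPLE_CIPHER = gh0st_encode(SAMPLE_PLAIN)

if __name__ == "__main__":
    print(SAMPLE_CIPHER.hex())
    print("rule matches ciphertext:", matches_gh0st_rule(SAMPLE_CIPHER))  # True
    print("round trip ok:", gh0st_decode(SAMPLE_CIPHER) == SAMPLE_PLAIN)  # True
```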
NJRAT

Discovered almost a decade ago, njRAT, also known as Bladabindi, is the most
active and prevalent remote access trojan. It allows attackers to conduct
surveillance and control the victim's computer. Its features include remote
desktop, keystroke logging, credential theft, microphone and webcam capture,
and many more. njRAT is mostly delivered via phishing email campaigns carrying
malicious Word document attachments. It has also been delivered masquerading as
a legitimate application installer uploaded to file-sharing services, luring
victims via drive-by download campaigns.

Since the leak of its source code in 2013, njRAT has been widely adopted by
cybercriminals and APT actors including Gorgon Group and APT41. Numerous
variants have been detected over the years. Some variants communicate over
standard HTTP, and others over custom protocols on TCP. The packet begins with
the data length as a null-terminated decimal string, followed by the command,
then a delimiter, and finally the exfiltrated data.

Fig.18: Fixed-length first response from C&C server.

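As an added example (not Zscaler's or njRAT's code), the following Python parses the text framing described above, decimal length, NUL, command, delimiter, data, and applies the checks of the first NjRat rule from the SNORT RULES section. Two assumptions are labelled in the code: the length counts the bytes after the NUL, and the delimiter byte is "|" (the post does not name it); the sample frame is constructed.

```python
import base64
import re
from typing import Optional, Tuple

# Header as in the rules' pcre: 1-3 decimal digits, a NUL, then the command.
HEADER_RE = re.compile(rb"^(\d{1,3})\x00(\w+)")
# Anchored form of the rules' base64 pattern. The rule's own pcre is unanchored
# and also matches an empty string, so in the rule it adds no constraint.
B64_RE = re.compile(rb"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$")
DELIM = b"|"  # assumed delimiter byte; not named in the post


def build_frame(cmd: str, data: bytes, delim: bytes = DELIM) -> bytes:
    """<decimal length>\\x00<command><delimiter><data>; length covers the body."""
    body = cmd.encode("ascii") + delim + data
    return str(len(body)).encode("ascii") + b"\x00" + body


def parse_frame(payload: bytes, delim: bytes = DELIM) -> Optional[Tuple[str, bytes]]:
    """Return (command, data) when framing and declared length hold, else None."""
    m = HEADER_RE.match(payload)
    if not m:
        return None
    body = payload[m.end(1) + 1:]             # everything after the NUL
    if int(m.group(1)) != len(body):          # assumed length semantics
        return None
    cmd = m.group(2)
    rest = body[len(cmd):]
    if not rest.startswith(delim):
        return None
    return cmd.decode("ascii"), rest[len(delim):]


def decode_exfil(data: bytes) -> Optional[bytes]:
    """Decode the data field if it is well-formed base64, else None."""
    if len(data) % 4 or not B64_RE.match(data):
        return None
    return base64.b64decode(data)


def matches_inf_rule(payload: bytes) -> bool:
    """Content and header-pcre checks of the '|00|inf' NjRat rule (offset 3, depth 4)."""
    return (payload[3:7] == b"\x00inf"
            and re.search(rb"\d{1,3}\x00\w{1,3}", payload) is not None)


# Constructed sample: 96 bytes of fake host info, base64-encoded as exfil data.
SAMPLE_RAW = b"constructed victim info " * 4
SAMPLE_INFO = base64.b64encode(SAMPLE_RAW)
SAMPLE_FRAME = build_frame("inf", SAMPLE_INFO)   # starts "132\x00inf|..."
```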
COVERAGE

Zscaler’s multilayered cloud security platform detects indicators at various
levels.

The following are the Cloud IPS (non-HTTP/S) signatures that enable detection of
the above RATs:

Win32.Backdoor.RemcosRAT

Win32.Backdoor.NetwiredRC

Win32.Backdoor.CrimsonRAT

Win32.Backdoor.AsyncRAT

Win32.Backdoor.QuasarRAT

Win32.Backdoor.AgentTesla

Win32.Backdoor.Cybergate

Win32.Backdoor.Nanocore

Win32.Backdoor.Gh0stRAT

Win32.Backdoor.NjRat

CONCLUSION

All of the RATs discussed above communicate over custom, encrypted protocols
on TCP. When communication is encrypted, scanning network traffic for their
signature patterns is harder. However, we have discussed alternative ways to
flag RAT traffic based on heuristics of the encrypted data. Four properties
common to most non-HTTP/S RAT traffic are:

 1. Packets start with the length of the encrypted data: adding 4 to the
    little-endian value of the first 4 bytes gives the total length of the TCP
    data.
 2. The data following the length field has high entropy.
 3. The C&C server responds in the same packet format as the client.
 4. Server responses often have lengths in specific ranges, since they carry
    only commands.
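As an added example (not Zscaler's code), the following Python turns the four properties above into checks over a raw TCP payload and applies them to the Nanocore handshake described earlier (0x24-byte server response starting 20 00 00 00, bot reply starting 08 00 00 00, and the default-key “is alive” ciphertext from the post). Entropy is normalized to the maximum a buffer of that size can reach, so short command frames are not penalized; the sample frames and the server length range are constructed.

```python
import math
import struct
from collections import Counter

# From the post: ciphertext of the Nanocore "is alive" command under the
# default builder key, used here as a known-ciphertext comparison only.
NANOCORE_IS_ALIVE = bytes.fromhex("c1c3d0324359a178")


def normalized_entropy(data: bytes) -> float:
    """Shannon entropy scaled to 0..1 by log2(min(256, len)), the most a buffer
    of this size can score, so an 8-byte ciphertext is judged fairly."""
    n = len(data)
    if n < 2:
        return 0.0
    h = -sum(c / n * math.log2(c / n) for c in Counter(data).values())
    return h / math.log2(min(256, n))


def length_prefix_ok(payload: bytes) -> bool:
    """Property 1: little-endian dword at offset 0, plus 4, equals the TCP data length."""
    return len(payload) >= 4 and struct.unpack_from("<I", payload)[0] + 4 == len(payload)


def looks_like_rat_frame(payload: bytes, min_entropy: float = 0.9) -> bool:
    """Properties 1 and 2: length-framed, with a high-entropy body after the length."""
    return length_prefix_ok(payload) and normalized_entropy(payload[4:]) >= min_entropy


def same_format_exchange(client: bytes, server: bytes, server_range=(5, 64)) -> bool:
    """Properties 3 and 4: both directions framed alike and the server reply
    inside an expected length range (the default range is constructed)."""
    lo, hi = server_range
    return looks_like_rat_frame(client) and looks_like_rat_frame(server) and lo <= len(server) <= hi


def nanocore_first_response(payload: bytes) -> bool:
    """Server's first response: 0x24 bytes starting with 20 00 00 00."""
    return len(payload) == 0x24 and payload[:4] == b"\x20\x00\x00\x00"


def nanocore_default_key_is_alive(payload: bytes) -> bool:
    """Bot reply starting 08 00 00 00 that carries the default-key ciphertext."""
    return payload == b"\x08\x00\x00\x00" + NANOCORE_IS_ALIVE


# Constructed sample frames: 32 distinct bytes stand in for DES ciphertext.
SAMPLE_SERVER = b"\x20\x00\x00\x00" + bytes(range(0x40, 0x60))
SAMPLE_CLIENT = b"\x08\x00\x00\x00" + NANOCORE_IS_ALIVE
```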


SNORT RULES

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Zscaler
Win32.Backdoor.CrimsonRat - CNC command"; flow:established,to_client;
content:"|00 00 00 00|"; offset: 1; depth: 4;
pcre:"/\x00\x00\x00\x00(thumb|filsz|rupth|dowf|endpo|scrsz|cscreen|dirs|stops|scren|cnls|udlt|delt|afile|listf|file|info|runf|fles|dowr|info|fldr)+=/";
classtype:trojan-activity; reference:url,https://research.zscaler.com;) 

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Zscaler
Win32.Backdoor.NetWiredRC - Check-in request"; flow:established,to_server;
dsize:69; content:"|41 00 00 00 99|"; offset:0; depth:5;
flowbits:set,ZS.NetwireRAT.Client; flowbits:noalert; metadata:
classtype:trojan-activity; reference:url,https://research.zscaler.com;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Zscaler
Win32.Backdoor.NetWiredRC - Check-in response"; flow:established,to_server;
dsize:5; content:"|3f 00 00 00 9b|"; flowbits:isset,ZS.NetwireRAT.Client;
metadata: classtype:trojan-activity;
reference:url,https://research.zscaler.com;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Zscaler
Win32.Backdoor.AsyncRAT - Malicious SSL Cert"; flow:established,to_client;
content:"|16 03 01|"; offset:0; depth:3; content:"AsyncRAT"; distance:0;
fast_pattern; classtype:trojan-activity;
reference:url,https://research.zscaler.com;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Zscaler
Win32.Backdoor.QuasarRAT - CNC response header"; flow:established,to_client;
dsize:68; content:"|40 00 00 00|"; offset: 0; depth: 4;
classtype:trojan-activity; reference:url,https://research.zscaler.com;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Zscaler
Win32.Backdoor.AgentTesla CNC via FTP/SMTP"; flow:established,to_server;
content:"|3C|html|3E|Time|3A|"; content:"|3C|br|3E|User Name|3A|";
content:"|3C|br|3E|Computer Name|3A|"; distance: 0; content:
"|3C|br|3E|OSFullName|3A|"; distance: 0; content:"CPU|3A|"; distance: 0;
content:"|3C|br|3E|RAM|3A|"; distance: 0; content: "URL|3A|"; distance: 0;
content: "Application|3A|"; distance: 0; classtype:trojan-activity;
reference:url,https://research.zscaler.com;)

alert tcp $HOME_NET any -> any any (msg:"Zscaler Win32.Backdoor.CyberGate - Data
Exfiltration"; flow:established,to_server; dsize:40<>300;
pcre:"/\d{2,3}[#$]{4,6}\x0d\x0a/"; content:"|23 23 24 23 23 0d 0a|";
classtype:trojan-activity; reference:url,https://research.zscaler.com;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Zscaler
Win32.Backdoor.Nanocore Pulse check"; flow:established,to_server; dsize:12;
content:"|08 00 00 00|"; offset: 0; depth: 4; content:"|c1 c3 d0 32 43 59 a1
78|"; distance:0; within:8; classtype:trojan-activity;
reference:url,https://research.zscaler.com;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Zscaler
Win32.Backdoor.Nanocore - Generic C&C command (request)";
flow:established,to_server; flowbits:isset,ZS.NanocoreGen; dsize:12;
content:"|08 00 00 00|"; offset:0; depth:4; byte_test:1,!=,0,5,relative; 
reference:url,https://zscaler.com;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Zscaler
Win32.Backdoor.Nanocore - Generic C&C command (response)";
flow:established,to_client; flowbits:noalert; flowbits:set,ZS.NanocoreGen;
content:"|20 00 00 00|"; offset:0; depth:4; byte_test:1,!=,0,5,relative;
dsize:36; reference:url,https://zscaler.com;)

alert tcp any any -> any any (msg:"Zscaler Win32.Backdoor.Gh0stRAT - Possible
Data Exfil activity"; flow:to_server,established; byte_extract:1,10,varbyte;
byte_test:1,!=,varbyte,11; byte_test:1,=,varbyte,12; byte_test:1,=,varbyte,13;
byte_test:1,!=,varbyte,15; byte_extract:4,16,vardword;
byte_test:4,=,vardword,20; byte_test:4,=,vardword,24; byte_test:4,=,vardword,28;
byte_test:4,!=,vardword,0; sid:8000031; classtype:trojan-activity;
reference:url,https://research.zscaler.com;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Zscaler Win32.Backdoor.NjRat
- Data Exfil activity"; flow:to_server,established; content:"|00|inf"; offset:3;
depth:4; pcre:"/\d{1,3}\x00\w{1,3}/";
pcre:"/(?:[A-Za-z0-9+\/]{4})*(?:[A-Za-z0-9+\/]{2}==|[A-Za-z0-9+\/]{3}=)?/";
flowbits:isset,ZS.njrat; flowbits:unset,ZS.njrat; classtype:trojan-activity;
reference:url,https://research.zscaler.com;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Zscaler Win32.Backdoor.NjRat
- Data Exfil activity"; flow:to_server,established; content:"|00|ll"; offset:3;
depth:3; pcre:"/^\d{1,3}\x00/";
pcre:"/(?:[A-Za-z0-9+\/]{4})*(?:[A-Za-z0-9+\/]{2}==|[A-Za-z0-9+\/]{3}=)?/";
flowbits:set,ZS.njrat; flowbits:noalert; classtype:trojan-activity;
reference:url,https://research.zscaler.com;)


AUTHORS

ANIRUDDHA DOLAS
MOHD SADIQUE
MANOHAR GHULE

©2022 Zscaler, Inc. All rights reserved. ZscalerTM and Zero Trust ExchangeTM are
either (i) registered trademarks or service marks or (ii) trademarks or service
marks of Zscaler, Inc. in the United States and/or other countries. Any other
trademarks are the properties of their respective owners.