URL: https://labs.k7computing.com/index.php/pupy-rat-hiding-under-werfaults-cover/
PUPY RAT HIDING UNDER WERFAULT’S COVER

Posted by Saikumaravel, January 4, 2023
Remote Access Trojan



We at K7 Labs recently identified an interesting technique used by threat actors
to execute a Remote Admin Tool. WerFault.exe is the legitimate Windows Error
Reporting process. This blog describes how threat actors use that legitimate
WerFault.exe to execute Pupy RAT on the victim’s machine.

Figure 1: Execution flow




ANALYSIS OF BINARY


STAGE 1 – WERFAULT EXECUTION

Recently we came across an ISO image, "recent inventory & our specialties.iso",
from a Twitter feed. The ISO contains four files: a legitimate WerFault.exe, a
malicious DLL named faultrep.dll, a shortcut file named "recent inventory & our
specialties.lnk" and an XLS file named File.xls. The shortcut file has the same
name as the ISO image. When the victim opens that shortcut file, it uses the
scriptrunner.exe LOLBin via cmd to execute WerFault.exe from the ISO.

Figure 2: ISO & shortcut file




STAGE 2 – PUPY RAT LOADER

Faultrep.dll is the name of a DLL used by the genuine WerFault.exe, and it is
present in the default Windows system folder. When WerFault.exe starts executing
from the ISO, it loads the Faultrep.dll that sits beside it on the ISO instead,
which is the DLL side-loading technique. The malicious DLL carries a dummy export
function, WerpInitiateCrashReporting, matching the export of the original DLL.
This malicious Faultrep.dll is compiled in C.
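The execution chain in Stage 1 and the side-load in Stage 2 leave a distinctive trail in endpoint telemetry: WerFault.exe starting from a removable or mounted-ISO path (or parented by scriptrunner.exe / cmd.exe), and WerFault.exe loading faultrep.dll from anywhere other than the Windows system folder. The following is an added detection example, not K7 Labs' code. The event records are constructed and only model Sysmon-style process-creation (event 1) and image-load (event 7) fields; the drive letter E: for the mounted ISO is an assumption.

```python
"""Detection logic for the WerFault side-loading chain described above.

Added example, not K7 Labs' code. It walks constructed Sysmon-style records
(process creation = EventID 1, image load = EventID 7) and flags:
  1. WerFault.exe started from outside the Windows system folders, or
     parented by scriptrunner.exe / cmd.exe;
  2. WerFault.exe loading faultrep.dll from anywhere other than System32/SysWOW64.
Field names mirror Sysmon's, but the records themselves are constructed.
"""
from __future__ import annotations
import ntpath

SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
SUSPICIOUS_PARENTS = {"scriptrunner.exe", "cmd.exe"}


def _dirname_lower(path: str) -> str:
    return ntpath.dirname(path).lower().rstrip("\\")


def _basename_lower(path: str) -> str:
    return ntpath.basename(path).lower()


def check_process_create(ev: dict) -> list[str]:
    """Findings for an EventID 1 style record (process creation)."""
    findings: list[str] = []
    if _basename_lower(ev["Image"]) != "werfault.exe":
        return findings
    if _dirname_lower(ev["Image"]) not in SYSTEM_DIRS:
        findings.append(f"WerFault.exe run from non-system path: {ev['Image']}")
    if _basename_lower(ev.get("ParentImage", "")) in SUSPICIOUS_PARENTS:
        findings.append(f"WerFault.exe parented by {ev['ParentImage']}")
    return findings


def check_image_load(ev: dict) -> list[str]:
    """Findings for an EventID 7 style record (image load)."""
    findings: list[str] = []
    if _basename_lower(ev["Image"]) != "werfault.exe":
        return findings
    loaded = ev["ImageLoaded"]
    if _basename_lower(loaded) == "faultrep.dll" and _dirname_lower(loaded) not in SYSTEM_DIRS:
        findings.append(f"faultrep.dll side-loaded from {loaded}")
    return findings


def scan(events) -> list[str]:
    """Run both checks over a stream of records and collect the findings."""
    out: list[str] = []
    for ev in events:
        if ev["EventID"] == 1:
            out.extend(check_process_create(ev))
        elif ev["EventID"] == 7:
            out.extend(check_image_load(ev))
    return out


# Constructed sample events modelled on the chain in the post (ISO mounted as E:)
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\ScriptRunner.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 1, "Image": r"E:\WerFault.exe",
     "ParentImage": r"C:\Windows\System32\ScriptRunner.exe"},
    {"EventID": 7, "Image": r"E:\WerFault.exe", "ImageLoaded": r"E:\faultrep.dll"},
    # benign control: the genuine WerFault loading the genuine DLL
    {"EventID": 1, "Image": r"C:\Windows\System32\WerFault.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
    {"EventID": 7, "Image": r"C:\Windows\System32\WerFault.exe",
     "ImageLoaded": r"C:\Windows\System32\faultrep.dll"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Against the constructed stream the scan raises three findings, all on the ISO-based chain, and none on the genuine WerFault.exe control records; the same three conditions translate directly into a SIEM rule keyed on image path, parent image and loaded-module path.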

The DLL has a custom API-resolving function that takes two arguments: a DLL
hash and a function hash.

Figure 3: API Resolving



We noticed that this loader uses the same API-resolving function as GuLoader.
The DLLs resolved were kernel32 and advapi32.
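A resolver that takes a DLL hash and a function hash is annotated during analysis by reversing the hashing routine and precomputing hash-to-name tables for the exports of the DLLs involved. The block below is an added example, not K7 Labs' code and not the sample's hashing routine, which the post does not give; two common routines (ror13-add and djb2) stand in as candidates, the export lists are a constructed handful of names rather than real DLL export tables, and `identify_hash` shows the first step an analyst takes when only the constant is known.

```python
"""Annotating a hash-based API resolver during analysis.

Added example, not K7 Labs' code. The sample's real hashing routine is not
given in the post; ror13-add and djb2 are stand-in candidates (assumption).
Export lists are constructed, not read from kernel32.dll / advapi32.dll.
"""


def ror13_hash(name: str) -> int:
    """ROR-13 accumulate over ASCII bytes, 32-bit (candidate, not the sample's)."""
    h = 0
    for b in name.encode("ascii"):
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF
        h = (h + b) & 0xFFFFFFFF
    return h


def djb2_hash(name: str) -> int:
    """djb2, 32-bit (candidate, not the sample's)."""
    h = 5381
    for b in name.encode("ascii"):
        h = (h * 33 + b) & 0xFFFFFFFF
    return h


CANDIDATES = {"ror13": ror13_hash, "djb2": djb2_hash}

# Constructed export lists: a few names relevant to this loader.
EXPORTS = {
    "kernel32.dll": ["CreateThread", "VirtualAlloc", "LoadLibraryA",
                     "GetProcAddress", "CreateProcessA"],
    "advapi32.dll": ["SystemFunction032", "RegOpenKeyExA"],
}


def build_tables(hash_fn, exports=EXPORTS):
    """Precompute hash -> DLL name and, per DLL, hash -> export name."""
    dll_table = {hash_fn(dll): dll for dll in exports}
    func_tables = {dll: {hash_fn(n): n for n in names} for dll, names in exports.items()}
    return dll_table, func_tables


def resolve(dll_hash: int, func_hash: int, hash_fn=ror13_hash):
    """Mirror of the loader's resolver: (DLL hash, function hash) -> 'dll!func'."""
    dll_table, func_tables = build_tables(hash_fn)
    dll = dll_table.get(dll_hash)
    if dll is None:
        return None
    func = func_tables[dll].get(func_hash)
    return None if func is None else f"{dll}!{func}"


def identify_hash(observed: int, names=None):
    """Try each candidate routine against known names.

    Returns (routine label, matching name) or None. This is the step taken
    when a hash constant is visible in the binary but the routine producing
    it has not yet been reversed.
    """
    if names is None:
        names = [n for ns in EXPORTS.values() for n in ns] + list(EXPORTS)
    for label, fn in CANDIDATES.items():
        for n in names:
            if fn(n) == observed:
                return label, n
    return None


if __name__ == "__main__":
    print(resolve(ror13_hash("advapi32.dll"), ror13_hash("SystemFunction032")))
    print(identify_hash(djb2_hash("CreateThread")))
```

In practice the export lists come from the real DLLs' export directories and the candidate set is replaced by the routine lifted from the sample; the table-building and lookup logic stays the same.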

After resolving the APIs, the loader starts to serve its purpose. Using the
resolved CreateThread function, it creates two threads. The first thread opens a
lure Excel sheet named file.xls from the ISO.



Figure 4: First thread opening Excel sheet

While manually resolving the functions, we found that one of them was
SystemFunction032 from advapi32.dll. This function is undocumented on MSDN; on
further searching we found documentation in the Wine API. From that
documentation we understood that the function performs RC4 encryption and
accepts two arguments: the key and the data. On further analysis we found the
RC4 decryption routine, which is called with the data and a hard-coded string
as the key.

Figure 5: Second thread doing RC4 decryption



The data argument points to the address of the overlay. So we dumped the
encrypted overlay data and decrypted it with the key. After decrypting the
data, we confirmed from the magic bytes that it is a PE file.

Figure 6: RC4 Decryption



We dumped the decrypted output to a PE file. It was compiled with C & Python,
and we found that it is a Pupy RAT. This RAT is loaded into memory and executed
while WerFault.exe is running in the foreground.
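The two steps above, carving the overlay from the loader and RC4-decrypting it with the hard-coded key, then checking the magic bytes, can be reproduced outside the sample once the key is known, since SystemFunction032 is plain RC4. The following is an added example, not K7 Labs' code: the PE it operates on is constructed (a minimal header with one section, followed by an overlay made by RC4-encrypting a constructed payload that begins with MZ), and the key `K7-demo-key` is an assumption, not the sample's string.

```python
"""Carving and RC4-decrypting a PE overlay.

Added example, not K7 Labs' code. The key below is an assumption, not the
sample's hard-coded string, and the PE is constructed in build_demo_pe().
"""
import struct


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def overlay_offset(pe: bytes) -> int:
    """Start of the overlay: the highest PointerToRawData + SizeOfRawData in the
    section table. Anything past that point belongs to no section."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    num_sections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    sect_table = e_lfanew + 24 + opt_size
    end = 0
    for k in range(num_sections):
        # SizeOfRawData and PointerToRawData sit at +16 and +20 in each 40-byte entry
        raw_size, raw_ptr = struct.unpack_from("<II", pe, sect_table + 40 * k + 16)
        end = max(end, raw_ptr + raw_size)
    return end


def decrypt_overlay(pe: bytes, key: bytes):
    """Return (decrypted overlay, looks_like_pe); the second value is the MZ
    magic-byte check the post uses to confirm the result is an executable."""
    plain = rc4(key, pe[overlay_offset(pe):])
    return plain, plain[:2] == b"MZ"


# --- constructed sample ---------------------------------------------------
KEY = b"K7-demo-key"  # assumption, not the sample's key
PAYLOAD = b"MZ" + b"\x90" * 14 + b"constructed second-stage PE body"


def build_demo_pe(key: bytes = KEY, payload: bytes = PAYLOAD) -> bytes:
    """Minimal constructed PE: DOS header (e_lfanew = 0x40), COFF header with no
    optional header, one 16-byte section at file offset 0x80, then the overlay."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                      # 64 bytes
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 0, 0x22)   # 24 bytes
    # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, rest zero
    section = b".text\0\0\0" + struct.pack("<IIII", 0x10, 0x1000, 0x10, 0x80) + b"\0" * 16
    body = b"\xCC" * 0x10                                                   # section raw data
    return dos + coff + section + body + rc4(key, payload)


if __name__ == "__main__":
    sample = build_demo_pe()
    plain, ok = decrypt_overlay(sample, KEY)
    print(hex(overlay_offset(sample)), ok, plain[:16])
```

On a real loader the same `overlay_offset` walk locates the encrypted blob, and a wrong key shows up immediately as a failed MZ check rather than a plausible-looking PE.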

Figure 7: Decrypted PE file




STAGE 3 – PUPY RAT

Pupy RAT is an open-source, cross-platform Remote Admin Tool available on
GitHub. According to the sources, since 2013 it has possibly been used by APT33
and APT35 from Iran for cyber espionage operations, like the one discovered in
2020 that targeted a major European energy organisation.

Figure 8: Pupy RAT Github



It is executed from memory and, based on our analysis of the ReflectiveLoader
function, is capable of executing any PE file in memory, remotely. It tries to
make a C2 connection in the background while the victim believes WerFault is
running. Since the C2 was down at the time of analysis, the RAT was unable to
establish a connection to carry out any further malicious activity. As the XLS
sheet is in Chinese, we believe the victim is from China.

Figure 9: Pupy RAT C2 connection



We at K7 Labs provide detection against the latest threats, including this newer
variant of the loader. Users are advised to use a reliable security product such
as “K7 Total Security” and keep it up to date so as to safeguard their devices.


IOCS




Stage                          Filename                                 Hash                                K7 Detection Name
Stage 1 – WerFault Execution   recent inventory & our specialties.iso   D069812AA63B631897498621DE353519    Trojan ( 0059ce2b1 )
Stage 2 – Pupy RAT loader      faultrep.dll                             42A5798608F196CE7376CE196F4452FE    Trojan ( 0059ce2b1 )
Stage 3 – Pupy RAT             Decrypted PupyRAT                        F365A8BDFD9B39C4F8B9D99613818207    Trojan ( 0001140e1 )


C2

hxxp[://103[.79[.76[.40/


REFERENCES

https://twitter.com/SBousseaden/status/1603425101528956935





