Malware posing as popular Windows tools

Article by Vishal Thakur

InfoSec researcher specialising in Incident Response and Malware Analysis.

There's an interesting new malware that is currently being distributed actively around the globe through phishing campaigns.

This malware is a Trojan RAT that poses as a version of the popular open-source archive utility PeaZip. The authors have copied the file information of the real program to make their binary look like a legitimate version of PeaZip. Careful analysis shows that this is in fact a Trojan RAT that is falsely advertised as PeaZip. In this article, we analyse this malware and discuss the findings. There are strong indicators that it is a re-packaged version of DarkComet RAT. We're calling this version PeaRAT for the purpose of this analysis.

In the past, a version of this malware has also targeted another popular piece of software, PE Explorer by Heaventools, which tells us that we're dealing with the same MalActor. We'll show how we made that connection later in this article.

Let's start by taking a look at the malware and the real software side-by-side. As you can see in the image comparison below, there is a lot more information in the malware config and most of it is copied from the original software to make it look legit.

[Image: side-by-side comparison of the two binaries]

[Image: config file of the malware]

Heaventools
As discussed at the start of this article, this malware has also targeted PE Explorer, a tool by Heaventools, in the past. It was packaged to look like PE Explorer and distributed through phishing campaigns.

[Image: malware packaged as a Heaventools software product]

The code we found in PeaRAT comes packed (the packer is ASProtect) and is visible only as encrypted data in the binary itself. When compared to the code of the malware posing as PE Explorer by Heaventools (also packed with ASProtect), we can see similarities in the code. Some of the data strings are identical, and the RCData of both binaries is the same. Here's an example:

[Image: RCData of both binaries]

PeaRAT
There are also enough indicators in the binary itself to suggest that the MalActor is Russian (or at least Russian-speaking). Here are some of the smiley icons that were extracted from the binary:

[Image: smiley icons extracted from the binary]

Now that we've established the connection between the past versions and history of the MalActor and the malware itself, it's time to start the analysis of this malware.

Let's take a look at a few of the interesting modules imported by this malware and the functions it uses from them.

User32.dll: GetKeyboardType, CreateWindowExA
Comctl32.dll: _TrackMouseEvent
Urlmon.dll: URLDownloadToFileA
Shell32.dll: ShellExecuteA
Winspool.drv: OpenPrinterA
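A small triage helper for listings like the one above, as an added example (this is not the author's tooling): it parses the plain "DLL line, then function lines" layout into a dictionary and flags combinations of imports that deserve a closer look, such as URLDownloadToFileA paired with ShellExecuteA, the classic download-and-run pairing. The rule set and the listing embedded in the script are constructed from the names in this article.

```python
"""Parse a DLL/function import listing and flag notable capability pairings.
Added example, not the author's tooling; rules and input are constructed."""
from collections import defaultdict

# Constructed input in the same layout as the listing in the article.
IMPORT_LISTING = """\
User32.dll
GetKeyboardType
CreateWindowExA

Comctl32.dll
_TrackMouseEvent

Urlmon.dll
URLDownloadToFileA

Shell32.dll
ShellExecuteA

Winspool.drv
OpenPrinterA
"""

# Hypothetical rule set: a rule fires only when every named import is present.
CAPABILITY_RULES = {
    "download-and-execute": {"URLDownloadToFileA", "ShellExecuteA"},
    "remote-file-download": {"URLDownloadToFileA"},
    "process-launch": {"ShellExecuteA"},
}


def parse_import_listing(text):
    """Return {dll_name_lowercase: [function, ...]} from the plain-text layout.

    A line ending in a module extension starts a new DLL group; every
    following non-blank line until the next module name is a function."""
    imports = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower().endswith((".dll", ".drv", ".ocx")):
            current = line.lower()
            imports.setdefault(current, [])
        elif current is not None:
            imports[current].append(line)
    return dict(imports)


def flag_capabilities(imports, rules=CAPABILITY_RULES):
    """Return the sorted names of rules whose required imports are all present."""
    present = {fn for fns in imports.values() for fn in fns}
    return sorted(name for name, needed in rules.items() if needed <= present)


def main():
    imports = parse_import_listing(IMPORT_LISTING)
    for dll, fns in imports.items():
        print(f"{dll}: {', '.join(fns)}")
    print("flags:", flag_capabilities(imports))


if __name__ == "__main__":
    main()
```

Import-based rules are a starting point for triage rather than a verdict: GetKeyboardType and _TrackMouseEvent, for instance, are ordinary imports in many legitimate GUI programs, which is why the rules above key on the download-and-execute pairing rather than on any single function.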

Code Analysis

Now let's take a quick look at the code and see how this malware executes.

The malware comes packed with ASProtect v1.0. After unpacking, the malware creates a child process, which is launched from the Music folder.

For the purpose of this analysis, we will work on this child process.

As you can see below, it uses the basic functions to get data into and out of the stack for further processing.

[Image: 2-getmessage]

We can also see the other usual RAT-like code: pushing values (time, date, etc.) onto the stack.

[Image: 3-time]

This is where it starts to get interesting. We can see a file being written to disk. We'll follow the code execution at this point and see where it leads.

[Image: 2-log-dc]

As you can see below, the file that we looked at in memory above is now on disk.

[Image: 3-log-dc]

And here are the file contents. You can see that this is a log of all the activity that took place on the computer!

[Image: 4-log-dc]

I have numbered the events in the image above. Let's take a look at them one by one:

  1. We launch the process through our debugger (Olly)
  2. A value is copied to the clipboard (this is me copying a regex to find IP addresses in the memdump)
  3. I'm trying to launch notepad from the start menu
  4. I run a string search on the memdump
  5. I save a file
  6. I open the properties of the malicious process

Pretty neat as far as RATs go!

Now let's take a look at the networking side of the code.
To extract the network IOC from this binary, we set a memory (read/write) breakpoint on the section holding the networking functions (WS2_32 in this case). When execution hits this region, the breakpoint triggers and we can see the C2 IP being written to memory.

[Image: 7-IP]

Once that code has executed, the values are passed on to the registers:

[Image: 8-IP-reg]

[Animated GIF: tcp] Follow the cursor in the GIF to see the flow of execution for the C2 callout.

And here's some more information that is pushed onto the stack (the function was discussed earlier in the article) for processing before it's ready to be accessed by the C2:

[Image: conn-time-date]
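Once a C2 endpoint has been recovered from a sample, the next step for a defender is to sweep connection logs for hosts that talked to it. The following is an added example (not the author's tooling) that does exactly that for the endpoint listed in this article's references, 95.140.125.42:1908. The log lines and their "timestamp src -> dst:port action" layout are constructed for the example and do not correspond to any particular product's format.

```python
"""Sweep connection-log lines for a known C2 endpoint.
Added example, not the author's tooling; log lines and format are constructed."""
import ipaddress
import re

# IOC taken from the article's references section ("C2: 95.140.125.42:1908").
C2_IOCS = {"95.140.125.42:1908"}

# Constructed sample lines in an assumed "timestamp src -> dst:port action" layout.
SAMPLE_LOG = """\
2017-03-01T10:01:02Z 10.0.0.15 -> 93.184.216.34:443 ALLOW
2017-03-01T10:01:09Z 10.0.0.22 -> 95.140.125.42:1908 ALLOW
2017-03-01T10:02:11Z 10.0.0.15 -> 95.140.125.42:443 ALLOW
2017-03-01T10:03:40Z 10.0.0.31 -> 95.140.125.42:1908 DENY
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)\s+(?P<action>\w+)$"
)


def parse_iocs(iocs):
    """Turn "ip:port" (or bare "ip") strings into (IPv4Address, port) pairs.

    The IP is validated by the ipaddress module; a missing port is stored as
    None and matches any destination port."""
    parsed = set()
    for ioc in iocs:
        ip, _, port = ioc.partition(":")
        parsed.add((ipaddress.IPv4Address(ip), int(port) if port else None))
    return parsed


def find_c2_hits(log_text, iocs=C2_IOCS):
    """Return [(timestamp, src_ip, action), ...] for lines whose destination
    matches an IOC. Denied connections are reported too: the attempt itself
    is the beacon, and the host still needs to be looked at."""
    wanted = parse_iocs(iocs)
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed layout
        dst = ipaddress.IPv4Address(m["dst"])
        port = int(m["port"])
        if any(dst == ip and (p is None or p == port) for ip, p in wanted):
            hits.append((m["ts"], m["src"], m["action"]))
    return hits


if __name__ == "__main__":
    for ts, src, action in find_c2_hits(SAMPLE_LOG):
        print(f"{ts} {src} contacted C2 ({action})")
```

Matching on the full ip:port pair keeps the sweep precise for the endpoint the analysis recovered; passing a bare IP widens it to any port, which is useful when the operator is suspected of rotating ports on the same server.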

Conclusion

This malware has been around for a while, under different versions. AV vendors are still not correctly identifying it. Even the older versions are identified as 'generic', 'Dynamer' or 'Barys', which really doesn't mean much more than that it's malicious.

As the MalActor tries to pass this malware off as legitimate software, it wouldn't be a surprise to see them target other companies' products.

It is a very clever move by the MalActor to package this malware as PeaZip. Since PeaZip is a well-known archive tool, it would be easy to bundle it with other malware in the same phishing email and ask the victims to use this fake PeaZip to unzip the other malware.

Always check the legitimacy of software before installing it (checking the hash is a good start) and keep your AV up to date.
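What "checking the hash" looks like in practice, as an added example that is not part of the original article: compute the installer's digests, refuse anything on a block list of known-bad hashes (here, the MD5 and SHA-256 of the sample from this article's references), and require the SHA-256 to match the value the vendor publishes. The file content and the published hash in the demo are constructed; the `write_sample` helper only exists so the script runs offline.

```python
"""Verify a downloaded installer before running it.
Added example, not the author's tooling; sample content is constructed and
the block-list entries are the hashes given in the article's references."""
import hashlib
import tempfile
from pathlib import Path

# Known-bad digests from the article (MD5 and SHA-256 of the PeaRAT sample).
KNOWN_BAD = {
    "cd1974c09f7171e19634de0e00d7efb7",
    "ccf07ed87ce33179ba77b74372818958a04236860738ce96993976493488e7b4",
}


def file_hashes(path, chunk_size=1 << 20):
    """Return {"md5": hex, "sha256": hex} for a file, streamed in chunks so
    large installers do not have to be read into memory at once."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def verify_download(path, published_sha256, block_list=KNOWN_BAD):
    """Return (ok, reason).

    ok is True only when no digest of the file is on the block list AND the
    SHA-256 equals the vendor-published value (compared case-insensitively)."""
    digests = file_hashes(path)
    if digests["md5"] in block_list or digests["sha256"] in block_list:
        return False, "known-bad sample"
    if digests["sha256"] != published_sha256.lower():
        return False, "hash mismatch with published value"
    return True, "ok"


def write_sample(content):
    """Write constructed bytes to a temporary file and return its path
    (helper for the offline demo and tests; not part of the check itself)."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(content)
        return Path(tmp.name)


if __name__ == "__main__":
    # Constructed download: the bytes b"abc" standing in for an installer.
    installer = write_sample(b"abc")
    # Constructed "published" value: this is simply the SHA-256 of b"abc".
    vendor_sha256 = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"
    print(file_hashes(installer))
    print(verify_download(installer, vendor_sha256))
    print(verify_download(installer, "00" * 32))
```

The block-list check runs before the vendor comparison on purpose: a file that matches a known-bad hash is rejected outright, even if someone has also tampered with the page that publishes the "expected" hash.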

References

The sample was taken from Virus Total:
https://www.virustotal.com/#/file/ccf07ed87ce33179ba77b74372818958a04236860738ce96993976493488e7b4/detection

Sample (MD5): CD1974C09F7171E19634DE0E00D7EFB7

C2: 95.140.125.42:1908

Sample phishing email:

[Image: sample phishing email]