ReverseRat Reemerges with a (Night)Fury: New Campaign and New Developments, Same Familiar Side-Actor
In early June 2021, Black Lotus Labs identified ReverseRat, a remote access trojan (RAT) operated by a suspected Pakistani actor that was targeting government and energy sector organizations in South and Central Asia. After publishing our initial research, we have continued to track this actor and recently uncovered an updated version of the ReverseRat agent, which we are calling ReverseRat 2.0.
Some of the more prominent modifications allowed for added functionality such as taking remote photos via webcams and retrieving files on USB devices inserted into the compromised machines. We also uncovered an updated version of the preBotHta loader file, which included new evasion techniques to counter Kaspersky or Quick Heal antivirus (AV) products, if either were detected on the host machine.
Lastly, we observed a new agent the actor referred to as NightFury, which was sideloaded with a legitimate Microsoft binary charmap.exe. Metadata from the campaign indicates that it began on June 28, 2021. Once the tools were deployed, we observed network telemetry from at least one government entity in addition to other targeted organizations located in Afghanistan, and to a lesser extent, Jordan, India and Iran.
ReverseRat 2.0 differs from its predecessor in three main ways. First, the AllaKore agent that was installed in parallel is now replaced by a new agent that runs before ReverseRat 2.0. The second is that ReverseRat 2.0 leverages new functionality and modified command calls from the original version, including commands relating to creating, listing and deleting registry keys. Finally, ReverseRat 2.0 adds new capabilities to take photos via webcams from infected machines and to steal files from USB connections.
Figure 1: Multi-step infection process observed in the campaign – updated for ReverseRat 2.0
Microsoft Shortcut File Retrieves preBotHta
In this campaign, the infection process began when a victim received a zip file that contained a Microsoft shortcut file (.lnk) posing as a PDF. If invoked by the user, the shortcut file downloaded an HTA file from a presumed compromised WordPress domain, hxxps://medizz[.]co/wp-content/base/phr/shareddocuments/Agenda/1.hta. The HTA file then decoded and executed preBotHta, which displayed a benign PDF file, as depicted in Figure 2. The PDF served as a decoy to distract the user as the shortcut file covertly executed the HTA file. One rather odd feature of the shortcut file was that it contained an unused PDF titled “Offense Security Kali Linux User Guide” that was not displayed during execution.
Once downloaded, the HTA deobfuscated and executed the first of two “preBotHta” loader files. The file checked for the presence of AV products that are installed on the host machine using Windows Management Instrumentation (WMI):
var WaMISeerviceObjective =
var WaMIQuueryReesult = WaMISeerviceObjective.ExecQuery(“Select * From AntiVirusProduct”, null, 48).
It then called the start function within the .NET file and its execution flow was altered depending on the AV products that were detected; in all cases, though, it loaded a decoy PDF document and then at least one, if not both, of the agents. The PDF titled “Agenda” appeared to be a briefing document with an agenda for a United Nations meeting on organized crime with a Microsoft Teams link. While the Teams link appears to be valid and uses the teams.windows.com domain, the document itself appears to have been fabricated as the UN Journal lists no such meeting on that topic.
Figure 2: Decoy United Nations briefing document
Once it was running in memory, the preBotHta file deleted itself and decompressed another file with the internal name “preBotHta” that was written to disk with the hardcoded path:
Figure 3: preBotHTA checks for the presence of AV products on the host machine
There were three possible infection paths depending on the AV detected:
- If “Kaspersky” was found in the detected AV list, preBotHta dropped both NightFury and ReverseRat 2.0. Notably, while ReverseRat 2.0 was dropped when Kaspersky was detected, it was not executed. We suspect this was to allow the actor to execute it in the future. The preBotHTA then copied the legitimate Windows binary charmap.exe from the system directory to C:\Windows\Tasks\ and decompressed the NightFury DLL passed to the first preBotHTA file from the HTA file, saving it as C:\Windows\Tasks\MSFTEDIT.dll. The valid C:\Windows\Tasks\charmap.exe was then executed using PowerShell, which sideloaded the malicious MSFTEDIT.dll.
- In the second path, “Quick” was searched for in the detected AV list. We believe this to be related to the Quick Heal security products. Quick Heal is based in India and fits the targeting that we have seen in previous campaigns. If “Quick” was found, the second preBotHta first launched NightFury as described above and then ReverseRat 2.0 via PowerShell from where it was dropped in C:\Windows\Tasks\Updater.hta.
Figure 4: Execution of charmap.exe in ExecuteCommandLine
- In the final path, the preBotHTA dropped both the new agent and ReverseRat 2.0. The preBotHTA also dropped, executed and finally deleted the file ‘regadd.bat’ that created a registry key to run charmap.exe:REG ADD “HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run” /V “Security Updater” /t REG_SZ /F /D “C:\Windows\Tasks\charmap.exe”. This allowed the threat actor to achieve persistence on the infected machine via the Run registry key. Upon reboot, the valid charmap.exe was executed, which in turn sideloaded the malicious MSFTEDIT.dll.
In all three paths, the function copyRunBat was called (lines 27, 36 and 44 in Figure 3) to drop the batch file C:\Windows\Tasks\run.bat, which executed the dropped ReverseRat 2.0 with the following commands:
@echo off\r\nstart /b mshta.exe “C:\\Windows\\Tasks\\Updater.hta”\r\nexit.
We hypothesize that during testing, the threat actor realized Kaspersky and Quick Heal products signatured and blocked certain aspects of the infection chain. Therefore, the threat actor added these different logic paths to avoid AV-specific detection and to ensure the ability to infect the targeted machines.
One of the files that was written to disk by the preBotHta file was named MSFTEDIT.dll; however, internal debug strings suggest that this was part of a project called NightFury, hence the name we’re using to refer to it. One interesting note is that the same project name “NightFury” was discovered in samples from a 2019 report by Seqrite called Operation SideCopy. Note the typo “NigthFury” in the file paths.
The new agent first checked for the existence of two .lnk files at the following file paths:
C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Security Updater.lnk
C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Updater.lnk.
If they were not present, the new agent created them. The first lnk file, “Security Updated.lnk”, dropped by NightFury executed the previously mentioned run.bat file:
C:\Windows\System32\cmd.exe /c start /b C:\Windows\Tasks\run.bat.
The second lnk file, “Windows Update.lnk”, called charmap.exe from the C:\windows\tasks folder which initiated the execution of the NightFury agent. The agent then initiated a “recv” call to the C2 located at 62.171.191[.]230:5310.
The response from the C2 dictated the subsequent action of the agent. Through debugging the executable, we identified that there were 20 pre-built functions; however, not all functions were utilized. In fact, eleven of them resulted in a loop and attempted to recontact the C2. This suggests that NightFury is still under development and is not yet fully implemented.
If NightFury received a response of 0x0, it collected information about the infected computer including computer name, username and Windows version information, and then sent the collected information to the C2.
Figure 5: Initial beacon to C2
NightFury then searched the computer for document files (txt, pdf, xlsx, xls, pptx, ppt, docx, doc, jpg, png, accdb, mdb) and put the file names and related metadata into a new file located at the path: C:\Users\<username>\AppData\Local\Temp\MVC\wordpress.in. It did the same for archive files (zip and rar) and saved the output to C:\Users\<username>\AppData\Local\Temp\MVC\rar.in. The format for the output was:
Filename | Last modified date | File creation date | File Size | Terminator(?)
In another case (response 0x01), NightFury sent the wordpress.in file containing the information for the document files to the C2. Many of the other functions relied on soliciting a response from the C2, which did not respond at the time of investigation. However, through debugging the agent, we were able to identify other commands that allowed for remote file transfers enabling the agent to download and execute additional payloads. Based upon the functionally detailed above, we suspect that this is a first stage agent, and that the threat actor has subsequent payloads at its disposal that allow for more functionality on targeted machines.
The ReverseRat 2.0
ReverseRat 2.0 leverages new and modified command calls from the original version. Where its predecessor called functions by numbers, ReverseRat 2.0 calls functions by command prompts such as, “list,” “run,” and so on. As before, when the agent was first executed it collected information about the host machine. However, one new function is that it attempted to take a picture of the host environment with the web camera, which was a feature not observed in the previous iteration. There was one other small change: it obtained the IP address information by querying the network interface rather than making a request to an external third-party site.
Data gathered about the host environment included:
- MAC address
- Physical memory on the device converted to MBs
- Information about the processor
- Max clock speed in GHz
- Data width converted to bits
- Name (e.g. Intel® Core™ i7-8569U CPU @ 2.80GHz)
- Manufacturer (e.g. GenuineIntel)
It also used the .NET framework to obtain the following:
- Computer name
- Operating system
- IP address
- Picture via the web camera
The updated agent called functions to create, list and delete registry keys, in addition to pulling a list of installed programs on the machine by querying the following path: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall.
Figure 6: ReverseRat 2.0 list of commands
Like the previous iteration of the agent, this version encrypted its communications with the C2, http://drigablockszip.sytes[.]net/, and used RC4 with the hardcoded key of express@dailyNews33. Finally, in addition to the functions listed in the core class of the binary, there was a class called ‘Changeforfun’ that housed functions related to handling USB devices connected to the infected machine which granted the actor the ability to steal documents stored on a USB drive inserted into an infected computer. Specifically, it looked for and uploaded files that had the following extensions:
If found, these files were sent back to the aforementioned C2 server.
Figure 7: ReverseRat 2.0 ‘Changeforfun’ functions
Black Lotus Labs Telemetry
Telemetry – Victim
Once we curated a list of indicators associated with this threat actor, we ran those and other indictors through our internal databases. Black Lotus Labs’ global visibility suggests that the campaigns associated with this threat actor were quite targeted. A small number of entities exhibited bi-directional communications with the identified nodes.
For this campaign, most of the organizations that exhibited signs of compromise were in Afghanistan, with a handful of targets in Jordan, India and Iran. We were able to identify one entity that was associated with a government organization. We do not believe that this list entails the totality of their operations, as some potential victims were associated with dynamic IP addresses, making it difficult to correlate those IP addresses to a single organization.
As we have noted in our prior blog, this threat actor has continued to deploy agents to expand functionality and implement new features to further evade detection. The most prominent example of evasion comes from the expansion of the logic paths in the preBotHta, which altered the flow and execution based upon AV products detected on the host machines. The actor continues to diversify its tool set and began implementing different techniques such as using different Microsoft binaries to sideload their agents. This allows the actor to wean off some open-source tools such as AllaKore. We continue to believe that this actor poses a threat to government and energy organizations in the South and Central Asia regions.
In order to combat this particular campaign, Black Lotus Labs null-routed the threat actor infrastructure across the Lumen global IP network and notified the affected organizations. Black Lotus Labs continues to follow this threat group to detect and disrupt similar compromises, and we encourage other organizations to alert on this and similar campaigns in their environments.
For additional IOCs such as file hashes associated with this campaign and this threat actor’s larger activity cluster, please visit our GitHub page.
If you would like to collaborate on similar research, please contact us on Twitter @BlackLotusLabs.
This content is provided for informational purposes only and may require additional research and substantiation by the end user. In addition, the information is provided “as is” without any warranty or condition of any kind, either express or implied. Use of this information is at the end user’s own risk. Lumen does not warrant that the information will meet the end user’s requirements or that the implementation or usage of this information will result in the desired outcome of the end user. All third-party company and product or service names referenced in this article are for identification purposes only and do not imply endorsement or affiliation with Lumen. This document represents Lumen products and offerings as of the date of issue.