LimeRAT Malware Analysis: Extracting Config


April 27, 2023 | The Hacker News | Malware / Cyber Threat Analysis

Remote Access Trojans (RATs) took third place among the most common malware types in ANY.RUN's Q1 2023 report, so it is highly likely that your organization is facing this threat.

While LimeRAT may not be the best-known RAT family, its versatility is what sets it apart. Capable of a broad spectrum of malicious activity, it excels not only at data exfiltration but also at building DDoS botnets and running crypto miners. Its compact footprint helps it slip past endpoint detection, making it a stealthy adversary. Interestingly, LimeRAT shares similarities with njRAT, which ANY.RUN ranked as the third most popular malware family by uploads during Q1 2023.

ANY.RUN researchers recently conducted an in-depth analysis of LimeRAT samples and managed to extract their configurations. In this article, we give a brief overview of that analysis.

Collected artifacts

SHA1:   14836dd608efb4a0c552a4f370e5aafb340e2a5d
SHA256: 6d08ed6acac230f41d9d6fe2a26245eeaf08c84bc7a66fddc764d82d6786d334
MD5:    d36f15bef276fd447e91af6ee9e38b28
SSDEEP: 3072:DDiv2GSyn88sH888wQ2wmVgMk/211h36vEcIyNTY4WZd/w1UwIwEoTqPMinXHx+i:XOayy

IPv4

IOC:         20(.)199.13.167:8080
Information: LimeRAT command-and-control server

Domain

IOC:         https://pastebin(.)com/raw/sxNJt2ek
Information: Pastebin is used by LimeRAT to hide its real command-and-control server

MITRE ATT&CK®

Tactic:      TA0005: Defense Evasion
Technique:   T1027: Obfuscated Files or Information
Information: The malware uses an obfuscator to strip method names, class names, etc.

Tactic:      TA0005: Defense Evasion
Technique:   T1027: Obfuscated Files or Information
Information: The malware uses Base64 to encode and decode data

Tactic:      TA0005: Defense Evasion
Technique:   T1027: Obfuscated Files or Information
Information: The malware uses AES to encrypt and decrypt data

ANY.RUN is running a limited-time offer to celebrate its 7th Cyberbirthday

ANY.RUN is an interactive cloud malware sandbox that can extract malware configurations automatically for multiple families, saving researchers time.

The service is celebrating its 7th anniversary and invites all researchers to try the advanced analysis features usually reserved for the Pro plan, completely free until May 5. This includes configuring the execution environment with Windows 8, 10, or 11.

If you find that ANY.RUN improves your malware analysis workflow, they also offer a limited promotion, available until May 5: get 6 or 12 months of free use when you sign up for an annual or two-year subscription, respectively.


Breaking the LimeRAT decryption algorithm

We will share a condensed version of the article here. For the full write-up and the more advanced parts of the analysis, visit ANY.RUN's blog if you want to learn more about the workflow they use.

Since the sample under review was written in .NET, the researchers used dnSpy to examine the code. It is immediately clear that obfuscation is in use:

Figure: Sample overview in dnSpy; note the use of obfuscation.

Closer inspection of the code reveals a class that looks like the malware configuration. Inside this class there is a field holding a Base64-encoded, encrypted string.

Figure: The class that appears to be the malware configuration.

Continuing through the code, the ANY.RUN researcher pinpoints the function responsible for decrypting the string. Using the "Read By" filter in dnSpy's Analyze view, they track which methods read the string, which turns up two. The first proved fruitless, but the second looks interesting:

Figure: The second X-ref is more interesting; it appears to feed our string into the WebClient.DownloadString method.

This method turns out to be responsible for the decryption. By examining it carefully, it is possible to reconstruct the process by which LimeRAT decrypts its configuration:

  1. Instances of RijndaelManaged and MD5CryptoServiceProvider are created. According to MSDN, RijndaelManaged is an obsolete implementation of the AES encryption algorithm (MITRE T1027), while MD5CryptoServiceProvider computes MD5 hashes.
  2. A 32-byte array, initialized with zeros, is created to hold the AES key.
  3. The key is generated by first computing the MD5 hash of a different string from the configuration class (in this analysis, that string is "20(.)199.13.167").
  4. The first 15 bytes of the computed hash, followed by its first 16 bytes again, are copied into the previously created array. The last element of the array remains zero.
  5. The derived key is assigned to the Key property of the RijndaelManaged instance, and its Mode property is set to CipherMode.ECB.
  6. Finally, the main string is Base64-decoded and decrypted with AES-256-ECB. (RijndaelManaged defaults to a 128-bit block size and PKCS#7 padding, so this is plain AES; a padding error on decryption is the usual sign that the wrong key string was hashed.)
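The six steps above as a runnable script. This is an added example, not code from the sample or from ANY.RUN: it mirrors the key derivation (MD5 digest copied to offsets 0 and 15 of a zeroed 32-byte array), the Base64 decode and the AES-256-ECB decryption exactly as described, and it sticks to the Python standard library, so a compact pure-Python AES decryptor stands in for pycryptodome, which is what you would normally reach for. limerat_decrypt(blob, key_string) takes the Base64 string from the configuration class and the exact string the sample hashes (here the C2 address, passed as it appears in the binary, without the defanging brackets). The page does not reproduce the sample's encrypted blob, so no ciphertext is embedded; the AES core can be checked against the FIPS-197 test vectors instead. Two practitioner notes follow from the layout: the 32-byte key carries only the 128 bits of one MD5 digest (bytes 15..30 repeat bytes 0..15 and byte 31 is always zero), and with ECB a wrong key string shows up as a PKCS#7 padding error rather than garbage output, which pkcs7_unpad reports explicitly.

```python
import base64
import hashlib


def _gmul(a, b):
    """Multiply two bytes in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1."""
    r = 0
    for _ in range(8):
        if b & 1:
            r ^= a
        a = ((a << 1) ^ (0x1B if a & 0x80 else 0)) & 0xFF   # xtime
        b >>= 1
    return r


def _build_sbox():
    """AES S-box: multiplicative inverse (a^254) followed by the affine transform."""
    sbox = []
    for a in range(256):
        inv = 1 if a else 0
        for _ in range(254 if a else 0):
            inv = _gmul(inv, a)
        s = inv
        for i in range(1, 5):                     # inv ^ rotl(inv,1) ^ ... ^ rotl(inv,4)
            s ^= ((inv << i) | (inv >> (8 - i))) & 0xFF
        sbox.append(s ^ 0x63)
    return sbox


SBOX = _build_sbox()
INV_SBOX = [SBOX.index(v) for v in range(256)]


def _expand_key(key):
    """FIPS-197 key schedule for a 16/24/32-byte key; returns Nr+1 16-byte round keys."""
    nk, nr = len(key) // 4, len(key) // 4 + 6
    words = [list(key[4 * i:4 * i + 4]) for i in range(nk)]
    rcon = 1
    for i in range(nk, 4 * (nr + 1)):
        t = list(words[i - 1])
        if i % nk == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]  # RotWord + SubWord
            t[0] ^= rcon
            rcon = _gmul(rcon, 2)
        elif nk > 6 and i % nk == 4:              # extra SubWord step for AES-256
            t = [SBOX[b] for b in t]
        words.append([words[i - nk][j] ^ t[j] for j in range(4)])
    return [sum(words[4 * r:4 * r + 4], []) for r in range(nr + 1)]


def _decrypt_block(round_keys, block):
    """Inverse cipher on one 16-byte block; state is column-major (index = row + 4*col)."""
    nr = len(round_keys) - 1
    s = [b ^ k for b, k in zip(block, round_keys[nr])]
    for rnd in range(nr - 1, -1, -1):
        s = [s[i % 4 + 4 * ((i // 4 - i % 4) % 4)] for i in range(16)]  # InvShiftRows
        s = [INV_SBOX[b] for b in s]                                   # InvSubBytes
        s = [b ^ k for b, k in zip(s, round_keys[rnd])]                # AddRoundKey
        if rnd:                                                        # InvMixColumns
            out = []
            for c in range(4):
                a0, a1, a2, a3 = s[4 * c:4 * c + 4]
                out += [_gmul(a0, 14) ^ _gmul(a1, 11) ^ _gmul(a2, 13) ^ _gmul(a3, 9),
                        _gmul(a0, 9) ^ _gmul(a1, 14) ^ _gmul(a2, 11) ^ _gmul(a3, 13),
                        _gmul(a0, 13) ^ _gmul(a1, 9) ^ _gmul(a2, 14) ^ _gmul(a3, 11),
                        _gmul(a0, 11) ^ _gmul(a1, 13) ^ _gmul(a2, 9) ^ _gmul(a3, 14)]
            s = out
    return bytes(s)


def aes_ecb_decrypt(key, data):
    """Raw AES-ECB decryption with no padding handling (CipherMode.ECB in .NET)."""
    if len(data) % 16:
        raise ValueError("ciphertext length is not a multiple of 16 bytes")
    rk = _expand_key(key)
    return b"".join(_decrypt_block(rk, data[i:i + 16]) for i in range(0, len(data), 16))


def pkcs7_unpad(data):
    """Strip the PKCS#7 padding RijndaelManaged applies by default; reject bad padding."""
    n = data[-1] if data else 0
    if not 1 <= n <= 16 or data[-n:] != bytes([n]) * n:
        raise ValueError("bad PKCS#7 padding: wrong key string or corrupted blob")
    return data[:-n]


def limerat_key(key_string):
    """Steps 2-4 above: MD5 of the key string at offsets 0 and 15 of a zeroed 32-byte array."""
    h = hashlib.md5(key_string.encode("ascii")).digest()
    key = bytearray(32)
    key[0:16] = h
    key[15:31] = h          # second copy overwrites byte 15 with h[0]; byte 31 stays 0
    return bytes(key)


def limerat_decrypt(b64_blob, key_string):
    """Steps 5-6 above: Base64-decode the config field, AES-256-ECB decrypt, unpad."""
    plaintext = aes_ecb_decrypt(limerat_key(key_string), base64.b64decode(b64_blob))
    return pkcs7_unpad(plaintext).decode("utf-8")
```

Usage is limerat_decrypt("<Base64 field from the config class>", "<key string>"); for the sample above the key string is the C2 address as stored in the binary. If you are working on a variant whose key string is not obvious, the MD5-copy layout in limerat_key is the fingerprint to look for in the decompiled decryptor: two Array.Copy calls of 16 bytes into a 32-byte buffer at offsets 0 and 15.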

Decrypting the string reveals a link to a Pastebin paste: https://pastebin(.)com/raw/sxNJt2ek. That paste holds the address of the LimeRAT command-and-control (C2) server:

Figure: LimeRAT's C2 found in the decrypted data.

Conclusion

We hope this brief overview of the LimeRAT configuration decryption process was useful to you. For a more comprehensive walkthrough, head over to the full article on the ANY.RUN blog, which gives additional context on each step and verifies the decryption process with CyberChef.

Also, remember that ANY.RUN is currently running a limited-time offer featuring subscription discounts and an expanded feature set for the free plan, including the ability to configure execution environments with Windows 8, 10, and 11. This offer ends on May 5.

This is an ideal opportunity to test ANY.RUN and determine whether it streamlines your workflow, or to get a subscription at an unbeatable price and benefit from significant time savings through static and behavioral analysis.

To learn more about this offer, visit the ANY.RUN Plans page.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.




