LimeRAT Malware Analysis: Extracting Config
Remote Access Trojans (RAT) have taken the third leading position in ANY. RUN Q1 2023 report on the most common types of malware, so it is highly likely that your organization is facing this threat.
While LimeRAT may not be the most well-known RAT family, it’s versatility is what sets it apart. Capable of carrying out a broad spectrum of malicious activity, it excels not only in data exfiltration, but also in creating DDoS botnets and facilitating crypto mining. Its compact footprint allows it to circumvent endpoint detection systems, making it a stealthy enemy. Interestingly, LimeRAT shares similarities with njRAT, which ANY.RUN ranked as the third most popular malware family in terms of uploads during Q1 2023.
WHATEVER. RUN researchers recently conducted an in-depth analysis of the LimeRAT samples and managed to extract their configurations. In this article, we will provide a brief overview of the analysis.
Collected artifacts
|
SHA1 |
14836dd608efb4a0c552a4f370e5aafb340e2a5d |
|
SHA256 |
6d08ed6acac230f41d9d6fe2a26245eeaf08c84bc7a66fddc764d82d6786d334 |
|
MD5 |
d36f15bef276fd447e91af6ee9e38b28 |
|
SSDEEP |
3072:DDiv2GSyn88sH888wQ2wmVgMk/211h36vEcIyNTY4WZd/w1UwIwEoTqPMinXHx+i:XOayy |
IPv4:
| IOC | Information |
|
20(.)199.13.167:8080 |
LimeRAT Command and Control Server |
Domain:
| IOC | Information |
|
https://pastebin(.)com/raw/sxNJt2ek |
PasteBin is used by LimeRAT to hide its original Command and Control server |
MITER ATT&CK®
| Tactics | Technique | Information |
|
TA0005: Defensive Evasion |
T1027: Obfuscated Files or Information |
The malware uses the obfuscator to delete method names, class names, etc. |
|
TA0005: Defensive Evasion |
T1027: Obfuscated Files or Information |
The malware uses the Base64 algorithm to encode and decode data |
|
TA0005: Defensive Evasion |
T1027: Obfuscated Files or Information |
The malware uses the AES algorithm to encrypt and decrypt data |
ANY.RUN is running a limited time offer, celebrating the 7th Cyberbirthday
ANY.RUN is an interactive cloud malware sandbox that can extract malware configurations automatically for multiple families, saving researchers time.
The service celebrates its 7th anniversary and invites all researchers to try the advanced analysis features usually provided for the pro plan, completely free until May 5th. This includes configuring the execution environment with Windows 8, 10, or 11.
If you find that ANY.RUN improves your malware analysis workflow, they also offer a limited promotionavailable until May 5: get 6 or 12 months of free use when you sign up for an annual or bi-year subscriptioneach.
Breaking the LimeRAT decryption algorithm
We will share a condensed version of the article here. For a full search and advanced analysis, visit ANY. RUN’s blog if you’re interested in learning more about the workflow they use.
Since the sample under review was written in .NET, researchers used DnSpy to examine the code. Immediately, it’s clear that obfuscation techniques are being used:
 |
| Example overview on DnSpy; note that the use of obfuscation technique |
Closer inspection of the code reveals a class that resembles a malware configuration. Inside this class, there is a field that contains a base64 encoded and encrypted string.
 |
| Maybe, the malware configuration class |
Continuing to examine the code, the ANY.RUN researcher pinpoints the function responsible for decrypting the string. Using the “Read by” filter in DnSpy, they keep track of the method by which the string is being read, resulting in a total of two methods. The first method proved fruitless, but the second looks interesting:
 |
| The second X-ref is more interesting. It seems to use our string in the WebClient.DownloadString method |
This method turns out to be responsible for the decryption. By examining them carefully, it is possible to reconstruct the process by which LimeRAT decrypts its configuration:
- Example from Rijndael Managed And MD5CryptoServiceProvider instantiated class. MSDN compliant, Rijndael Managed is an obsolete implementation of the AES encryption algorithm (MITER T1027), when MD5CryptoServiceProvider calculate MD5 hashes.
- A 32-byte array, initialized with zeros, is created to store the AES key.
- The key is generated by first calculating the MD5 hash of the different strings in the configuration class (in our analysis, that string is “20(.)199.13.167”).
- The initial 15 bytes, followed by the first 16 bytes of the computed hash, are copied into the previously created array. The last element of the array remains null.
- The derived key is assigned to the from key property Rijndael Managed For example, while the Mode property is configured as CipherMode. ECB.
- In the end, the main string undergoes decoding via Base64 algorithm and decryption using AES256-ECB algorithm.
Decrypting the string reveals a link to the PasteBin record: https://pastebin(.)com/raw/sxNJt2ek. On this note, is the Command and Control (C2) LimeRAT server:
 |
| LimeRATs C2 found with decrypted data |
To complete
We hope that this brief overview of the LimeRAT configuration decryption process was useful to you. For a more comprehensive check, head over to full article on ANY.RUN blog, to get additional context on the steps and check the decryption process using CyberChef.
Also, remember that ANY. RUN is currently offering a limited time offer, featuring subscription discounts and an expanded feature set for the free plan, including the ability to configure execution environments with the Windows 8, 10, and 11 operating systems. This offer ends on May 5.
This is an ideal opportunity to test ANY.RUN and determine if it streamlines your workflow, or to get a subscription at an unbeatable price and reap the benefits of significant time savings through static and behavioral analysis.
To learn more about this offer, visit Plan ANY. RUN.
