vebula logo
MALWARE AS A SERVICE OPERATION USING DCRAT & ASYNC-RAT
Threat Intelligence
11 days ago
3 min read

MALWARE AS A SERVICE OPERATION USING DCRAT & ASYNC-RAT

Nathaneal MeththanandaCEO & Founder of ZavenTrek Offensive Security Consultant
MALWARE AS A SERVICE OPERATION USING DCRAT & ASYNC-RAT
Our Threat Hunting Framework has identified critical intelligence regarding an active Malware-as-a-Service (MaaS) operation. Leveraging advanced analytics and real-time data correlation, the framework detected and traced malicious infrastructure associated with this operation. 

Intelligence

ops1.png
ops1.png

Two malicious IP addresses have been identified, indicating the hosting and operation of Remote Access Trojans (RATs). This discovery highlights the presence of malicious infrastructure actively supporting unauthorized remote access activities.

Initial Investigation

Leveraging the capabilities of Censys, our analysts initiated a comprehensive investigation to trace the entirety of the malware infrastructure. By analyzing network patterns and asset associations, they were able to map the malicious ecosystem, providing critical insights into its architecture and operational reach.

ops2.png
ops2.png

Through the search engine platform, analysts observed anomalous open ports and labels such as 'DcRat' and references to other Remote Access Trojans (RATs).

Further analysis revealed an operational oversight by the threat actor, where the Common Name (CN) field in the SSL/TLS certificate contained their username, inadvertently exposing their identity.

ops3.png
ops3.png

With the username the analysts we able to find the github profile as well as the exact malware DCRAT in the repository.

ops4.png
ops4.png

Upon identifying the threat actor's portfolio website, analysts successfully uncovered communication channels associated with the individual, providing valuable opportunities to gain further insights into their operations.

ops5.png
ops5.png

Something didnt add up when the analysts so the below image in the DCRAT github repo.

ops6.png
ops6.png

So basically ‘qwqdanchun’ is not our threat actor but he is the main developer of this malware and is not responsible of the malware operation.

Advancing the malware as a Service Operation

In this operation, the threat actors utilized the Kodiak open-source Command and Control (C2) framework to generate payloads designed for embedding within the Remote Access Trojans (RATs). Among the recovered artifacts, analysts identified a batch script payload, offering critical insight into the adversary's tactics and techniques.

ops7.png
ops7.png

The powershell command which executes when the victim runs the batch script

ops8.png
ops8.png

Malware Analysis

Upon executing the batch script generated by the Kodiak framework, the payload initiates a connection to a specified domain to download additional malicious components, including a PDF file, another batch script named 'startuppp.bat,' and several ZIP archives. This activity highlights the multi-stage delivery mechanism employed by the threat actors. 

ops9.png
ops9.png

The domain the threat actors use to download the second stage payload into the victims machine.

ops10.png
ops10.png

Conclusion

The investigation revealed a sophisticated Malware-as-a-Service (MaaS) operation leveraging the Kodiak open-source Command and Control (C2) framework to deploy Remote Access Trojans (RATs) and associated payloads. Analysts uncovered critical intelligence, including the identification of malicious IP addresses, open ports with RAT indicators, and operational missteps by the threat actor, such as exposing their username in SSL/TLS certificate fields.

Furthermore, the threat actor’s infrastructure included a portfolio website and accessible communication channels, providing deeper insights into their operations. The payload analysis demonstrated a multi-stage infection strategy, involving the download of additional malicious files such as batch scripts, PDFs, and compressed archives.

These findings underscore the advanced tactics and adaptive methodologies employed by the threat actor, reinforcing the necessity of robust threat hunting and proactive security measures to mitigate such threats. This intelligence offers actionable insights to enhance organizational defenses and disrupt malicious operations effectively.

Related Posts