This is the second of a 2-part blog about BlackNET RAT wherein the threat actors can use this tool to access the victim’s system from a Command and Control (C2) server. We have already explained a few interesting features of BlackNET RAT in Part-1 and have now got into the nuances of its other behaviours like disabling windows defender, updating the malware in the victim’s system, persistence technique used, stealing passwords & browser cookies and XMR Mining in here. Let us now look at them one by one. 

C&C Connection

When the malware is executed it connects to the C&C server and shares the compromised system’s information like system name, windows version, Anti-Virus product installed, user/admin privilege and the unique id (generated by the malware) for the victim’s system to the attacker as depicted in Figure 1.

Figure 1: Sharing system details

In Figure 2 we can see the Base64 encoded data (shared to the attacker’s server) when decoded shows all the computer information shared to the attacker. BlackNet RAT uses BN (BlackNet) as a separator in its decoded data.

Figure 2: Decoded data from network traffic

Here, the malware uses the “ManagementObjectSearcher” function and queries all the Anti-Virus names available in the system as depicted in Figure 3 and shares it with the attacker.

Figure 3: Detecting Anti-Virus present in the victim’s system

Command and Controller

Attacker uses a separate function called CommandController to operate the bot based on the instructions provided by the attacker. In Figure 4, value of ID is predefined as “Company” and HWD() function generates the hex value of the compromised system’s “volume serial number” to create a unique id for the victim’s system. This victim’s ID will be shared through GetCommand.php script,  available on the server domain. With that unique ID the attacker sends instructions to the bot file which are passed as arguments for the CommandController function as depicted in Figure 4 and few of the commands passed to the bot are depicted in Figure 5.

Figure 4: Code to receive instruction from attacker through C&C server

The commands are sent as a parameter to the CommandController function, one by one,  which then starts the respective attack as depicted in Figure 5.

Figure 5: Commands from the attacker to the victim via CommandController function

Malware Naming Convention

When the malware loads, it initially checks whether the victim’s system is listed in the C&C server’s blacklist data. If blacklisted, it removes all the footprints from the system and self destroys the file. If it is not blacklisted, the malware checks whether there is a file named “updatedpayload.exe” under temp folder to confirm whether the system is already infected and running with the updated malign features. If found, then the current running malware self destroys itself because there is already an updated BlackNet RAT running in the system. If not, then it checks whether the current running malware file name ends with “windows_update.exe” to find whether the running file is spread through USB or not. If the file name matches with windows_update.exe then it takes a copy of the file in the temp folder as “BlackNET.dat” as depicted in Figure 6.

Figure 6: Code to Check the file name

BlackNET RAT uses different name for different techniques like “windows_update.exe” for USB spread, “updatedpayload.exe” for the latest, updated client file and “Adobe photoshop cs.exe” for Dropbox spread. This is to compare the available file name against these names to check what type of propagation to be used to infect other systems as depicted in Figure 7.

Figure 7: Predefining the filename for USBSpread

Password Stealer

The attacker uses Fileless technique to execute the “PasswordStealer.dll” plugin from the C&C server using DownloadData API and is stored in an array of memory. Using the LoadDLL API the stored binary is executed with the Base64 encoded argument “RUN” and “PasswordStealer.Stealer” as depicted in Figure 8. The executed PasswordStealer.dll function stores all the stolen credentials in a text file, “Passwords.txt” under the temp folder that is forwarded to the attacker. 

Figure 8: StealPasswords function downloading and loading PasswordStealer.dll 

Stealing Browser Cookies

The attacker steals Mozilla Firefox cookies by searching the cookies.sqlite file name under “%appdata%\mozilla\Firefox\Profiles\”. If the file exists and the file size is greater than 0, the file is copied to “%temp%\cookies.sqlite” and uploaded to the attacker’s server as depicted in Figure 9.

Figure 9: Copying Mozilla Firefox cookies to temp folder

For collecting Chrome cookies, it checks for the cookies file under “%localappdata%\Google\Chrome\User Data\Default”. If available, it copies the file and places it in a temp folder and renames it as CookiesCh.sqlite and uploads it to the attacker’s server as depicted in Figure 10.

Figure 10: Copying Chrome cookies to temp folder

XMR Miner

This feature is used to mine cryptocurrency from the victim’s system. Attacker sends the instructions to the victim’s system as mentioned in Figure 11 and the malware file executes Runminer function using those arguments.

Figure 11: XMRMiner commands  passed from attacker’s server

RunMiner function runs only in the 64-bit operating system and proceeds to download the xmr.exe file from the server. It executes the downloaded xmr.exe file using the parameters poolURL, poolUsername, poolPassword, CPUPriority, CPUMaxTreadHint and mode. It then starts mining cryptocurrency from the victim’s system as depicted in Figure 12.

Figure 12: Downloading the XMRMiner from the attacker’s server

Disable Windows Defender

Attacker uses two methods to disable Windows Defender. The first method is through registry. In Figure 13, we can note that the attacker confirms whether the user has an administrator account. If yes, then the attacker disables Windows Defender by changing the following registry key values 

“HKLM\Software\Microsoft\Windows Defender\Features\TamperProtection” value to 0, “HKLM\Software\Policies\Microsoft\Windows Defender\DisableAntiSpyware” as 1, “HKLM\Software\Policies\Microsoft\Windows Defender\Real-time Protection\DisableBehaviourMonitoring” as 1, 

HKLM\Software\Policies\Microsoft\Windows Defender\Real-time Protection\DisableOnAccessProtection” as 1 and “HKLM\Software\Policies\Microsoft\Windows Defender\Real-time Protection\DisableScanOnRealtimeEnable” as 1. 

But this technique fails on the updated Microsoft Defender Antivirus version 4.18.2007.8, because after August 2020 Microsoft had discontinued the settings for disabling Windows Defender using registry.

Figure 13: Changing Windows Defender Registry Key Values

From then on, the attacker uses the second method of disabling Windows Defender through powershell. Attacker verifies the current status of Windows Defender on the victim’s system by executing powershell with “Get-MpPreference -verbose” argument in hidden windows style as depicted in Figure 14, which displays the preference for scanning and updating Windows Defender. 

Figure 14: Collecting Windows Defender preference using powershell 

Now the malware reads each line of the received cmdline output and compares it with the predefined string “DisableRealtimeMonitoring” and the boolean value “False”. If the string and the value matches, the attacker uses the Set-MpPreference command to change the values accordingly to disable the Windows Defender. For example, if DisableRealtimeMonitoring value is false then the malware changes the value as true to disable real time monitoring of Windows Defender’s feature as depicted in Figure 15.

Figure 15: Disabling Windows Defender feature using powershell

Updateclient

This is one of the important features of this BlackNET RAT which helps attackers to update the latest hostile technique available in BlackNET RAT to its malware bot existing on the victim’s system. It uninstalls the older version and downloads currently updated file from malicious domain and places it at the temp folder as “updatedpayload.exe” with hidden attributes to keep it stealth as depicted in Figure 16 and changes the registry run entry to the current file. Later it starts executing the updated malware to keep the victim’s system with updated malicious behaviour until victims realise any suspicious behavior on their system. 

Figure 16: Updating the malware

Persistence Technique

BlackNET RAT uses 2 common persistence techniques, one is Run entry in registry and the second one is scheduled task.

When the attacker calls the “AStartup()” function, it creates a sub-key under “HKCU\Software\Microsoft\Windows\currentVersion\Run” and links the malware in the temp folder to execute the file and Turn-ON as depicted in Figure 17.

Figure 17: Run Entry

In scheduled tasks, it creates an instance using schtasks.exe and instructs to execute the malware on starting the system as can be seen in Figure 18. It links the file path as “%temp%\Microsoft\Myclient\Windowsupdate.exe” 

Figure 18: Task Scheduler

Malware these days are keen on stealing information as nowadays data is money. However, BlackNET RAT goes a step further by monitoring its victims for lifetime, unless the victims find out about their system compromise. It is also capable of updating itself with  new features and  propagating itself to other machines using various techniques making it a threat that cannot be ignored easily. We therefore recommend  users to

  • Be vigilant about their activities while using social media applications and not to trust any anonymous URLs or endorsements.
  • Use a good and reputable Anti-Virus such as “K7 Total Security” for protecting yourself from the world of hackers and for keeping your data secure

Indicators Of Compromise (IOCs)

MD5File NameK7 Detection Name
2494fe715a0561b2b56c6aba3b635026 faucet collect.exeTrojan ( 0052d5341 )
bd63bc88bc5d5890667e28897eb20344svchost.exeTrojan ( 0052d5341 )
aeae61828555a5c2e42901347ee9b443 laptop.exeTrojan ( 004b9b591 )
ca151ae9d53b999b98a3cd1c6b865dfe Updater.exeTrojan ( 0056a86a1 )

MITRE ATT&CK

ExecutionUser Execution: Malicious file (T1204.002)
PersistenceScheduled Task/Job: Scheduled Task (T1053.005), Boot or Logon Autostart Execution: Registry Run Keys (T1547.001)
Defence EvacuationVirtualization/Sandbox Evasion: System Checks (T1497.001)
Credential AccessCredentials from Password Stores: Credentials from Web Browsers (T1555.003)
DiscoverySoftware Discovery: Security Software Discovery (T1518.001)
Lateral MovementReplicating through Removable media (T1091)
CollectionScreen capture (T1113)
Command and ControlApplication Layer Protocol: DNS (T1071.004)

Yara Rule

rule Blacknet

{

meta:

date = “16/12/2020”

description = “BlackNet Payload”

strings:

$fun1 = “MAINWINDOWTITLE” nocase

$fun2 = “getkeystate” nocase

$fun3 = “getkeyboardstate” nocase

$fun4 = “mapvirtualkey” nocase

$fun5 = “copyfromscreen” nocase

$fun6 = “uploadfile” nocase

$filename1 = “Windows_update.exe” nocase wide

$filename2 = “Adobe Photoshop CS.exe” nocase wide

$filename3 = “updatedpayload.exe” nocase wide

condition:

     (uint16(0) == 0x5A4D and (3 of ($fun*) and (1 of ($filename*))))

}

Like what you're reading? Subscribe to our top stories.

If you want to subscribe to our monthly newsletter, please submit the form below.

    0 replies on “Dark Side Of BlackNET RAT – Part 2”