
Malware analysis report: MagicRAT (Lazarus)

Zhassulan Zhussupov
05 May, 2023


MagicRAT is a remote access trojan (RAT) that is primarily distributed by exploiting vulnerabilities such as Log4j in VMware Horizon. A RAT is software designed to give its operators remote access to, and control over, a computer that has been compromised.

After the malicious software has been installed on a computer, it initiates a connection with a command and control server (also known as a C&C or C2 server), which enables the attacker to carry out a variety of commands and steal sensitive data from the compromised computer.

It also uses the well-known persistence technique via scheduled tasks T1053.

MagicRat malware has the ability to create, move, and delete files and can also download and execute additional malware on the system, which has the ability to steal user credentials, keystrokes, and screenshots.

It is not difficult to detect MagicRat malware as it does not use sophisticated techniques to evade detection by security software like function call obfuscation, encryption, WinAPI call hashing, etc.

It has also been observed to delete itself from the target machine after it finishes.

It is important to keep your computer and software up to date in order to protect yourself from this malware. Additionally, you should exercise caution whenever opening emails and attachments that come from unknown sources, and you should make use of a reputable piece of anti-virus software on your computer.

It is also important to have backups of your important files and to practice good security hygiene, such as using strong and unique passwords, enabling two-factor authentication, and monitoring your financial accounts for any suspicious activity.

If you suspect that your system may be infected with MagicRat malware, it is recommended to run a full scan with a reputable anti-virus software and if necessary, seek professional help to remove the malware and secure your system.

Threat Actor

"MagicRAT" was used in the course of malicious activity by the North Korean hacker group Lazarus between February and July 2022. In this campaign, Lazarus primarily targeted energy companies in Canada, the United States, and Japan. The main purpose of these attacks was likely to establish long-term access to the victims' networks in order to conduct espionage operations in support of the goals of the North Korean government. This activity aligns with Lazarus' historic incursions targeting critical infrastructure and energy companies to ensure long-term access to patented intellectual property.

There are overlaps between the C2 servers serving MagicRAT and previously disclosed Lazarus campaigns utilizing the Dtrack RAT family. Furthermore, there are C2 servers hosting and serving TigerRAT to existing MagicRAT infections. TigerRAT is a malware family attributed to the Lazarus APT group by the Korean Internet & Security Agency (KISA). TigerRAT has also previously been traced back to the Andariel adversary during Operation ByteTiger in September 2021.

Lazarus Group is a North Korean state-sponsored cyberthreat group that has been attributed to the Reconnaissance General Bureau. The group has been active since at least 2009. Malware used by Lazarus Group correlates to most reported campaigns, including Operation Flame, Operation 1Mission, Operation Troy, DarkSeoul, and Ten Days of Rain.

Cyber Kill Chain

This campaign involved exploiting vulnerabilities such as Log4j in VMware Horizon to gain an initial foothold in targeted organizations. After successful exploitation, once the AV on the system has been bypassed using the reverse shell, the attackers deploy the actual malware implant, MagicRAT. The attackers then start to perform Active Directory (AD) related exploration (via Impacket and VSingle) to identify potential endpoints to move into laterally.

This attack graph begins with the deployment of MagicRAT immediately following the exploitation of vulnerabilities that are present in VMWare Horizon platforms.

Prior to checking in and registering with the actor's infrastructure, MagicRAT will make an attempt, during this initial stage, to gain persistence by utilizing a scheduled process or the Startup folder.


This attack graph is an attempt to imitate the part of activity that was reported by Cisco Talos in September 2022 as having been carried out by the Lazarus Group.

Researchers detected the penetration of victims with a novel Remote Access Trojan that they termed MagicRAT. This Trojan was delivered to victims by targeting publicly available VMware Horizon platforms.

During this activity, Lazarus Group made use of TigerRAT, a piece of malware that has been previously traced back to the Andariel adversary during Operation ByteTiger in September 2021.

Identification

File size: 19347968 bytes
MD5 sum: b4c9b903dfd18bd67a3824b0109f955b
SHA-1 sum: a3555a77826df6c8b2886cc0f40e7d7a2bd99610
SHA-256 sum: f6827dc5af661fbb4bf64bc625c78283ef836c6985bb2bfb836bd0c8d5397332

The large size of the sample is due to the fact that it imports many functions and libraries for working with the GUI.

First of all, check our sample via VirusTotal:

https://www.virustotal.com/gui/file/f6827dc5af661fbb4bf64bc625c78283ef836c6985bb2bfb836bd0c8d5397332


So, 47 of 69 AV engines detect our sample as malicious.

Many of them detect the file as Win.Backdoor.MagicRat-9964243-1 or Win64.Trojan.MagicRAT.

Static analysis

The specified sample is a PE file:

hexdump -C <sample.exe>


Then use exiftool to look at the metadata:

exiftool <sample.exe>

We see that the file modification timestamp is 2022-04-22 21:24:52+03:00:


The executable is not packed with UPX:

upx -l <sample.exe>


What about Shannon entropy?


C++ is the programming language used in the development of MagicRAT, and the Qt Framework is utilized.


MagicRAT achieves persistence by executing a hard-coded command that establishes scheduled tasks on the victim's computer upon execution:


There are a couple of strings that give us important information about the functioning of this malware:

strings -n 8 <sample.exe>


# Scheduled task starting at a specific time [T1053/005]
schtasks /create /tn "OneDrive AutoRemove" /tr "C:\Windows\System32\cmd.exe /c del /f /q C:/TEMP/[MagicRAT_SAMPLE].exe" /sc daily /st 10:30:30 /ru SYSTEM

# Scheduled task starting at a different time and path [T1053/005]
schtasks /create /tn "Microsoft\Windows\light Service Manager" /tr C:/TEMP/[MagicRAT_SAMPLE].exe /sc onstart /ru SYSTEM

# Link created on startup folder [T1547/001]
%HOME%/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/OneNote.lnk

The C2 URLs are stored in the configuration file. Each value starts with the prefix LR02DPt22R, followed by a base64-encoded URL:


echo "aHR0cDovLzY0LjE4OC4yNy43My9hZG1fYm9yZC9sb2dpbl9uZXdfY2hlY2sucGhwIA==" | base64 -d


https://www.virustotal.com/gui/url/ee33b70a9a816ddcc213e21060506438c56b7457faab41fd18081fc02e797541

echo "aHR0cDovLzE3Mi4xNi4zLjgxL3Byb3h5LnBocA==" | base64 -d


and

echo "aHR0cDovL2dlbmRvcmFkdXJhZ29ua2dwMTI2LmNvbS9ib2FyZC9pbmRleC5waHA=" | base64 -d


https://www.virustotal.com/gui/url/0f15945d917f8979dd42cac14a68d77273f3ee81f44dbd77dfb845dada0bbc55

https://www.virustotal.com/gui/domain/gendoraduragonkgp126.com
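The decoding done by hand above can be automated. The following Python is an added example, not code from the original report: it scans a configuration blob (or a raw sample) for the LR02DPt22R prefix, decodes the base64 that follows, skips truncated values, and defangs the result for a report. The key names and the truncated last entry in the sample text are constructed; the three encoded values are the ones shown above.

```python
import base64
import re

# Prefix that precedes every base64-encoded C2 URL in the MagicRAT configuration.
MARKER = "LR02DPt22R"

# Base64 run following the prefix; padding is optional so truncated values reach the decoder
# and are rejected there instead of being silently ignored.
_VALUE_RE = re.compile(re.escape(MARKER) + r"([A-Za-z0-9+/]+={0,2})")

# Constructed configuration text (the "urlN=" layout and the cut-off last entry are
# assumptions for this example; the three complete values are quoted from the report).
SAMPLE_CONFIG = """\
[c2]
url1=LR02DPt22RaHR0cDovLzY0LjE4OC4yNy43My9hZG1fYm9yZC9sb2dpbl9uZXdfY2hlY2sucGhwIA==
url2=LR02DPt22RaHR0cDovLzE3Mi4xNi4zLjgxL3Byb3h5LnBocA==
url3=LR02DPt22RaHR0cDovL2dlbmRvcmFkdXJhZ29ua2dwMTI2LmNvbS9ib2FyZC9pbmRleC5waHA=
url4=LR02DPt22RaHR0cDovL
"""


def extract_c2_urls(data):
    """Return the decoded C2 URLs found after each marker in a config blob or raw sample bytes."""
    text = data.decode("latin-1") if isinstance(data, bytes) else data
    urls = []
    for match in _VALUE_RE.finditer(text):
        token = match.group(1)
        try:
            # validate=True rejects stray characters; bad length/padding raises binascii.Error,
            # which is a ValueError subclass.
            decoded = base64.b64decode(token, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue  # truncated or corrupt value: skip it rather than emit garbage
        # The first URL in the sample carries a trailing space inside the encoding; strip it.
        decoded = decoded.strip()
        if decoded.startswith(("http://", "https://")):
            urls.append(decoded)
    return urls


def defang(url):
    """Rewrite a URL so it is not clickable when pasted into a report or ticket."""
    scheme, _, rest = url.partition("://")
    host, slash, path = rest.partition("/")
    return scheme.replace("http", "hxxp") + "://" + host.replace(".", "[.]") + slash + path


if __name__ == "__main__":
    for url in extract_c2_urls(SAMPLE_CONFIG):
        print(defang(url))
```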


Imports

There are calls made to RegCreateKey, RegOpenKey, and RegSetValueExW, which are used, respectively, for creating keys in the Windows registry, opening those keys, and modifying their values. In addition, there is a call made to DuplicateToken, which is the typical Windows API for access token manipulation.


A certificate context can be created using the CertCreateCertificateContext function, which takes an encoded certificate as its input.


There are also Windows socket API calls such as WSAConnect and WSACleanup, which are used to connect to the C2 or to a reverse shell:


There are also many user-interface functions, since this RAT has a GUI:


The operation of MagicRAT is quite straightforward: it gives the operator access to a remote shell on the victim's system, which can be used for the execution of arbitrary commands, and it also grants the operator the ability to rename, move, and delete files on the endpoint.

The operator has the ability to modify the C2 URLs, set the time at which the implant will go to sleep, and remove the implant from the system that has been infected.

Dynamic analysis

Reconnaissance

During the first stages of execution, MagicRAT performs only enough system reconnaissance to identify the system and environment the attackers have landed in. To do so, it runs whoami, systeminfo, and ipconfig /all at the command prompt. The results of the last command are delivered to the operator by uploading the file zero_dump.mix to the C2:


Persistence

MagicRAT achieves persistence by executing a hard-coded command that establishes scheduled tasks on the victim's host upon execution:

# Scheduled task starting at a specific time [T1053/005]
schtasks /create /tn "OneDrive AutoRemove" /tr "C:\Windows\System32\cmd.exe /c del /f /q C:/TEMP/[MagicRAT_SAMPLE].exe" /sc daily /st 10:30:30 /ru SYSTEM


# Scheduled task starting at a different time and path [T1053/005]
schtasks /create /tn "Microsoft\Windows\light Service Manager" /tr C:/TEMP/[MagicRAT_SAMPLE].exe /sc onstart /ru SYSTEM


# Link created on startup folder [T1547/001]
%HOME%/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/OneNote.lnk
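The scheduled-task commands above are a good detection opportunity for defenders. The following Python is an added example, not part of the original report: it parses schtasks /create command lines from process-creation telemetry and flags the traits the sample exhibits (the known task names, running as SYSTEM, launching from C:\TEMP, and a task whose action deletes an executable). The log records are constructed in a Sysmon-style "CommandLine=" layout; the binary name magicrat_sample.exe is a placeholder.

```python
import re

# Scheduled-task names recovered from the sample's strings (see the schtasks commands above).
KNOWN_TASK_NAMES = {"OneDrive AutoRemove", r"Microsoft\Windows\light Service Manager"}

# Constructed process-creation records, not real telemetry. The first two mirror the
# sample's hard-coded commands; the third is a benign task for contrast.
SAMPLE_LOG = [
    'CommandLine=schtasks /create /tn "OneDrive AutoRemove" /tr "C:\\Windows\\System32\\cmd.exe'
    ' /c del /f /q C:/TEMP/magicrat_sample.exe" /sc daily /st 10:30:30 /ru SYSTEM',
    'CommandLine=schtasks /create /tn "Microsoft\\Windows\\light Service Manager"'
    ' /tr C:/TEMP/magicrat_sample.exe /sc onstart /ru SYSTEM',
    'CommandLine=schtasks /create /tn "Backup Nightly" /tr "C:\\Program Files\\Backup\\backup.exe"'
    ' /sc daily /st 02:00',
]


def _option(cmdline, flag):
    """Return the value following a schtasks flag, unquoting it if it was quoted."""
    m = re.search(r"(?i)(?<!\S)" + re.escape(flag) + r'\s+(?:"([^"]*)"|(\S+))', cmdline)
    if not m:
        return ""
    return m.group(1) if m.group(1) is not None else m.group(2)


def analyse_schtasks(cmdline):
    """Return the suspicious traits of a 'schtasks /create' command line (empty if none)."""
    findings = []
    if not re.search(r"(?i)\bschtasks(?:\.exe)?\b.*\s/create\b", cmdline):
        return findings
    name, action, runas = (_option(cmdline, f) for f in ("/tn", "/tr", "/ru"))
    if name in KNOWN_TASK_NAMES:
        findings.append("task name matches MagicRAT sample: " + name)
    if runas.upper() == "SYSTEM":
        findings.append("task runs as SYSTEM")
    if re.search(r"(?i)\bc:[\\/]temp[\\/]", action):
        findings.append("task action launches a binary from C:\\TEMP")
    if re.search(r"(?i)\bdel\b.*\.exe\b", action):
        findings.append("task action deletes an executable (self-removal)")
    return findings


def scan_log(records):
    """Map record index -> findings for every record that trips at least one check."""
    hits = {}
    for i, rec in enumerate(records):
        cmdline = rec.partition("CommandLine=")[2] or rec
        findings = analyse_schtasks(cmdline)
        if findings:
            hits[i] = findings
    return hits
```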


Contact with the C2 infrastructure

After the RAT has established persistence, it makes contact with the C2:


The operator can set the implant's sleep interval and change the C2 URLs:


Filesystem

The operator has the power to rename, move, and delete files on the target machine:


Boot configuration

Threat actors have often been observed altering boot loader configurations using the built-in Windows tool bcdedit.exe (Boot Configuration Data Edit) in order to:

  • Modify Boot Status Policies
  • Disable Recovery Mode
  • Enable Safe Mode

It can be argued with a high degree of probability that MagicRAT has the functionality to interact with the boot loader, probably as a persistence mechanism:


Registry Modifications


Run Regshot to compare registry modifications:


We find only the scheduled task modifications:


The sample also deletes itself from the target machine after it finishes:


Yara rules

We create a yara file with the following rule that matches the current sample:

rule lazarus_magic_rat
{
    meta:
        description = "Magic RAT"

    strings:
        $ = "LR02DPt22R"
        $ = "aHR0cDovLzY0LjE4OC4yNy43My9hZG1fYm9yZC9sb2dpbl9uZXdfY2hlY2sucGhwIA=="
        $ = "aHR0cDovLzE3Mi4xNi4zLjgxL3Byb3h5LnBocA=="
        $ = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Avalon.Graphics\\DISPLAY1"
        $ = "PADDINGXX"

    condition:
        uint16(0) == 0x5a4d and any of them
}


For completeness, the YARA rule was also tested against other MagicRAT samples:


IOCs

f6827dc5af661fbb4bf64bc625c78283ef836c6985bb2bfb836bd0c8d5397332

Conclusion

In conclusion, this report analyzed the malware's behavior and its interaction with the OS and the C2, and it should help improve your security control posture against Lazarus Group, currently one of the most serious threat actors in the world.

MagicRAT is a rather straightforward piece of malware. It gives the operator access to a remote shell on the system of the victim, which may be used for the execution of arbitrary commands. Additionally, the operator has the power to rename, move, and delete files on the endpoint. The operator has the ability to modify the C2 URLs, set the time at which the implant will go to sleep, and remove the implant from the machine that has been infected.

If you have the data generated from continuous testing and use the YARA rule and IOCs above, you can focus your teams on key security outcomes, adjust your security controls, and raise the effectiveness of your overall security program against a known and dangerous threat such as MagicRAT.

The fact that Lazarus was motivated to rapidly construct new, customised malware in addition to its already well-known malware such as TigerRAT is demonstrated by the finding of MagicRAT in the wild.

Of course, the Lazarus APT group's MagicRAT + TigerRAT campaign has not been fully covered here, but the proposed YARA rule will help detect new campaigns using this tool in case of incidents.

References

Qt Framework
T1053
CreateFileW
DeleteFile
MoveFileW
https://www.virustotal.com/gui/file/f6827dc5af661fbb4bf64bc625c78283ef836c6985bb2bfb836bd0c8d5397332/details
https://malshare.com/sample.php?action=detail&hash=f6827dc5af661fbb4bf64bc625c78283ef836c6985bb2bfb836bd0c8d5397332
https://www.virustotal.com/gui/url/ee33b70a9a816ddcc213e21060506438c56b7457faab41fd18081fc02e797541

Authored By
Zhassulan Zhussupov

Cybersecurity enthusiast | Author | Speaker | CTF player | R&D Engineer | Jiu-Jitsu Practitioner
