CetaRAT is a Remote Access Trojan (RAT) that has seen a recent spike in activity targeting Indian government agencies, following its initial employment as a key part of Operation SideCopy targeting Indian defence forces in early 2019 [1]. RATs such as CetaRAT give adversaries the ability to control an infected system by enabling remote execution. Recently observed CetaRAT activity indicates it has been used to exfiltrate sensitive information from infected systems.
Threat reporting indicates that the primary delivery method for CetaRAT is a phishing email carrying a malicious attachment. This attachment is typically an HTA (HTML Application) file. When executed by the victim user, the HTA file drops a script file and a malicious binary payload. The script file opens an online document as a decoy, establishes persistence through the Windows Startup folder and restarts the system to execute the malicious binary payload. When the infected system restarts, data such as computer name, operating system, IP address, amount of memory, type of processor and other information is exfiltrated to the adversary's command and control (C2) servers.
This article demonstrates how FortiEDR detects and blocks this malware by analysing its behaviour in simulation mode. In simulation mode, FortiEDR generates events but does not block them, allowing CetaRAT to fully execute. This lets us demonstrate the scope of the behavioural detections and blocks applied by FortiEDR and the layers of rules that protect defended endpoints.
The CetaRAT sample analysed in this article is an HTA (HTML Application) file taken from a recent phishing email. Following delivery of the phishing email, the user is expected to execute the HTA file by double-clicking the attachment. The HTA file is mostly comprised of a large JavaScript script block that runs when the HTA file is executed. The JavaScript contains three key sections: first, a set of encoded variables containing an executable and a DLL; second, commands to write and execute a JavaScript file, "script56.js", in both the "C:\ProgramData" and "C:\Users\All Users\" directories; and finally, commands to write another JavaScript file, also named "script56.js", to the executing user's Startup directory (note: this final section of the code has a syntax error and does not execute correctly).
The content of the script dropped by the second section of the HTA JavaScript is shown below in Figure 1. When executed, the script opens "https://ipa.co[.]in/assets/pdfs/Bihar-Regt.pdf" in the user's default browser. After opening the PDF document, the script sleeps for 300000 milliseconds and then restarts the system.
Figure 1. The dropped script that opens the online pdf.
In the analysed sample the decoy document is an official memorandum from a government agency that matches the content of the phishing email. A quality decoy document is likely included to lower the victim's suspicion so they do not realise they have been targeted by a phishing attack.
Figure 2. Screenshot of the decoy document opened by the CetaRAT script.
The third section of the HTA JavaScript aims to create the "script56.js" file in the executing user's Startup directory and write some JavaScript code to it. The JavaScript responsible for these operations is shown in Figure 3 below. The written JavaScript contains a hex-encoded URL; when executed, this code sends an HTTP GET request to hxxp://newsindia[.]ddns[.]net/hit. This is likely a callback to adversary C2 indicating that a new victim has been compromised, so historical web traffic to this domain is a good IOC for successful initial access.
Figure 3. JavaScript code from the sample HTA file that writes a separate .js file to the executing user's Startup directory containing code to call back to adversary C2.
Analysis of this section of the code identifies a syntax error that prevents the file from being written correctly, so this network connection back to the C2 domain does not occur. For this reason, these IOCs have not been included at the end of this article.
The HTA file loads and runs a DLL in memory as preBotHta.dll. The content of preBotHta.dll is stored in the HTA file as a base64-encoded serialized object that is deserialized into a memory stream on execution. This can be seen in the code snippets in Figures 4 and 5 below.
Figure 4. Partially encoded bytes from the HTA script containing the serialized preBotHta.dll
Figure 5. Code from the HTA script that transforms the deserialized preBotHta.dll variables into a memory stream
This is an alternative way of loading the DLL into memory and obfuscating its functionality. The use of this deserialization method indicates that the threat actor who generated this HTA file likely took advantage of the popular open-source 'DotNetToJScript' project (https://github.com/tyranid/DotNetToJScript) to generate their payload. In this situation, an analyst would typically need to manually deserialise the DLL prior to analysing its contents. Fortunately, FortiEDR automatically detects and alerts on the suspicious library load and flags the in-memory execution of an unconfirmed executable. This can be seen in Figure 6 below.
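The following script is an added example (not code from the original article, from Fortinet, or from the DotNetToJScript project) showing the two analyst tasks described above: decoding the hex-encoded string constant in the dropped callback script, and recovering the DLL from a DotNetToJScript-style base64 blob without running it. The HTA text it operates on is constructed for the example: a 224-byte fake PE image wrapped in a few placeholder framing bytes, base64-encoded and split across `serialized_obj += "..."` lines the way DotNetToJScript output is. The variable name `serialized_obj` and the framing bytes are assumptions; the carver relies only on the MZ/PE structure, so it finds the assembly wherever the deserialization framing puts it.

```python
import base64
import hashlib
import re
import struct
from typing import Dict, List, Optional

# --- Constructed sample input (not the real CetaRAT HTA) --------------------
def _fake_pe() -> bytes:
    """Minimal fake PE: DOS header, e_lfanew -> 'PE\\0\\0' at 0x80, one section, 224 bytes."""
    img = bytearray(b"MZ" + b"\x00" * 58)
    img += struct.pack("<I", 0x80)                          # e_lfanew at offset 0x3c
    img += b"\x00" * (0x80 - len(img))
    img += b"PE\x00\x00"
    img += struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x2102)  # COFF header, 1 section, no optional header
    img += b".text\x00\x00\x00" + struct.pack("<IIIIIIHHI", 0x20, 0x1000, 0x20, 0xC0, 0, 0, 0, 0, 0x60000020)
    img += b"\xcc" * 0x20                                   # raw section data at 0xC0
    return bytes(img)

FAKE_PE = _fake_pe()
# Placeholder for the serialized-object framing around the assembly bytes (assumed, not real).
_SERIALIZED = b"\x00\x01\x00\x00\x00\xff\xff\xff\xff" + FAKE_PE + b"\x0b"
_B64 = base64.b64encode(_SERIALIZED).decode()
SAMPLE_HTA = "\n".join(
    ['<script language="JScript">', 'var serialized_obj = "";']
    + ['serialized_obj += "%s";' % _B64[i:i + 40] for i in range(0, len(_B64), 40)]
    # hex-encoded callback URL, as in the third section of the analysed HTA
    + ['var u = "687474703a2f2f6e657773696e6469612e64646e732e6e65742f686974";', "</script>"]
)

# --- Triage helpers ----------------------------------------------------------
def defang(text: str) -> str:
    """Neutralise a recovered URL before it goes into a report."""
    return text.replace("http", "hxxp").replace(".", "[.]")

def decode_hex_strings(script: str) -> List[str]:
    """Decode every long, pure-hex string literal assigned with '=' (the '+=' blob pieces are skipped)."""
    found = []
    for match in re.finditer(r'(?<![+])=\s*"([0-9a-fA-F]{16,})"', script):
        digits = match.group(1)
        if len(digits) % 2:
            continue
        try:
            found.append(defang(bytes.fromhex(digits).decode("ascii")))
        except UnicodeDecodeError:
            continue
    return found

def reassemble_blobs(script: str) -> Dict[str, str]:
    """Join the pieces of every variable built up with repeated  name += "..."  appends."""
    blobs: Dict[str, str] = {}
    for name, piece in re.findall(r'(\w+)\s*\+=\s*"([^"]*)"', script):
        blobs[name] = blobs.get(name, "") + piece
    return blobs

def carve_pe(data: bytes) -> Optional[bytes]:
    """Return the first embedded PE image whose e_lfanew lands on a 'PE\\0\\0' signature, sized from its section table."""
    start = 0
    while (idx := data.find(b"MZ", start)) != -1:
        start = idx + 1
        if idx + 0x40 > len(data):
            break
        pe = idx + struct.unpack_from("<I", data, idx + 0x3C)[0]
        if pe < idx + 0x40 or data[pe:pe + 4] != b"PE\x00\x00" or pe + 24 > len(data):
            continue
        nsections = struct.unpack_from("<H", data, pe + 6)[0]
        opt_size = struct.unpack_from("<H", data, pe + 20)[0]
        table = pe + 24 + opt_size
        if table + 40 * nsections > len(data):
            continue
        end = table + 40 * nsections
        for i in range(nsections):            # file end = furthest section raw data
            raw_size, raw_ptr = struct.unpack_from("<II", data, table + 40 * i + 16)
            end = max(end, idx + raw_ptr + raw_size)
        return data[idx:min(end, len(data))]
    return None

def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()

def triage(script: str) -> Dict[str, object]:
    """Pull decoded strings and embedded PE images out of an HTA/JScript body."""
    embedded = {}
    for name, b64 in reassemble_blobs(script).items():
        try:
            raw = base64.b64decode(b64, validate=True)
        except ValueError:                    # binascii.Error is a ValueError subclass
            continue
        image = carve_pe(raw)
        if image is not None:
            embedded[name] = {"size": len(image), "sha1": sha1_hex(image)}
    return {"decoded_strings": decode_hex_strings(script), "embedded_pe": embedded}

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_HTA), indent=2))
```

The carved bytes can then be hashed and pivoted on (as the tlsh and vhash values in the IOC table at the end of this article were) without the serialized object ever being deserialized on an analyst machine.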
Figure 6. An example of an event demonstrating the in-memory execution event flagged by the ‘Unconfirmed Executable’ rule in the Exfiltration Prevention policy. In Protect mode, FortiEDR would have blocked a load of this library, preventing the malware from continuing to execute.
Once decoded and executed, preBotHta.dll drops winms.exe: it first checks for a list of AV products installed on the infected system and then decodes the winms.exe file. The malware checks whether "Kaspersky", "Quick", "Avast", "Avira", "Bitdefender" or "WindowsDefender" is active on the system in the 'PinkAgain' function (shown below in Figure 7), then drops the "winms.exe" executable in the Startup folder of the compromised host as part of the 'CopyExeAsTxt' function (shown below in Figure 8). In this version of CetaRAT, the detection of different AV products does not change functionality, but previously observed versions of the tool that use the same DLL name and the same function names show slight differences in functionality when Kaspersky AV is detected. Analysis of these other CetaRAT versions is outside the scope of this article, as the detections and mitigations by FortiEDR are consistent across all observed samples.
Figure 7. Code snippet from preBotHta.dll showing the DLL checking whether a specific AV is active
Figure 8. Code snippet from preBotHta.dll showing the code that drops winms.exe in the Startup folder.
As discussed above, preBotHta.dll drops winms.exe in the Startup folder for persistence, so that winms.exe runs whenever the system restarts. As seen in Figures 9 and 10 below, the dropped executable is signed with a now-invalid "*.teamviewer.com" certificate. Signing an executable with a TeamViewer certificate is a method aimed at deceiving security applications such as AVs that might block the execution of unsigned executables.
Figure 9. File create event for winms.exe in the Startup folder, taken from the FortiEDR Threat Hunting tool.
Figure 10. Certificate details for the winms.exe file dropped by the preBotHta.dll file
The Execution Prevention rule in FortiEDR is triggered when the malware drops winms.exe in the Startup folder. Winms.exe was identified as malicious by our machine-learning engine, as can be observed in Figure 11 below. If FortiEDR were in Protect mode, execution of this file would have been blocked, preventing further adversary activity.
Figure 11. File read attempt event triggered when the malware drops winms.exe.
On initial execution, CetaRAT gathers information about the infected system. Information including computer name, operating system, IP address, amount of memory, type of processor and other details is collected and stored, to be uploaded to the adversary's C2 server once the malware successfully connects out. The code snippet in Figure 12 below highlights the responsible code extracted from the winms.exe file.
Figure 12. Data for exfiltration is being collated prior to connecting to C2.
CetaRAT uses the commands shown in the dictionary in Figure 13 below, taken from inside winms.exe, to perform various actions on a compromised host. Some commands demonstrate functionality within the RAT that enables the adversary to exfiltrate data, download updated executable files, and manipulate existing files and processes on the compromised host.
Figure 13. Commands taken from the CetaRAT code (winms.exe) showing the functionality available to the adversary using the RAT.
The malware tries to connect to its C2 domain at IP address 164[.]68[.]108[.]22; as of this writing, the malware cannot establish a connection to the site. If a connection is successful, the malware exfiltrates information from the infected system in subsequent web requests. The malicious actor also communicates with CetaRAT over this channel to send instructions for the malware to perform.
Figure 14. Hardcoded C2 IP found within the malware code.
Figure 15. TCP stream capture when the malware tries to connect to the C2 domain. In this instance, the connection failed as the adversary C2 is no longer active.
FortiEDR detects and blocks the attempted network connection to the malware's C2 IP (164[.]68[.]108[.]22), as shown in Figure 15. The advanced data section of the main FortiEDR event console can be used to quickly provide context and visually identify anomalous network connections through the 'Geo Location' feature. As shown in the figure below, this hardcoded CetaRAT IP maps to an endpoint located in Germany, which is likely anomalous for an end user in India.
Figure 16. Network detection events related to attempted C2 communications from the CetaRAT sample
Figure 17. Connection is blocked by FortiEDR when the malware tries to connect to the known C2 IP.
The Fortinet CTS (Central Threat System), which contains FortiGuard Labs Threat Intelligence feeds, shows that the IP 164[.]68[.]108[.]22 accessed by the CetaRAT malware is flagged as a malicious website. The information CTS holds on this IOC can be seen in the figure below.
Figure 18. Fortinet CTS information about the hardcoded CetaRAT C2 address
When winms.exe runs, it tries to run under a specific version of the .NET Framework (version 3.5). If the required .NET Framework is not installed, the malware downloads and installs it, triggering the use of Fondue.exe (Windows Features on Demand UX) and OptionalFeatures.exe (Windows Features), both of which are legitimate Windows executables.
The malware tries to access the Volume Shadow Copy Service (VSSVC.exe) via svchost.exe and terminates the service to prevent backups of modified files. FortiEDR detects and blocks the malware when it tries to access the Volume Shadow Copy Service.
Figure 19. The malware tries to download .NET Framework ver 3.5 if it is not currently available on the endpoint.
Figure 20. File Service Access event triggered when the malware tries to use VSSVC.exe.
The following FortiEDR Threat Hunting queries can be used to find the activity described above. To search for dropped script files:
Type: ("File Create") AND Source.Process.Name: ("mshta.exe") AND Target.File.Path: ("\\ProgramData\\" OR "\\Users\\All Users\\") AND Target.File.Name: ("script56.js")
To search for network connection related to accessing the online decoy document:
Type: ("Socket Connect") AND Source.Process.Parent.Path: ("wscript.exe") AND Source.Process.CommandLine: ("\-\-single\-argument https\:\/\/ipa.co.in\/assets\/pdfs\/Bihar\-Regt.pdf")
To search for the command line that triggers the computer restart:
Type: ("Process Termination") AND Source.Process.Parent.Path: ("wscript.exe") AND Source.Process.Name: ("cmd.exe") AND Target.Process.CommandLine: ("\/k shutdown \/r \/t 0")
To search for winms.exe in the Startup folder (simplified):
Type: ("File Create") AND Source.Process.Name: ("mshta.exe") AND Target.File.Name: ("winms.exe") AND Target.File.Path: ("AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup")
To search for winms.exe in the Startup folder (with MITRE):
MITRE.Tactic: ("Persistence") AND MITRE.Techniques.Technique: ("Boot or Logon Autostart Execution\: Registry Run Keys \/ Startup Folder") AND Type: ("File Create") AND Source.Process.Name: ("mshta.exe") AND Target.File.Name: ("winms.exe") AND Target.File.Path: ("AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup")
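The hunting queries above are FortiEDR Threat Hunting syntax. As an added example (not code from the original article or from Fortinet), the script below re-implements the same four conditions as plain predicates over event records, so the logic can be checked against exported or simulated telemetry offline. The events are constructed for the example and use dictionary keys that mirror the field names in the queries; the benign look-alike records at the end (a download of a file called winms.exe, a delayed shutdown) are there to show what the rules must not match.

```python
import re
from typing import Dict, List

Event = Dict[str, str]
STARTUP_DIR = r"AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"

def _field(event: Event, name: str) -> str:
    return event.get(name, "")

def dropped_script56(e: Event) -> bool:
    """mshta.exe writes script56.js under \\ProgramData\\ or \\Users\\All Users\\."""
    return (_field(e, "Type") == "File Create"
            and _field(e, "Source.Process.Name").lower() == "mshta.exe"
            and _field(e, "Target.File.Name").lower() == "script56.js"
            and any(d in _field(e, "Target.File.Path") for d in ("\\ProgramData\\", "\\Users\\All Users\\")))

def decoy_document_fetch(e: Event) -> bool:
    """A browser launched by wscript.exe connects out to the decoy PDF URL."""
    return (_field(e, "Type") == "Socket Connect"
            and _field(e, "Source.Process.Parent.Path").lower().endswith("wscript.exe")
            and "--single-argument https://ipa.co.in/assets/pdfs/Bihar-Regt.pdf" in _field(e, "Source.Process.CommandLine"))

def forced_restart(e: Event) -> bool:
    """cmd.exe spawned by wscript.exe runs the immediate restart ('/t 0', not a delayed one)."""
    return (_field(e, "Type") == "Process Termination"
            and _field(e, "Source.Process.Parent.Path").lower().endswith("wscript.exe")
            and _field(e, "Source.Process.Name").lower() == "cmd.exe"
            and re.search(r"/k\s+shutdown\s+/r\s+/t\s+0\b", _field(e, "Target.Process.CommandLine"), re.I) is not None)

def winms_in_startup(e: Event) -> bool:
    """mshta.exe drops winms.exe into the per-user Startup folder."""
    return (_field(e, "Type") == "File Create"
            and _field(e, "Source.Process.Name").lower() == "mshta.exe"
            and _field(e, "Target.File.Name").lower() == "winms.exe"
            and STARTUP_DIR.lower() in _field(e, "Target.File.Path").lower())

# rule name -> (predicate, MITRE technique from the mapping table in this article)
RULES = {
    "dropped_script56": (dropped_script56, "T1218.005"),
    "decoy_document_fetch": (decoy_document_fetch, "T1059.007"),
    "forced_restart": (forced_restart, "T1059.007"),
    "winms_in_startup": (winms_in_startup, "T1547.001"),
}

def hunt(events: List[Event]) -> Dict[str, Dict[str, object]]:
    """Return, per rule, its technique and the indices of the events that matched."""
    report = {name: {"technique": tech, "events": []} for name, (_, tech) in RULES.items()}
    for i, e in enumerate(events):
        for name, (pred, _) in RULES.items():
            if pred(e):
                report[name]["events"].append(i)
    return report

# Constructed sample records (not FortiEDR telemetry); keys mirror the query field names.
SAMPLE_EVENTS: List[Event] = [
    {"Type": "File Create", "Source.Process.Name": "mshta.exe",
     "Target.File.Path": "C:\\ProgramData\\", "Target.File.Name": "script56.js"},
    {"Type": "Socket Connect", "Source.Process.Parent.Path": "C:\\Windows\\System32\\wscript.exe",
     "Source.Process.CommandLine": "\"C:\\Program Files\\Browser\\browser.exe\" --single-argument https://ipa.co.in/assets/pdfs/Bihar-Regt.pdf"},
    {"Type": "Process Termination", "Source.Process.Parent.Path": "C:\\Windows\\System32\\wscript.exe",
     "Source.Process.Name": "cmd.exe", "Target.Process.CommandLine": "cmd.exe /k shutdown /r /t 0"},
    {"Type": "File Create", "Source.Process.Name": "mshta.exe", "Target.File.Name": "winms.exe",
     "Target.File.Path": "C:\\Users\\user1\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\"},
    # benign look-alikes that must not fire
    {"Type": "File Create", "Source.Process.Name": "explorer.exe", "Target.File.Name": "winms.exe",
     "Target.File.Path": "C:\\Users\\user1\\Downloads\\"},
    {"Type": "Process Termination", "Source.Process.Parent.Path": "C:\\Windows\\explorer.exe",
     "Source.Process.Name": "cmd.exe", "Target.Process.CommandLine": "cmd.exe /k shutdown /r /t 600"},
]

if __name__ == "__main__":
    for rule, info in hunt(SAMPLE_EVENTS).items():
        print(f"{rule:22s} {info['technique']:10s} events={info['events']}")
```

Each predicate matches on the same fields the corresponding query names, so a record that fires here should also be returned by the FortiEDR query, and the technique tag reproduces the MITRE-qualified variant of the Startup folder search.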
Technique ID | Technique Description | Observed Activity
T1059.005 | Command and Scripting Interpreter: Visual Basic | CetaRAT malware contains Visual Basic code within the HTA file.
T1059.007 | Command and Scripting Interpreter: JavaScript | CetaRAT malware drops a JavaScript file to open an online document and to restart the system.
T1218.005 | Signed Binary Proxy Execution: Mshta | CetaRAT malware uses a malicious HTA file as the initial stage to infect the system.
T1553.002 | Subvert Trust Controls: Code Signing | CetaRAT malware drops winms.exe, which is signed with the "*.teamviewer.com" certificate.
T1036.001 | Masquerading: Invalid Code Signature | CetaRAT malware drops winms.exe, which is signed with the "*.teamviewer.com" certificate.
T1140 | Deobfuscate/Decode Files or Information | CetaRAT malware uses base64 encoding to hide the content of preBotHta.dll.
T1564.003 | Hide Artifacts: Hidden Window | CetaRAT malware hides the window when it executes the original HTA file.
T1041 | Exfiltration Over C2 Channel | CetaRAT malware may steal data such as computer name, operating system, IP address, amount of memory, type of processor, and other information.
T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | CetaRAT malware drops winms.exe to the %Appdata%\Roaming\Microsoft\Windows\Start Menu\Programs\Startup folder.
T1490 | Inhibit System Recovery | CetaRAT malware terminates VSSVC.exe to disable the creation of volume shadow copies.
T1071.001 | Application Layer Protocol: Web Protocols | The malware author controlling CetaRAT uses a command and control server to send commands to the CetaRAT malware.
Indicator Description | Indicator | Indicator Type | Associated Tactic | Notes
Hta file | 54b25d5e1841d538d0cebc046a858b699abe432b | SHA1 Hash | Initial Access | Malicious HTA file analysed in this article. tlsh:T12094F1B0B4E33D7717EACD5321B8D6346DB46C8B934EBA14C131BBD04AC1A644FE991A
css27.hta | ef97dd8cbccf104ea73bfc28a0768f7c9bcef168 | SHA1 Hash | Initial Access | Similar HTA file identified by pivoting from the initial sample tlsh:T12094F1B0B4E33D7717EACD5321B8D6346DB46C8B934EBA14C131BBD04AC1A644FE991A
file.hta | a4258b2882e2bde4b14f121d84504eb527edf05d | SHA1 Hash | Initial Access | Similar HTA file identified by pivoting from the initial sample tlsh:T12094F1B0B4E33D7717EACD5321B8D6346DB46C8B934EBA14C131BBD04AC1A644FE991A
winms.exe | f458a468595911d6a3a270096ee5c096a95c8fd2 | SHA1 Hash | Execution | Dropped executable file. vhash:21403655151130051890021
Update.exe | 0897a4c258f8b0260487e50a7793ec938da578a2 | SHA1 Hash | Execution | Similar executable file identified by pivoting from the initial sample vhash:21403655151130051890021
C2 IP | 173.249.41[.]175 | IP Address | Command and Control | From CTS
C2 IP | 109.236.85[.]152 | IP Address | Command and Control | From CTS
C2 IP | 164.68.108[.]22 | IP Address | Command and Control | CetaRAT C2
C2 IP | 167.86.75[.]119 | IP Address | Command and Control | From CTS
C2 IP | 207.180.230[.]63 | IP Address | Command and Control | From CTS
C2 IP | 161.97.142[.]96 | IP Address | Command and Control | From CTS
C2 IP | 164.68.104[.]126 | IP Address | Command and Control | From CTS
C2 domain | hxxp://newsindia[.]ddns[.]net/hit | domain | Command and Control | From the analysed HTA file. Note that the code had errors, so this domain was never reached; it is not a strong IOC for the analysed sample but has been included for completeness.
[1] Operation SideCopy – https://www.seqrite.com/documents/en/white-papers/Seqrite-WhitePaper-Operation-SideCopy.pdf
Copyright 2024 Fortinet, Inc. All Rights Reserved.