NineRAT is a relatively recently reported Remote Access Trojan (RAT). This malware is written in the DLang programming language and is linked to the North Korean threat actor group tracked as ‘Lazarus Group’[1]. NineRAT was first observed in March 2023 during an intrusion targeting a South American agricultural organization[1]. It was observed again in an attack against a European manufacturing entity in September 2023[1]. In this most recent campaign, the Lazarus Group performed large-scale exploitation of CVE-2021-44228, aka ‘Log4Shell’, to deploy NineRAT and two other malware families (‘BottomLoader’ and ‘DLRAT’, which are out of scope for this article). Use of DLang[2] is rare in malware development; the Lazarus Group may have chosen this language in the hope that its malicious characteristics would be less recognizable in a less common language.
This article demonstrates how FortiEDR detects and mitigates the deployment and operation of the NineRAT malware employed as part of these recent Lazarus Group campaigns. This post also shows what FortiEDR Threat Hunting telemetry is produced when this malware is executed, and how to leverage threat hunting queries to develop targeted detections. It should be noted that FortiEDR was set up in "Log Only" mode for the investigation described in this article in order to show that it can detect the malware at every step of its operation. The attack diagram for the NineRAT execution is displayed in Figure 1 below.
Figure 1. NineRAT execution flow diagram.
To demonstrate FortiEDR coverage we detonated a selected NineRAT sample (SHA1 - be49443603068d9913b4634126749217df6a695e) in a FortiEDR protected test environment. When executed, FortiEDR detected this sample as malicious based on an AV signature. As demonstrated in previous KB articles, FortiEDR also includes ML and online sandboxing to detect files with similar characteristics to known malware, such as this NineRAT sample, which allows FortiEDR to detect unknown variants of known malware. Figure 2 below shows the FortiEDR security event associated with detection of the primary file.
Figure 2. NineRAT sample executable successfully detected as malicious.
The NineRAT dropper writes a malicious file named 'nsIookup.exe' to the path '%SYSTEMROOT%\system32\nsIookup.exe'. Take note of how the lowercase "L" has been replaced with a capital "i", making the name resemble the Windows utility executable ‘nslookup.exe’. Another malicious file called ‘SecurityHealth.exe’ is also dropped by the main payload at the path "%SYSTEMROOT%\system32\Microsoft\Security\SecurityHealth.exe". The NineRAT dropper creates multiple files in the %TEMP% path and then copies these files to different file paths. The files' source paths, destination paths and their ratings are given in Table 1 below.
| Original Filepath | Destination Filepath | SHA1 | Rating |
|---|---|---|---|
| C:\Windows\Temp\TEMP | | 9677ecca60f76d8e2a3adec939f48d14e32f91b9 | High Risk |
| C:\Windows\Temp\libs | C:\Windows\System32\Microsoft\Security\libssl-1_1-x64.dll | 3ca6570dfcfb562ea7ef6d897947db2bcc2db2c2 | Clean |
| C:\Windows\Temp\libcu | C:\Windows\System32\Microsoft\Security\libcurl.dll | c6e5e8a16be2b8c1b498b4551481750d95d90e5d | Clean |
| C:\Windows\Temp\libc | C:\Windows\System32\Microsoft\Security\libcrypto-1_1-x64.dll | 67f36fb4e8a7eb4d426bb9ce543b723e6b080b65 | Clean |
| C:\Windows\Temp\iocip | C:\Windows\System32\Microsoft\Security\SecurityHealth.exe | 9e223444d7b6b1837c4643f34e0f561613496569 | High Risk |
| C:\Windows\Temp\in | C:\Windows\System32\Microsoft\Security\info.ini | ec904b8fc1014225ad1c81b4d2cd0a28ac206dd4 | Clean |

Table 1. List of files dropped by the NineRAT malware.
After dropping these files, the NineRAT dropper spawns a ‘cmd.exe’ child process. This execution of ‘cmd.exe’ is detected and blocked by FortiEDR because FortiEDR has already tagged the main dropper process as malicious. The main payload executable launches ‘cmd.exe’, which in turn executes the Windows utility ‘sc.exe’. ‘sc.exe’ creates a Windows service to enable persistence (T1543.003 - Create or Modify System Process: Windows Service).
The following command was used to create a new Windows service for persistence:
sc.exe create Aarsvc_4f2901 binPath="c:\windows\system32\nsIookup.exe -k AarSvcGroup -p" type=own start=auto DisplayName="Agent Activation Runtime_4f2901"
This service uses the previously dropped malicious file ‘nsIookup.exe’ as its service binary, and has the service name "Aarsvc_4f2901". Multiple different samples were detonated as part of this analysis, and it was observed that the string “Runtime_4f2901” is always present in the display name of the service created for persistence. Even though the service names differed, the service display name always contained this string. It was also observed that when the same sample was executed in a different sandbox, the service name was the same in both sandboxes. This likely indicates that, whilst the service name is consistent between executions, it is unique per executable. This attempt to create a service is detected and blocked by FortiEDR, as can be observed in Figure 3 below.
Figure 3. FortiEDR blocks malware attempt to create service using SC.exe.
After service creation, the malware process runs the following command to add a description to the created service.
sc.exe description Aarsvc_4f2901 "@C:\Windows\system32\AarSvc.dll,-101"
We have observed that even though the service name changes between different NineRAT executables, the string "@C:\Windows\system32\AarSvc.dll,-101" is a common substring of the description of the created service. There is a legitimate Windows service called ‘AarSvc’ which has the display name ‘Agent Activation Runtime’. This ‘AarSvc’ service uses the file ‘%SystemRoot%\System32\AarSvc.dll’[3]. The threat actor is therefore trying to masquerade its persistence mechanism using a name similar to the legitimate Windows service ‘AarSvc’.
Once the service has been created, the main malware process attempts to start the service using the following command, which is again detected and blocked by FortiEDR:
sc start Aarsvc_4f2901
Upon initiation of the service, the malicious executable 'nsIookup.exe' proceeds to execute the additional file 'SecurityHealth.exe'. The resulting 'SecurityHealth.exe' process then initiates a network connection to the IP address 149.154.167.220. We have observed in the FortiEDR Threat Hunting data that at the same time a DNS query was made by the Windows process svchost.exe for the domain ‘hxxps://api[.]telegram[.]org’, which resolved to the same IP address. A search in the FortiGuard Central Threat System (CTS) confirmed that this IP address corresponds to a Telegram server located in Amsterdam, Netherlands, as shown in the CTS data in Figure 4.
Figure 4. FortiGuard CTS results for the C2 IP address.
This network connection also corresponds to a web request to the ‘hxxps[:]//api.telegram[.]org/bot5176083012’ URL from the ‘SecurityHealth.exe’ process. This is communication with a bot created on the Telegram service. The FortiEDR security event can be observed in the screenshot in Figure 5.
Figure 5. FortiEDR blocks C2 communication connection of malicious file SecurityHealth.exe.
Analysis of the network traffic associated with this connection identified an authentication token used for this C2 communication. When we queried the Telegram ‘getMe’ API using this token, it returned the username and Bot-ID of that Telegram bot. This can be observed in the following screenshot.
Figure 6. Information related to the Telegram authentication token retrieved from NineRAT C2 communications.
As demonstrated during the analysis outlined in this article, FortiEDR is able to detect and mitigate the execution of NineRAT malware. This analysis was validated through the execution of multiple NineRAT samples. Throughout this analysis, FortiEDR was configured in ‘Log Only’ mode to demonstrate detection capabilities against NineRAT execution. In ‘Prevention Mode’ all detected activity will be blocked by associated policies. Some useful threat hunting queries are provided in the next section to help with proactive threat hunting activity.
The following Threat Hunting query returns Process Creation events involving the execution of 'sc.exe' by 'cmd.exe' with command line arguments containing the string 'DisplayName="Agent Activation Runtime_4f2901"'. Numerous NineRAT samples exhibit a consistent pattern of using this identical DisplayName value for service creation, despite altering the service name itself.
Type: ("Process Creation") AND Source.Process.Name: ("cmd.exe") AND Target.Process.File.Name: ("sc.exe") AND Target.Process.CommandLine: ("DisplayName\=\"Agent Activation Runtime_4f2901\"")
The following Threat Hunting query returns Process Creation events involving the execution of 'sc.exe' by 'cmd.exe' with a command line argument containing the string "@C:\Windows\system32\AarSvc.dll,-101". During our investigation we noted a recurring pattern among various NineRAT samples: they consistently use an identical service description, despite altering the associated service names.
Type: ("Process Creation") AND Source.Process.Name: ("cmd.exe") AND Target.Process.File.Name: ("sc.exe") AND Target.Process.CommandLine: ("\"@C\:\\Windows\\system32\\AarSvc.dll,\-101\"")
The following Threat Hunting query identifies File Create events in which files with the specific staging names used by the NineRAT dropper are created within the directory path "C:\Windows\Temp".
Type: ("File Create") AND Target.File.Name: ("TEMP" OR "iocip" OR "libcu" OR "libs" OR "libc" OR "in") AND Target.File.Path: ("Windows\\Temp")
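The three queries above express the same logic in FortiEDR's query language; as an added example (not part of the original article or of FortiEDR), the Python below implements the same three rules over a handful of constructed event records and adds a check for the capital-I-for-lowercase-L swap seen in 'nsIookup.exe'. The event field names, the sample events and the small allow-list of system binaries are assumptions for this illustration.

```python
from typing import Callable, Dict, List, Tuple

# Constructed sample events (not real telemetry) shaped like the fields the
# article's queries use: Type, Source.Process.Name, Target.Process.File.Name,
# Target.Process.CommandLine, Target.File.Name and Target.File.Path.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"type": "Process Creation", "source": "cmd.exe", "target": "sc.exe",
     "cmdline": 'sc.exe create Aarsvc_4f2901 binPath="c:\\windows\\system32\\nsIookup.exe -k AarSvcGroup -p" '
                'type=own start=auto DisplayName="Agent Activation Runtime_4f2901"'},
    {"type": "Process Creation", "source": "cmd.exe", "target": "sc.exe",
     "cmdline": 'sc.exe description Aarsvc_4f2901 "@C:\\Windows\\system32\\AarSvc.dll,-101"'},
    {"type": "Process Creation", "source": "cmd.exe", "target": "sc.exe",
     "cmdline": "sc.exe query wuauserv"},  # benign admin use, must not match
    {"type": "File Create", "path": "C:\\Windows\\Temp", "name": "iocip"},
    {"type": "File Create", "path": "C:\\Users\\alice\\AppData\\Local\\Temp", "name": "in"},  # wrong directory
]

DISPLAY_NAME = 'DisplayName="Agent Activation Runtime_4f2901"'
DESCRIPTION = '"@C:\\Windows\\system32\\AarSvc.dll,-101"'
DROPPED_NAMES = {"TEMP", "iocip", "libcu", "libs", "libc", "in"}
SYSTEM_BINARIES = {"nslookup.exe", "svchost.exe"}  # assumed allow-list; extend as needed

def _sc_from_cmd(ev: Dict[str, str], needle: str) -> bool:
    """cmd.exe -> sc.exe process creation whose command line contains needle."""
    return (ev["type"] == "Process Creation" and ev["source"].lower() == "cmd.exe"
            and ev["target"].lower() == "sc.exe" and needle in ev["cmdline"])

def rule_display_name(ev: Dict[str, str]) -> bool:
    return _sc_from_cmd(ev, DISPLAY_NAME)

def rule_description(ev: Dict[str, str]) -> bool:
    return _sc_from_cmd(ev, DESCRIPTION)

def rule_temp_drop(ev: Dict[str, str]) -> bool:
    """File Create of one of the dropper's staging names directly under Windows\\Temp."""
    return (ev["type"] == "File Create" and ev["name"] in DROPPED_NAMES
            and ev["path"].lower().endswith("windows\\temp"))

RULES: List[Tuple[str, Callable[[Dict[str, str]], bool]]] = [
    ("ninerat_service_displayname", rule_display_name),
    ("ninerat_service_description", rule_description),
    ("ninerat_temp_staging_file", rule_temp_drop),
]

def hunt(events: List[Dict[str, str]]) -> List[Tuple[str, int]]:
    """Return (rule name, event index) for every event that a rule matches."""
    return [(name, i) for i, ev in enumerate(events) for name, rule in RULES if rule(ev)]

def masquerades_system_name(file_name: str) -> bool:
    """True when the name only equals a system binary after undoing the I-for-l swap."""
    folded = file_name.replace("I", "l").lower()
    return folded in SYSTEM_BINARIES and file_name.lower() not in SYSTEM_BINARIES

if __name__ == "__main__":
    print(hunt(SAMPLE_EVENTS))
    print(masquerades_system_name("nsIookup.exe"))
```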
Note: The indicators in observed activity for each MITRE technique are relevant to analyzed campaigns and may change in future campaigns.
| Technique ID | Technique Description | Observed Activity |
|---|---|---|
| T1059.003 | Command and Scripting Interpreter: Windows Command Shell | The NineRAT primary payload launches cmd.exe, which in turn launches sc.exe to create a service. |
| T1569.002 | Service Execution | NineRAT uses sc.exe, a legitimate Windows utility, to create and start services. |

| Technique ID | Technique Description | Observed Activity |
|---|---|---|
| T1543.003 | Windows Service | NineRAT uses sc.exe, a legitimate Windows utility, to create and start services. |

| Technique ID | Technique Description | Observed Activity |
|---|---|---|
| T1070.004 | Indicator Removal: File Deletion | NineRAT deletes its original payload file after creating a copy of itself. |
| T1036.004 | Masquerading: Masquerade Task or Service | When creating a service for persistence, NineRAT used a service name (Aarsvc_4f2901) and a service description ("@C:\Windows\system32\AarSvc.dll,-101") similar to the legitimate Windows service ‘AarSvc’, placing the legitimate DLL file name ‘AarSvc.dll’ in the description of the created service. |
| T1036.005 | Masquerading: Match Legitimate Name or Location | NineRAT drops a malicious payload named "nsIookup.exe" within the system directory "C:\Windows\System32" (note the capital ‘i’ in place of the lowercase ‘L’). |

| Technique ID | Technique Description | Observed Activity |
|---|---|---|
| T1071 | Application Layer Protocol | NineRAT uses the Telegram application for its command and control (C2) communication. |
| Indicator Description | Indicator | Indicator Type | Associated Tactic | Notes | First Observed |
|---|---|---|---|---|---|
| Malicious Executable | be49443603068d9913b4634126749217df6a695e | SHA1 Hash | Installation | NineRAT executable | 2023-11-04 |
| Malicious Executable | f5a4b6409e447d3696991aaae0be08f1c5fa3695 | SHA1 Hash | Installation | NineRAT executable | 2021-03-20 |
| Malicious Executable | 4bf18f50f8496813e424c7c8dc7aab68cee86afd | SHA1 Hash | Installation | NineRAT executable | 2023-11-05 |
| Malicious Executable | 8cf133d72ba6d476e28dfc18e3ba13dc15f99071 | SHA1 Hash | Installation | NineRAT executable | 2023-11-21 |
| Malicious Executable | 9677ecca60f76d8e2a3adec939f48d14e32f91b9 | SHA1 Hash | Installation | Malicious executable dropped by NineRAT | 2022-07-15 |
| Malicious Executable | 9e223444d7b6b1837c4643f34e0f561613496569 | SHA1 Hash | Installation | Malicious executable dropped by NineRAT | 2022-07-15 |
[1] https://blog.talosintelligence.com/lazarus_new_rats_dlang_and_telegram/