FortiEDR
FortiEDR automates the protection against advanced threats, pre and post-execution, with real time orchestrated incident response functionality.
mrobson
Staff
Staff

Introduction

 

CetaRAT is a Remote Access Trojan (RAT) that has seen a recent spike in activity targeting Indian government agencies following its initial employment as a key part of Operation Sidecopy targeting Indian defence forces in early 2019[1]. RATs such as CetaRAT give adversaries the ability to control an infected system by enabling remote execution. Recently observed CetaRAT activity indicates it has been used to exfiltrate sensitive information from infected systems.

 

Threat reporting indicates that the primary delivery method for CetaRAT is through a phishing email using a malicious attachment. This attachment is typically in the form or a hta file (HTML Application). When executed by the victim user the hta file drops a script file and a malicious binary payload. The script file opens an online document as a decoy, establishes persistence through Windows startups and restarts the system to execute the malicious binary payload. When the infected system restarts, data such as computer name, operating system, IP address, amount of memory, type of processor, and other information is exfiltrated to the adversary’s command and control (C2) servers. 

 

Post-Execution

 

This article will demonstrate how FortiEDR detects and blocks this malware by analysing its behaviour in simulation mode. In simulation mode, FortiEDR generates events but does not block them, allowing the CetaRAT to fully execute, enabling us to demonstrate the scope of behavioural detections and blocks applied by FortiEDR and the layers of rules that protect defended endpoints.

 

Executing the HTA file

 

The CetaRAT sample analysed in this article is an HTA (HTML Application) file taken from a recent phishing email. Following the delivery of the phishing email, a user is expected to execute the HTA file by double-clicking the attachment. The HTA file is mostly comprised of a large javascript script block that is run when the HTA file is executed. The javascript contains three key sections; firstly, a set of encoded variables containing an executable and a dll, secondly, commands to write and execute a javascript file, “script56.js”, in both the “C:\ProgramData” and “C:\Users\All Users\” directories, and finally, commands to write another javascript file, “script56.js” to the executing users' startup directory (Note. this final section of the code has a syntax error and does not execute correctly).

 

The content of the script dropped in the second section of the HTA javascript is shown below in Figure 1. When executed the script opens “https://ipa.co[.]in/assets/pdfs/Bihar-Regt.pdf” in the users' default browser. After opening the pdf document, the script sleeps for 300000 milliseconds then restarts the system.

 

The content of the dropped script file is shown in Figure 1:

 

mrobson_23-1640648095409.png

Figure 1. The dropped script that opens the online pdf.

 

In this analyzed sample the content of the decoy document is an official memorandum from a government agency that matches up with the content of the phishing email. The use of a quality decoy document in this manner is likely included to decrease a victims suspicion so they don’t realise they have been effectively targeted by a phishing attack.

 

mrobson_1-1640646632166.png

Figure 2. Screenshot of the decoy document opened by the Cetarat script.

 

The third section of the HTA JavaScript aims to create the “script56.js” file in the executing user’s startup directory and write some javascript code to it. The JavaScript responsible for these operations is shown in Figure 3 below. The written javascript contains a hex-encoded URL so when executed this code will send an HTTP GET request to hxxp://newsindia[.]ddns[.]net/hit. This is likely a callback to adversary C2 indicating that a new victim has been compromised and historical web traffic to this domain is a good IOC associated with initial access being successful.

 

mrobson_2-1640646632167.png

Figure 3. JavaScript code from the sample HTA file that writes a separate .js file to the executing users start directory containing code to callback to adversary C2.

 

Analysis of this section of the code identifies a syntax error that prevents the file from being correctly written so this network connection back to the C2 domain does not occur. For this reason, these IOCs have not been included a the end of this article.

 

Loading preBotHta.dll in memory

 

The hta file loads and runs a DLL in memory as preBotHta.dll. The content of preBotHta.dll is stored in the hta file as a base64 memory stream that is serialized on execution. This can be seen in the code snippets in Figures 4 and 5 below.

 

mrobson_3-1640646632170.png

Figure 4. Partially encoded bytes from hta script containing the deserialized preBotHta.dll

 

mrobson_4-1640646632172.png

Figure 5. Code from the hta script that transforms the deserialized preBotHta.dll variables to a memory stream

 

This is an alternative way of loading the DLL into memory and obfuscating its functionality. The use of this deserialization method indicates that the threat actor that generated this hta file likely took advantage of the popular open-source project ‘DotNetToJScript’ project (https://github.com/tyranid/DotNetToJScript) to generate their payload. In this situation, an analyst would typically need to manually deserialise the dll prior to analysing its contents. Fortunately, FortiEDR automatically detects and alerts on the suspicious library load and flags the in-memory execution of an unconfirmed executable. This can be seen in Figure 6 below.

 

mrobson_5-1640646632175.png

Figure 6. An example of an event demonstrating the in-memory execution event flagged by the ‘Unconfirmed Executable’ rule in the Exfiltration Prevention policy. In Protect mode, FortiEDR would have blocked a load of this library, preventing the malware from continuing to execute.

 

Dropping winms.exe

 

Once decoded and executed, the preBotHta.dll drops winms.exe by checking for a list of AV installed in the infected system then decoding the winms.exe file from. The malware checks if "Kaspersky", "Quick", "Avast", "Avira", "Bitdefender", or "WindowsDefender" is active in the system with the ‘PinkAgain’ function (shown below in Figure 7) then drop the “winms.exe” executable in the Startup folder of the compromised host as part of the ‘CopyExeAsTxt’ function (shown below in Figure 8). In this version of CetaRAT, the detection of different AV products does not result in any difference to functionality but previously observed versions of the tool that use the same dll name and the same function names indicate slight differences in functionality when Kaspersky AV is detected. Analysis of these various other CetaRAT versions is outside the scope of this article as the detections and mitigations by FortiEDR are consistent across all observed samples.

 

mrobson_6-1640646632176.png

Figure 7. Code snippet from the preBotHta.dll that shows the dll checking if a specific AV is active

 

mrobson_7-1640646632178.png

Figure 8. Code snippet from the preBotHta.dll that shows the code that drops winms.exe in Startup folder.

 

Persistence

 

As discussed above, the preBotHta.dll drops winms.exe in the startup folder for persistency. It enables winms.exe to run whenever the system restarts. As seen in Figure9 and 10 below, the dropped executable file is signed by a, now invalid, “*.teamviewer.com” certificate.  Signing an executable with a TeamViewer certificate is a method aimed at deceiving security applications such as AVs that might block the execution of executables without certificates.

 

mrobson_24-1640648733666.png

Figure 9. File create the event for winms.exe in the startup folder. Taken from FortiEDR Threat Hunting tool.

 

mrobson_9-1640646632189.png

Figure 10. Certificate details for the winms.exe file dropped by the preBotHta.dll file

 

Malicious File Detected

 

The Execution Prevention rule in FortiEDR is triggered when the malware drops winms.exe in the Startup folder.  Winms.exe was identified as malicious by our machine-learning engine as can be observed in Figure 11 below. If FortiEDR was on Protect mode, execution of this file would have been blocked preventing further adversary activity.

 

mrobson_10-1640646632194.png

mrobson_11-1640646632196.png

Figure 11. File read attempt event triggered when the malware drops winms.exe.

 

Exfiltration

 

On initial execution, CetaRat gathers information about the infected system. Information including computer name, operating system, IP address, amount of memory, type of processor, and other information is collected and stored to later be uploaded to the adversaries C2 server once it successfully connects out. The code snippet in Figure 12 below highlights the responsible code extracted from the winms.exe file.

 

mrobson_12-1640646632197.png

Figure 12. Data for exfiltration is being collated prior to connecting to C2.

 

Remote Commands

 

CetaRat uses the commands shown in the below dictionary taken from inside winms.exe to perform various actions within a compromised host. Some commands demonstrate functionality within the RAT that enables the adversary to exfiltrate data, download updated executable files, and manipulate existing files and processes on the compromised host.

 

mrobson_13-1640646632198.png

Figure 13. Commands are taken from the CetaRAT code (winms.exe) show the functionality available to the adversary using the RAT.

 

Command and Control

 

The malware tries to connect to its C2 domain with IP address: 164[.]68[.]108[.]22; as of this writing, the malware can’t establish a connection to the site. If a connection is successful, the malware will exfiltrate information from the infected system as part of subsequent web requests. The malicious actor will also communicate with the CetaRAT to send instructions to be performed by the malware.

 

mrobson_14-1640646632199.png

Figure 14. Hardcoded C2 IP found within the malware code.

 

mrobson_15-1640646632200.png

Figure 15. TCP stream capture when the malware tries to connect to the C2 domain. In this instance, the connection failed as the adversary C2 is no longer active.

 

FortiEDR detects and blocks the attempted network connection to the malware’s C2 domain IP (164[.]68[.]108[.]22) as shown below in Figure 15. The advanced data section of the main FortiEDr event console can be used to quickly provide context and visually identify anomalous network connections through the ‘Geo Location feature. As shown in the figure below, this hardcoded CetaRAT IP maps to an endpoint located in Germany, likely anomalous for an end-user in India.

 

mrobson_16-1640646632206.png

mrobson_17-1640646632210.png

Figure 16. Network detection events related to attempted C2 communications from the CetaRAT sample

 

mrobson_18-1640646632213.png

Figure 17. Connection is blocked by FortiEDR when the malware tries to connect to the known C2 IP.

 

The Fortinet CTS (Central Threat System), which contains FortiGuard Labs Threat Intelligence feeds, shows that the IP 164[.]68[.]108[.]22 that is accessed by the CetaRAT malware is flagged as a malicious website. Information in this IOC observable through CTS can be seen in the figure below.

 

mrobson_19-1640646632216.png

Figure 18. Fortinet CTS information about the hardcoded CetaRAT C2 address

 

File Service Access Event

 

When winms.exe runs, it tries to run using a specific version of the .NET framework (ver 3.5). If the required .NET framework is not installed, the malware downloads and installs the required .NET framework, triggering the use of Fondue.exe (Windows Features on Demand UX) and OptionalFeatures.exe (Windows Features), both are legitimate Windows executable files.

 

The malware tries to access the Volume Shadow Copy Service (VSSVC.exe) via svchost.exe and terminates the service to prevent backups for modified files. FortiEDR blocks and detects the malware when it tries to access the Volume Shadow Copy Service.

 

 

mrobson_20-1640646632217.png

Figure 19. The malware tries to download .NET Framework ver 3.5 if it is not currently available on the endpoint.

 

mrobson_21-1640646632224.png

mrobson_22-1640646632227.png

Figure 20. File Service Access event triggered when the malware tries to use VSSVC.exe.

 

Threat Hunting

 

To search for dropped script files:

 

 

 

 

Type: ("File Create") AND Source.Process.Name: ("mshta.exe") AND Target.File.Path: ("\\ProgramData\\" OR "\\Users\\All Users\\") AND Target.File.Name: ("script56.js")

 

 

 

 

To search for network connection related to accessing the online decoy document:

 

 

 

 

Type: ("Socket Connect") AND Source.Process.Parent.Path: ("wscript.exe") AND Source.Process.CommandLine: ("\-\-single\-argument https\:\/\/ipa.co.in\/assets\/pdfs\/Bihar\-Regt.pdf")

 

 

 

 

To search for the commandline that triggers the computer restarts:

 

 

 

 

Type: ("Process Termination") AND Source.Process.Parent.Path: ("wscript.exe") AND Source.Process.Name: ("cmd.exe") AND Target.Process.CommandLine: ("\/k shutdown \/r \/t 0")

 

 

 

 

To search for winms.exe in the startup folder(simplified):

 

 

 

 

Type: ("File Create") AND Source.Process.Name: ("mshta.exe") AND Target.File.Name: ("winms.exe") AND Target.File.Path: ("AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup")

 

 

 

 

To search for winms.exe in the startup folder(with MITRE):

 

 

 

 

MITRE.Tactic: ("Persistence") AND MITRE.Techniques.Technique: ("Boot or Logon Autostart Execution\: Registry Run Keys \/ Startup Folder") AND Type: ("File Create") AND Source.Process.Name: ("mshta.exe") AND Target.File.Name: ("winms.exe") AND Target.File.Path: ("AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup")

 

 

 

 

 

MITRE ATT&CK

 

TA0002 - Execution

 

Technique ID

Technique Description

Observed Activity

T1059.005

Command and Scripting Interpreter: Visual Basic

CetaRAT malware contains visual basic code within the hta file.

 

Technique ID

Technique Description

Observed Activity

T1059.007

Command and Scripting Interpreter: JavaScript

CetaRAT malware drops a javascript file to open an online document and to restart the system.

 

TA0005 - Defense Evasion

 

Technique ID

Technique Description

Observed Activity

T1218.005

Signed Binary Proxy Execution: Mshta

CetaRAT malware uses a malicious hta file as the initial stage to infect the system.

 

Technique ID

Technique Description

Observed Activity

T1553.002

Subvert Trust Controls: Code Signing

CetaRAT malware drops winms.exe which is signed with the “*.teamviewer.com” certificate.

 

Technique ID

Technique Description

Observed Activity

T1036.001

Masquerading: Invalid Code Signature

CetaRAT malware drops winms.exe which is signed with the “*.teamviewer.com” certificate.

 

Technique ID

Technique Description

Observed Activity

T1140

Deobfuscate/Decode Files or Information

CetaRAT malware uses base64 encoding to hide the content of preBotHta.dll.

 

Technique ID

Technique Description

Observed Activity

T1564.003

Hide Artifacts: Hidden Window

CetaRAT malware hides the window when it executes the original hta file.

 

TA0010 - Exfiltration

 

Technique ID

Technique Description

Observed Activity

T1041

Exfiltration Over C2 Channel

CetaRAT malware may steal data such as computer name, operating system, IP address, amount of memory, type of processor, and other information.

 

TA0003 - Persistence

 

Technique ID

Technique Description

Observed Activity

T1547.001

Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

CetaRAT malware drops winms.exe to %Appdata%\Roaming\Microsoft\Windows\Start Menu\Programs\Startup folder.

 

TA0040 - Impact

 

Technique ID

Technique Description

Observed Activity

T1490

Inhibit System Recovery

CetaRAT malware terminates the VSSVC.exe to disable the creation of volume shadow copies.

 

TA0011 – Command and Control

 

Technique ID

Technique Description

Observed Activity

T1071.001

Application Layer Protocol: Web Protocols

Malware author controlling CetaRat uses Command and Control server to send commands to CetaRat malware.

 

IOCs

 

Indicator Description

Indicator

Indicator Type

Associated Tactic

Notes

Hta file

54b25d5e1841d538d0cebc046a858b699abe432b

SHA1 Hash

Initial Access

Malicious hta file analyzed in this article.

 

tlsh:T12094F1B0B4E33D7717EACD5321B8D6346DB46C8B934EBA14C131BBD04AC1A644FE991A

css27.hta

ef97dd8cbccf104ea73bfc28a0768f7c9bcef168

SHA1 Hash

Initial Access

Similar hta file identified by pivoting from initial sample tlsh

tlsh:T12094F1B0B4E33D7717EACD5321B8D6346DB46C8B934EBA14C131BBD04AC1A644FE991A

file.hta

a4258b2882e2bde4b14f121d84504eb527edf05d

SHA1 Hash

Initial Access

Similar hta file identified by pivoting from initial sample tlshtlsh:T12094F1B0B4E33D7717EACD5321B8D6346DB46C8B934EBA14C131BBD04AC1A644FE991A

winms.exe

f458a468595911d6a3a270096ee5c096a95c8fd2

SHA1 Hash

Execution

Dropped executable file

 

vhash:21403655151130051890021

Update.exe

0897a4c258f8b0260487e50a7793ec938da578a2

SHA1 Hash

Execution

Similar executable file identified by pivoting from initial sample

vhash:21403655151130051890021

C2 IP

173.249.41[.]175

IP Address

Command and Control

From CTS

C2 IP

109.236.85[.]152

IP Address

Command and Control

From CTS

C2 IP

164.68.108[.]22

IP Address

Command and Control

CetaRat C2

C2 IP

167.86.75[.]119

IP Address

Command and Control

From CTS

C2 IP

207.180.230[.]63

IP Address

Command and Control

From CTS

C2 IP

161.97.142[.]96

IP Address

Command and Control

From CTS

C2 IP

164.68.104[.]126

IP Address

Command and Control

From CTS

C2 domain

hxxp://newsindia[.]ddns[.]net/hit

domain

Command and Control

From analyzed hta file. Note that the code had errors so this domain was never reached so this is not a strong IOC for the analyzed sample but has been included for completeness.

 

 

[1] Operation SideCopy – https://www.seqrite.com/documents/en/white-papers/Seqrite-WhitePaper-Operation-SideCopy.pdf

Contributors