Proofpoint researchers have discovered a new remote access Trojan (RAT) as well as an updated version of an already identified banking Trojan, and say that both are being delivered in recently detected phishing campaigns targeting the retail, healthcare and IT industries. The emails carry MS Word attachments containing hidden malicious macros that download the RAT from a remote server.
The new banking Trojan is a modular program dubbed Parasite HTTP, and it is currently on sale on Dark Web marketplaces. Parasite HTTP offers a wide array of new features, including anti-emulation, sandbox detection and anti-debugging, to name a few.
The upgraded RAT, meanwhile, is an advanced version of the previously detected Kronos banking Trojan, which according to federal prosecutors was developed by the WannaCry hero Marcus Hutchins. It is also claimed that, after successfully compromising a device, Parasite HTTP's modular structure lets its operators extend it with newer modules. (Read our latest post on the new variant of the Kronos banking Trojan spotted using the Tor network.)
According to Proofpoint's blog post, Parasite HTTP is written in C and is only 49kb in size, and it is being marketed on underground forums as a program with no dependencies. It supports dynamic API calls, contains encrypted strings and communicates with a dedicated C&C panel written in PHP. The malware's communications are encrypted, and it is advertised as being able to bypass firewalls.
Moreover, the malware works with a series of plugins including user management, FTP password recovery, browser password recovery, IM password recovery, Email password recovery, Reverse Socks5 proxy, Hidden VNC, and Windows License Keys recovery.
Along with string obfuscation, Parasite HTTP has a sleep routine that delays its execution: the routine splits a 1-second sleep into parts, checks whether an exception handler was executed and measures how much time actually elapsed, which lets it detect sandboxes and emulators that skip or shorten sleeps. Its sandbox-detection code is taken from a public repository, and when a check fails the malware can determine why it crashed rather than simply throwing an error.
Proofpoint researchers noted:
Parasite HTTP also contains a bug caused by its manual implementation of a GetProcAddress API that results in the clearing code not executing.
The malware can create its registry values on Windows 7 and later by resolving critical APIs at runtime, and it uses a process injection method that is not commonly seen in other malware families. It also includes an obscured check for debugger breakpoints within its own code range and can remove hooks from various DLLs.
However, it only restores the first 5 bytes of each hooked function's original code, which may result in a crash if a sandbox uses a 6-byte indirect jump for its hooks. This clearly shows that malware developers are continually innovating to keep their code from being detected in the sandboxes used by automated anti-malware systems.
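To make the 5-byte versus 6-byte mismatch concrete for sandbox and EDR engineers, here is an added C simulation (not code from Proofpoint, Hackread or the malware). It models an 8-byte prolog of a hooked API, overwrites it with either a 5-byte relative jump (E9 rel32) or a 6-byte indirect jump (FF 25 disp32), then applies the "restore only the first 5 bytes" unhooking the article describes and counts how many bytes of the prolog are still corrupted; the prolog bytes and jump targets are constructed placeholders.

```c
#include <stdint.h>
#include <string.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed stand-in for a typical 32-bit API prolog:
   mov edi,edi; push ebp; mov ebp,esp; sub esp,0x10 */
static const uint8_t ORIGINAL_PROLOG[8] =
    {0x8B, 0xFF, 0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10};

/* Hook style 1: 5-byte relative jump (E9 rel32). */
static void hook_rel_jmp5(uint8_t *code, int32_t rel) {
    code[0] = 0xE9;
    memcpy(code + 1, &rel, sizeof rel);
}

/* Hook style 2: 6-byte indirect jump (FF 25 disp32). */
static void hook_ind_jmp6(uint8_t *code, int32_t disp) {
    code[0] = 0xFF;
    code[1] = 0x25;
    memcpy(code + 2, &disp, sizeof disp);
}

/* The unhooking behaviour described in the article: only the first
   5 original bytes are written back, whatever the hook length was. */
static void unhook_first5(uint8_t *code) {
    memcpy(code, ORIGINAL_PROLOG, 5);
}

/* Number of prolog bytes that still differ from the original after unhooking.
   Any non-zero result means execution would run into a corrupted instruction. */
static int residual_bytes(const uint8_t *code) {
    int diff = 0;
    for (int i = 0; i < 8; i++) diff += (code[i] != ORIGINAL_PROLOG[i]);
    return diff;
}

/* Apply one hook style, run the 5-byte restore, and report the damage left behind. */
int simulate(bool six_byte_hook) {
    uint8_t code[8];
    memcpy(code, ORIGINAL_PROLOG, sizeof code);
    if (six_byte_hook) hook_ind_jmp6(code, 0x11223344); /* placeholder displacement */
    else               hook_rel_jmp5(code, 0x11223344); /* placeholder rel32 */
    unhook_first5(code);
    return residual_bytes(code);
}

int main(void) {
    printf("5-byte hook, 5-byte restore: %d corrupted byte(s)\n", simulate(false));
    printf("6-byte hook, 5-byte restore: %d corrupted byte(s)\n", simulate(true));
    return 0;
}
```

The 6-byte case leaves the last byte of the hook's displacement in place of the original opcode at offset 5, which is exactly the partial-instruction state that causes the crash the researchers describe.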