Parasite HTTP RAT loaded with advanced detection evasion capability

July 29th, 2018 Waqas Security, Malware 0 comments
Proofpoint researchers have discovered a new remote access Trojan (RAT) as well as an updated version of an already identified banking Trojan, and they report that both RATs are being used in recently detected phishing campaigns targeting the retail, healthcare and IT industries. The phishing emails carry MS Word attachments whose hidden malicious macros download the RAT from a remote server.

The new banking trojan is a modular program dubbed Parasite HTTP, and it is currently on sale on dark web marketplaces. Parasite HTTP offers a wide array of new features, including anti-emulation, sandbox detection and anti-debugging, to name a few.

See: Facebook password stealer; hacking the attacker rather than the victim

Meanwhile, the upgraded RAT is an advanced version of the previously detected Kronos banking Trojan, which according to federal prosecutors was developed by the WannaCry hero Marcus Hutchins. Proofpoint also notes that after successfully compromising a device, Parasite HTTP can be further extended through its modular structure by loading additional modules. (Read our latest post on the new variant of the Kronos banking trojan spotted using the Tor network).

According to Proofpoint’s blog post, Parasite HTTP is written in C and has a small size of only 49kb, and it is marketed on underground forums as a program with no dependencies. It resolves API calls dynamically, stores its strings encrypted and communicates with a dedicated, secure C&C panel written in PHP. The malware’s communications are encrypted, and it has the ability to bypass firewalls.

Moreover, the malware works with a series of plugins, including user management, FTP password recovery, browser password recovery, IM password recovery, email password recovery, a reverse SOCKS5 proxy, hidden VNC and Windows license key recovery.

Along with string obfuscation, Parasite HTTP has a sleep routine that delays its execution while checking whether its exception handler actually ran and how much time elapsed across the routine’s 1-second sleep splits, which lets it detect sandboxes and emulators that skip or shorten sleeps. For sandbox detection, Parasite HTTP reuses code from a public repository and, in addition to throwing an error, can determine the reason why it crashed.

Proofpoint researchers noted:

Parasite HTTP also contains a bug caused by its manual implementation of a GetProcAddress API that results in the clearing code not executing.

The malware creates its registry values on Windows 7 and later by resolving critical APIs, and it uses a process injection method that most malware families do not employ. It also includes an obscured check for debugger breakpoints within its own code range and can remove hooks from various DLLs.

See: SpyNote Trojan (RAT); Yet Another Bad News for Android Users

However, it only restores the first 5 bytes of the original function, which may cause a crash if a sandbox uses a 6-byte indirect jump for its hooks. This shows that malware developers are continually innovating to keep their malware from being detected in the sandboxes used by automated anti-malware systems.
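The 5-byte versus 6-byte hook problem described above, worked through from the sandbox’s side as an added example (not code from the article or from Proofpoint): a monitor that knows both the pristine prologue bytes and the hook it wrote can tell an intact hook from a clean restore, and can flag the partial overwrite that a fixed 5-byte restore leaves over a 6-byte hook. All byte values are constructed for illustration, not taken from any real DLL.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed sample of a typical x86 API prologue (mov edi,edi; push ebp;
 * mov ebp,esp; sub esp,0x10). Hypothetical bytes, not from any real DLL. */
static const uint8_t ORIGINAL[8] = {0x8B,0xFF,0x55,0x8B,0xEC,0x83,0xEC,0x10};

/* Two hook shapes a sandbox monitor might install (constructed here):
 * a 5-byte relative jmp (E9 rel32) and a 6-byte indirect jmp (FF 25 disp32). */
static const uint8_t HOOK_REL5[5] = {0xE9,0x11,0x22,0x33,0x44};
static const uint8_t HOOK_IND6[6] = {0xFF,0x25,0x11,0x22,0x33,0x44};

enum prologue_state { PROLOGUE_ORIGINAL, PROLOGUE_HOOKED, PROLOGUE_TAMPERED };

/* Sandbox-side integrity check: the in-memory bytes must match either the
 * hook the monitor wrote or the pristine prologue. Anything else is a partial
 * overwrite, which is exactly what a 5-byte restore over a 6-byte hook leaves
 * behind (and what will later crash when the half-patched jmp executes). */
enum prologue_state classify_prologue(const uint8_t *mem, size_t n,
                                      const uint8_t *hook, size_t hook_len) {
    if (memcmp(mem, hook, hook_len) == 0) return PROLOGUE_HOOKED;
    if (memcmp(mem, ORIGINAL, n) == 0)    return PROLOGUE_ORIGINAL;
    return PROLOGUE_TAMPERED;
}

/* Simulate the sequence from the article: the sandbox installs its hook, then
 * the sample copies back a fixed number of original bytes (5, per the report). */
enum prologue_state simulate(const uint8_t *hook, size_t hook_len, size_t restore_len) {
    uint8_t mem[sizeof ORIGINAL];
    memcpy(mem, ORIGINAL, sizeof mem);    /* clean function in memory   */
    memcpy(mem, hook, hook_len);          /* monitor installs its hook   */
    memcpy(mem, ORIGINAL, restore_len);   /* fixed-length "unhook"       */
    return classify_prologue(mem, sizeof mem, hook, hook_len);
}

int main(void) {
    static const char *name[] = {"original", "hooked", "tampered"};
    printf("5-byte hook, 5-byte restore: %s\n", name[simulate(HOOK_REL5, 5, 5)]);
    printf("6-byte hook, 5-byte restore: %s\n", name[simulate(HOOK_IND6, 6, 5)]);
    printf("6-byte hook, no restore:     %s\n", name[simulate(HOOK_IND6, 6, 0)]);
    return 0;
}
```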

Waqas

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in the cyber security and tech world. I am also into gaming, reading and investigative journalism.