Details have come to light about a new remote access Trojan called uWarrior that arrives embedded in a rigged .RTF document.
Researchers with Palo Alto Networks’ research division, Unit 42, described the malware and how it appears to have emanated from an “unknown actor of Italian origin,” in a blog post on Monday. Researchers warn that even though the RAT appears to “borrow components from several off-the-shelf tools,” the malware is “fully featured” and when it comes to exploitation, “the combination of methods and affected code is both new and complex.”
The malware exploits two older remote code execution bugs, CVE-2012-1856 and CVE-2015-1770. The former, which affected the Microsoft Windows Common Controls library MSCOMCTL.OCX back in 2012, is apparently back and is now triggered using a novel return-oriented programming (ROP) chain to bypass ASLR, Palo Alto claims.
According to the quartet of researchers who wrote an analysis of the malware, Brandon Levene, Robert Falcone, Tomer Bar and Tom Keigher, the weaponized .RTF document contains multiple OLE objects that can be used to carry out exploitation.
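Because the dropper described above is an RTF file carrying several embedded OLE objects, a defender's first triage step is usually to enumerate those objects before opening the document at all. The following Python script is an added example, not code from the original article or from Unit 42's analysis: it walks the RTF group structure, pulls out every `\object` group with its `\objclass` name and the byte length of its `\objdata` payload, and flags documents that carry more than one embedded object. The sample RTF is constructed for the demo and is not a real uWarrior dropper; the "Package" heuristic is an assumption of this example (Package objects are a common way to embed an arbitrary file in a document), not something the article states.

```python
import re

# Constructed sample: a minimal RTF with one text paragraph and two embedded
# OLE objects. The objdata hex is dummy bytes, not a real exploit payload.
SAMPLE_RTF = (
    r"{\rtf1\ansi\deff0{\fonttbl{\f0 Times New Roman;}}"
    r"\pard Invoice attached.\par"
    r"{\object\objemb{\*\objclass Word.Document.8}{\*\objdata 0105000002000000}}"
    r"{\object\objemb{\*\objclass Package}{\*\objdata 01050000020000000d000000}}"
    r"}"
)

OBJECT_RE = re.compile(r"\{\\object\b")          # start of an embedded object group
CLASS_RE = re.compile(r"\\objclass\s*([^}\\]+)")  # OLE class name, e.g. Word.Document.8
DATA_RE = re.compile(r"\\objdata\s*([0-9A-Fa-f\s]+)")  # hex-encoded object payload


def _group_end(text, start):
    """Return the index just past the RTF group whose '{' sits at text[start].

    Braces escaped with a backslash (\\{ and \\}) do not open or close groups,
    so any character following a backslash is skipped.
    """
    depth = 0
    i = start
    while i < len(text):
        c = text[i]
        if c == "\\":
            i += 2
            continue
        if c == "{":
            depth += 1
        elif c == "}":
            depth -= 1
            if depth == 0:
                return i + 1
        i += 1
    return len(text)


def find_ole_objects(rtf):
    """List every embedded OLE object in an RTF string with class and payload size."""
    objects = []
    for m in OBJECT_RE.finditer(rtf):
        end = _group_end(rtf, m.start())
        group = rtf[m.start():end]
        cls = CLASS_RE.search(group)
        data = DATA_RE.search(group)
        hexdata = re.sub(r"\s+", "", data.group(1)) if data else ""
        objects.append({
            "offset": m.start(),
            "objclass": cls.group(1).strip() if cls else None,
            "data_bytes": len(hexdata) // 2,
        })
    return objects


def assess(rtf):
    """Summarise the embedded objects and raise simple triage flags."""
    objs = find_ole_objects(rtf)
    classes = [o["objclass"] for o in objs]
    return {
        "object_count": len(objs),
        "classes": classes,
        # A document with several embedded objects deserves a closer look.
        "multiple_ole_objects": len(objs) > 1,
        # Assumed heuristic: Package objects can wrap arbitrary files.
        "has_package": "Package" in classes,
    }


if __name__ == "__main__":
    for obj in find_ole_objects(SAMPLE_RTF):
        print(obj)
    print(assess(SAMPLE_RTF))
```

Run it against a suspicious `.rtf` by reading the file as text (RTF is 7-bit ASCII by specification) and passing the string to `assess`; a result with `multiple_ole_objects` set is a reasonable trigger for sandbox detonation or a full parse with a dedicated OLE tool.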
Following exploitation, the researchers claim a payload is downloaded to the system, executed, and then uWarrior is copied to another location on the system, logging its activities all the while to a local file. From there the malware communicates with a command and control server via a compressed, encrypted, raw TCP socket and binary message protocol.
As the researchers acknowledge in their writeup, the uWarrior RAT appears to borrow bits and pieces from another RAT called ctOS, which bills itself as having “more features than any other RAT on the market.” Both RATs “contain similar configuration structures,” as well as several functions, code and even Italian-language strings, which is why the researchers deduce it may have originated in Italy.
“These Italian strings are part of PDB paths and are prevalent throughout .net manifest data. This lends additional strength to the linkage between ctOS and uWarrior, as the former’s control panel demos are also in Italian,” the researchers write.
A debugging symbol path found in the sample the researchers looked at included “UtilityWarrior.pdb,” which is why they believe the malware’s author refers to the RAT as uWarrior.
Researchers with Fortinet also spotted the RAT making the rounds and have a slightly different take, suggesting the RAT’s author may have created the malware for another hacker and that the two may have a loose connection to the AlienSpy RAT.
While AlienSpy has been taken offline, many of the campaigns that previously used the RAT have moved on to Jsocket, another commercial subscription-based RAT.
Still, Roland Dela Paz, a researcher with the firm, wrote Monday that he’s seen several AlienSpy RATs using the same IP address that uWarrior points to as a C&C server.
Paz goes full-on sleuth and traces a handful of leads, eventually arriving at the idea that uWarrior may have been coded by an Italian boy, Edoardo, a.k.a. Dodosky, for an amateur Nigerian hacker whom they refer to as “Pawan.” Like Palo Alto, Fortinet researchers note that uWarrior was seemingly compiled in Visual Basic, likely in Italian. Paz believes that “Pawan,” who previously expressed interest in hiring a RAT developer on a forum, has used several other commercial RATs in the past, in addition to uWarrior and AlienSpy, including some that are signed.