Highly Sophisticated Parasite RAT Emerges on the Dark Web

Cardinal RAT

This brand-new RAT represents the latest escalation in an ongoing malware arms race that extends even to commodity malware.

Researchers are tracking a remote access trojan (RAT) on underground markets that, so far, has only been attributed to one small malicious email campaign. However, the RAT, dubbed Parasite HTTP by the Proofpoint researchers that discovered it, has an impressive list of sophisticated features – raising concerns over future attacks.

The ad for the malware on the Dark Web reads, “Parasite HTTP is a professionally coded modular remote administration tool for windows written in C that has no dependencies except the OS itself. With the stub size of ~49KB and plugin support it presents perfect solution for controlling large amount of computers from a remote location.”

Like most RATs, Parasite HTTP offers extensive information-stealing capabilities, VNC for unobtrusively observing or controlling a PC and user management for bypassing permissions. It also advertises capabilities such as firewall bypass, optional system-wide persistence and injection to white-listed system processes. And, like legitimate software, Parasite HTTP includes administrator perks, like backups, analysis views and activity statistics, a secure log-in page with CAPTCHA, an advanced task management system and password recovery. It also features encryption for its C2 communications.

Where it really shines though is with an array of sandbox detection, anti-debugging, anti-emulation and other protections for evading detection and analysis.

“Threat actors and malware authors continuously innovate in their efforts to evade defenses and improve infection rates,” Proofpoint researchers said in a posting on Wednesday. “Parasite HTTP provides numerous examples of state-of-the-art techniques used to avoid detection in sandboxes and via automated anti-malware systems.”

The malware is also modular in nature, allowing actors to add new capabilities as they become available or download additional modules post-infection.

Sherrod DeGrippo, director of emerging threats for Proofpoint, told Threatpost that having so many techniques aggregated in a single piece of commodity malware marks a new chapter in bad code.

“We frequently see one or more of these techniques appear in a variety of malware, but for all of them to appear in a single piece of malware, readily available for sale on underground forums, is unusual,” he explained.

The spam campaign that served as the RAT’s coming-out party was fairly straightforward, according to Proofpoint. It targeted the IT, healthcare and retail industries, using HR distribution lists and Word document attachments purporting to be resumes and CVs. Once opened, the documents used weaponized macros to fetch Parasite HTTP from a remote site.

While the attack vector is familiar, Parasite HTTP should put the security community on notice, researchers said.

“For consumers, organizations and defenders, this represents the latest escalation in an ongoing malware arms race that extends even to commodity malware like Parasite,” they wrote. “While we have currently only observed Parasite HTTP in a small campaign, we expect to see features like those used in Parasite continue to propagate across other malware variants.”

DeGrippo told us, “A fairly robust RAT that is difficult to detect, utilizes sophisticated anti-analysis features, and is also readily available for purchase means that both defenders and organizations need to implement dynamic detection capabilities that incorporate deep threat intelligence to stay ahead of the curve.”

The researchers detailed several of Parasite HTTP’s most interesting evasion attributes, including obfuscated strings, sandbox evasion via sleep manipulation, the use of researcher code from Github for sandbox detection and others.

When it comes to obfuscated strings of code, Parasite HTTP contains four routines, preceded by a 6-byte header.

“For each type of string, ASCII or Unicode, one variant leaves the obfuscated string in place and returns a dynamically-allocated, deobfuscated version of the string,” researchers said. “The other variant uses VirtualProtect to deobfuscate the string in place, setting the XOR key to 0 after the deobfuscation has been performed, which effectively skips deobfuscation during future access to the string.”

Parasite HTTP also uses a sleep routine to delay execution and check for sandboxes or emulation. It sleeps in 10-millisecond intervals, while detecting sandbox environments by checking for the passage of time and non-interference with its own handling of breakpoint instructions

“The sandbox-checking routine…checks whether between 900 milliseconds and two seconds elapsed in response to the routine’s one-second sleep, split into 10ms increments,” researchers explained. “Sandboxes using code like that available in [Github] for example, would have run afoul of this particular sandbox check.”

Parasite HTTP adapts code from Github for its own sandbox detection purposes. The code is copied verbatim, with the API resolution replaced with its own internal code, the prints removed, and the file and environment variable names generated randomly, the analysts said. Meanwhile, when Parasite HTTP actually does detect a sandbox, it doesn’t make any sudden moves that might tip off researchers.

“It does not simply exit or throw an error, instead making it difficult for researchers to determine why the malware did not run properly and crashed,” researchers said. “Parasite HTTP uses its sandbox detection in a clever way to result in a later crash, on attempting to use a buffer whose allocation was skipped.”

Meanwhile, Parasite HTTP resolves certain critical APIs by using a DLL remapping technique to hide behaviors like process injection.

“While previously documented, [the technique] has not, to our knowledge, been used recently in other major malware families,” according to Proofpoint.

In its initial process, Parasite HTTP removes hooks on the aforementioned DLLs by reading them in from disk and comparing the first five bytes of each exported function to that present in the currently mapped version in memory. This allows its activities to be quiet.

“Though this technique is naive in its implementation, not making use of any instruction decoder and limiting itself to five hardcoded bytes, it is effective in practice,” the researchers noted. “Mapping the new copy of NTDLL effectively provides it with a copy free of any hooks placed on the initial NTDLL mapping, rendering its thread injection and registry modifications invisible to most users and hooking implementations. Further, since this mapping is accomplished with NtOpenSection and NtMapViewOfSection, it will not involve the typical calls to filesystem APIs used by other variants of the technique to achieve the same goal.”

And finally, it features obfuscated checking for breakpoints within critical functions, using additional code from GitHub.

“This functionality is only used in one location to check a single function in the malware that calls out to the sandbox detection,” researchers said. They added that on this front, the RAT isn’t fully baked.

“It is worth noting that this technique is naive and unreliable long-term over arbitrary code, as unintentional 0xcc bytes can be found in a simple byte-by-byte scan of code through certain instruction encodings, local stack frame offsets, relative references, indirect addresses or immediate constants,” they said.

Suggested articles

It’s Not the Trump Sex Tape, It’s a RAT

Criminals are using the end of the Trump presidency to deliver a new remote-access trojan (RAT) variant disguised as a sex video of the outgoing POTUS, researchers report.


  • Aga Radon on

    Does this Parasite Http have anything to do with Google Chrome marking sites without httpS as insecure?
    • Tara Seals on

      No, it's a separate issue. The name is simply what the malware is advertised as in the Dark Web.
  • MSF contributor on

    The PE unhooking technique has been in the wild for a while... Even meterpreter has had it in a pull request for a year or so. Antidebugging in the wild has also been much more sophisticated for a few years now, time checks are for kids and 2013 evasions. The rise in sophistication is not an arms race in the sense that one power advances the state of art in leaps and bounds, but the sharing of code/function in the Open Source world of red team. Defensive vendors on the other hand hoard technology and bicker while red team low crawls circles around the blue folks. Its not an arms race when you compare red/blue capabilities in real world production environments. Its a beat-down on a good day for defenders. The military version of this practice is called "combined arms" - every asset has every other asset on tap.
  • Deltron on

    Hello, I have a question. What is a stub size? In the article it said "With the stub size of ~49kb." Also a quick follow up question, is this kilobits? Typically I see Kb for kilobits but with a lower case k I was unsure, not to mention most programs I thought were measured in Bytes not bits so should that be a capital B? Sorry for my ignorance, just trying to learn!
    • Tara Seals on

      Hi there! So, a stub is a simple program responsible for decrypting the payload and executing it. And it's kilobytes -- you're correct about the capitalization!

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.