Researchers are tracking a remote access trojan (RAT) on underground markets that, so far, has only been attributed to one small malicious email campaign. However, the RAT, dubbed Parasite HTTP by the Proofpoint researchers that discovered it, has an impressive list of sophisticated features – raising concerns over future attacks.
The ad for the malware on the Dark Web reads, “Parasite HTTP is a professionally coded modular remote administration tool for windows written in C that has no dependencies except the OS itself. With the stub size of ~49KB and plugin support it presents perfect solution for controlling large amount of computers from a remote location.”
Like most RATs, Parasite HTTP offers extensive information-stealing capabilities, VNC for unobtrusively observing or controlling a PC and user management for bypassing permissions. It also advertises capabilities such as firewall bypass, optional system-wide persistence and injection to white-listed system processes. And, like legitimate software, Parasite HTTP includes administrator perks, like backups, analysis views and activity statistics, a secure log-in page with CAPTCHA, an advanced task management system and password recovery. It also features encryption for its C2 communications.
Where it really shines though is with an array of sandbox detection, anti-debugging, anti-emulation and other protections for evading detection and analysis.
“Threat actors and malware authors continuously innovate in their efforts to evade defenses and improve infection rates,” Proofpoint researchers said in a posting on Wednesday. “Parasite HTTP provides numerous examples of state-of-the-art techniques used to avoid detection in sandboxes and via automated anti-malware systems.”
The malware is also modular in nature, allowing actors to add new capabilities as they become available or download additional modules post-infection.
Sherrod DeGrippo, director of emerging threats for Proofpoint, told Threatpost that having so many techniques aggregated in a single piece of commodity malware marks a new chapter in bad code.
“We frequently see one or more of these techniques appear in a variety of malware, but for all of them to appear in a single piece of malware, readily available for sale on underground forums, is unusual,” he explained.
The spam campaign that served as the RAT’s coming-out party was fairly straightforward, according to Proofpoint. It targeted the IT, healthcare and retail industries, using HR distribution lists and Word document attachments purporting to be resumes and CVs. Once opened, the documents used weaponized macros to fetch Parasite HTTP from a remote site.
While the attack vector is familiar, Parasite HTTP should put the security community on notice, researchers said.
“For consumers, organizations and defenders, this represents the latest escalation in an ongoing malware arms race that extends even to commodity malware like Parasite,” they wrote. “While we have currently only observed Parasite HTTP in a small campaign, we expect to see features like those used in Parasite continue to propagate across other malware variants.”
DeGrippo told us, “A fairly robust RAT that is difficult to detect, utilizes sophisticated anti-analysis features, and is also readily available for purchase means that both defenders and organizations need to implement dynamic detection capabilities that incorporate deep threat intelligence to stay ahead of the curve.”
State-of-the-Art Evasion Techniques
The researchers detailed several of Parasite HTTP’s most interesting evasion attributes, including obfuscated strings, sandbox evasion via sleep manipulation, the use of researcher code from Github for sandbox detection and others.
When it comes to obfuscated strings of code, Parasite HTTP contains four routines, preceded by a 6-byte header.
“For each type of string, ASCII or Unicode, one variant leaves the obfuscated string in place and returns a dynamically-allocated, deobfuscated version of the string,” researchers said. “The other variant uses VirtualProtect to deobfuscate the string in place, setting the XOR key to 0 after the deobfuscation has been performed, which effectively skips deobfuscation during future access to the string.”
Parasite HTTP also uses a sleep routine to delay execution and check for sandboxes or emulation. It sleeps in 10-millisecond intervals, while detecting sandbox environments by checking for the passage of time and non-interference with its own handling of breakpoint instructions
“The sandbox-checking routine…checks whether between 900 milliseconds and two seconds elapsed in response to the routine’s one-second sleep, split into 10ms increments,” researchers explained. “Sandboxes using code like that available in [Github] for example, would have run afoul of this particular sandbox check.”
Parasite HTTP adapts code from Github for its own sandbox detection purposes. The code is copied verbatim, with the API resolution replaced with its own internal code, the prints removed, and the file and environment variable names generated randomly, the analysts said. Meanwhile, when Parasite HTTP actually does detect a sandbox, it doesn’t make any sudden moves that might tip off researchers.
“It does not simply exit or throw an error, instead making it difficult for researchers to determine why the malware did not run properly and crashed,” researchers said. “Parasite HTTP uses its sandbox detection in a clever way to result in a later crash, on attempting to use a buffer whose allocation was skipped.”
Meanwhile, Parasite HTTP resolves certain critical APIs by using a DLL remapping technique to hide behaviors like process injection.
“While previously documented, [the technique] has not, to our knowledge, been used recently in other major malware families,” according to Proofpoint.
In its initial process, Parasite HTTP removes hooks on the aforementioned DLLs by reading them in from disk and comparing the first five bytes of each exported function to that present in the currently mapped version in memory. This allows its activities to be quiet.
“Though this technique is naive in its implementation, not making use of any instruction decoder and limiting itself to five hardcoded bytes, it is effective in practice,” the researchers noted. “Mapping the new copy of NTDLL effectively provides it with a copy free of any hooks placed on the initial NTDLL mapping, rendering its thread injection and registry modifications invisible to most users and hooking implementations. Further, since this mapping is accomplished with NtOpenSection and NtMapViewOfSection, it will not involve the typical calls to filesystem APIs used by other variants of the technique to achieve the same goal.”
And finally, it features obfuscated checking for breakpoints within critical functions, using additional code from GitHub.
“This functionality is only used in one location to check a single function in the malware that calls out to the sandbox detection,” researchers said. They added that on this front, the RAT isn’t fully baked.
“It is worth noting that this technique is naive and unreliable long-term over arbitrary code, as unintentional 0xcc bytes can be found in a simple byte-by-byte scan of code through certain instruction encodings, local stack frame offsets, relative references, indirect addresses or immediate constants,” they said.