Researchers Uncover New Italian RAT uWarrior

Details have come to light about a new remote access Trojan called uWarrior that arrives embedded in a rigged .RTF document.

Researchers with Palo Alto Networks’ research division, Unit 42, described the malware and how it appears to have emanated from an “unknown actor of Italian origin,” in a blog post on Monday. Researchers warn that even though the RAT appears to “borrow components from several off-the-shelf tools,” the malware is “fully featured” and when it comes to exploitation, “the combination of methods and affected code is both new and complex.”

The malware includes exploits for two old remote code execution bugs, CVE-2012-1856 and CVE-2015-1770. The former, which affected the Microsoft Windows Common Controls MSCOMCTL.OCX back in 2012, is apparently back and using a novel return-oriented programming (ROP) chain to bypass ASLR, Palo Alto claims.

According to the quartet of researchers who wrote an analysis of the malware, Brandon Levene, Robert Falcone, Tomer Bar and Tom Keigher, the weaponized .RTF document contains multiple OLE objects that can be used to carry out exploitation.
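A triage sketch for the embedded OLE objects mentioned above, added here as an example (it is not code from Palo Alto Networks or the original article): it lists each `\objdata` group in an RTF file and reads the OLE 1.0 class name from its header. The `MSComctlLib.` watch prefix, the function names and the sample document are assumptions constructed for illustration.

```python
import re
import struct

WATCH_PREFIX = "MSComctlLib."          # assumption: ProgID prefix of MSCOMCTL.OCX controls
OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")

def _lp_string(buf, off):
    """Length-prefixed ANSI string: 4-byte LE length (NUL included), then bytes."""
    (n,) = struct.unpack_from("<I", buf, off)
    return buf[off + 4:off + 4 + n].rstrip(b"\x00").decode("latin-1"), off + 4 + n

def list_ole_objects(rtf: bytes):
    """Return one record per \\objdata group: class name, payload size, flags."""
    records = []
    for m in re.finditer(rb"\\objdata([^{}]*)", rtf):
        # Keep hex digits only. Nested groups or junk control words inside the
        # data (a common obfuscation) are not handled by this simple scan.
        digits = re.sub(rb"[^0-9A-Fa-f]", b"", m.group(1))
        blob = bytes.fromhex(digits[:len(digits) & ~1].decode("ascii"))
        rec = {"offset": m.start(), "class": None, "native_size": None,
               "ole2": False, "watch": False}
        try:
            off = 8                                  # skip OLEVersion + FormatID
            rec["class"], off = _lp_string(blob, off)
            _, off = _lp_string(blob, off)           # TopicName
            _, off = _lp_string(blob, off)           # ItemName
            (rec["native_size"],) = struct.unpack_from("<I", blob, off)
            rec["ole2"] = blob[off + 4:off + 12] == OLE2_MAGIC
            rec["watch"] = rec["class"].startswith(WATCH_PREFIX)
        except struct.error:
            pass                                     # truncated or malformed header
        records.append(rec)
    return records

def _ole1(cls: bytes, native: bytes) -> bytes:
    """Build a constructed OLE 1.0 embedded-object header plus payload."""
    name = cls + b"\x00"
    return (struct.pack("<III", 0x501, 2, len(name)) + name +
            struct.pack("<III", 0, 0, len(native)) + native)

# Constructed sample: an RTF shell with two harmless embedded objects.
SAMPLE = (b"{\\rtf1{\\object\\objemb{\\*\\objdata " + _ole1(b"Package", b"hello").hex().encode()
          + b"}}{\\object\\objocx{\\*\\objdata "
          + _ole1(b"MSComctlLib.Example.1", OLE2_MAGIC + bytes(8)).hex().encode() + b"}}}")

if __name__ == "__main__":
    for r in list_ole_objects(SAMPLE):
        print(r)
```

A record with `watch` set, or several objects in one document, is a reason to escalate the file to sandboxing rather than a verdict on its own.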

Following exploitation, the researchers claim a payload is downloaded to the system, executed, and then uWarrior is copied to another location on the system, logging its activities all the while to a local file. From there the malware communicates with a command and control server via a compressed, encrypted, raw TCP socket and binary message protocol.

As the researchers acknowledge in their writeup, the uWarrior RAT appears to borrow bits and pieces from another RAT called ctOS, which bills itself as having “more features than any other RAT on the market.” Both RATs “contain similar configuration structures,” several functions, code and even Italian language strings, which is why researchers deduce it may have originated in Italy.

“These Italian strings are part of PDB paths and are prevalent throughout .net manifest data. This lends additional strength to the linkage between ctOS and uWarrior, as the former’s control panel demos are also in Italian,” the researchers write.

A debugging symbol path found in the sample the researchers looked at included “UtilityWarrior.pdb,” which is why they believe the malware’s author refers to the RAT as uWarrior.

Researchers with Fortinet also spotted the RAT making the rounds and have a slightly different take, suggesting the RAT’s author may have created the malware for another hacker and that they may have a loose connection to the AlienSpy RAT.

While AlienSpy has been taken offline, many of the campaigns that previously utilized the RAT have moved on to Jsocket, another commercial subscription-based RAT.

Still, Roland Dela Paz, a researcher with the firm, wrote Monday that he’s seen several AlienSpy RATs using the same IP address that uWarrior points to as a C&C server.

Paz goes full-on sleuth and traces a handful of leads, eventually arriving at the idea that uWarrior may have been coded by an Italian boy, Edoardo a.k.a. Dodosky, for an amateur Nigerian hacker they refer to as “Pawan.” Like Palo Alto, Fortinet researchers note that uWarrior was seemingly compiled in Visual Basic, likely in Italian. Paz believes that “Pawan,” who previously expressed interest in hiring a RAT developer on a forum, has used several other commercial RATs, in addition to uWarrior and AlienSpy, in the past, including some that are signed.

  • Anonymous on

    ctOS is a new trend RAT that has been for sale on the black market. ctOS is an aggressive process that will hook NtSystemQueryInformation then modify WinAPI requests to completely hide the process, then it will filter itself from the eprocess list. It uses image file execution, an infamous method to bypass over 20 antiviruses. It communicates via TCP sockets and receives commands and retrieves data to complete the command (e.g. steal passwords etc.). It also has a cryptolocker which will encrypt the file in RC4 with a specified key and require the user to visit a link to retrieve the file. It also has an Anti Malware or Botkiller system that will violently annihilate suspicious processes and traces of them in startup, registry, process list, and delete anything by normal signature scans. It uses a normal silent session of MSI uninstaller to even uninstall software, and uses HTTP connection to initiate a silent proxy session (limited to this RAT only). Only bugs I've seen is in stability, which it will start lagging at 1000~ bots. All functions work fine though.
