We recently came across a .NET malware sample known as SamoRAT whose main purpose is to receive and execute commands on the infected device; it can also download and execute other malicious programs. In this blog we walk through the analysis of the SamoRAT sample.
Once executed, the program runs a set of anti-analysis checks on the host machine. It then checks that only a single instance is running; if an instance is already running, the new instance exits.
After passing these checks, the malicious program starts, registers itself with the C&C server and begins receiving remote commands.
Anti-Analysis and Anti-VM Check:
SamoRAT performs anti-analysis checks to detect when it is running in a virtual machine, in a sandbox or under a debugger, the environments in which AV vendors and analysts typically examine samples. When it detects one, it exits, so the behaviour that would trigger antivirus alerts is never shown.
It checks for the following:
- The system manufacturer name, looking for VMware and VirtualBox strings.
- Whether a debugger is attached to the process.
- Whether the host OS is Windows XP.
- Whether SbieDll.dll is loaded, which indicates the program is running under Sandboxie.
- Whether the host disk is small, a common trait of analysis VMs.
If any of these conditions is met, the program exits to avoid detection. This code is reused from the open-source AsyncRAT.
After passing the anti-analysis checks, the program ensures that only a single instance is running by looking for a mutex named SamoRAT.
If the mutex is not found, the program creates it to indicate that an instance is now running.
Bypass AV Systems:
SamoRAT can stop the Windows Defender process and disable its features by editing the registry, to avoid detection at run time.
It also runs PowerShell commands to disable additional Windows Defender features.
SamoRAT copies its main executable to the Microsoft Network folder and renames itself WinServices.exe.
To achieve persistence, it either creates a scheduled task or modifies the Windows registry so that it runs at start-up, depending on whether it has administrator privileges.
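As an added example (not code from the original analysis or from SamoRAT itself), the following PowerShell script triages a suspected host for the artifacts described above: the SamoRAT mutex, the WinServices.exe drop, scheduled-task or Run-key persistence, and Defender tampering. The page does not give the full path of the "Microsoft Network" folder, the exact registry values SamoRAT writes, or the mutex namespace, so the script searches the common drop roots, checks the standard Defender policy values, and tries the unqualified, Global and Local mutex names; those are assumptions.

```powershell
# SamoRAT host triage (added example, not from the original analysis or the sample).
# Run from an elevated Windows PowerShell 5.1 session; it is read-only and only reports.
# Assumptions not stated on the page: drop-folder roots, Defender policy values, mutex namespace.

$findings = [System.Collections.Generic.List[string]]::new()

# 1. Mutex: a live instance holds "SamoRAT", so a successful open means the RAT is running.
foreach ($name in 'SamoRAT', 'Global\SamoRAT', 'Local\SamoRAT') {
    $m = $null
    try {
        if ([System.Threading.Mutex]::TryOpenExisting($name, [ref]$m)) {
            $findings.Add("Mutex present: $name (an instance is probably running)")
            $m.Dispose()
        }
    } catch [System.UnauthorizedAccessException] {
        # Exists but is not accessible to this user: still a positive signal.
        $findings.Add("Mutex present but inaccessible: $name")
    }
}

# 2. Dropped binary: WinServices.exe inside a folder named "Microsoft Network" (path assumed).
$roots = @($env:APPDATA, $env:LOCALAPPDATA, $env:ProgramData, $env:USERPROFILE) |
    Where-Object { $_ -and (Test-Path -LiteralPath $_) } | Sort-Object -Unique
foreach ($root in $roots) {
    Get-ChildItem -LiteralPath $root -Directory -Recurse -Depth 3 -Filter 'Microsoft Network' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $exe = Join-Path $_.FullName 'WinServices.exe'
            if (Test-Path -LiteralPath $exe) {
                $hash = (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash
                $findings.Add("Dropped binary: $exe (SHA256 $hash)")
            }
        }
}

# 3. Persistence: scheduled tasks (admin case) and Run keys (non-admin case) that launch WinServices.exe.
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        if ("$($a.Execute) $($a.Arguments)" -match 'WinServices\.exe') {
            $findings.Add("Scheduled task: $($task.TaskPath)$($task.TaskName) -> $($a.Execute)")
        }
    }
}
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Value -is [string] -and $p.Value -match 'WinServices\.exe') {
            $findings.Add("Run key: $key\$($p.Name) = $($p.Value)")
        }
    }
}

# 4. Defender tampering: standard policy values used to switch Defender off, plus live status.
#    The page says SamoRAT edits the registry and runs PowerShell against Defender but not which values.
$defenderChecks = @(
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'; Name = 'DisableAntiSpyware' },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'; Name = 'DisableRealtimeMonitoring' },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'; Name = 'DisableBehaviorMonitoring' }
)
foreach ($c in $defenderChecks) {
    $v = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    if ($v -and $v.($c.Name) -eq 1) { $findings.Add("Defender policy set: $($c.Path)\$($c.Name) = 1") }
}
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
if ($mp -and -not $mp.RealTimeProtectionEnabled) { $findings.Add('Defender real-time protection is OFF') }
if ($mp -and -not $mp.AntispywareEnabled)        { $findings.Add('Defender antispyware engine is OFF') }

if ($findings.Count -eq 0) { 'No SamoRAT indicators found.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

The mutex probe is the quickest live indicator, but it only fires while the RAT is running; the file, task and Run-key checks survive a reboot and a crash, which is why all four are collected before a verdict is printed. Treat a hit on the Defender policy values as corroborating evidence only, since legitimate management tooling can set them too.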
Once installed, the program registers itself with the C&C server by sending a POST request to api.samorat.com.
A request with method=registerClient informs the attacker that the program was installed successfully. If the program crashes during execution, a crash report is uploaded in image format as CrashReport.png.
Once registered, the program makes another POST request to the same address to indicate that it is online and ready to receive commands.
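As an added example (not part of the original post), here is the detection logic a proxy-log or IDS parser would apply to the two requests just described: a POST to api.samorat.com whose body carries method=registerClient is the registration, and any other POST to that host is the follow-up check-in. The log-line format and the body of the check-in request are constructed for the example; the page only shows the host and the method=registerClient parameter.

```powershell
# Classify HTTP requests against the SamoRAT C2 (added example, not from the original post).
# Log format here is constructed: "<verb> <host> <path> <body>", as a proxy log might record it.
function Get-SamoRatC2Event {
    param([Parameter(Mandatory)][string[]]$LogLine)
    foreach ($line in $LogLine) {
        $parts = $line -split '\s+', 4
        if ($parts.Count -lt 3) { continue }
        $verb = $parts[0]; $targetHost = $parts[1]; $path = $parts[2]
        $body = if ($parts.Count -eq 4) { $parts[3] } else { '' }
        # Only POSTs to the C2 host matter; everything else is dropped here.
        if ($verb -ne 'POST' -or $targetHost -ne 'api.samorat.com') { continue }
        # Registration is identified by method=registerClient; any other POST to the C2 is a check-in.
        $verdict = if ($body -match '(^|&)method=registerClient(&|$)') {
            'INFECTED: SAMORAT REGISTRATION REQUEST DETECTED'
        } else {
            'INFECTED: SAMORAT CNC CONNECTION DETECTED'
        }
        [pscustomobject]@{ Host = $targetHost; Path = $path; Body = $body; Verdict = $verdict }
    }
}

# Constructed sample lines: only the host and method=registerClient come from the analysis;
# the path and the check-in body are placeholders.
$sample = @(
    'POST api.samorat.com / method=registerClient&id=CONSTRUCTED',
    'POST api.samorat.com / method=CONSTRUCTED_CHECKIN&id=CONSTRUCTED',
    'GET  www.example.com / '
)
Get-SamoRatC2Event -LogLine $sample | Format-Table -AutoSize
```

Matching the parameter with the `(^|&)...(&|$)` anchors avoids a false hit on a longer parameter name that merely contains registerClient, and keying on the host rather than the body for the second verdict means the check-in is caught even though its parameters are not documented.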
SamoRAT can receive four types of command:
- DOEX: download and install other malicious programs on the infected host.
- UNINSTALL: uninstall itself and revert the changes made to the system.
- DISABLEUAC: bypass Windows Defender features.
- STARTCAPTURE: capture screenshots of the infected host.
When the program receives a DOEX command, it downloads the program from the link received and executes it as GoogleCrashHandler.exe.
On receiving the UNINSTALL command, the program deletes the registry entries and scheduled tasks it created for persistence.
It also creates and executes a .bat file with a random name to delete all files associated with the program.
SamoRAT enumerates basic information about the host machine's configuration and sends it to the C&C server.
Here is a snapshot of the pcap file generated while monitoring the network traffic:
The system enumeration code is shown below:
Xunison has detections in place to protect against this attack and the techniques it uses, so customers with updated Xbrain intrusion prevention signatures are protected. Users should also ensure that they update Xbrain regularly to prevent attackers from exploiting known vulnerabilities.
INFECTED: SAMORAT REGISTRATION REQUEST DETECTED AND BLOCKED
INFECTED: SAMORAT CNC CONNECTION DETECTED AND BLOCKED
We are always looking to hear from the technical community and customers, so if you have any suggestions, comments or questions, or want to enquire about any cybersecurity solution or topic, please feel free to email us at firstname.lastname@example.org