Malware in the Town Today: RAT, Bots and LummaC2

Cybersecurity researchers from VMware Carbon Black have identified a concerning rise in the use of the NetSupport Remote Access Trojan (RAT), with a particular focus on the education, government, and business services sectors.

What Does It Do?

The NetSupport RAT is being delivered through various means, including the following:

  • Fraudulent updates 
  • Drive-by downloads 
  • Malware loaders like GhostPulse 
  • Phishing campaigns 

In the past weeks alone, at least fifteen new infections related to NetSupport RAT have been detected. 

Infection Mechanisms and Tactics

  1. NetSupport RAT typically infiltrates a victim's computer through deceptive websites and fake browser updates. A previous campaign revealed compromised WordPress sites displaying fake Cloudflare DDoS protection pages, leading to the distribution of NetSupport RAT. Deceptive web browser updates align with the deployment of SocGholish, a JavaScript-based downloader malware.
  2. It uses PowerShell to connect to a remote server, retrieving a ZIP archive containing NetSupport RAT.
  3. Once it is installed, the RAT allows threat actors to monitor behavior, transfer files, manipulate settings, and extend its reach to other devices within the network.

Phishing Tactics and Trojan Successors

The security firm Cofense has reported a resurgence in phishing campaigns employing the DarkGate and PikaBot malware families, which borrow strategies from the now-defunct QakBot trojan.

These campaigns leverage hijacked email threads for initial infections, use URLs with unique patterns that restrict who can access them, and follow an infection chain closely resembling QakBot's delivery method.

The choice of DarkGate and PikaBot is strategic, as both can serve to deliver additional payloads to compromised hosts, making them appealing tools for cybercriminals.

DarkGate and PikaBot: Evading Detection and Payload Delivery

DarkGate, with its advanced evasion techniques against antivirus systems, is capable of keystroke logging, PowerShell execution, and establishing a bidirectional connection for real-time control over infected hosts. 

Cofense’s analysis reveals a high-volume phishing campaign targeting diverse sectors, employing booby-trapped URLs in hijacked email threads. 

Evolution of LummaC2: Trigonometry-Based Anti-Sandbox Technique

The LummaC2 stealer malware has evolved with a new anti-sandbox technique, employing trigonometry to delay sample detonation until human mouse activity is detected. 

Sold in underground forums since December 2022, LummaC2, written in the C programming language, has undergone updates for enhanced complexity, incorporating control flow flattening and the ability to deliver additional payloads.

Trigonometric Evasion: How LummaC2 Detects Human Mouse Behavior

The trigonometry-based technique captures the cursor position five times at 50 millisecond intervals, checking for differences between consecutive positions.

LummaC2 treats these positions as vectors, calculating the angles formed between them. If all calculated angles are below 45°, indicating human mouse behaviour, the malware proceeds with execution.

If any angle exceeds 45°, LummaC2 restarts the process, so it only proceeds once it has observed mouse movement within a 300 millisecond window.
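The check described above, reproduced as an added example (this is not code from the article, from the Outpost24 analysis it summarises, or from any malware sample). It assumes the angles are measured between the displacement vectors that join consecutive cursor captures, and it runs over three constructed cursor traces: an idle cursor as seen in an unattended sandbox, a synthetic square-shaped jitter, and a smooth human-like sweep. An engineer building a detonation environment can use it to see which kinds of synthetic mouse input such a gate rejects, and therefore what "human-like" movement the environment needs to emulate before samples of this family will run.

```python
import math
from typing import Callable, List, Optional, Tuple

Point = Tuple[int, int]
Vector = Tuple[int, int]

# Parameters as described in the article: five captures, 50 ms apart, 45° limit.
SAMPLES = 5
SAMPLE_INTERVAL_MS = 50
ANGLE_THRESHOLD_DEG = 45.0

# Constructed cursor traces (not captured from any real system).
IDLE_TRACE: List[Point] = [(400, 300)] * SAMPLES                    # unattended sandbox
SQUARE_JITTER_TRACE: List[Point] = [(100, 100), (110, 100), (110, 110),
                                    (100, 110), (100, 100)]         # synthetic, sharp turns
HUMAN_LIKE_TRACE: List[Point] = [(100, 100), (130, 112), (162, 126),
                                 (196, 142), (232, 160)]            # smooth sweep


def displacement_vectors(positions: List[Point]) -> List[Vector]:
    """Vector from each capture to the next one (assumption: this is what the
    malware treats as its 'vectors')."""
    return [(x2 - x1, y2 - y1)
            for (x1, y1), (x2, y2) in zip(positions, positions[1:])]


def angle_between_deg(v1: Vector, v2: Vector) -> Optional[float]:
    """Angle between two displacement vectors in degrees.
    None when either vector is zero-length: the cursor did not move, so the
    angle is undefined."""
    n1, n2 = math.hypot(*v1), math.hypot(*v2)
    if n1 == 0 or n2 == 0:
        return None
    cos_theta = (v1[0] * v2[0] + v1[1] * v2[1]) / (n1 * n2)
    cos_theta = max(-1.0, min(1.0, cos_theta))   # guard against rounding past ±1
    return math.degrees(math.acos(cos_theta))


def consecutive_angles_deg(positions: List[Point]) -> List[Optional[float]]:
    """Angles between each pair of consecutive displacement vectors."""
    vectors = displacement_vectors(positions)
    return [angle_between_deg(a, b) for a, b in zip(vectors, vectors[1:])]


def looks_like_human(positions: List[Point]) -> bool:
    """The gate as the article describes it: every consecutive position must
    differ, and every angle between consecutive movements must be below 45°."""
    if len(positions) != SAMPLES:
        raise ValueError(f"expected {SAMPLES} cursor captures")
    if any(v == (0, 0) for v in displacement_vectors(positions)):
        return False                       # idle cursor: fails the 'differences' check
    angles = consecutive_angles_deg(positions)
    return all(a is not None and a < ANGLE_THRESHOLD_DEG for a in angles)


def wait_for_human_movement(sample_trace: Callable[[], List[Point]],
                            max_attempts: int) -> Optional[int]:
    """Model the restart loop: re-sample until a trace passes the gate.
    Returns the attempt number that passed, or None if none did within the
    limit (the real malware simply keeps retrying; the limit is ours)."""
    for attempt in range(1, max_attempts + 1):
        if looks_like_human(sample_trace()):
            return attempt
    return None


def scripted_sampler(traces: List[List[Point]]) -> Callable[[], List[Point]]:
    """Stand-in for reading the real cursor: hands out constructed traces in order."""
    it = iter(traces)
    return lambda: next(it)


if __name__ == "__main__":
    for name, trace in [("idle", IDLE_TRACE),
                        ("square jitter", SQUARE_JITTER_TRACE),
                        ("human-like", HUMAN_LIKE_TRACE)]:
        angles = [None if a is None else round(a, 1)
                  for a in consecutive_angles_deg(trace)]
        print(f"{name:14s} angles={angles} passes={looks_like_human(trace)}")
    # A sandbox that only wiggles the cursor in right angles never passes;
    # a smooth sweep passes on the first attempt it is offered.
    attempts = wait_for_human_movement(
        scripted_sampler([IDLE_TRACE, SQUARE_JITTER_TRACE, HUMAN_LIKE_TRACE]),
        max_attempts=5)
    print(f"gate passed on attempt {attempts} "
          f"(each attempt spans {(SAMPLES - 1) * SAMPLE_INTERVAL_MS} ms of sampling)")
```

The idle and square traces fail for different reasons, and both are worth noting when tuning a sandbox: an idle cursor fails the "positions must differ" check before any angle is computed, while scripted movement that turns in right angles is rejected by the 45° limit even though the cursor is clearly moving. Only a trace whose direction changes gradually, like a real hand sweeping a mouse, gets the sample to detonate.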

Have Your Packs Ready!

Advanced phishing campaigns, evasion tactics, and better performance than the previous generation of malware are the alarm for us to prepare a proactive defense.

Did you read about the LummaC2 trigonometry tactics? 

This shocked us. The sophistication employed to improve these payloads is a reminder that cyber security is not a one-time job.

To fight malware of such strength, resilience is what we need.

Author: Marrium Akhtar

Date: November 21, 2023

Marrium is a dedicated digital Marketer and an SEO enthusiast who is skilled in cracking SEO codes. Other than work, she loves to stream, eat, and repeat.
