Brian Stadnicki's reverse engineering & malware analysis blog
Phishing emails rely on many delivery methods, such as sending exploit documents or executables. Thankfully, companies have figured out that this is common and have implemented file attachment extension blockers, for example blocking external .pdf files and all .exe files.
Above is an example from the ACSC.
Bypass
So how do you bypass this? Commonly you add a link or some JavaScript, but what if you just put your file inside a container, such as a zip or rar archive?
Remcos RAT is known for being very feature rich, with a lite version to test. They even provide an option to disable the TLS, making it very easy to reverse engineer the protocol. I’m not aware if the paid version has a different protocol.
The binary protocol is very simple:
packets start with $\x04\xff\x00
then the packet type
then 7 usually miscellaneous bytes
then often string arguments separated by |\x1e\x1e\x1f|
I’ve mapped out a significant amount of the protocol available in the lite version.
AsyncRAT is an open source RAT (Remote Access Tool). While it isn’t typically used for advanced attacks, it’s very common in gaming scenes, thanks to how easy to use and surprisingly polished it is. Thankfully, there exists an RCE flaw.
Attack surface
The AsyncRAT server listens by default on ports 6606, 7707 and 8808. No authentication is required to connect to a server; commands are sent over a TCP SSL socket connection, using a custom msgpack implementation and gzip stream compression.
This cheap camera is quite terrible, so that’s why it’s been abandoned, ready for me to tinker with.
To aid the tinkering, it would help to have the firmware, which thankfully is very easy to extract.
Firmware extraction
When I plug the camera in, it prompts asking for the USB mode.
brian@parrot:~$ adb devices
List of devices attached
20080411	device
As it’s connecting via adb, let’s see if there’s shell access.
The Chaos ransomware is fairly new, first appearing in June 2021 as a builder, offered on multiple darknet forums and marketplaces. It doesn’t appear to have been involved in any significant incidents yet; a few Minecraft players don’t count. Unsurprisingly, therefore, the sample has not had a single transaction to its wallet.
It isn’t very complicated, likely being a simple proof-of-concept ransomware: simply a 32-bit .NET executable, with the ransom wallpaper base64-encoded inside and completely unobfuscated, with names intact.
6 years ago, Kaspersky reported a piece of ransomware which displayed a fake Windows update screen during encryption.
I don’t know the distribution, but I know it starts at Fantom.exe. This appears to be an odd custom loader, but all the main functionality is implemented in the .NET executables.
There are 2 parts to the ransomware: the encryptor and the fake Windows update screen.
Assemblies
Encryptor
This .NET assembly needs to first be dumped from the running ransomware process using ExtremeDumper, and then the criticalupdate01.