Saturday, December 2, 2023

Hackers Selling HTTP Remote Access Trojan via Weaponized Word Documents in Underground Market

Cyber Criminals selling Parasite HTTP RAT (Remote Access Trojan) on the underground marketplace that distributed via Email to the victims using Weaponized Microsoft office documents.

A dubbed Parasite HTTP  is a professionally coded modular remote administration tool for windows Which is written by malware authors using “C” programming language.

It uses a technique called an extensive array for sandbox detection, anti-debugging, anti-emulation, and other protections.

So Parasite HTTP provides numerous examples of state-of-the-art techniques used to avoid detection in sandboxes and via automated anti-malware systems.

This Remote access Trojan module capable of adding new add-ons which is available on the C&C server that can be downloaded at any time for post infection process.

The researcher believes that Parasite HTTP continues to propagate across other malware variants.

RAT Propagation using Parasite HTTP RAT

An initial stage of this RAT champaign observed from the Underground forum and it propagates using Email messages that posed to be resumes or CV submissions and it uses subjects that mimic advertised position and other related contents.

Email ID domain contains some individual recipients at a range of organizations that make to believe that, it comes from a particular organization.

Also distributed Emails with contained Microsoft Word attachments with names such as  my_cv.doc, resume_.doc, cvnew.doc.

Also, the document contains macro and it force to enable it by users, once it enabled then it download Parasite HTTP from a remote site.

Attackers using this Parasite HTTP ad for evading detection and analysis that contains lots of following sophisticated futures.

  • No dependencies (Coded in C)
  • Small stub size (~49kb uncompressed, ~23kb compressed)
  • Dynamic API calls (No IAT)
  • Encrypted strings
  • Bypass Ring3 hooks
  • Secure C&C panel written in PHP
  • Firewall bypass
  • Supports both x86 and x64 Windows OS (from XP to 10)
  • Full unicode support
  • Online builder tied to your domain/s (Build bot bin anytime with any settings you wish)
  • Encrypted communication with C&C panel (Optional – SSL using self signed certificate)
  • Plugin system
  • Multiple backup domains
  • System wide persistence (x86 processes only) (Optional)
  • Injection to whitelisted system process (Optional)
  • Install & Melt (Optional)
  • Hidden startup (Optional)
  • Anti-Emulation (Optional)
  • Anti-Debug
  • Extended statistics and informations in the panel
  • Advanced task management system
  • On Connect task (New clients will execute task/s)
  • Low resource usage
  • Special login page security code
  • Captcha on login page to prevent brute force attacks
  • Download & Execute (Supports both HTTP and HTTPS links)
  • Update
  • Uninstall

Also, Parasite HTTP contain well framed obfusticated futures such as string obfuscation and evasion & anti-sandbox techniques.

According to Proofpoint, Parasite HTTP uses a sleep routine to delay execution and check for sandboxes or emulation.

Also, there are some important Plugins that Supported by Parasite HTTP RAT.

  • User management
  • Browser password recovery
  • FTP password recovery
  • IM password recovery
  • Email password recovery
  • Windows license keys recovery
  • Hidden VNC
  • Reverse Socks5 proxy

When Parasite HTTP actually does detect a sandbox, it attempts to hide this fact from any observers. It does not simply exit or throw an error, instead of making it difficult for researchers to determine why the malware did not run properly and crashed.

Cybercriminals and malware authors continuously innovate in their efforts to evade defenses and improve infection rates.

Also Read

Beware !! Hackers Deliver FlawedAmmyy RAT via Weaponized Microsoft Word and PDF Documents
US-CERT Alerts Powerful Emotet Banking Malware Attack on Government, Private and Public Sectors
Dangerous macOS Backdoor That Steals User Login Credentials Remained Undetected for Years

Latest articles

Active Attacks Targeting Google Chrome & ownCloud Flaws: CISA Warns

The CISA announced two known exploited vulnerabilities active attacks targeting Google Chrome & own...

Cactus Ransomware Exploiting Qlik Sense code execution Vulnerability

A new Cactus Ransomware was exploited in the code execution vulnerability to Qlik Sense...

Hackers Bypass Antivirus with ScrubCrypt Tool to Install RedLine Malware

The ScrubCrypt obfuscation tool has been discovered to be utilized in attacks to disseminate the RedLine Stealer...

Hotel’s Hacked Logins Let Attacker Steal Guest Credit Cards

According to a recent report by Secureworks, a well-planned and advanced phishing attack was...

Critical Zoom Vulnerability Let Attackers Take Over Meetings

Zoom, the most widely used video conferencing platform has been discovered with a critical...

Hackers Using Weaponized Invoice to Deliver LUMMA Malware

Hackers use weaponized invoices to exploit trust in financial transactions, embedding malware or malicious...

US-Seized Crypto Currency Mixer Used by North Korean Lazarus Hackers

The U.S. Treasury Department sanctioned the famous cryptocurrency mixer Sinbad after it was claimed...
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

API Attack Simulation Webinar

Live API Attack Simulation

In the upcoming webinar, Karthik Krishnamoorthy, CTO and Vivek Gopalan, VP of Products at Indusface demonstrate how APIs could be hacked.The session will cover:an exploit of OWASP API Top 10 vulnerability, a brute force account take-over (ATO) attack on API, a DDoS attack on an API, how a WAAP could bolster security over an API gateway

Related Articles