Thursday, March 28, 2024

Hackers Selling HTTP Remote Access Trojan via Weaponized Word Documents in Underground Market

Cyber Criminals selling Parasite HTTP RAT (Remote Access Trojan) on the underground marketplace that distributed via Email to the victims using Weaponized Microsoft office documents.

A dubbed Parasite HTTP  is a professionally coded modular remote administration tool for windows Which is written by malware authors using “C” programming language.

It uses a technique called an extensive array for sandbox detection, anti-debugging, anti-emulation, and other protections.

So Parasite HTTP provides numerous examples of state-of-the-art techniques used to avoid detection in sandboxes and via automated anti-malware systems.

This Remote access Trojan module capable of adding new add-ons which is available on the C&C server that can be downloaded at any time for post infection process.

The researcher believes that Parasite HTTP continues to propagate across other malware variants.

RAT Propagation using Parasite HTTP RAT

An initial stage of this RAT champaign observed from the Underground forum and it propagates using Email messages that posed to be resumes or CV submissions and it uses subjects that mimic advertised position and other related contents.

Email ID domain contains some individual recipients at a range of organizations that make to believe that, it comes from a particular organization.

Also distributed Emails with contained Microsoft Word attachments with names such as  my_cv.doc, resume_.doc, cvnew.doc.

Also, the document contains macro and it force to enable it by users, once it enabled then it download Parasite HTTP from a remote site.

Attackers using this Parasite HTTP ad for evading detection and analysis that contains lots of following sophisticated futures.

  • No dependencies (Coded in C)
  • Small stub size (~49kb uncompressed, ~23kb compressed)
  • Dynamic API calls (No IAT)
  • Encrypted strings
  • Bypass Ring3 hooks
  • Secure C&C panel written in PHP
  • Firewall bypass
  • Supports both x86 and x64 Windows OS (from XP to 10)
  • Full unicode support
  • Online builder tied to your domain/s (Build bot bin anytime with any settings you wish)
  • Encrypted communication with C&C panel (Optional – SSL using self signed certificate)
  • Plugin system
  • Multiple backup domains
  • System wide persistence (x86 processes only) (Optional)
  • Injection to whitelisted system process (Optional)
  • Install & Melt (Optional)
  • Hidden startup (Optional)
  • Anti-Emulation (Optional)
  • Anti-Debug
  • Extended statistics and informations in the panel
  • Advanced task management system
  • On Connect task (New clients will execute task/s)
  • Low resource usage
  • Special login page security code
  • Captcha on login page to prevent brute force attacks
  • Download & Execute (Supports both HTTP and HTTPS links)
  • Update
  • Uninstall

Also, Parasite HTTP contain well framed obfusticated futures such as string obfuscation and evasion & anti-sandbox techniques.

According to Proofpoint, Parasite HTTP uses a sleep routine to delay execution and check for sandboxes or emulation.

Also, there are some important Plugins that Supported by Parasite HTTP RAT.

  • User management
  • Browser password recovery
  • FTP password recovery
  • IM password recovery
  • Email password recovery
  • Windows license keys recovery
  • Hidden VNC
  • Reverse Socks5 proxy

When Parasite HTTP actually does detect a sandbox, it attempts to hide this fact from any observers. It does not simply exit or throw an error, instead of making it difficult for researchers to determine why the malware did not run properly and crashed.

Cybercriminals and malware authors continuously innovate in their efforts to evade defenses and improve infection rates.

Also Read

Beware !! Hackers Deliver FlawedAmmyy RAT via Weaponized Microsoft Word and PDF Documents
US-CERT Alerts Powerful Emotet Banking Malware Attack on Government, Private and Public Sectors
Dangerous macOS Backdoor That Steals User Login Credentials Remained Undetected for Years
Website

Latest articles

Wireshark 4.2.4 Released: What’s New!

Wireshark stands as the undisputed leader, offering unparalleled tools for troubleshooting, analysis, development, and...

Zoom Unveils AI-Powered All-In-One AI Work Workplace

Zoom has taken a monumental leap forward by introducing Zoom Workplace, an all-encompassing AI-powered...

iPhone Users Beware! Darcula Phishing Service Attacking Via iMessage

Phishing allows hackers to exploit human vulnerabilities and trick users into revealing sensitive information...

2 Chrome Zero-Days Exploited at Pwn2Own 2024: Patch Now

Google has announced a crucial update to its Chrome browser, addressing several vulnerabilities, including...

The Moon Malware Hacked 6,000 ASUS Routers in 72hours to Use for Proxy

Black Lotus Labs discovered a multi-year campaign by TheMoon malware targeting vulnerable routers and...

Hackers Actively Exploiting Ray AI Framework Flaw to Hack Thousands of Servers

A critical vulnerability in Ray, an open-source AI framework that is widely utilized across...

Chinese Hackers Attacking Southeast Asian Nations With Malware Packages

Cybersecurity researchers at Unit 42 have uncovered a sophisticated cyberespionage campaign orchestrated by two...
Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Mitigating Vulnerability Types & 0-day Threats

Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

Related Articles