Tuesday, October 15, 2024
HomeMalwareHackers Attacked Public Sector using Remote Access Trojan that was Entirely Written...

Hackers Attacked Public Sector using Remote Access Trojan that was Entirely Written in Python

Published on

Malware protection

A newly emerging Remote access Trojan called CannibalRAT that completely written in Python language targeting and impacting the Brazilian public sector management school.

Python is a powerful programming language that is being deployed for everything from data science to machine learning and writing web applications.

It spreading with 2 different versions (3.0 and 4.0) both have completely written in Python and distributed as a packed executable that was called py2exe.

- Advertisement - SIEM as a Service

Python language targeting and impacting the Brazilian public sector management school Python is a powerful programming language that is being deployed for everything from data science to machine learning and writing web applications.

Learn more about the Intellipaat Python training course to take the first step towards upskilling and excelling in your career. Intellipaat courses are available in over 150 tools and technologies to help professionals create a niche for themselves in today’s hypercompetitive world.

This RAT campaigns mainly targeting the users from  Brazilian based public sector management schoolINESAP – Instituto Nacional Escola Superior da Administração Pública.

Attackers using  Fast Flux(ing) techniques to change the command and control name servers use 120 seconds for TTL that makes changes the several time a day.

In this case, the oldest version of CannibalRAT was an initial peak on Jan. 8, 2018, later second version was discovered Feb. 5, 2018, which was actively increasing its spreading capability.

Also Read: Fancy Bear Hackers Back to Form & Launched Cyber Attack Again on various Government’s Computer Networks

How does CannibalRAT Remote Access Trojan Works

The RAT distributed via zipped overlay executable contains py2exe format and both versions of this RAT shared a lot of code.

Malware author tried to add a lot of obfustication functionality in version 4 to evade the detection and it used the standard version of UPX, a well known executable packer.

while analyzing the version 4 RAT’s source code reveals that it will generate random strings in memory, thus attempting to make memory string analysis harder.

In this case, an Image was abused and added it will create a PDF file with HTML code embedded that will load a single image hosted at imgur.com.

Both version of the RAT Contacting the same command and control to exfiltrate the stolen information from the user system.

 
According to Cisco Talos, The credential-stealer modules are a copy of the Radium-Keylogger, which has the source code published on Github. The VM detection function can also be seen on Github in a different repository, the copy of code from other software is a constant in most components of this RAT. Most of these capabilities are provided by Python scripts, which can be executed standalone in the command line, which is coherent with code reuse that was described above.

CannibalRAT Version 4 doesn’t contain some the version 3 RAT functionality such as distributed denial of service, miner, Python, and update.

Version 4.0 of the RAT was clearly configured to be part of a campaign targeting the INESAP, a Brazilian school for public administration, as stated before.According to artifacts found in pastebin.com by Talos, seems that the campaign and RAT customization might have started as early as Jan. 9, 2018. Cisco said.

IOC

URL’S

hxxp://zxmbernx.camdvr.org:8843
hxxp://zxmbernx.camdvr.org:8080
hxxp://xmm.camdvr.org:8043
hxxp://vit24ad.kozow.com:8843
hxxp://683gvk34h.theworkpc.com:8843
hxxp://inesapconcurso.webredirect.org/download.php
hxxps://i.imgur.com/puSQDHe.png
hxxp://amfotoalbum.com.br/images/banner/inscricao=157541254.pdf.exe

SHA-256 HASH’S

83d49f14ebb6641f1b813614a40e7df2d200096b8aae198e6298125f47b55b59
98bcb29912a8802d1a863d129d35876f7b2922146d2f05c17cd51ba907e617ba
cbf255ecd5c113b6124549227c44054e8e976c4770a2eb323a60479eb260727b
c7ef8f53dc170c6c2c3e5e57c57c6d2148e95e965c3356a868744a777bf4548b

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

OilRig Hackers Exploiting Microsoft Exchange Server To Steal Login Details

Earth Simnavaz, an Iranian state-sponsored cyber espionage group, has recently intensified its attacks on...

CoreWarrior Malware Attacking Windows Machines From Dozens Of IP Address

Researchers recently analyzed a CoreWarrior malware sample, which spreads aggressively by creating numerous copies...

TrickMo Malware Targets Android Devices to Steal Unlock Patterns and PINs

The recent discovery of the TrickMo Banking Trojan variant by Cleafy has prompted further...

pac4j Java Framework Vulnerable to RCE Attacks

A critical security vulnerability has been discovered in the popular Java framework pac4j. The...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

CoreWarrior Malware Attacking Windows Machines From Dozens Of IP Address

Researchers recently analyzed a CoreWarrior malware sample, which spreads aggressively by creating numerous copies...

TrickMo Malware Targets Android Devices to Steal Unlock Patterns and PINs

The recent discovery of the TrickMo Banking Trojan variant by Cleafy has prompted further...

LemonDuck Malware Exploiting SMB Vulnerabilities To Attack Windwos Servers

The attackers exploited the EternalBlue vulnerability to gain initial access to the observatory farm,...