Wednesday, April 3, 2019

Malware Analysis: RDP Backdoor (Gh0st variant)

A little while ago I caught this RDP backdoor in my honeypot that I thought was kinda interesting, so I figured I would do a write-up on it. The author of this malware took minimal measures to hide its functionality.

I searched for the md5 hash on virustotal and someone had already uploaded it here.

CFF Explorer output:


Aside from some function calls being stored as character arrays, there was hardly any obfuscation in this malware. It was packed with UPX, so unpacking was trivial.

I searched the source IP in Shodan and got this:

The first thing I noticed was "220 RMNetwork FTP". This is indicative of being part of the Ramnit botnet. RDP is also enabled. Before I took this screenshot of the Shodan results, I was able to connect to it via RDP. Its a Windows 2003 server in China. I'm under the impression that this server has been infected multiple times by different malware. I found a few things that didn't match up with being related to the Ramnit botnet.

From Thor APT Scanner:

Signature Match - THOR APT Scanner

Detection
============================
Rule: IronTiger_Gh0stRAT_variant
Ruleset: Chinese Threat Groups
Description: This is a detection for a s.exe variant seen in Op. Iron Tiger
Reference: http://goo.gl/T5fSJC
Author: Cyber Safety Solutions, Trend Micro
Score: 70

Detection Snapshot
============================
Detection Timestamp: 2018-12-17 18:19
AV detection ratio: 50 / 70

Within the binary I found a reference to a script called "jingtisanmenxiachuanxiao.vbs", which is referenced in this whitepaper about Operation PZCHAO written by Bitdefender.


After some static analysis I discovered that this creates a new user and enables RDP. 

**POST IN PROGRESS**