Say “Cheese”: WebMonitor RAT Comes with C2-as-a-Service (C2aaS)

save
Share and earn Cybytes
Facebook Twitter Google+ LinkedIn Email

While looking at commodity RATs currently offered on underground forums, we came across “WebMonitor”, on the market since mid-2017. We noticed that while detection was high for most anti-virus vendors, all tagged it with only generic detection. At this point we realized that although this malware had been around for almost a year, we were looking at a hitherto-undocumented commodity RAT.

 

For Sale

Commodity RATs are typically peddled on underground forums and come and go with new offerings springing up to replace those taken down by law enforcement actions.

Say Cheese_1

Figure 1 – WebMonitor RAT Forum sales thread

 

We first observed apparent tests of this RAT in late February 2017. In May 2017, “Revcode” advertises his RAT “WebMonitor” at hackforums[.]net (Figure 1) for €14.99 – €29.99 (Figure 2):

“[#1 Web RAT, CONTROL FROM WEB BROWSER, No PORTFORWARD, KEYLOGGER, + VPN]”.

 

Say Cheese_2

Figure 2 – Editions of WebMonitor RAT sold at three different pricepoints.

In addition to forum sales thread, Revcode’s main sales and support site is at revcode[.] eu (Figure 3).

Say Cheese_3

Figure 3 – Screenshot of revcode[.]eu advertising WebMonitor

Features

On the server-side, WebMonitor offers an included VPN and C2 service (discussed in detail later in this report), with a web-based interface (Figure 4).

Say Cheese_4

Figure 4 – Web-based C2 interface

WebMonitor offers two interface options: the original “Lite” version, and a slicker interface in the “Enterprise” version.

A list of features is provided at the site, some of which stretch the guise of a legitimate administration tool:

 

  • Applications
    • App crash log
    • Injected DLLs list
    • Installed codes list
    • Loaded DLLs list
    • Overview
  • Bluetooth
    • Bluetooth log view
    • Bluetooth view
  • Browser
    • Addons list
    • History
    • Image cache
  • Credentials
    • Browser
      • Passwords
    • Mail
      • All clients
    • Messenger live
      • All clients
    • Network
      • Net pass
      • Wifi key view
    • System
      • Keys
    • Filesystem
      • Disk smart view
      • File browser
      • Recent files list
    • Forensics
      • Harddrive operations
      • Physical RAM dump
    • Keyboard
      • Harddrive operations
      • Physical RAM dump
    • Messengers
      • Harddrive operations
      • Physical RAM dump
    • Monitor
      • Harddrive operations
      • Physical RAM dump
    • Networking
      • Net route view
      • TCP analyze
      • URL protocol view
      • User profiles view
      • WiFi info
      • WiFi channel monitor
      • WiFi history
      • Wireless networks
      • Wireless watcher
    • Runtime
      • Blue screen log
      • Turned on times
    • System
      • Battery info
      • Connections
      • Device manager
      • Drivers
      • Firmtables
      • Hardware manager
      • Information
      • Internal activity
      • MUI cache
      • Process manager
      • Remote registry
      • Remote shell
      • Security software list
      • Services
      • Startup view
      • Win logon activity
      • Windows list
      • Windows update list
    • Webcam
      • Snapshot
      • Stream Webcam

A recent development, in January Revcode partner “Softpatch” offers an Android RAT client, posting the source code at Github.

 

WebMonitor Client

The WebMonitor client (ie: the RAT) is written in Visual Basic 6 (VB6) and packed with UPX.

It installs to users%USERNAME%AppDataRoamingREVCODE-***.EXE,

where **** is a random 4-digit hex value.

For persistence it creates a registry key under

x86: HKCUSoftwareMicrosoftWindowsCurrentVersionRun 

x64: HKCUUSoftwareWow6432NodeMicrosoftWindowsCurrentVersionRun) (Figure 5), similarly appending using the same 4-digit value.

 

Say Cheese_5

Figure 5 – Persistence registry key

Along with the C2-as-a-Service, the client builder is designed for ease of use, with a focus on simplicity. Along with deciding whether a pop-up is displayed – or not – the customer can decide whether the client should run at startup, and if the process should restart if terminated (Figure 6).

Say Cheese_6

Figure 6 – Client Builder Interface

Revcode partner (or alternative forum account) attempts to claim legitimacy “We have to follow the laws and therefore have to display installation dialogs. However, we can’t help if people bypass that by cracking or patching the executable.” But then contradicts himself in fact, with the builder option to NOT create an installation pop-up, and “The reason why me made it possible in a way to bypass the dialog is when customers want to update their clients. We don’t find it necessary to reproduce the installation dialogs.”.

 

C2aaS

As previously seen in Quaverse RAT / QRAT, WebMonitor offers Command-and-Control (C2)-as-a-Service (C2aas). Customers don’t have to (in fact, can’t) run their own C2 system, it’s provided for them. WebMonitor C2s to virtual-hostnames, apparently unique to each customer, at one of two root C2 domains. Although C2 communication is over HTTPS, an obvious downside to such a C2 domain architecture is that the C2 traffic is easily detected and blocked based upon the domains.

WebMonitor customers access their C2 web interface via user-specific virtual hostnames at the host C2s (Figure 7).

 

Say Cheese_7

Figure 7 – C2 Virtual Hosts

The original C2 domain was the same as the sales website, revcode[.]eu. In late July 2017, a second root-C2 was brought online, wm01[.]to (“WebMonitor”).

 

DNS & Coin Mining

Starting in samples first observed late-November 2017, in addition to DNS lookups for the C2 as described above, the RAT clients also performed multiple lookups for non-existent domains (Figure 8).

Say Cheese_8

Figure 8 – NXD and Monero Mining Pool DNS lookups

These take the form <username>.<8_char_hex_value>.to. No domains in any observed samples using this technique actually exist, and as such the DNS “NXD” (non-existent domain) response has no obvious C2 function.

It is possible that this is may be a yet-to-be-implemented Domain Generation Algorithm (DGA) implementation, otherwise possibly a clumsy and ineffectual effort to attempt to camouflage the genuine C2 DNS lookup among invalid ones.

One of the very first samples observed using this new technique also contacted a Monero Mining Pool server pool1.minexmr[.]com, as seen in Figure 8 above. This may have been the author testing rather than a feature released to his customers, as we only observed this once in the wild. Monero mining is hardly representative of a feature of a “legitimate remote administration utility”.

 

RAT Customers and Targets

Revcode[.]eu is observed being used less often in recent months, in favor of wm01[.]eu, with some samples contacting both. At time of writing, we understand those to be the only two domains used by WebMonitor’s C2-as-a-Service. Based upon analysis of passive DNS records, we observed just under 100 virtual hosts under the two domains, giving an indication of the relatively small number of customers. To date Palo Alto Networks has collected just over 500 distinct samples of WebMonitor.

Say Cheese_9

Figure 9 – Verticals

 

The apparently-small number of customers and the “commodity” nature of this malware, with a modest price tag, might suggest an innocuous threat. However, using AutoFocus, we have observed over 2000 WebMonitor infection attempts against Palo Alto Networks customers across multiple verticals (Figure 9), worldwide (Figure 10).

Say Cheese_10

Figure 10 – Global distribution of targets

Author

The domain revcode[.]eu has an in-the-clear, non-anonymized WHOIS (Figure 11). Several current and historical domains are registered with identical information, some back to 2013. Research into the information in the WHOIS found corroborating information, identifying a 25-year-old from the state of Bavaria in southern Germany.

Say Cheese_11

Figure 11 – en-clar revcoce[.]eu WHOIS registration

Interestingly, while WebMonitor has been marketed since May 2017, there has been no other formal analysis and write-up in the year that it has been sold. The tongue-in-cheek, Florida-based blogger “Krabs on Security” offers an analysis, but this hasn’t been picked up by mainstream malware researchers. She opines “a very very legal malware backed by a .eu domain and a very very long Term of Service that was used in CEO Fraud, as seen below. Who would’ve thought such legal software being advertised on the benign forums dubbed “HackForums” would be used for such notorious cybercriminal purposes?”. “Revcode” partner “SoftPatch” seemed slighted and was quick to attack this analysis, pointing out in a forum post (Figure 12) multiple apparent inaccuracies.

 

Say Cheese_12

Figure 12 – SoftPatch fires back at krabsonsecurity

And Revcode himself, despite the usual attempts at pretense-of-legitimacy seen in Commodity RAT sales, markets features that have no utility for legitimate use: “perfectly compatible with all crypters and protectors”, “Privacy is our priority, so no logs are saved on our servers.”. Revcode partner (or alternative forum account” posts an exhaustive list of credentials that this RAT can recover “Here is a list of what kind of credentials RevCode is capable of recovering”:

Web Browsers:

* Internet Explorer 4.0 – 11.0

* Mozilla Firefox – All versions

* Google Chrome

* Safari

* Opera

 

IM Clients:

* MSN Messenger

* Windows Messenger (In Windows XP)

* Windows Live Messenger (In Windows XP/Vista/7)

* Yahoo Messenger (Versions 5.x and 6.x)

* Google Talk

* ICQ Lite 4.x/5.x/2003

* AOL Instant Messenger v4.6 or below, AIM 6.x, and AIM Pro

* Trillian

* Trillian Astra

* Miranda

* GAIM/Pidgin

* MySpace IM

* PaltalkScene

* Digsby

 

Email Clients:

* Outlook Express

* Microsoft Outlook 2002/2003/2007/2010/2013/2016

* Windows Mail

* Windows Live Mail

* IncrediMail

* Eudora

* Netscape 6.x/7.x (If the password is not encrypted with master password)

* Mozilla Thunderbird (If the password is not encrypted with master password)

* Group Mail Free

* Yahoo! Mail – If the password is saved in Yahoo! Messenger application

* Hotmail/MSN mail – If the password is saved in MSN/Windows/Live Messenger application

* Gmail – If the password is saved by Gmail Notifier application, Google Desktop, or by Google Talk

 

Windows Network Credentials:

* Login passwords of remote computers on your LAN

* Passwords of mail accounts on exchange server (stored by Microsoft Outlook)

* Password of MSN Messenger / Windows Messenger accounts

* Internet Explorer 7.x and 8.x

* The passwords stored by Remote Desktop 6

 

Protected Storage:

* Outlook 97

* Outlook 2000

* Outlook XP, 2003, 2007, 2010, 2013, 2016

 

Product Keys:

* Microsoft Windows XP, Vista, Server, 7, 8, 10

* Microsoft Office 2000, 2003, 2007, 2010

* Microsoft SQL Server 2000, 2005

* Microsoft Exchange Server 2000, 2003

* Visual Studio

* Some of the Adobe and Autodesk products

 

Network Credentials:

* WiFi stored WEP and WPA keys

* Remote Desktop credentials

 

Summary

The feature set of this RAT would afford an attacker significant access to and control of a victim. Fortunately, owing to the “C2aaS” model employed, detection of and prevention against WebMonitor C2 traffic is trivial. Webmonitor’s addition to the list of currently-marketed commodity RATs demonstrates their continued popularity, enabling successful attacks even in the hands of the unsophisticated attacker.

We predict that WebMonitor won’t last much longer, at least not with this model as the C2s are too easily identified/blocked. Indeed, another aspect of this centralized model, having the hosted service create each client for customers, might put the author’s hands on every one of the malware samples in the eyes of the law.

 

Coverage

Palo Alto Networks customers are protected from this threat in the following ways:

  1. WildFire accurately identifies WebMonitor RAT samples as malicious.
  2. Traps prevents this threat on endpoints, based upon WildFire prevention.
  3. WebMonitor root C2 domains are flagged as malicious in Threat Prevention.

AutoFocus users can view WebMonitor RAT samples using the “WebMonitorRAT” tag.

IOCs can be found in the appendices of this report.

 

Appendices – IOCs

 

Appendix I – C2 domains

revcode[.]eu

wm01[.]to

 

Appendix II – Sample hashes

Hashes of WebMonitor samples can be found here.

The post Say “Cheese”: WebMonitor RAT Comes with C2-as-a-Service (C2aaS) appeared first on Palo Alto Networks Blog.

Share this post and earn Cybytes
Facebook Twitter Google+ LinkedIn Email
Follow
41 Followers
About Palo Alto Networks
Palo Alto Networks is the next-generation security company maintaining trust in the digital age by helping tens of thousands of organizations worldwide prevent cyber breaches. With our deep cybersecurity expertise, commitment to innovation, and game-changing Next-Generation Security Platform, customers can confidently pursue a digital-first strategy and embark on new technology initiatives, such as cloud and mobility. This kind of thinking and know-how helps customer organizations grow their business and empower employees all while maintaining complete visibility and the control needed to protect their critical control systems and most valued data assets. Our platform was built from the ground up for breach prevention, with threat information shared across security functions system-wide, and designed to operate in increasingly mobile, modern networks. By combining network, cloud and endpoint security with advanced threat intelligence in a natively integrated security platform, we safely enable all applications and deliver highly automated, preventive protection against cyberthreats at all stages in the attack lifecycle without compromising performance. Customers benefit from superior security to what legacy or point products provide and realize a better total cost of ownership.
Promoted Content
Unit 42 Report - Ransomware: Unlocking the Lucrative Criminal Business Model
Ransomware, specifically cryptographic ransomware, has quickly become one of the greatest cyber threats facing organizations around the world. This criminal business model has proven to be highly effective in generating revenue for cyber criminals in addition to causing significant operational impact to affected organizations. It is largely victim agnostic, spanning across the globe and affecting all major industry verticals. Small organizations, large enterprises, individual home users – everyone is a potential target. Ransomware has existed in various forms for decades, but in the last several years criminals have perfected the key components of these attacks. This has led to an explosion of new malware families and has drawn new actors into participating in these lucrative schemes.

Our Revolution

We believe Cyber Security training should be free, for everyone, FOREVER. Everyone, everywhere, deserves the OPPORTUNITY to learn, begin and grow a career in this fascinating field. Therefore, Cybrary is a free community where people, companies and training come together to give everyone the ability to collaborate in an open source way that is revolutionizing the cyber security educational experience.

Cybrary On The Go

Get the Cybrary app for Android for online and offline viewing of our lessons.

Get it on Google Play
 

Support Cybrary

Donate Here to Get This Month's Donor Badge

 
Skip to toolbar

We recommend always using caution when following any link

Are you sure you want to continue?

Continue
Cancel