Blue Coat Labs

Labs Blog

GovRAT, the BITS-talking backdoor

Snorre Fagerland


In November 2015 the security outfit InfoArmor published a report about a remote access trojan creation/signing service - GovRAT - being sold in the underground "TheRealDeal" forum. The ad was still up at the time of writing, as shown below. Apologies for the color scheme - not one I would have chosen.



The report contained malware hashes, but we were unable to find any of these in any of our sources. However, it mentioned specific traffic patterns and the name of a code signing certificate used - "Open Source Developer, SINGH ADITYA".

We found a sample matching this description in our certificate database with the SHA-256 hash 358e170f91da4eed7498aae705578941e0028936ac2ca741389f4ed081251080. This sample had at the time of writing fairly low detection on VirusTotal.

This executable is built with Visual Studio 2010 and packed using UPX, but is otherwise not obfuscated. When run, the trojan installs itself into an unobtrusive location - typically %APPDATA%\Roaming\Microsoft\Internet Explorer\reader_sl.exe. Persistence is achieved by placing a *.LNK file pointing to the executable in the user's startup folder. All key parameters - such as the installation location, file names, and command & control server address - are hardcoded into the malware itself.

Based on the indicators from the initial file, we were able to find a number of other files that were related. Most of these were indeed digitally signed. Other certificates we found used with GovRAT samples were (Subject, Issuer, Serial):

Syngenta
COMODO RSA Code Signing CA
00e8cc18cf100b6b27443ef26319398734

AFINA Fintek
COMODO RSA Code Signing CA
62af28a7657ba8ab10fa8e2d47250c69

Open Source Developer, Singh Aditya
Certum Level III CA
04c8eca7243208a110dea926c7ad89ce

Favorite-III
COMODO RSA Code Signing CA
157c3a4a6bcf35cf8453e6b6c0072e1d

Open Source Developer, Muhammad Lee
Certum Level III CA
04422f12037bc2032521dbb6ae02ea0e

Open Source Developer, BHARATH KUCHANGI
Certum Level III CA
65eae6c98111dc40bf4f962bf27227f2

Open Source Developer, Marc Chapon
Certum Level III CA
12d5a4b29fe6156d4195fba55ae0d9a9

AMO-K Limited Liability Company
COMODO RSA Code Signing CA
0087d60d1e2b9374eb7a735dce4bbdae56
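The (Subject, Issuer, Serial) triples above are the kind of data a signed-executable database is mined with. As an added example, not Blue Coat's tooling, here is Python that matches signature records against that known-bad list and clusters samples by signing certificate. The known-bad entries are the triples listed on this page; the OBSERVED records are constructed, and their sha256 values are placeholders rather than real samples. The matching key is (issuer, serial), because the serial is only unique per issuer and a subject such as "Open Source Developer, ..." is a program name shared by many certificates; serials are canonicalized because tools print them inconsistently (with or without the leading 0x00 byte DER adds, with colons, upper or lower case).

```python
"""Matching Authenticode signers against a known-bad certificate list.

Added example, not Blue Coat's code. KNOWN_BAD holds the (Subject, Issuer,
Serial) triples listed on this page; OBSERVED is a constructed set of
signature records whose sha256 values are placeholders, not real samples.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class CertId:
    issuer: str  # normalized issuer name
    serial: str  # serial as canonical lowercase hex, no leading zeros


def normalize_serial(serial: str) -> str:
    """Canonicalize a serial number. A serial is an ASN.1 INTEGER; DER adds a
    leading 0x00 byte when the top bit is set, and tools differ in whether they
    print it (00e8cc... vs e8cc...), use colons, or use upper case."""
    digits = serial.strip().lower().replace(":", "").replace(" ", "")
    return format(int(digits, 16), "x")


def cert_id(issuer: str, serial: str) -> CertId:
    """Build the (issuer, serial) key that identifies a certificate."""
    return CertId(" ".join(issuer.split()).lower(), normalize_serial(serial))


# (Subject, Issuer, Serial) exactly as listed in the post.
KNOWN_BAD: Dict[CertId, str] = {
    cert_id(issuer, serial): subject
    for subject, issuer, serial in [
        ("Syngenta", "COMODO RSA Code Signing CA", "00e8cc18cf100b6b27443ef26319398734"),
        ("AFINA Fintek", "COMODO RSA Code Signing CA", "62af28a7657ba8ab10fa8e2d47250c69"),
        ("Open Source Developer, Singh Aditya", "Certum Level III CA", "04c8eca7243208a110dea926c7ad89ce"),
        ("Favorite-III", "COMODO RSA Code Signing CA", "157c3a4a6bcf35cf8453e6b6c0072e1d"),
        ("Open Source Developer, Muhammad Lee", "Certum Level III CA", "04422f12037bc2032521dbb6ae02ea0e"),
        ("Open Source Developer, BHARATH KUCHANGI", "Certum Level III CA", "65eae6c98111dc40bf4f962bf27227f2"),
        ("Open Source Developer, Marc Chapon", "Certum Level III CA", "12d5a4b29fe6156d4195fba55ae0d9a9"),
        ("AMO-K Limited Liability Company", "COMODO RSA Code Signing CA", "0087d60d1e2b9374eb7a735dce4bbdae56"),
    ]
}

# Constructed signature records; hashes are placeholders, not real samples.
OBSERVED = [
    # Same certificate as the Syngenta entry, printed colon-separated and
    # without the leading zero byte.
    {"sha256": "PLACEHOLDER-HASH-1", "subject": "Syngenta",
     "issuer": "COMODO RSA Code Signing CA",
     "serial": "E8:CC:18:CF:10:0B:6B:27:44:3E:F2:63:19:39:87:34"},
    {"sha256": "PLACEHOLDER-HASH-2", "subject": "Open Source Developer, Marc Chapon",
     "issuer": "Certum Level III CA", "serial": "12d5a4b29fe6156d4195fba55ae0d9a9"},
    {"sha256": "PLACEHOLDER-HASH-3", "subject": "Open Source Developer, Marc Chapon",
     "issuer": "Certum Level III CA", "serial": "12D5A4B29FE6156D4195FBA55AE0D9A9"},
    # Benign, constructed certificate from the same CA: must not match.
    {"sha256": "PLACEHOLDER-HASH-4", "subject": "Example Software Ltd",
     "issuer": "Certum Level III CA", "serial": "0123456789abcdef0123456789abcdef"},
    # Same subject and serial as a bad cert but a different issuer: not the
    # same certificate, so it must not match either.
    {"sha256": "PLACEHOLDER-HASH-5", "subject": "Open Source Developer, Marc Chapon",
     "issuer": "Some Other CA", "serial": "12d5a4b29fe6156d4195fba55ae0d9a9"},
]


def find_bad_signers(records, known_bad=KNOWN_BAD) -> List[Tuple[str, str]]:
    """Return (sha256, known-bad subject) for every record signed with a listed cert."""
    hits = []
    for rec in records:
        subject = known_bad.get(cert_id(rec["issuer"], rec["serial"]))
        if subject is not None:
            hits.append((rec["sha256"], subject))
    return hits


def cluster_by_signer(records) -> Dict[CertId, List[str]]:
    """Group sample hashes by signing certificate; this is the pivot that turns
    one known-bad certificate into a whole cluster of related samples."""
    clusters: Dict[CertId, List[str]] = {}
    for rec in records:
        clusters.setdefault(cert_id(rec["issuer"], rec["serial"]), []).append(rec["sha256"])
    return clusters


if __name__ == "__main__":
    for sha256, subject in find_bad_signers(OBSERVED):
        print(f"{sha256}: signed with known-bad certificate '{subject}'")
```

Running the block stand-alone reports the three placeholder records signed with listed certificates and ignores the two that only share a subject or a serial with them.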


These samples are of slightly different generations - some include encrypted strings, others do not. The earliest sample we could find has a compile date of July 1, 2014; someone submitted it to VirusTotal the same day. The latest sample we have is timestamped Sept 29, 2015.
As mentioned in the InfoArmor report, all samples check the hard drive volume serial number as a means of sandbox evasion. The July 2014 sample, for example, compares the volume serial number of the hard drive against a list of 10 serial numbers known to be used by publicly available or commercial sandbox tools. The most recent sample checks for 11, which means only one new serial number was added in a little more than a year. This is not very impressive as evasion maintenance goes.

If the malware detects one of the known serial numbers in use, it quits immediately. This use of a simple blacklist is fairly rudimentary, and the fact that it is hardcoded means that anyone who can change the serial number(s) of their virtual hard drives can defeat this evasion technique.


GovRAT does check its own Authenticode signature through a call to the Windows API WinVerifyTrust.

The API is called with the pgActionID GUID parameter {00AAC56B-CD44-11d0-8CC2-00C04FC295EE}, also known as WINTRUST_ACTION_GENERIC_VERIFY_V2. With this input the API returns the Authenticode verification status of the requested file object, in this case the malware file itself. This status is communicated back to the bot operator as a character code in the initial C&C check-in.


Whatever evasion methods these backdoors contain, they run fine in the Blue Coat Malware Analyzer application, and are behaviorally noisy enough to identify with ease.


BITS communication


The ad for GovRAT says that it uses “secret Windows APIs to communicate”. By that, the author refers to the Background Intelligent Transfer Service, also known as BITS. BITS is a service present on every Windows OS from Windows 2000 upwards. It facilitates resource-efficient file transfers between machines, and is typically used by Windows Update. However, it also exposes a COM API which any process, not just Windows components, can make use of. By using BITS, one does not have to bother with the details of managing a TCP connection or creating HTTP headers, as all of that is handled by the service. GovRAT uses just this for networking, and this is the reason why GovRAT traffic (as mentioned in the InfoArmor report) contains the User-Agent string “Microsoft BITS/7.5”. This may vary depending on which BITS version the malware has access to, however.

BITS is also a protocol which is normally assumed to be legitimate and allowed through firewalls, and it supports SSL out of the box – all these are features touted by the GovRAT author.

The use of BITS for malicious purposes is however neither secret nor new. It has been used by various malware since at least 2007. One interesting aspect of the GovRAT use of BITS is that it deliberately cancels BITS transfer jobs whose job description starts with “bpcd” and which are not already in transfer. It is our assumption that these canceled jobs are related to a backup service, but maybe people in the online community know more about this?
The rationale for this action is not evident – it is more reminiscent of ransomware activity than of surveillance – but perhaps the author simply thought to remove some of the blocking jobs and competition for the bandwidth.

At the initial connect to C&C, the sample posts username, Windows version, whether the user is Administrator (denoted by an “!” character), whether the executable has a valid Authenticode signature (denoted by an "~" character), and disk volume serial to the remote host.

http(s)://HOSTNAME/FOLDERNAME/session?name=%USERNAME%@%MACHINENAME%%20%WINDOWSVERSION%!~&serial=%VOLUMESERIALNUMBER%


The volume serial is later used as part of the encryption scheme for sending commands to the client. GovRAT also defines BITS callbacks to monitor the transfer status of its jobs.
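The check-in described above, together with the BITS User-Agent and the Authenticode-status character from the WinVerifyTrust section, is what a defender can actually look for in proxy logs. As an added example that is not part of the original post, the Python below runs over a constructed, tab-separated proxy log (timestamp, client IP, method, URL, User-Agent) and flags two things: a "Microsoft BITS/x.y" User-Agent talking to a host outside an allowlist of hosts where BITS traffic is expected, and URLs matching the /session?name=...&serial=... template, from which it decodes the username, machine name, Windows version, the "!" (Administrator) and "~" (valid signature) flags, and the volume serial. The log layout, the BITS_EXPECTED_HOSTS allowlist and all log records are assumptions; two of the records use C&C domains listed in this post but are not real observations.

```python
"""Detection logic for GovRAT-style BITS check-ins in a web-proxy log.

Added example, not Blue Coat's code. SAMPLE_LOG is constructed and
tab-separated (timestamp, client IP, method, URL, User-Agent); the field
layout and the BITS_EXPECTED_HOSTS allowlist are assumptions to be tuned for
a real environment.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Hosts to which BITS traffic is expected (assumed, site-specific allowlist).
BITS_EXPECTED_HOSTS = {"download.windowsupdate.com", "update.microsoft.com"}

# GovRAT traffic carries the service's own User-Agent, e.g. "Microsoft BITS/7.5".
BITS_UA_RE = re.compile(r"^Microsoft BITS/\d+\.\d+")

# The decoded "name" parameter: USERNAME@MACHINENAME WINDOWSVERSION followed by
# optional "!" (user is Administrator) and "~" (valid Authenticode signature).
NAME_RE = re.compile(r"^(?P<user>[^@]+)@(?P<machine>\S+) (?P<winver>.*?)(?P<flags>[!~]*)$")

# Constructed sample log. Lines 2 and 4 use C&C domains listed in the post;
# no line is a real observation.
SAMPLE_LOG = (
    "2015-10-01T12:00:00Z\t10.0.0.5\tGET\thttp://download.windowsupdate.com/update.cab\tMicrosoft BITS/7.5\n"
    "2015-10-01T12:00:01Z\t10.0.0.7\tGET\thttp://beta.microsoftwindowsupdate.org/up/session"
    "?name=alice%40WS01%20Windows%207!~&serial=1A2B3C4D\tMicrosoft BITS/7.5\n"
    "2015-10-01T12:00:02Z\t10.0.0.9\tGET\thttp://example.com/\tMozilla/5.0\n"
    "2015-10-01T12:00:03Z\t10.0.0.11\tGET\thttps://phoneupdates.xyz/f/session"
    "?name=bob%40LAPTOP%20Windows%208.1&serial=DEADBEEF\tMicrosoft BITS/7.5\n"
)


def parse_checkin(url):
    """Return the fields of a GovRAT-style check-in URL, or None if the URL does
    not match the /session?name=...&serial=... template."""
    parts = urlsplit(url)
    if not parts.path.endswith("/session"):
        return None
    query = parse_qs(parts.query)  # percent-decodes the values
    if "name" not in query or "serial" not in query:
        return None
    match = NAME_RE.match(query["name"][0])
    if match is None:
        return None
    flags = match.group("flags")
    return {
        "user": match.group("user"),
        "machine": match.group("machine"),
        "windows_version": match.group("winver"),
        "is_admin": "!" in flags,          # "!" = user is Administrator
        "signature_valid": "~" in flags,   # "~" = WinVerifyTrust succeeded
        "volume_serial": query["serial"][0],
    }


def scan(log_text):
    """Run both detections over every log line and return a list of alerts."""
    alerts = []
    for line in log_text.strip().splitlines():
        timestamp, client_ip, _method, url, user_agent = line.split("\t")
        host = (urlsplit(url).hostname or "").lower()
        reasons = []
        if BITS_UA_RE.match(user_agent) and host not in BITS_EXPECTED_HOSTS:
            reasons.append("bits_ua_unexpected_host")
        checkin = parse_checkin(url)
        if checkin is not None:
            reasons.append("govrat_checkin_pattern")
        if reasons:
            alerts.append({"timestamp": timestamp, "client_ip": client_ip,
                           "host": host, "reasons": reasons, "checkin": checkin})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

The BITS User-Agent rule is the broader of the two and will need tuning, since legitimate third-party software also uses BITS; the check-in template rule is narrow but, as the post notes, the hostname, folder and parameter layout are hardcoded per build, so it is worth keeping both.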


Backdoor capabilities


Commands supported by GovRAT include:

GET : Download a file
PUT : Upload a file
DIR : List directory
DAE : Download And Execute
DEL : Delete file
SLP : Sleep
RNS : Resend initial data
RUN : Run program


Command-and-control infrastructure

Given that GovRAT is being sold as a kit on the Dark Web, we expected to find multiple command and control infrastructures in place. This turned out not to be the case. The C2 servers we found followed similar domain name patterns, resided on the same IP ranges and shared the same dubious history.

The following C&C domains were found in the known GovRAT samples:

phoneupdates[.]xyz
microsoftware[.]xyz
beta.microsoftwindowsupdate[.]org
upgrade.microsoftwindowsupdate[.]org
secure.microsoftwindowsupdate[.]org
download.microsoftwindowsupdate[.]org
test.hoseen454r[.]com


In addition, the infrastructure overlaps closely with previously known criminal activity revolving around DDOS and malicious Bitcoin mining. Several toolsets have been observed either downloaded from these machines or calling back to these machines, such as:

Linux/Tsunami, a DDOS bot
Linux/BitcoinMiner
Linux/Mayhem bots
IRC-controlled DDOS bots based on Perl2Exe

The main hub for this other activity is dyndn-web.com. This masquerades as a DynDNS domain, but appears not to be.

Overview of the GovRAT infrastructure and related connections


We do not know with certainty that the same person(s) behind GovRAT are behind the other criminal activity emanating from this infrastructure. However, it is a fair assumption that they are affiliated somehow, or at least know each other.

It’s official: You really can’t trust criminals


Blue Coat maintains a database of signed executables, which enables us to go back in time and find files signed with bad certificates. By mining for the certificates mentioned above, we were able to dig up a lot of new GovRAT samples, but that was not all we found. Many different malware campaigns showed up. Some of these were unknown to us, and some were really unexpected.

It is our assumption that these apparently unconnected clusters of malware share this connection simply because the underground certificate vendors resell the certificates over and over. They surely turn a nice profit by doing this, but they are also obliterating the operational security of their customers. We are not complaining, though their customers might want to ask for a refund.

Here are a few examples:

Open Source Developer, Marc Chapon:

This certificate was used on at least three GovRAT samples and four Bandook trojan samples. It was also apparently sold to the customer coming up next...

Open Source Developer, Muhammad Lee

This certificate was used on at least two GovRAT samples and on at least ten samples of a different malware family. This other family was packed with VMprotect, and needed some manual unpacking. Imagine my surprise when my emulator showed this result:


That’s right. These ten samples all belong to HackingTeam’s infamous “government malware” – Remote Control System, alias RCS.


The HackingTeam aspect


HackingTeam were themselves hacked mid-2015, and a lot of internal company information leaked into the public domain. The GovRAT samples were signed and cryptographically timestamped as far back as July 2014 (Muhammad Lee) and Jan-Feb 2015 (Marc Chapon), so the signing keys were apparently not appropriated as part of the HackingTeam data leak.

Indeed, the leaked emails themselves reveal that HackingTeam became aware in late 2014 that the Marc Chapon certificate was being used on a Bandook sample. They were upset, especially since the certificate had not been used by them at all, but was a “backup”.

Most of the RCS samples do however appear to be part of the leaked HackingTeam dataset. A zip file named asset_test.zip containing many of these samples was submitted to VirusTotal only a couple of days after the breach. Also, RCS samples are usually tagged with a special “watermark” which uniquely identifies the customer license, and these samples all contained apparent internal HackingTeam test or development watermarks – DEVEL, HT-HISTORY and HT-MINOTAURO.

The Muhammad Lee certificate itself can be found mentioned in the leaked HackingTeam email spool, along with a number of other certificates – including the one mentioned above, Open Source Developer, Marc Chapon. Other certificates mentioned in the leaked data were:

Open Source Developer, Tony Yeh
Certum Level III CA
0860c8a7ed18c3f030a32722fd2b220c

Open Source Developer, William Zoltan
Certum Level III CA
2fdadd0740572270203f8138692c4a83

Open Source Developer, meicun ge
Certum Level III CA
4fc13d6220c629043a26f81b1cad72d8


The first two of these were applied on a few samples, and most of those seem to have been internal test/development cases. The last certificate – meicun ge – has already been mentioned in a blog post by CitizenLab, and has been used on a large number of executables (we have 166 RCS samples with this signature).


Conclusion


Although marketed as an APT tool, the GovRAT malware itself is not really very advanced. Its capabilities are limited, the design is monolithic, and all important parameters are hardcoded in the binary. There are a number of programming errors, and some rookie mistakes – such as including source code filenames in the trojan executable. And, contrary to what the name would suggest, apart from information from the original InfoArmor article we have not seen any indication that GovRAT has been used by governments; but there are connections to pre-existing DDOS and Bitcoin mining infrastructure.

There are some interesting aspects to GovRAT, such as relying exclusively on the BITS protocol for communication with its C&C server. As we have seen before with other protocols like WebDAV, this illustrates that you cannot give any protocol a free pass without scrutiny. In addition, BITS implicitly supports SSL which may further complicate the detection of GovRAT C&C traffic.

More interesting is the convoluted connection between professional surveillance outfits such as the Italian HackingTeam and the criminal malware economy. There is a gray market here which is largely unexamined.


Appendix:


GovRAT:

HackingTeam Remote Control System:

Signed Bandook trojans:
43b36352110f6b7d413f55ceeb4574f10345739c157204c382ac1ba6d4fb4d5e
489b3b1fb315f0a9ab8e263f846dcad42d02e329916f907c492c144312e96f2e
e475241a32f220d6db6214eb03f0189937530db9898221e3b4dd430be1e079d2
f15011e6bdf823d16fa3311f17b3d4fe589b607c5aabcadefc04a529f86cffbb

Signed Perl2EXE IRC bots:
115e9fadd63aefd7758b5033fc6ea43f4d47d36e012a9064c5f42d0f8310ca0c
8b6b37b04021830b6678059a9ea1e578460e2a17b98b4f93f9603bdf397e2fef
a149f1c4d694a19329b36643bc9281cb1a57830c1d42b9b6542579d529ff0d59

Linux/Tsunami:
0173924f3b91579c2ab3382333f81b09fa2653588b9595243a0d85bd97f7dd11
675b578dc90752a9a0ff4434453528d1f7d1e118c3dfb7e269e4926575d6f801

Linux/BitcoinMiner:
666bf59e5385ad8742709c7ef2c6fe699a6ae9e0647e33dd888df3bfc427b5ea
42b81cddfc14ad081ce60466f77db744425c8ee11d57616d06db153936c47709