A prolific cybercrime organization linked to the Vietnamese government had a potent trojan that can allow hackers to modify web pages and is capable of SSL hijacking, yet it went undetected for two years.
The new trojan, known as Ratsnif, is used by OceanLotus, a known cybercriminal ring linked to Vietnam’s espionage efforts. Also known as APT32, CobaltKitty, SeaLotus, and APT-C-00 in the infosec community, the hackers typically combine unique malware with commercially-available tools, like Cobalt Strike.
Researchers at BlackBerry Cylance analyzed four variants of the Ratsnif RAT family. The study revealed that Ratsnif evolved from a debugging build to a release version with features like packet sniffing, ARP poisoning, DNS and MAC spoofing, HTTP redirection and injection, SSL hijacking, and setting up remote shell access. The first three of the analyzed variants were compiled in 2016, while the last one, as reported by Macnica Networks, has a compilation date of August 2018.
On August 5, 2018, according to researchers, the domain for Ratsnif’s command and control (C2) server was activated, and a day after that, a new version with modified debug code was activated by the organization.
The third, with a compilation date of September 13, 2016, was also activated and bears uncanny similarities to the first two versions. Researchers believe that it is “one of the earlier Ratsnifs to be deployed by OceanLotus in-the-wild.” It did not have all the features of the latest strain, but it could set up a remote shell and perform ARP poisoning (to route traffic through the Ratsnif host), DNS spoofing, and HTTP redirection.
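Since the early variants rely on ARP poisoning to pull LAN traffic through the infected host, a defender's counterpart is a monitor for the symptoms that technique leaves on a segment. The following is an added example, not code from the BlackBerry Cylance report or from the Ratsnif samples; the gateway address, MACs and ARP replies are constructed sample data.

```python
"""Flag ARP-poisoning symptoms in a stream of ARP replies.

Added example (not from the Cylance report or the Ratsnif samples): a
minimal monitor for the two signs ARP poisoning leaves on a segment, the
gateway IP being re-claimed by a new MAC and one MAC claiming several
IPs. All addresses below are constructed, not captured traffic.
"""
from collections import defaultdict

# Constructed ARP replies as (sender_ip, sender_mac); the last two show one
# MAC (the assumed poisoning host) claiming the gateway and a victim host.
SAMPLE_ARP_REPLIES = [
    ("192.168.1.1", "aa:bb:cc:00:00:01"),   # legitimate gateway
    ("192.168.1.10", "aa:bb:cc:00:00:10"),
    ("192.168.1.11", "aa:bb:cc:00:00:11"),
    ("192.168.1.1", "de:ad:be:ef:00:99"),   # gateway IP re-claimed
    ("192.168.1.10", "de:ad:be:ef:00:99"),  # same MAC now claims a host
]

GATEWAY_IP = "192.168.1.1"  # assumed gateway address for this segment


def detect_arp_poisoning(replies, gateway_ip=GATEWAY_IP, max_ips_per_mac=1):
    """Return alert strings for suspicious ARP replies.

    An alert is raised when an IP already bound to one MAC is claimed by
    a different MAC (HIGH if it is the gateway, else MEDIUM), and when a
    single MAC claims more than max_ips_per_mac addresses, the pattern a
    host impersonating both gateway and victim produces.
    """
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for ip, mac in replies:
        mac = mac.lower()
        prev = ip_to_mac.get(ip)
        if prev is not None and prev != mac:
            sev = "HIGH" if ip == gateway_ip else "MEDIUM"
            alerts.append(f"{sev}: {ip} moved from {prev} to {mac}")
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > max_ips_per_mac:
            alerts.append(f"MEDIUM: {mac} claims {sorted(mac_to_ips[mac])}")
    return alerts


if __name__ == "__main__":
    for line in detect_arp_poisoning(SAMPLE_ARP_REPLIES):
        print(line)
```

On a real network the reply stream would come from a packet capture on the monitoring host, and a legitimate gateway failover would also trip the first rule, so the binding change is a lead to investigate rather than proof of poisoning.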
The initial step was to collect system information such as username, computer name, workstation configuration, Windows system directory, and network adapter information, and deliver it to the C2. Analysts from Cylance saw two hardcoded addresses for the C2, but it seems that only one of them is active.
“Although this sample contains a Base64 encoded C2 URL hardcoded in the .rdata section (the same address as in the 2016 versions), the malware never seems to use it; instead, it logs the captured information into text files for further exfiltration by another module,” the researchers added.
Unlike the first three Ratsnif strains, the fourth no longer comes with a list of C2 servers; instead, it delegates communication to a separate piece of malware that was installed on the victim’s computer systems.
Furthermore, unique elements were found: it is the first strain to include a configuration file, and it has extended capabilities like HTTP injection, protocol parsing, and SSL hijacking with separately supplied SSL certificates. Decrypting the traffic is made possible by version 3.11 of the wolfSSL library, formerly known as CyaSSL.
Additionally, researchers noticed that Ratsnif had a bug that caused a memory read violation when parsing a specific parameter (“dwn_ip”): instead of a pointer to a string, the value itself is passed as a string.
“Unlike the 2016 variants of Ratsnif that stored all packets to a PCAP file, the 2018 variant employs multiple sniffer classes for harvesting sensitive information from packets. This will minimize the amount of data the attacker has to collect, exfiltrate and process, and also reveals what information the attacker is interested in,” reads the analysis.
Researchers remained intrigued by why Ratsnif remained undetected for a considerable amount of time. They postulate that it could be because of its limited deployment.
“Ratsnif is an intriguing discovery considering the length of time it has remained undetected, likely due to limited deployment,” the researchers said in the conclusion to their analysis.
“It offers a rare glimpse of over two years of feature development, allowing us to observe how threat actors tailor tooling to their nefarious purposes. While all samples borrow heavily from open-source code/snippets, overall development quality is deemed to be poor. Simply put, Ratsnif does not meet the usual high standards observed in OceanLotus malware.”