⚠️ New research drop: Ben uncovered a suspected state-affiliated campaign that’s flown under the radar for ~4 years with some C2 still active today.

Khushal (thread author)
Apr 4, 2024
His team now control one of their C2 domains and have been sinkholing + analysing traffic.
The KazakRAT binaries themselves were not obfuscated, making it simple to analyse. C2 communications are unencrypted and follow a simple beaconing mechanism over HTTP.
However, undiscovered for years, until recently!
During our tracking we identified a Windows-based RAT, delivered as a DLL, that we have coined KazakRAT.
Was the DLL delivered as a side-load after executing the msi file?

Would the attack be aborted if they have SAC/WDAC on?
Was the DLL delivered as a side-load after executing the msi file?

Would the attack be aborted if they have SAC/WDAC on?
Unsigned, so yeah, DLL hijacking shouldn't be successful here. The MSI I shared on the other thread is a signed exe with a valid cert, so that could be curtains for SAC/WDAC, but I have not tested it yet. I was interested if Andy has the answer.
Unsigned, so yeah, DLL hijacking shouldn't be successful here. The MSI I shared on the other thread is a signed exe with a valid cert, so that could be curtains for SAC/WDAC, but I have not tested it yet. I was interested if Andy has the answer.
Indeed; a suitable scenario for auditing SAC/WDAC.
Delivery & Installation (MITRE T1566)
The malware is distributed via .msi files (e.g., Document_Online_PDF_converter_XLSX.msi, Instruction.msi).

These installers drop a decoy document (Word or PDF) and the malicious DLL payload.

Decoys identified
A fake letter from the President of Kazakhstan regarding Constitution Day and an official memo from Afghan authorities.

Persistence (MITRE T1547.001)
The malware establishes persistence by creating Registry Run keys to execute the malicious DLL via rundll32.exe.

Observed Paths

C:\Users\[user]\AppData\Roaming\SysDrive\SysDriveLib.dll (Variant A).

C:\ProgramData\NT\NT.dll (Variants B & C).

Registry Keys
The actor uses non-standard numerical names for Run keys, specifically "6", "8", and "9".

Command & Control (C2) (MITRE T1071.001)
Communication is performed via unencrypted HTTP POST requests to the specific URI path /as/include.php.

The beacon interval is set to 5 seconds using the SetTimer API.

Traffic Signature
HTTP:
POST /as/include.php HTTP/1.1
Host: [C2_HOST]
Content-Type: application/x-www-form-urlencoded
...
id=[VolumeSerialNumber_Hex]

Capabilities
The RAT supports commands for file exfiltration (upload, download), command execution (exec), directory creation (ctd), and drive enumeration (disks).

Detection & Remediation Strategy
Adhering to NIST SP 800-61r2 (Computer Security Incident Handling Guide) and SANS "Know Normal" methodologies.

Phase 1
Identification (SANS/NIST)
Search your environment for the following confirmed Indicators of Compromise (IOCs).

Network Indicators

Traffic Pattern

High-frequency (5s interval) HTTP POST requests to /as/include.php.

Domains
server.fsocmicrsoft[.]com
dns.freiesasien[.]com
dsn.mamurigovaf[.]site
dns.microbwt[.]team

IP Addresses
181.174.164[.]193
190.14.37[.]114
181.174.164[.]111

Host-Based Indicators
Files: Presence of SysDriveLib.dll in AppData or NT.dll in C:\ProgramData\NT\.

Registry
Check HKCU\Software\Microsoft\Windows\CurrentVersion\Run for keys named simply "6", "8", or "9" executing rundll32.

Phase 2
Containment & Eradication
If positive hits are found:

Isolate
Immediately sever network access for the infected host to prevent data exfiltration.

Terminate
Kill any rundll32.exe processes spawning from the identified paths.

Delete
Remove the malicious DLLs and the associated Registry Run keys.

Forensics
Before wiping, capture the AppData and ProgramData folders to recover any staged data or additional payloads.

References

NIST SP 800-61r2, Computer Security Incident Handling Guide

Primary Source: Ctrl-Alt-Int3l, "Attack on stan: Your malware, my C2"

MITRE ATT&CK: T1547 (Boot or Logon Autostart Execution), T1071 (Application Layer Protocol)
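Pulling the host and network indicators from the summary above into one triage script, as an added example that is not code from the Ctrl-Alt-Int3l write-up or from anyone in this thread. The Run value names ("6", "8", "9"), the two DLL paths, the /as/include.php URI and the 5-second beacon interval come straight from the post. Everything else is my own assumption: the "timestamp src_ip method uri" log line format it parses, the sample log lines (constructed, not real telemetry), the evidence folder, the -Remediate switch and the function names. It also goes slightly beyond the post by walking every loaded hive under HKEY_USERS instead of only HKCU, so a hunt from an admin session covers other logged-on users.

```powershell
# Added triage script for the KazakRAT indicators summarised above. Not code from the
# Ctrl-Alt-Int3l write-up. Indicators are from the post; the log format, the sample
# lines, the evidence folder, -Remediate and the function names are assumptions.
param(
    [switch]$Remediate,                                    # Phase 2 actions only when set
    [string]$EvidenceDir = "$env:TEMP\kazakrat-evidence"   # assumed location for captured DLLs
)

# --- Indicators from the write-up ---
$RunValueNames = '6', '8', '9'
$DllPaths = @(
    "$env:APPDATA\SysDrive\SysDriveLib.dll",   # Variant A
    'C:\ProgramData\NT\NT.dll'                  # Variants B & C
)
$C2Uri = '/as/include.php'
$BeaconSeconds = 5

function Find-KazakRatRunKeys {
    # Run values literally named "6", "8" or "9" whose data invokes rundll32.
    # The post lists HKCU; every loaded hive under HKEY_USERS is checked (assumption).
    foreach ($hive in Get-ChildItem Registry::HKEY_USERS) {
        $key = "Registry::$($hive.Name)\Software\Microsoft\Windows\CurrentVersion\Run"
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $values = Get-ItemProperty -LiteralPath $key
        foreach ($name in $RunValueNames) {
            $data = $values.$name
            if ($data -and $data -match 'rundll32') {
                [pscustomobject]@{ Key = $key; ValueName = $name; Data = $data }
            }
        }
    }
}

function Find-KazakRatFiles {
    foreach ($p in $DllPaths) { if (Test-Path -LiteralPath $p) { Get-Item -LiteralPath $p } }
}

function Find-KazakRatProcesses {
    # rundll32.exe instances whose command line references one of the DLL paths.
    Get-CimInstance Win32_Process -Filter "Name = 'rundll32.exe'" | Where-Object {
        $cmd = $_.CommandLine
        $cmd -and ($DllPaths | Where-Object { $cmd -like "*$_*" })
    }
}

function Find-KazakRatBeacons {
    # Flags sources POSTing to the C2 URI at roughly the 5 s SetTimer cadence.
    # Expected line shape (assumed, not a real product's): "<ISO time> <src_ip> <method> <uri>".
    param([string[]]$LogLines)
    $hits = foreach ($line in $LogLines) {
        $f = $line -split '\s+'
        if ($f.Count -ge 4 -and $f[2] -eq 'POST' -and $f[3] -eq $C2Uri) {
            [pscustomobject]@{ Time = [datetime]::Parse($f[0]); Src = $f[1] }
        }
    }
    $hits | Group-Object Src | ForEach-Object {
        $times = $_.Group.Time | Sort-Object
        if ($times.Count -lt 3) { return }          # need at least two gaps to call it periodic
        $gaps = for ($i = 1; $i -lt $times.Count; $i++) { ($times[$i] - $times[$i - 1]).TotalSeconds }
        $median = ($gaps | Sort-Object)[[int][math]::Floor($gaps.Count / 2)]
        if ([math]::Abs($median - $BeaconSeconds) -le 1) {
            [pscustomobject]@{ Src = $_.Name; Posts = $times.Count; MedianGapSeconds = $median }
        }
    }
}

# Constructed sample lines (not real telemetry) so the log check runs on any PowerShell host.
$SampleLog = @'
2024-04-04T10:00:00Z 10.0.0.7 POST /as/include.php
2024-04-04T10:00:05Z 10.0.0.7 POST /as/include.php
2024-04-04T10:00:10Z 10.0.0.7 POST /as/include.php
2024-04-04T10:00:15Z 10.0.0.7 POST /as/include.php
2024-04-04T10:00:02Z 10.0.0.9 GET /index.html
2024-04-04T10:03:02Z 10.0.0.9 POST /as/include.php
'@ -split "`r?`n"

# --- Phase 1: identification ---
'== Beacon check over sample log =='
Find-KazakRatBeacons -LogLines $SampleLog | Format-Table -AutoSize

$onWindows = ($IsWindows -or ($env:OS -eq 'Windows_NT'))   # $IsWindows is undefined on Windows PowerShell 5.1
if ($onWindows) {
    '== Run keys ==';     Find-KazakRatRunKeys   | Format-Table -AutoSize
    '== DLLs on disk =='; Find-KazakRatFiles     | Format-Table FullName, Length, LastWriteTime
    '== rundll32 ==';     Find-KazakRatProcesses | Format-Table ProcessId, ParentProcessId, CommandLine
}

# --- Phase 2: containment and eradication (only with -Remediate, on an already isolated host) ---
if ($Remediate -and $onWindows) {
    # Capture the DLLs before touching anything, per the forensics step in the post.
    New-Item -ItemType Directory -Path $EvidenceDir -Force | Out-Null
    Find-KazakRatFiles     | Copy-Item -Destination $EvidenceDir -Force
    Find-KazakRatProcesses | ForEach-Object { Stop-Process -Id $_.ProcessId -Force }
    Find-KazakRatRunKeys   | ForEach-Object { Remove-ItemProperty -LiteralPath $_.Key -Name $_.ValueName }
    Find-KazakRatFiles     | Remove-Item -Force
}
```

Run it without arguments for read-only identification: the beacon check over the constructed sample flags 10.0.0.7 (four POSTs, 5 s median gap) and ignores 10.0.0.9, while the registry, file and process checks only run on Windows. Add -Remediate on a host you have already taken off the network to copy the DLLs into the evidence folder, stop the rundll32 instances, drop the numeric Run values and delete the DLLs, in that order. Network isolation itself is left to your EDR or NAC tooling, and the full AppData/ProgramData capture the post recommends should still be done with your normal forensic collector before the delete step.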