New Moker RAT Bypasses Detection

Status
Not open for further replies.
L

LabZero

Thread author
Researchers warned Tuesday the latest APT to make the rounds features a remote access Trojan that can effectively mitigate security measures on machines and grant the attacker full access to the system.

Experts with the Israeli cyber security start-up enSilo discovered the RAT – which they refer to as Moker – lurking inside one of their customers’ networks but admit they aren’t sure how it got there.

In fact Yotam Gottesman, a senior security researcher with the firm, believes little was known about the malware until they stumbled upon it, pointing out that Moker hasn’t appeared on VirusTotal yet.

Perhaps that’s because the RAT, which targets Windows machines, is especially skilled when it comes to not getting caught.

According to researchers, Moker can bypass antivirus, sandboxing, virtual machines, and by exploiting a design flaw, User Account Control, the Windows feature that’s supposed to give users a heads up when a program makes a change that requires administrator-level permission. The malware apparently even applies anti-debugging techniques after its been detected to help avoid malware dissection and to further deceive researchers.

“[Moker’s] detection-evasion measures included encrypting itself and a two-step installation,” Gottesman wrote on Tuesday.

“Measures to protect itself from posthumous dissection included evading debugging techniques that are used by researchers, the addition of complex code and purposefully adding instructions to lead researchers in the wrong direction.”

Once embedded on a system, the RAT could cause a real headache for users. An attacker could more or less take full control of the device to take screenshots, record web traffic, sniff keystrokes, and exfiltrate files. They could also leverage the malware to create new user accounts, modify system security settings, and inject malicious code during runtime on the machine.

It’s unclear exactly who’s behind the malware – enSilo points out that the malware communicated with a server in Montenegro, a small Balkan nation that borders Serbia and Kosovo – but admits that this was probably done to throw off researchers and law enforcement.

In addition to the measures it takes to avoid detection, another interesting thing about the malware is that it doesn’t necessarily need to communicate with an external command and control server to do its bidding. The malware instead can receive commands locally via a hidden control panel.

The researchers assume the functionality was built into the RAT so an attacker could VPN into the system they’re targeting and pull strings from there, but acknowledge the feature also could’ve been inserted by the author for testing purposes.

While enSilo claims that Moker could have been a one time thing, the firm wouldn’t rule out the possibility that other RATs might borrow similar techniques later down the line.

“This case might have been a dedicated attack,” Gottesman wrote, “However, we do see that malware authors adopt techniques used by other authors. We won’t be surprised if we see future APTs using similar measures that were used by Moker (such as bypassing security mechanisms and dissection techniques).“
 

Solarquest

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Jul 22, 2014
2,525
These APTs are terrible!
It would have been great if EnSilo also shared the md5, sha to be able to check the AV detection on VT.

The good news is that apparently the downloader is somehow detected by at least one AV as ArchSMS ( "however, is obviously not the malware in hand" as stated by enSilo).
.... and can be seen in process explorer.o_O
 
Status
Not open for further replies.

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top