New Moker RAT Bypasses Detection

Discussion in 'News Archive' started by LabZero, Oct 8, 2015.

  1. LabZero

    LabZero Guest

    Researchers warned Tuesday the latest APT to make the rounds features a remote access Trojan that can effectively mitigate security measures on machines and grant the attacker full access to the system.

    Experts with the Israeli cyber security start-up enSilo discovered the RAT – which they refer to as Moker – lurking inside one of their customers’ networks but admit they aren’t sure how it got there.

    In fact Yotam Gottesman, a senior security researcher with the firm, believes little was known about the malware until they stumbled upon it, pointing out that Moker hasn’t appeared on VirusTotal yet.

    Perhaps that’s because the RAT, which targets Windows machines, is especially skilled when it comes to not getting caught.

    According to researchers, Moker can bypass antivirus, sandboxing, virtual machines, and by exploiting a design flaw, User Account Control, the Windows feature that’s supposed to give users a heads up when a program makes a change that requires administrator-level permission. The malware apparently even applies anti-debugging techniques after it’s been detected to help avoid malware dissection and to further deceive researchers.

    “[Moker’s] detection-evasion measures included encrypting itself and a two-step installation,” Gottesman wrote on Tuesday.

    “Measures to protect itself from posthumous dissection included evading debugging techniques that are used by researchers, the addition of complex code and purposefully adding instructions to lead researchers in the wrong direction.”

    Once embedded on a system, the RAT could cause a real headache for users. An attacker could more or less take full control of the device to take screenshots, record web traffic, sniff keystrokes, and exfiltrate files. They could also leverage the malware to create new user accounts, modify system security settings, and inject malicious code during runtime on the machine.

    It’s unclear exactly who’s behind the malware – enSilo points out that the malware communicated with a server in Montenegro, a small Balkan nation that borders Serbia and Kosovo – but admits that this was probably done to throw off researchers and law enforcement.

    In addition to the measures it takes to avoid detection, another interesting thing about the malware is that it doesn’t necessarily need to communicate with an external command and control server to do its bidding. The malware instead can receive commands locally via a hidden control panel.

    The researchers assume the functionality was built into the RAT so an attacker could VPN into the system they’re targeting and pull strings from there, but acknowledge the feature also could’ve been inserted by the author for testing purposes.

    While enSilo claims that Moker could have been a one time thing, the firm wouldn’t rule out the possibility that other RATs might borrow similar techniques later down the line.

    “This case might have been a dedicated attack,” Gottesman wrote, “However, we do see that malware authors adopt techniques used by other authors. We won’t be surprised if we see future APTs using similar measures that were used by Moker (such as bypassing security mechanisms and dissection techniques).”
     
  2. frogboy

    frogboy Level 61
    Trusted

    Jun 9, 2013
    6,195
    64,074
    Heavy Duty Mechanic.
    Western Australia
    Windows 10
    Emsisoft
    This one sure does look nasty and very tricky. :(
     
    tallorder, Moose, XhenEd and 2 others like this.
  3. Solarquest

    Solarquest Moderator
    Staff Member AV Tester

    Jul 22, 2014
    1,756
    13,947
    These APTs are terrible!
    It would have been great if enSilo also shared the md5, sha to be able to check the AV detection on VT.

    The good news is that apparently the downloader is somehow detected by at least one AV as ArchSMS ( "however, is obviously not the malware in hand" as stated by enSilo).
    .... and can be seen in process explorer.o_O
     
    Moose, frogboy and LabZero like this.
  4. Moose

    Moose Level 22

    Jun 14, 2011
    2,275
    1,185
    And which AV detect as ArchSMS?

    Kind regards,
     
    LabZero likes this.