OceanLotus’ Ratsnif, a remote access Trojan that has largely escaped detection
and is used mainly for cyber-espionage, has been upgraded and is now capable of
SSL hijacking and modifying web pages.
The prominent threat actor OceanLotus is well known for its espionage
campaigns in Vietnam. APT32, CobaltKitty, SeaLotus and APT-C-00 are a few of
its aliases in the infosec community.
The operators behind this threat actor usually combine “commercially
available tools” such as Cobalt Strike with custom malware.
Researchers analysed four separate variants of the Ratsnif RAT family and
found that it evolved from a debug build into a release version.
It now comes with new features such as DNS and MAC spoofing, SSL hijacking,
packet sniffing, HTTP redirection and injection, remote shell access and ARP
poisoning.
Per the sources, the three early versions carry compilation dates from 2016,
whereas the most recent one was compiled in August 2018.
The oldest Ratsnif variant, per the researchers, was apparently a debug build
compiled in August 2016; the domain for its command and control (C2) server was
activated the same day.
A newer version with only minor changes was compiled the very next day. Both
samples were checked against the anti-virus engines on the VirusTotal service
at the same time.
A third version, with a September 2016 compilation date, appeared with almost
identical functionality and is believed by the researchers to be one of the
early builds.
It was not loaded with the full feature set, but it was capable of setting up
a remote shell and of performing ARP poisoning, DNS spoofing and HTTP
redirection.
Early in its execution it collects information such as the username, computer
name, Windows system directory, network adapter details and workstation
configuration, and sends it to the C2.
The fourth Ratsnif sample no longer carried a list of C2 servers; instead it
delegated communication to a different piece of malware already present on the
victim host.
It was also the first to introduce a configuration file, and it extended the
feature set to make the RAT more effective.
Ratsnif decrypts the hijacked SSL traffic using version 3.11 of the wolfSSL
library, formerly known as CyaSSL.
The configuration file is not protected in any way: it is simply a “text file
encoded in Base64 with a parameter on its own line”.
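As an added illustration (not code from this page or from the researchers’ analysis), the following Python decodes a configuration file in the format described above: the whole file is Base64, and each decoded line carries one parameter. The `name=value` layout of a line, the parameter names other than `dwn_ip`, and the sample values are assumptions made for the example; only `dwn_ip` and the Base64/line-per-parameter layout come from the page.

```python
import base64
import binascii
from typing import Dict

# Constructed sample config (not a real Ratsnif file). The "name=value"
# layout and the names "sid" and "mode" are assumptions for this example;
# the page only states that the file is Base64 with one parameter per line.
SAMPLE_PLAINTEXT = "dwn_ip=192.0.2.10\nsid=example-host\n\nmode=1\n"
SAMPLE_CONFIG = base64.b64encode(SAMPLE_PLAINTEXT.encode()).decode()


def decode_config(blob: str) -> str:
    """Base64-decode the whole file; raise ValueError on malformed input."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError(f"not a valid Base64 config: {exc}") from exc


def parse_config(blob: str) -> Dict[str, str]:
    """Return {parameter: value} from a Base64-encoded, one-parameter-per-line config."""
    params: Dict[str, str] = {}
    for lineno, line in enumerate(decode_config(blob).splitlines(), 1):
        line = line.strip()
        if not line:  # tolerate blank lines between parameters
            continue
        name, sep, value = line.partition("=")
        if not sep or not name.strip():
            raise ValueError(f"line {lineno}: expected name=value, got {line!r}")
        params[name.strip()] = value.strip()
    return params


def encode_config(params: Dict[str, str]) -> str:
    """Inverse of parse_config: emit one name=value line per parameter, then Base64."""
    plaintext = "".join(f"{name}={value}\n" for name, value in params.items())
    return base64.b64encode(plaintext.encode("utf-8")).decode()


def is_valid_config(blob: str) -> bool:
    """Triage helper: True if blob decodes cleanly into name=value lines."""
    try:
        parse_config(blob)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    for name, value in parse_config(SAMPLE_CONFIG).items():
        print(f"{name} = {value}")
```

Because there is no encryption and no integrity check, anyone who recovers the file from disk or memory can read and rewrite the operator’s parameters with a few lines like these.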
Ratsnif can also trigger a memory read violation because of a bug in the
parsing of one specific parameter (“dwn_ip”): the value is passed as a string
where a pointer to a string is expected.
According to the analysts, the 2016 versions of Ratsnif dumped all captured
packets to a PCAP file, whereas the 2018 version employs multiple sniffer
classes that extract only sensitive information from the packets.
This reduces the amount of data the attacker has to collect, exfiltrate and
process, and it also reveals what information the attacker is after.
Ratsnif has done a remarkable job of staying out of the limelight.
Nonetheless, it is not up to the standard of OceanLotus’ other malware.