Moker Rat Advanced Persistent Threat

AutoCascade · Oct 7, 2015

http://blog.ensilo.com/moker-a-new-apt-discovered-within-a-sensitive-network

There is also a technical analysis here - http://breakingmalware.com/malware/moker-part-1-dissecting-a-new-apt-under-the-microscope/

Recently, enSilo found an Advanced Persistent Threat (APT) residing in a sensitive network of a customer. This APT appears to be a Remote Access Trojan (RAT) that is capable of taking complete control of the victim’s computer.

To date, this APT is unknown and does not appear in VirusTotal.

Moker was the file description that the malware author gave to the malware’s executable file.

enSilo’s customers are all safeguarded from Moker.

What makes Moker unique?

Bypasses and disables security measures. This includes everything from security-dedicated measures such as Anti-Virus (AV), sandboxing and virtual machines, to Windows’ built-in security enhancements such as User Access Control (UAC).

Achieves system privileges. As opposed to more common malwares such as bankers, ransomwares and PoS scrapers, this APT hooked into the Operating System (OS) in order to appear as a legitimate OS process and to access system-wide settings.

Can be controlled without requiring Internet-connectivity. Moker does not need an external communication point (such as a Command and Control – C&C server) to operate. It can also receive its commands locally, through a hidden control panel. This means that a threat actor can also login say, via VPN using legitimate user credentials, and operate the malware on the infected device.

Takes great measures in order to bypass posthumous research once detected. For example, Moker applied sophisticated anti-debugging techniques to avoid malware dissection and deceive researchers.

What are Moker's capabilities?
Moker targets Windows machines and:

Takes complete control of the victim’s machine by creating a new user account and opening a RDP channel to gain remote control of the victim’s device

Tampers with sensitive system files and modify system-security settings

Takes screenshots, records web traffic, monitors key strokes and exiltrates files

Injects itself into different system processes in order to replace legitimate code with malicious code during run-time

We’re continuing to investigate this malware in our labs and will update accordingly.

Who's Behind Moker?
A test in our labs revealed that under certain circumstances Moker communicated with a server registered in Montenegro. The Montengro-based server was referred by several other domains registered in African countries. It’s important to note however that these registered domains cannot give an indication of the threat actor’s identity or physical location as it certainly makes sense to think that the threat actor either used compromised servers or purchased dedicated-only servers in other locations to confuse researchers and law enforcement agencies.
Interestingly, Moker did not necessarily need to be controlled from remote. A feature of the RAT includes a control panel that enables the attacker to control the malware locally. Consider a Local Access Trojan (LAT). We think this feature was added either for a threat actor to mimic a legitimate user (say, VPN’ing into the enterprise and then commanding Moker locally), or was inserted by the malware’s author for testing purposes yet remained also in the production version.

Moker’s sophistication wasn’t only in terms of its capabilities, but also in the measures it took to defend itself, including after it was caught. Its detection-evasion measures included encrypting itself and a 2-step installation (see below). Measures to protect itself from posthumous dissection included evading debugging techniques that are used by researchers, the addition of complex code and purposefully adding instructions to lead researchers in the wrong direction.
Obviously, this is a threat actor that invested a lot of resources in order to keep this malware stealthy.
How did the victim become infected?
Specifically for this campaign, we do not yet know how the malware infected the victim. The bottom line, however, is that this malware infiltrated the organization.
In general, malware can infect a machine in a variety of ways, such as sending a sophisticated phishing email, enticing the victim to click on a link or even plugging in a thumb drive.

How does Moker install itself?
Installation occurs in two stages. The two-stage installation is performed to defeat security measures such as sandboxing that rely on time-sensitive techniques:

Planting a Dropper. Moker first plants its “infrastructure”, preparing the groundwork for full installation at a later stage. The Dropper itself does not appear malicious as it doesn’t actually do any harm and so defeats the sandbox measures. Once planted in the machine, it can then easily receive the malicious payload at call of duty.

Installing the Payload. Once the Dropper is in place, it installs its second component – the malicious payload. The payload is either downloaded via an Internet connection, or loaded locally. It comes encrypted to defeat security measures that monitor the network and file systems. Once the it arrives in the victim’s machine, the Dropper decrypts the payload and injects it into system processes.

How does Moker defeat security solutions and Windows’ measures?

The APT performs the following in order to defeat detection:

Code Packing. This enables the malware to evade signature-based solutions such as Anti-Virus (AV) and network monitoring solutions that inspect traffic packets.

Two-step installation. This allows it to evade security solutions such as sandboxing and virtual machines (as stated in the above question “How does Moker install itself?”)

Vulnerability Exploitation. In order to achieve system privileges both the Dropper and the payload had to bypass Windows’ User Access Control (UAC). They did this by exploiting a known Windows design flaw. It’s important to mention that this flaw is not a vulnerability in the sense of a buggy code, but rather a Windows’ feature that is abused by threat actors.

Can we predict this malware to appear more in the wild?
This case might have been a dedicated attack. However, we do see that malware authors adopt techniques used by other authors. We won’t be surprised if we see future APTs using similar measures that were used by Moker (such as bypassing security mechanisms and dissection techniques).

How can an organization protect itself against Moker?
As shown, well-established security measures and Windows’ security mechanisms cannot stop the infiltration of Moker.

What we recommend is to recognize that infection is inevitable, and so to secure all data under the assumption that the environment is infected. Measures for securing the data include:

Blocking in real-time all malicious outbound communications

Preventing in real-time the malicious tampering of files

Following up on actual malicious communicating/tampering attempts in order to perform attack forensics

Click to expand...

Baserk · Oct 7, 2015

In English 'Moker' means 'big' or 'large', in Dutch it's a synonym for sledge hammer or maul.
Anyone here who knows the term 'Moker' from another language?

Rasheed187 · Oct 7, 2015

Looks interesting, hopefully itman will come up with an analysis.

J_L · Oct 7, 2015

Two-step installation. This allows it to evade security solutions such as sandboxing and virtual machines (as stated in the above question “How does Moker install itself?”)

Click to expand...

Sounds like the usual "evasion" techniques against virtualization BS to me.

Although what damage it can do with Remote Desktop would be interesting...

Specifically for this campaign, we do not yet know how the malware infected the victim. The bottom line, however, is that this malware infiltrated the organization.
In general, malware can infect a machine in a variety of ways, such as sending a sophisticated phishing email, enticing the victim to click on a link or even plugging in a thumb drive.
Click to expand...

And double-clicking the damn thing of course... Unless proven otherwise, another dumbed down FUD.

itman · Oct 10, 2015

Rasheed187 said: ↑

Looks interesting, hopefully itman will come up with an analysis.
Click to expand...

It's network based malware. So anyone running on a stand alone PC or home network doesn't have to worry. RDP disabled by default on those systems.

Has all the usual elements discussed previously in other Wilder's threads. I am sure Eset's IDS would catch it. Also main process it injects is explorer.exe which I have already protected against memory injection.

Der Alte · Oct 10, 2015

@Baserk
In danish - Mukkert - (from Dutch: fat girl) a big and heavy squered hammer.
-En mukkert ((Hollandsk/Nederlandsk): mokke, tyk pige) er en stor og tung firkantet hammer-

itman · Oct 10, 2015

Der Alte said: ↑

In danish - Mukkert - (from Dutch: fat girl) a big and heavy squered hammer.
Click to expand...

In other words, something never to call your girlfriend.

Der Alte · Oct 10, 2015

Only if your have snappy feet

Rasheed187 · Oct 11, 2015

itman said: ↑

It's network based malware. So anyone running on a stand alone PC or home network doesn't have to worry. RDP disabled by default on those systems.

Has all the usual elements discussed previously in other Wilder's threads. I am sure Eset's IDS would catch it. Also main process it injects is explorer.exe which I have already protected against memory injection.
Click to expand...

Yes I've done some reading. Interesting was that it used "process hollowing" and also "Elevation of privileges". The first would be stopped by HIPS (process modification), the second could be stopped by HIPS watching for file creation inside the C:\Windows\system32\ folder.

itman · Oct 11, 2015

Rasheed187 said: ↑

Yes I've done some reading. Interesting was that it used "process hollowing" and also "Elevation of privileges". The first would be stopped by HIPS (process modification), the second could be stopped by HIPS watching for file creation inside the C:\Windows\system32\ folder.
Click to expand...

Notice that it did not use an exploit to elevate privileges. It actually used a Windows process, sysprep, to do it!

There is a Windows design vulnerability which enables loading unauthorized DLLs by authorized applications. This vulnerability is found in the way Windows loads DLLs upon request. When an application loads a DLL by its name, Windows first looks through the application’s current folder, and then proceeds to search at system directories (and other paths). In order to avoid a predicted chaos using this technique, some DLLs are always loaded from the system directory regardless of any other same named DLLs found in its own path. Monitoring sysprep shows it loading one DLL which does not follow this restriction: ActionQueue.dll.

Also, my testing of Eset's HIPS monitoring rule has shown that it will detect any startup of a process regardless of the file extension or lack of it in this instance i.e. a xxxx. file located in %AppData% directory or sub-directory.

Log in or Sign up

Moker Rat Advanced Persistent Threat

AutoCascade Registered Member

Baserk Registered Member

Rasheed187 Registered Member

J_L Registered Member

itman Registered Member

Der Alte Registered Member

itman Registered Member

Der Alte Registered Member

Rasheed187 Registered Member

itman Registered Member

Log in or Sign up

Moker Rat Advanced Persistent Threat

AutoCascade Registered Member

Baserk Registered Member

Rasheed187 Registered Member

J_L Registered Member

itman Registered Member

Der Alte Registered Member

itman Registered Member

Der Alte Registered Member

Rasheed187 Registered Member

itman Registered Member

Useful Searches