Jai Minton

Jai Minton

Information and Cyber Security Professional. All thoughts and opinions expressed here are my own, and may not be representative of my employer, or any other entity unless I am specifically quoting someone. Content is licensed under the Creative Commons Attribution 4.0 International License.

BlackNET RAT - Malware Analysis Lab

19 minute read

Technical Analysis of BlackNET RAT

Overview (AI generated from video):

Summary

BlackNET RAT is a remote access Trojan. It was freely available on GitHub in 2020 and infected systems during the COVID-19 pandemic. The malware recruited infected systems into a botnet to steal information and conduct attacks on other systems.

Timestamps

[0:00] 💻 BlackNET RAT is a remote access Trojan.
[0:43] 🔍 The malware was freely available on GitHub in 2020 and infected systems during the COVID-19 pandemic.
[1:32] 🌐 Infected systems were recruited into a botnet to steal information and execute attacks on other systems.

Key Insights

[0:00] 💡 BlackNET RAT is a deceptive malware that poses as a legitimate tool to gain unauthorized access to systems.
[0:43] 💡 The availability of BlackNET RAT on GitHub allowed researchers to analyze its code and understand its functionalities.
[1:32] 💡 The botnet created by BlackNET RAT enabled the attacker to control a network of infected systems, stealing data and launching attacks.
[2:35] 💡 The BlackNET RAT Builder is a tool used to customize and compile the malware, providing various options for its functionality, communication, and masquerading.
[3:50] 💡 The login panel of the BlackNET RAT allows attackers to manage the infected systems, monitor their activity, and send commands remotely.
[4:47] 💡 K7 security Labs have developed rules to detect and prevent BlackNET RAT infections based on specific indicators and behaviors.
[5:14] 💡 Understanding the capabilities and workings of BlackNET RAT can help in developing effective countermeasures against such malware.

Transcript (AI generated from video):

00:00:00	today we are going to look at the blacknet rat now the blacknet rat is mentioned as a remote Administration tool however it is as much a remote Administration tool as it is actually a remote access Trojan for lack of the better term rat now this particular tool was freely made available on GitHub back in 2020 and this was during the height of the co pandemic where people were being infected by this particular rat during that time with covid-19 lures now what actually happened was those systems were
00:00:37	then recruited in what's known as a botn net and we used not only to steal information from those systems but also execute attacks on other remote systems now because it was freely available on GitHub we actually get a glimpse into what the developer has created here so let's jump in so we've actually got our blacknet rat here which is downloaded from malware Bazaar I'm going to extract this and it needs the password infected from here now I have an extracted copy now something that might be [Music]
00:01:30	functioned quite nicely so inside of it there is an up.exe now if I was to open this up in PE studio and view the particular archive you can see the Manifest says that it is a WinRAR self extracting archive and the overlay has a pkzip file which is the actual archive inside of it so you could actually save this to a file let's say we are going to save it as as zip dotzip on the desktop and now that overlay has actually been saved to the desktop now the self extracting archives have a decompression method
00:02:12	that is the stub used to essentially extract that archive so whilst we can use seven zip to get it to open it directly from here and get the next stage we can actually extract the archive like we just did and go open archive and this is actually what we are seeing we are seeing update.exe here after we have dumped it from that overlay so let's go ahead and extract this file so now you'll notice that update.exe seems to be another copy of a self-extracting archive so using PE Studio once again we'll take a look at
00:02:49	it and as we can see once more it does look like this is a win raar self- extracting archive so we have once again another overlay that is an archive file this time we are just going to Simply hit it with seven zip and use extract files now you'll see that it is posing as Adobe Photoshop cs12 and it has a file size of 195 kiloby if I look at this file with detected easy we can get a bit more of an idea of what this actually is now it does look like it is a net binary which means that it is very easy for us to
00:03:29	decompile so using DN spy what I'm going to do is open up this file and take a look at what it contains so opening up this file you'll notice that it number one doesn't match the name of what we were just seeing this says that it is the host process for Windows services so SVC host is what that would be but then it also says the assembly title is the Windows update assistant which doesn't align even with the fact of a host process for Windows Services we can see that it is masquerading as SVC host as
00:04:07	the binary name here and if we actually begin to look at it it doesn't have a lot of methods but you can already begin to see that some of the names just don't add up to what they should be for example dods is a distributed denial of service and that's not something that we would expect the windows SVC host process to be performing so let's take a look at some of these methods SVC host itself is likely going to be the entry point or what is going to be run as the form is created now there is quite a lot
00:04:42	in here this actually begins to look like the configuration of this particular malware so there are particular settings such as an ID whether it's going to persist on Startup whether it does a hard install whatever that means the whether it's got a USB spreading module whether it's trying to bypass UAC anti VM checks etc etc so this looks like the main configuration of this piece of malware now if we take a look at the SVC host antis this is quite nicely named anti VM so this is performing checks to
00:05:25	determine if it is running in a particular virtual machine and there doesn't seem to be a lot of checks that are being performed but if any of these particular DLS are found so this looks like a virtual box one and this looks like a VMware based one if either of those DLS are found or even if a sandboxy dll is found then it's going to be running a command where it is attempting to delete itself from dis so it's just going to vanish thus trying to remain undetected there is also an anti-debugging check now this actually
00:06:04	has a hardcoded list of particular executable such as a Patty DNS speed gear wire shark a bunch of tools that are used in debugging and malware analysis that if it finds them on an operating system is probably once again going to kill itself hello it's G here from the future this is not actually going to kill itself it's going to kill each and every one of the processes that are running with those particular hardcoded process names so yeah silly me didn't actually read the code properly when I was making the video all right
00:06:43	back to the show now if we look there is a disable WD which is disable Windows Defender and this is modifying a number of registry keys in order to prevent the antimalware scanning engine of Windows Defender from performing scans against this binary so for example it is turning tamper protection off it is enabling the disable anti-spyware component so it's removing that scanning aspect of it disabling behavioral monitoring disabling on access protection and disabling the real time scanning so it's
00:07:22	trying to use Powershell in order to disable Windows Defender as well by using this set MP preference commandlet and so what it's trying to do is just disable any type of monitoring using Powershell and we can see it also has this run PS method now if we go down further we can begin to see SVC host dos and we can look at what this is so this says start arm and perhaps this is arming an attack that it's about to perform and you can see that it has post data host to attack and whether attack is running and it looks like it is
00:08:00	trying to attack particular websites or domains associated with whatever is sent to it to perform this attack so that's quite interesting and it looks like it's maybe doing that by sending a number of head requests to the particular server trying to overload it there is this low method which kind of just looks like maybe that was what they named a method that they had to use to do these things look I digress now if we go down further there is bandwidth flood so there looks like there are different dos methods
00:08:35	that can be used here there is get methods there is post methods to servers and there is even UDP based floods so sending UDP packets to a particular server and slow Lis which I'm not 100% sure what slow Lis is but perhaps this is a way of Performing the attack where it's going to be doing it slower to remain under the radar now we can see a few supported methods here or supporting methods so HTTP socket where it's likely encrypting traffic to and from the server then HTTP here and you'll notice something that's
00:09:24	a bit interesting is that there is this BN delimiter for the black neet malware and it's sending data delimited by this to a particular command and control interface so it does look like it's also receiving particular commands back if we go down further there is the my my application I guess this is creating the actual form when it starts which kicks off all the code and there's probably not too much more within these classes that are of Interest however you never know okay so it maybe it can take
00:10:01	particular blacklists or particular host names and actually change what the configuration of this particular bot net has so that it points somewhere else so that's a little bit interesting moving down there is this other method so it does look like it's got a browser Handler so maybe this is actually bringing up a particular web browser and opening a web page which is what it looks like it might be doing and and then there is a binder service then there is also a lime logger so that's a little bit interesting this looks like
00:10:38	it's likely a key logger and you can see the hook coolback being defined and it's looking if the left control key is pressed and if it is that gets translated to control and this is kind of a key indicator that you can look at when you're looking at Key loggers because the special keys aren't necessarily known and so how you show that someone is pressing a special key when it's logging what's been typed on a keyboard is to generally speaking add these brackets and the special key that's being pressed otherwise a key
00:11:16	logger if you type the word dog for example but then you hit backspace and you let's say you hit it twice and then you did I instead you would have typed the word dill but they would have seen that you type the word dog ill so without having some sort of idea on what the backspace key was that was pushed you're not going to know what was actually typed properly at the keyboard so that's why some of these things exist moving along we can see there is a remote desktop component to it so it does look like it's going to take a
00:11:54	screenshot of the desktop tie it back to the ID of this infected bot and then send that off to the particular command and control interface as well and so there is also persistance so it looks like it has different methods this one quite simply is using a scheduled task and creating it on the environment so that this runs at startup this one is using a registry run key for the particular user and using that as a method of starting at startup and this stealth mode here seems like it is maybe doing something a little bit more but
00:12:33	the key components here seems to be that it is creating hidden files on the end point so it's setting the attributes so that they're hidden unless you've got show hidden files enabled and there is also spreads so it does look like there is a module where it is copying to a particular Dropbox instance if it finds that on the host and then also copying to us B so this is quite interesting and all of these seem to have the hardcoded name Adobe Photoshop cs. exe so it's all trying to masquerade as Adobe Photoshop
00:13:10	by default I just want to go back and look at a few more things in this form so first off there is what looks to be a mutex being created so this is likely if you have that mutex on your system that it won't run again to infect the host so it's probably checking if that mutex is there and then if it is it's not going to run to infect the host again as a way to prevent any kind of duplicate infections on a system so this is interesting because it does seem to have an identifier and this BN part of the
00:13:45	string to say it is tied to the black net malware now moving down there is a few different components such as uninstall commands being received updating the malware there is actually in the clear this blacknet dodat so this is once again an indicator that this is the blacknet malware there is sending to say a host is online there is all of those checks so bypass gning anti-debugging USB spreading one interesting thing here is that if it is spreading to a USB it does look like it might be changing the name to Windows
00:14:25	update.exe or Windows uncore update.exe as opposed to what we saw with the Adobe Photoshop there's also mention of under the stealth mode it looks like it's using environmental paths and then adding it under a Microsoft my client in order to maybe remain hidden wherever it's establishing persistence there and you can see down here it's got mention of getting the command comparing to see if it's a standard ping or whether it gets the conditions to say start a DS attack and you can see that it is
00:15:03	sending stuff back like success UDP attack started and this actually goes on for quite a lot and then there's other commands so this basically gives us an idea of what the malware is going to be able to do so uploading files and executing them opening a web page uninstalling it executing a script that has been given to the malware closing off the connection to this particular command and control server moving it onto a new system so that's a little bit interesting blacklisting a particular client taking a screenshot and uploading
00:15:42	that to the remote server the command and control getting a list of running actually this looks to be getting a list of installed software on the system maybe stealing cookies on a particular system in order to get access to web browser sessions there is also taking the particular cryptocurrency wallets from this particular system starting a key logger maybe retrieving the logs stealing passwords from the system so this is interesting cuz it's going for the cookies once again logging off a system so kicking someone off this looks
00:16:23	to be where it's actually getting the Chrome so Google Chrome cookie on a particular system then there seems to be one for Firefox and under Powershell it's running it with a hindo window style of hidden and an execution policy of bypass to ensure that it remains undetected on an endpoint and is allowed to run so it does look like it's checking to see if it is running from a USB as well but this seems to only be checking the executable name so on a USB maybe it's called Windows _ update whereas on a end point it was pretending
00:17:04	to be Adobe Photoshop and it does look like it's getting information from your publicly facing IP address perhaps in order to determine where you are in the world there is this self- destroy which is basically trying to delete the executable after it kills it there is the update there is the uninstall so this is proper nuking of things getting the md5 hash opening a hidden web browser so maybe this would be used in order to attack a web page or maybe you just want all the botn Nets to be opening up an invisible browser to get
00:17:43	click fraud type of ads or some sort of ads revenue from particular systems in this botet checking if you are an administrator on a particular system as well stealing passwords so this now is using a particular dll that's going to be dropped onto the system based on whatever plugin is pushed down getting an idea of what antivirus products are running so this is going to use the Windows management instrumentation in order to select star from your anti-virus products installed restarting it as an administrator is a command
00:18:17	getting the programs that are run and this seems to be some sort of random array that's being used to build maybe a string that can be used elsewhere there's also getting Hardware information so that's interesting to see what drives you have on a particular system there is comparing directories and yeah that seems to be the Crux of this particular malware that can recruit you in as part of the blacknet bot net hi everyone just letting you know it is a new day so I do have a new hairstyle and I'm wearing a
00:18:52	new shirt now today I'm going to show you the blacknet rat Builder so I do have a copy of of the black net Builder here and this has a radioactive icon associated with it it does have the company name dark software Co and black. haacker which is the Alias used by the person who created this particular tool now there is a stub which is a PHP stub that's associated with this particular blacknet rat and is required to use the Builder and then there's also a watcher that's used as the comp component that's
00:19:29	used if you enable The Watcher in the Builder as well there's also icons so we can masquerade as whatever when we build this client I should say or this piece of malware from the Builder so let's actually fire off the Builder and you can see that there are a number of settings so I can set a victim ID here for my binary there is this blacknet URL check so we do actually have a copy of the PHP hosted on our local system so if we check the panel we can see the panel is enabled which is where it's going to
00:20:09	communicate back to full command and control of this bot there's also a number of settings such as whether it is going to establish persistence on a system whether it is going to be using as encryption or key logging capabilities or trying to bypass virtual machines all of those things that we exam before whether there is a binary that's going to be bound to this one whether it's going to be acting as a downloader in order to download a new executable once it runs and the icon changer as well so we could go a custom icon and if
00:20:47	we wanted to we could make this look like Google Chrome so let's just use that for this point in time we have it communicating back to our host and we're going to keep all the settings the same and if we compile the client then we get to choose where our output so let's just call this chrome.exe and save it and now we see our client has been compiled there is masquerading as Chrome if we highlight over it we can see the same stuff we saw before in our payload where it's masquerading as the Windows update assistant yet has the
00:21:22	original binary name of SVC host.exe and if we begin to look at the panel that it communicates with we do have this login panel that's been set up so on our local system we'll log in as our account this is what the attackers would see when they have control over their botn net as clients begin to check in it would give them system information how many have checked in per day as well as information on all of these things such as the country they're in the operating system the installed date it will also
00:21:55	give them map visualization using the max m database which has been bundled with it and then the command center here allows them to send commands to all of the systems in this botnet at the click of a button so whether that be uploading files whether that be seeding to do with Torrance whether it is stealing information such as Bitcoin wallets at passwords whether it's doing a Dos attack whether it is key logging on the system whether it is sending out spam emails or otherwise taking screenshots
00:22:29	lots of different functions that have been bundled into this particular piece of malware so that's it that's all I wanted to demonstrate today to show you a bit more about the blacknet malware the capabilities that it has how it would look like to an attacker so K7 security Labs have created this y rule back in 2020 that should still detect this particular payload this particular malware family based on some of the hardcoded names and functions that we saw before but that's it that's all I wanted to showcase you today so let me
00:22:59	know your thoughts comments feelings in the comment section below if you're willing give me a like and a subscribe thanks so much I will catch you next [Music] time

You may also enjoy

ClearFake - Malware Analysis Lab

26 minute read

Analysis of ClearFake malware which is planted on compromised WordPress websites to convince unsuspecting visitors to download and run malware.

LummaC2 - Malware Analysis Lab

30 minute read

Analysis of a RAR file which leads to the discovery of malicious Github repositories designed to distribute malware.