MagicRAT

Cisco Talos found evidence to suggest that once MagicRAT is deployed on infected systems, it launches additional payloads such as custom-built port scanners.

Additionally, they’ve found that MagicRAT’s C2 infrastructure was also used to host newer variants of known Lazarus implants such as TigerRAT.

MagicRAT is written in C++ and statically links the Qt Framework into both the 32- and 64-bit builds of the RAT.
The Qt Framework is a programming library for developing graphical user interfaces, of which this RAT has none.
Talos believes that the objective was to increase the complexity of the code, thus making human analysis harder.
Furthermore, since there are very few examples (if any) of malware built with the Qt Framework, this also makes machine learning and heuristic-based detection less reliable.

The 32-bit version was compiled with GCC v3.4 using mingw/cygwin for support on the Microsoft Windows platform; the 64-bit version, however, was compiled with VisualC64, version 7.14.

The RAT uses Qt classes throughout its entire code.
The configuration is held at runtime in a QSettings object and eventually written to disk, a standard capability of that class.

The malware configuration (containing author-defined QSettings) is stored in the file “visual.1991-06.com.microsoft_sd.kit” in the path “ProgramDataWindowsSoftwareToolkit”, names and paths obviously chosen to trick the victim into believing they were part of the operating system.

During analysis, analysts identified three sections in the configuration file:

[os] which contains the command and control (C2) URLs.
[General] which holds general information.
[company] which holds data used in the communication with the C2.

All analyzed samples had three encoded C2 URLs that are used to register infections and then receive commands to execute on the infected endpoint.
The URLs are stored in the configuration file under the keys “windows”, “linux” and “mac”. Each value is the fixed prefix “LR02DPt22R” followed by the URL encoded in base64.
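The configuration layout described above (an INI-style QSettings file with an [os] section holding prefixed, base64-encoded C2 URLs) is simple enough to decode automatically during triage. The following is an added example, not code from the Talos write-up; the sample configuration and its URLs are constructed placeholders, and the [General] and [company] keys are made up for illustration only.

```python
import base64
import configparser

# Fixed prefix MagicRAT places before each base64-encoded C2 URL (per the Talos analysis).
C2_PREFIX = "LR02DPt22R"
# Keys in the [os] section that hold the three C2 URLs.
C2_KEYS = ("windows", "linux", "mac")

# Constructed sample configuration; URLs use the reserved .invalid TLD and are not real C2s.
# The keys under [General] and [company] are placeholders, not values from real samples.
SAMPLE_CONFIG = """[os]
windows={p}{w}
linux={p}{l}
mac={p}{m}

[General]
placeholder=1

[company]
placeholder=1
""".format(
    p=C2_PREFIX,
    w=base64.b64encode(b"http://c2-example-one.invalid/").decode(),
    l=base64.b64encode(b"http://c2-example-two.invalid/").decode(),
    m=base64.b64encode(b"http://c2-example-three.invalid/").decode(),
)


def decode_c2_value(value):
    """Strip the fixed prefix and base64-decode the rest; return None if malformed."""
    value = value.strip()
    if not value.startswith(C2_PREFIX):
        return None
    try:
        return base64.b64decode(value[len(C2_PREFIX):], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None


def extract_c2_urls(config_text):
    """Parse the QSettings INI text and return {key: decoded_url} for valid C2 entries."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(config_text)
    if not parser.has_section("os"):
        return {}
    urls = {}
    for key in C2_KEYS:
        if parser.has_option("os", key):
            url = decode_c2_value(parser.get("os", key))
            if url is not None:
                urls[key] = url
    return urls
```

Run `extract_c2_urls` over a recovered configuration file to list the implant's C2 URLs for blocking and hunting; entries lacking the prefix or with invalid base64 are skipped rather than raising.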

Upon execution, MagicRAT establishes persistence by running a hardcoded command that creates scheduled tasks on the victim machine.
Once persistence is in place, the RAT contacts the C2.

During the initial stages of execution, MagicRAT performs just enough system reconnaissance to identify the system and the environment in which the attackers are operating.
This is done by executing the commands whoami, systeminfo and ipconfig /all.
The output of the last command is returned to the C2 by uploading the file zero_dump.mix.

MagicRAT is rather simple — it provides the operator with a remote shell on the victim’s system for arbitrary command execution, along with the ability to rename, move and delete files on the endpoint.
The operator can determine the timing for the implant to sleep, change the C2 URLs and delete the implant from the infected system.
