Magic Rat

Cisco Talos found evidence to suggest that once MagicRAT is deployed on infected systems, it launches additional payloads such as custom-built port scanners.

Additionally, they’ve found that MagicRAT’s C2 infrastructure was also used to host newer variants of known Lazarus implants such as TigerRAT.

MagicRAT is programmed in C++ programming language and uses the Qt Framework by statically linking it to the RAT on 32- and 64-bit versions.
The Qt Framework is a programming library for developing graphical user interfaces, of which this RAT has none.
Talos believes that the objective was to increase the complexity of the code, thus making human analysis harder.
On the other hand, since there are very few examples (if any) of malware programmed with Qt Framework, this also makes machine learning and heuristic analysis detection less reliable.

The 32-bit version was compiled with GCC v3.4 using mingw/cygwin for support on the Microsoft Windows platform, the 64-bit version, however, was compiled with VisualC64, version 7.14.

The RAT uses the Qt classes throughout its entire code.
The configuration is dynamically stored in a QSettings class eventually being saved to disk, a typical functionality provided by that class.

The malware configuration (containing author-defined QSettings) is stored in the file “visual.1991-06.com.microsoft_sd.kit” in the path “ProgramDataWindowsSoftwareToolkit”- names and paths obviously chosen to trick the victim into believing they were part of the operating system.

During analysis, analysts identified three sections in the configuration file:

[os] which contains the command and control (C2) URLs.
[General] which holds general information.
[company] which holds data used in the communication with the C2.

All analyzed samples had three encoded C2 URLs that are used to register infections and then receive commands to execute on the infected endpoint.
The URLs are stored in the configuration file with the keys “windows”, “linux” and “mac.” The values are prefixed with “LR02DPt22R” followed by the URL encoded in base64.

Upon execution, MagicRAT achieves persistence for itself by executing a hardcoded command that creates scheduled tasks on the victim machine.
Upon achieving persistence, the RAT contacts the C2.

During the initial stages of execution, MagicRAT will perform just enough system reconnaissance to identify the system and environment in which the attackers are operating.
This is done by executing the commands whoami, systeminfo and ipconfig /all.
The last command has its results returned via the upload of the file zero_dump.mix to the C2.

MagicRAT is rather simple — it provides the operator with a remote shell on the victim’s system for arbitrary command execution, along with the ability to rename, move and delete files on the endpoint.
The operator can determine the timing for the implant to sleep, change the C2 URLs and delete the implant from the infected system.