Magic Rat

Cisco Talos found evidence to suggest that once MagicRAT is deployed on infected systems, it launches additional payloads such as custom-built port scanners.

Additionally, they’ve found that MagicRAT’s C2 infrastructure was also used to host newer variants of known Lazarus implants such as TigerRAT.

MagicRAT is written in C++ and uses the Qt Framework, which is statically linked into both the 32- and 64-bit versions of the RAT.
The Qt Framework is a programming library for developing graphical user interfaces, of which this RAT has none.
Talos believes the objective was to increase the complexity of the code, making human analysis harder.
At the same time, since there are very few examples (if any) of malware written with the Qt Framework, this also makes machine learning and heuristic detection less reliable.

The 32-bit version was compiled with GCC v3.4 using mingw/cygwin for support on the Microsoft Windows platform; the 64-bit version, however, was compiled with VisualC64, version 7.14.

The RAT uses Qt classes throughout its entire code.
The configuration is held in a QSettings object and eventually saved to disk, standard functionality provided by that class.

The malware configuration (containing author-defined QSettings) is stored in the file “visual.1991-06.com.microsoft_sd.kit” under the path “ProgramData\WindowsSoftwareToolkit”, names and paths chosen to make the files look like part of the operating system.

During analysis, analysts identified three sections in the configuration file:

[os] which contains the command and control (C2) URLs.
[General] which holds general information.
[company] which holds data used in the communication with the C2.

All analyzed samples had three encoded C2 URLs that are used to register infections and then receive commands to execute on the infected endpoint.
The URLs are stored in the configuration file under the keys “windows”, “linux” and “mac”. Each value is prefixed with “LR02DPt22R” followed by the URL encoded in base64.
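The config layout described above (three sections, three prefixed base64 C2 values under [os]) is simple enough to triage with a small extractor. The following is an added example written for this page, not code from Talos or from the RAT; the INI text, the `.invalid` URLs and the [General]/[company] values are constructed placeholders, and the helper names are the author's own.

```python
import base64
import binascii
import configparser

C2_PREFIX = "LR02DPt22R"          # marker that precedes each base64 URL
C2_SECTION = "os"                 # section holding the C2 URLs
C2_KEYS = ("windows", "linux", "mac")

# Constructed sample in the QSettings INI layout the page describes.
# The URLs are placeholders (.invalid TLD), not real MagicRAT infrastructure.
SAMPLE_CONFIG = """\
[os]
windows=LR02DPt22RaHR0cDovL2MyLmludmFsaWQvdw==
linux=LR02DPt22RaHR0cDovL2MyLmludmFsaWQvbA==
mac=LR02DPt22RaHR0cDovL2MyLmludmFsaWQvbQ==

[General]
sleep=60

[company]
id=constructed-host-id
"""


def decode_c2_value(value: str) -> str:
    """Strip the LR02DPt22R prefix and base64-decode the remaining URL.

    Raises ValueError if the prefix is missing or the payload is not valid
    base64, so a non-matching config is flagged instead of silently skipped.
    """
    if not value.startswith(C2_PREFIX):
        raise ValueError(f"missing {C2_PREFIX} prefix: {value[:16]!r}")
    try:
        raw = base64.b64decode(value[len(C2_PREFIX):], validate=True)
        return raw.decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError(f"bad base64 payload: {exc}") from exc


def extract_c2_urls(config_text: str) -> dict[str, str]:
    """Parse a MagicRAT-style config and return {key: decoded C2 URL}."""
    # interpolation=None so '%' sequences in URLs are not treated as templates
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(config_text)
    if not parser.has_section(C2_SECTION):
        raise ValueError(f"no [{C2_SECTION}] section in config")
    section = parser[C2_SECTION]
    return {key: decode_c2_value(section[key]) for key in C2_KEYS if key in section}


if __name__ == "__main__":
    for name, url in extract_c2_urls(SAMPLE_CONFIG).items():
        print(f"{name}: {url}")
```

Point it at the recovered “visual.1991-06.com.microsoft_sd.kit” file to pull the three URLs out for blocking or hunting without running the sample.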

Upon execution, MagicRAT achieves persistence for itself by executing a hardcoded command that creates scheduled tasks on the victim machine.
Upon achieving persistence, the RAT contacts the C2.

During the initial stages of execution, MagicRAT will perform just enough system reconnaissance to identify the system and environment in which the attackers are operating.
This is done by executing the commands whoami, systeminfo and ipconfig /all.
The last command has its results returned via the upload of the file zero_dump.mix to the C2.

MagicRAT is rather simple — it provides the operator with a remote shell on the victim’s system for arbitrary command execution, along with the ability to rename, move and delete files on the endpoint.
The operator can determine the timing for the implant to sleep, change the C2 URLs and delete the implant from the infected system.
