eSentire’s TRU team analyzes Parallax RAT operations, including initial drive-by delivery, lateral movement via PsExec, and persistence through Startup/Run keys, with obfuscation techniques like RC4 encryption and anti-disassembly. The report notes that Parallax RAT has been cracked and is now freely available in the wild, and provides defender recommendations. #ParallaxRAT #NetSupportRAT #PsExec #FortinetVPN #StartupFolder #RC4 #AntiDisassembly #DriveByDownload
Keypoints
- In October 2023, a suspicious VBS script (gatheringNetworkInfo.vbs) using NetSupport RAT ran on a Domain Controller from %windir%\system32 via a scheduled task.
- The VBS script is invoked by a scheduled task imported from an XML file; the XML contains the command to run the VBS from the Windows System32 folder.
- NetSupport RAT is launched from c:\programdata\VMware\VMware Tools and provides the remote access capabilities.
- Parallax RAT was delivered to the infected machine through a drive-by download when a user searched for a Fortinet VPN client via Bing.
- Parallax RAT used PsExec to move laterally to the Domain Controller within about two hours, and attempted to run NetSupport RAT on the Domain Controller.
- Persistence is achieved via the Startup folder (and Run Key) and the RAT is renamed to webdav.exe.exe; RC4 encryption and anti-disassembly are used to hide configuration and code.
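Two of the persistence artifacts above lend themselves to simple triage checks: a scheduled task whose Exec action runs a .vbs out of System32, and an autostart entry whose target carries a doubled .exe extension. The script below is an added example, not code from the eSentire report; the task XML and Run-key values are constructed (only the gatheringNetworkInfo.vbs and webdav.exe.exe names come from the report), while the XML namespace is the real one used by Task Scheduler exports.

```python
"""Triage helpers for a scheduled task that runs a .vbs from System32 and for
autostart entries with a doubled .exe extension. Added example, not from the
eSentire report; sample data below is constructed."""
import re
import xml.etree.ElementTree as ET

# Real namespace used by Windows Task Scheduler XML exports
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SCRIPT_HOSTS = ("wscript", "cscript")
VBS_IN_SYSTEM32 = re.compile(r'(%windir%|\\windows)\\system32\\[^\s"]+\.vbs', re.IGNORECASE)
DOUBLE_EXE_EXT = re.compile(r'\.exe\.exe(?=["\s]|$)', re.IGNORECASE)

# Constructed task XML mirroring the report's pattern (XML declaration omitted; real exports are UTF-16)
SAMPLE_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec>
      <Command>wscript.exe</Command>
      <Arguments>//B //NoLogo C:\\Windows\\system32\\gatheringNetworkInfo.vbs</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed HKU\...\CurrentVersion\Run values; the webdav.exe.exe name is from the report,
# its directory is made up for this example
SAMPLE_RUN_VALUES = {
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "webdav": r'"C:\Users\alice\AppData\Roaming\webdav.exe.exe"',
}


def flag_task_actions(task_xml: str) -> list[str]:
    """Return one finding per Exec action that uses wscript/cscript to run a .vbs from System32."""
    root = ET.fromstring(task_xml)
    findings = []
    for exec_node in root.findall(".//t:Actions/t:Exec", TASK_NS):
        command = exec_node.findtext("t:Command", default="", namespaces=TASK_NS).strip()
        args = exec_node.findtext("t:Arguments", default="", namespaces=TASK_NS).strip()
        if any(h in command.lower() for h in SCRIPT_HOSTS) and VBS_IN_SYSTEM32.search(f"{command} {args}"):
            findings.append(f"scheduled task runs VBScript from System32: {command} {args}")
    return findings


def flag_autostart_entries(entries: dict[str, str]) -> list[str]:
    """Flag Run-key values (or Startup-folder paths) whose target has a doubled .exe extension."""
    return [f"double-extension autostart entry {name!r}: {value}"
            for name, value in entries.items() if DOUBLE_EXE_EXT.search(value)]


if __name__ == "__main__":
    for finding in flag_task_actions(SAMPLE_TASK_XML) + flag_autostart_entries(SAMPLE_RUN_VALUES):
        print(finding)
```

Feed real exports from `schtasks /query /xml` and the enumerated Run-key values into the two functions; a hit is a lead for the analyst, not a verdict, since legitimate software occasionally ships scripts in System32.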
MITRE Techniques
- [T1189] Drive-by Compromise – Parallax RAT was delivered to the infected machine through a drive-by download when the user was searching for a Fortinet VPN client via Bing search. ‘Parallax RAT was delivered to the infected machine through a drive-by download when the user was searching for a Fortinet VPN client via Bing search.’
- [T1059.005] Command and Scripting Interpreter: VBScript – The VBS script was running from the scheduled task that was imported from an XML file with the command shown below. ‘The VBS script was running from the scheduled task that was imported from an XML file with the command shown below.’
- [T1053.005] Scheduled Task – The XML file contains the command to run the VBS script from the Windows\system32 folder. ‘The XML file contains the command to run the VBS script from the Windows\system32 folder.’
- [T1021] Remote Services – PsExec was used to perform lateral movement to the Domain Controller within a two-hour window. ‘PsExec allowed for lateral movement to the Domain Controller within a two-hour window of the execution of the RAT.’
- [T1547.001] Boot or Logon Autostart: Registry Run Keys/Startup Folder – Persistence achieved via Startup folder; Run Key in HKU\Software\Microsoft\Windows\CurrentVersion\Run. ‘Startup folder and Run Key’.
- [T1056.001] Keylogging – Parallax RAT capabilities include keylogging as part of remote control and data exfiltration features. ‘keylogging’
- [T1113] Screen Capture – Parallax RAT capabilities include screenshot capture. ‘screenshot capture’
- [T1555.003] Credentials from Web Browsers – Password theft from browsers (Firefox, Chrome) and applications. ‘password theft (Firefox x64 x86, Chrome, Thunderbird, Outlook)’
- [T1041] Exfiltration Over C2 – Exfiltration of files from File Manager as part of data theft. ‘exfiltration of files from File Manager’
- [T1027] Obfuscated/Compressed Files and Information – RC4 encryption to obscure DLL names and configuration; anti-disassembly via unconditional jump. ‘RC4 encryption to obscure the names of loaded DLL libraries and its configuration… unconditional jump instructions as an anti-disassembly technique.’
Indicators of Compromise
- [Hash] Parallax RAT – 9a82d1499ef3649d2603780fe30db0b5
- [Hash] NetSupportRAT – 06a27959b25a8ea9196ffb72200e94aa
- [URL] Parallax RAT Download URL – hxxps://fortionlinevpn[.]com/
- [Domain] NetSupportRAT C2 – startus1[.]com, startus2[.]com
- [IP] Parallax RAT C2 – 104.194.222[.]123
- [Domain] Parallax RAT C2 – apipkg[.]click, websyncapi[.]click, and websyncapi[.]eu
Read more: https://www.esentire.com/blog/unveiling-parallax-rat-a-journey-from-infection-to-lateral-movement