Technical Analysis of CyberGate – CYBER 5W

CyberGate is a Delphi-based Remote Access Trojan (RAT) that gives attackers remote control over infected machines, enabling data theft and the installation of additional malware while using stealth techniques to avoid detection. The report details the UPX packing, mutex-based single-instance enforcement, process injection, registry modifications, and active command-and-control (C2) communication used by CyberGate. #CyberGate #Delphi #UPX #Mutex #ProcessInjection #RegistryRunKeys #ActiveSetup #WindowsFirewallUpdate

Keypoints

  • CyberGate is a Remote Access Trojan (RAT) designed to remotely access and control compromised systems.
  • Primary capabilities include stealing sensitive information (e.g., passwords and files) and installing additional malware on victims.
  • The sample is packed with UPX, indicating obfuscation and size reduction of the payload.
  • CyberGate creates multiple mutexes to enforce single-instance operation and complicate analysis.
  • It employs process injection to run its payload inside legitimate Windows processes.
  • Registry modifications are used for persistence and evading detection, including firewall-related changes.

MITRE Techniques

  • [T1027] Obfuscated/Compressed Files or Information – UPX packing used to obfuscate and compress code. “We have some indicators that this sample is packed using UPX Packer”
  • [T1547.001] Boot or Logon Autostart Execution – Registry Run Keys / Startup Folder – The malware uses registry keys to achieve startup execution. “Registry Run Keys / Startup Folder”
  • [T1547.014] Boot or Logon Autostart Execution – Active Setup – The malware uses Active Setup for persistence. “Active Setup”
  • [T1112] Defense Evasion – Modify Registry – The malware modifies registry keys to achieve persistence and evade detection. “Writes the concatenated string … to the registry above, using System__AnsiString as the value name” (Firewall-related registry modification)
  • [T1082] Discovery – System Information Discovery – The malware checks Windows version by examining dwMinorVersion. “The malware checks for Windows version by checking dwMinorVersion”
  • [T1055] Process Injection – The malware opens handles to target processes and injects code via memory allocation and remote thread execution. “In process injection technique, the malware attempts to open a handle of a process” and “CreateRemoteThread”
  • [T1071.001] Command and Control – Web Protocols – CyberGate communicates with C2 servers observed in sandboxed environments. “CyberGate tried to communicate these C2 servers in WIN10 Sandbox”

Indicators of Compromise

  • [Hash] File Hashes – fc50cb7d6cb4f18992363fcba1473464f526d5c574f4bfbdbed9e025a2072bbe, 1fd16ca095f1557cc8848b36633d4c570b10a2be26ec89d8a339c63c150d3b44
  • [Domain] C2 Domains – j230uy.no-ip.org, j230uy.no-ip.info
  • [IP] C2 IP – 224.0.0.252
  • [File] Dropped files – XX–XX–XX.txt, logs.dat
  • [Mutex] Mutex Names – xX_PROXY_SERVER_Xx, _x_X_PASSWORDLIST_X_x_
  • [Registry Key] Registry Keys for Persistence – \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = “c:\dir\install\spynet\server.exe”; \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{H1EWWBPB-334P-45N1-UT28-6F0PHX81A73C}\StubPath = “c:\dir\install\spynet\server.exe Restart”
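The two persistence locations listed above (a Run value named HKLM and an Active Setup StubPath under a component GUID that is not valid hex) can be swept for on a host with the following PowerShell, an added example that is not part of the Cyber 5W report; the indicator strings and the "non-hex GUID" heuristic are taken from this page's IoCs, and the exact command-line values are assumed to match the reconstructed paths shown.

```powershell
# Added example (not from the Cyber 5W report): sweep Run keys and Active Setup
# StubPath entries (native and WOW6432Node views) for the CyberGate indicators above.
$RunPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
$ActiveSetupPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components'
)
# Command-line fragments from the report's IoC list (path separators assumed).
$KnownBad = @('c:\dir\install\spynet\server.exe', 'server.exe Restart')
# Legitimate Active Setup component keys are hex GUIDs in braces, optionally
# prefixed with '>' by some Microsoft components; the sample's key is not hex.
$GuidPattern = '^>?\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$'

function Test-SuspiciousCommand {
    param([string]$Command)
    foreach ($ioc in $KnownBad) {
        if ($Command -and $Command.ToLower().Contains($ioc.ToLower())) { return $true }
    }
    return $false
}

$findings = @()
foreach ($path in $RunPaths) {
    if (-not (Test-Path $path)) { continue }
    $key = Get-Item $path
    foreach ($name in $key.GetValueNames()) {
        $cmd = [string]$key.GetValue($name)
        # In this sample the Run value is literally named "HKLM" (see IoC list).
        if ($name -eq 'HKLM' -or (Test-SuspiciousCommand $cmd)) {
            $findings += [pscustomobject]@{ Source = $path; Name = $name; Command = $cmd; Reason = 'Run key indicator' }
        }
    }
}
foreach ($path in $ActiveSetupPaths) {
    if (-not (Test-Path $path)) { continue }
    foreach ($comp in Get-ChildItem $path) {
        $stub = (Get-ItemProperty $comp.PSPath -ErrorAction SilentlyContinue).StubPath
        if (-not $stub) { continue }
        $badGuid = $comp.PSChildName -notmatch $GuidPattern
        if ($badGuid -or (Test-SuspiciousCommand $stub)) {
            $reason = if ($badGuid) { 'Active Setup: non-hex component GUID' } else { 'Active Setup: IoC match' }
            $findings += [pscustomobject]@{ Source = $comp.Name; Name = 'StubPath'; Command = $stub; Reason = $reason }
        }
    }
}
$findings | Format-Table -AutoSize
```

Run from an elevated prompt so the HKLM views are readable; a non-hex component GUID is only a heuristic, so review each flagged StubPath rather than deleting it blindly.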

Read more: https://blog.cyber5w.com/cybergate-malware-analysis