Technical Analysis of kkRAT

Zscaler ThreatLabz uncovered a malware campaign from early May 2025 targeting Chinese-speaking users that delivers three RAT families: ValleyRAT, FatalRAT, and a newly identified kkRAT which combines features from Ghost RAT and Big Bad Wolf. The campaign uses phishing pages on GitHub Pages, multi-stage shellcode loaders, BYOVD to disable AV/EDR callbacks, and kkRAT capabilities such as clipboard crypto-hijacking and installing RMM tools like Sunlogin and GotoHTTP. #kkRAT #GhostRAT #BigBadWolf #ValleyRAT #FatalRAT #Sunlogin #GotoHTTP

Key Points

  • Zscaler ThreatLabz observed a campaign since early May 2025 that delivers ValleyRAT, FatalRAT, and a new RAT named kkRAT to Chinese-speaking victims via phishing installer pages hosted on GitHub Pages.
  • The attack is multi-stage: initial sandbox/VM evasion and API obfuscation, second-stage AV/EDR disabling (including BYOVD using RTCore64.sys), and a third-stage downloader that selects payloads from structured Base64 data.
  • kkRAT blends Ghost RAT-like network protocol (zlib compression plus XOR encryption) with Big Bad Wolf plugin exports and supports extensive plugins and commands for remote control, process/window management, proxying, and persistence.
  • The campaign targets specific China-focused security products, disables registered callbacks (ObRegister, MiniFilter, CmRegister) using borrowed RealBlindingEDR code, kills AV/EDR processes, modifies registry keys, and schedules tasks for persistence.
  • kkRAT performs device fingerprinting during registration, supports clipboard cryptocurrency address replacement, installs RMM tools (Sunlogin, GotoHTTP), and can relay network traffic via a SOCKS-like proxy plugin.
  • Zscaler provided detection names (Win32.RAT.kkRAT, Win32.RAT.ValleyRAT, Win32.Backdoor.FatalRAT) and published IOCs, including host hashes, phishing domains/URLs, and C2 IP:port addresses to aid detection and response.

MITRE Techniques

  • [T1566 ] Phishing – Threat actor used GitHub Pages to host phishing sites impersonating popular software installers (“phishing pages impersonating Ding Talk that ultimately delivers various RATs”).
  • [T1204.002 ] User Execution: Malicious File – Installer ZIP archives contain a malicious executable that the victim extracts and runs (“installer packages are ZIP archives that contain a malicious executable file”).
  • [T1497 ] Virtualization/Sandbox Evasion – Malware performs time stability checks and hardware checks, and manipulates PEB/Module lists to corrupt sandbox snapshots (“Using QueryPerformanceCounter… alter ProcessParameters->ImagePathName and ProcessParameters->CommandLine… traverse InLoadOrderModuleList… rewritten to %WINDIR%\explorer.exe”).
  • [T1562.001 ] Impair Defenses: Disable or Modify Tools – Uses a vulnerable driver (RTCore64.sys) and RealBlindingEDR-derived code to remove registered callbacks and disable AV/EDR functions (“uses a known vulnerable driver (RTCore64.sys) to disable AV/EDR functionalities… remove registered system callbacks”).
  • [T1140 ] Deobfuscate/Decode Files or Information – Malware uses single-byte XOR operations and decryption of next-stage files and shellcodes (“applies single-byte XOR operations… to extract decryption keys for the next-stage files”).
  • [T1053.005 ] Scheduled Task – Creates a scheduled task running as SYSTEM to execute a batch script on every user logon to repeatedly kill AV/EDR processes (“creates a scheduled task to run with SYSTEM privileges to execute a batch script on every user logon”).
  • [T1547.001 ] Registry Run Keys / Startup Folder – Achieves persistence via startup folder, autorun registry keys, and logon scripts (“create a shortcut for the legitimate executable… add this shortcut to the startup folder for persistence” and registry modifications described for 360 Total Security).
  • [T1037.001 ] Boot or Logon Initialization Scripts: Logon Script (Windows) – Uses logon scripts for persistence (“Achieve persistence using logon script (HKCU\Environment\UserInitMprLogonScript)”).
  • [T1010 ] Application Window Discovery – kkRAT collects presence of applications such as Telegram and WeChat in registration info (“char TG[40]; // Is Telegram present on the system? char WC[40]; // Is WeChat present on the system?”).
  • [T1057 ] Process Discovery – Commands and plugins provide process listing and termination capabilities (“DllProgress Provides process management capabilities, including listing active processes and terminating them”).
  • [T1082 ] System Information Discovery – kkRAT collects OS, CPU, memory, disk size, uptime, and AV list for fingerprinting (“REGISTRATIONINFO… OsVerInfoEx… CPUClockMhz… MemSize… DriverSize… char AV[80]; // List of AV’s installed”).
  • [T1083 ] File and Directory Discovery – Plugins enumerate autorun registry and installed applications (“DllQDXGL Enumerates and retrieves the list of values stored in the autorun registry key” and DllApp lists installed software).
  • [T1056.001 ] Input Capture: Keylogging – kkRAT includes keyboard capture functionality borrowed from Ghost RAT commands (“kkRAT borrows several network commands from Ghost RAT, such as … COMMAND_KEYBOARD”).
  • [T1113 ] Screen Capture – Main plugin exports support screen capture and remote desktop features (“DLLScreen: Provides basic remote desktop screen management… used for screen capturing”).
  • [T1115 ] Clipboard Data – Implements clipboard scanning and replacement to hijack cryptocurrency addresses (“Scans the clipboard for cryptocurrency wallet addresses… Identified wallet addresses are replaced with the attacker’s wallet addresses”).
  • [T1219 ] Remote Access Tools – kkRAT is a RAT providing remote shell, desktop, file/process management, and plugin-based extensions (“Facilitates remote command execution via a shell interface… remote desktop screen management”).
  • [T1090 ] Proxy – Provides proxy functionality and SOCKS5 support via PlugProxy.dll and fnProxy export (“PlugProxy.dll / ConnSocks: Functions as a proxy… implements the SOCKS5 protocol using the go-socks5 library”).
  • [T1573 ] Encrypted Channel – Network communications use zlib compression followed by XOR encryption with a key embedded in the binary (“original data is first compressed using zlib and then encrypted using an XOR-based algorithm with a key embedded in the malware binary”).
  • [T1041 ] Exfiltration Over C2 Channel – Data and device fingerprinting are sent to C2 and can be used for exfiltration (“registration message… sent to the C2 server” and network commands to send data via proxy).
  • [T1529 ] System Shutdown/Reboot – Malware can stop or modify system processes and was observed to disable network adapters temporarily (impacting system state and AV/EDR communications) (“enumerates all active network adapters and temporarily disables them, severing AV/EDR communication”).
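The Ghost RAT-style channel mapped to T1573 above (zlib compression, then XOR with a key embedded in the binary) is the layer an analyst has to peel off captured kkRAT traffic. The decoder below is an added example, not code from the Zscaler report or from the malware; the key and the registration-style message are constructed placeholders, and the real key has to be recovered from the sample itself. check_key shows how a candidate key extracted from the binary can be confirmed against a single captured message using the zlib header and trailing checksum.

```python
import zlib

# Constructed placeholders: the real kkRAT key lives in the sample and is not
# reproduced here; the message is a made-up registration-style string.
SAMPLE_KEY = bytes.fromhex("5aa319c7")
SAMPLE_PLAINTEXT = b"OS=Windows 10|CPU=2400MHz|MEM=8192|AV=none|TG=1|WC=0"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. XOR is its own inverse, so this serves both directions."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encode_message(plaintext: bytes, key: bytes) -> bytes:
    """Sender side, in the order the report gives: compress with zlib, then XOR."""
    return xor_bytes(zlib.compress(plaintext), key)


def decode_message(wire: bytes, key: bytes) -> bytes:
    """Analyst side: strip the XOR layer, then inflate. Raises zlib.error on a bad key."""
    return zlib.decompress(xor_bytes(wire, key))


def check_key(wire: bytes, key: bytes) -> bool:
    """Validate a candidate key against one captured message.

    A zlib stream starts with CMF=0x78 (deflate, 32 KiB window) and a FLG byte
    such that CMF*256+FLG is divisible by 31; zlib.decompress then verifies the
    trailing Adler-32, so a wrong key is rejected with near certainty.
    """
    head = xor_bytes(wire[:2], key)
    if len(head) < 2 or head[0] != 0x78 or (head[0] * 256 + head[1]) % 31:
        return False
    try:
        decode_message(wire, key)
    except zlib.error:
        return False
    return True


if __name__ == "__main__":
    captured = encode_message(SAMPLE_PLAINTEXT, SAMPLE_KEY)  # stands in for a pcap payload
    print("wire bytes:", captured.hex())
    print("key ok    :", check_key(captured, SAMPLE_KEY))
    print("wrong key :", check_key(captured, b"\x00"))
    print("decoded   :", decode_message(captured, SAMPLE_KEY).decode())
```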

Indicators of Compromise

  • [File Hash ] First-stage EXE and loaders – 02cce1811ed8ac074b211717e404fbadffa91b0881627e090da97769f616c434, 71ca5dd59e90ec83518f9b33b2a8cdb6a0d6ad4c87293b27885fa2a8e8e07f1c
  • [File Hash ] Third-stage downloader and malicious DLL – 140426a92c3444d8dc5096c99fa605fd46cb788393c6522c65336d93cb53c6331 (second-stage shellcode), 80b7c8193f287b332b0a3b17369eb7495d737b0e0b4e82c78a69fa587a6bcf91a0f70c9350092b31ae77fc0d66efa007ccacbbc4b9355c877c1f64b29012178c (malicious DLL sideloaded)
  • [File Hash ] kkRAT payload – f557a90c1873eeb7f269ae802432f72cc18d5272e13f86784fdc3c38cbaca019
  • [Domain/URL ] Phishing and hosting infrastructure – https://github[.]com/sw124456 (phishing pages), https://youdaoselw[.]icu (fake installer page), https://kmhhla[.]top (fake installer page)
  • [URL ] Downloader and resource hosting – http://key2025.oss-cn-hongkong.aliyuncs.com/2025.bin, http://key2025.oss-cn-hongkong.aliyuncs.com/output.log, http://key2025.oss-cn-hongkong.aliyuncs.com/trx38.zip
  • [IP:Port ] C2 servers – 154.44.30.27:8250 (kkRAT C2), 156.238.238.111:8111 (ValleyRAT C2), 103.199.101.3:8081 (FatalRAT C2)


Read more: https://www.zscaler.com/blogs/security-research/technical-analysis-kkrat