BitRAT Disguised as Windows Product Key Verification Tool Being Distributed – ASEC BLOG

MITRE Techniques

• [T1105] Ingress Tool Transfer – Downloader connects to C&C servers to fetch the payload. Quote: “…it connects to following C&C servers it harbors internally, exchanging encrypted strings. Afterward, it decrypts the strings to ultimately acquire a download URL for the additional payload.”
• [T1036] Masquerading – Disguised as Windows license verification tool. Quote: “The attacker disguised the malware as Windows 10 license verification tool from the development stage.”
• [T1027] Obfuscated/Compressed Files and Information – The Program.zip is password-protected (1234) and contains a downloader and the actual tool. Quote: “a compressed file named ‘Program.zip’ is downloaded, and it is compressed and locked with a password ‘1234’.”
• [T1547] Boot or Logon Autostart Execution – The downloader installs the malware into the Windows startup program folder. Quote: “The downloader installs the malware into the Windows startup program folder and deletes itself.”
• [T1562] Impair Defenses – Defender exclusion: adds startup folder and the BitRAT process to Windows Defender exclusions. Quote: “…add the Windows startup program folder—where the downloader will be installed—as an exclusion path for Windows Defender, and adding the BitRAT process name ‘Software_Reporter_Tool.exe’ as an exclusion process for Windows Defender.”
• [T1021] Remote Services – Remote Desktop / hVNC (Hidden Desktop). Quote: “– Remote desktop – hVNC (Hidden Desktop)”
• [T1056] Input Capture – Keylogging. Quote: “Keylogging” (along with clipboard, webcam, and audio logging listed under Information Theft).
• [T1115] Clipboard Data – Clipboard logging as part of Information Theft. Quote: “Clipboard logging”
• [T1125] Video Capture – Webcam logging. Quote: “Webcam logging”
• [T1123] Audio Capture – Audio logging. Quote: “Audio logging”
• [T1555] Credentials from Web Browsers – Browser credential theft. Quote: “Application (e.g. Web browsers) account credential theft”
• [T1496] Resource Hijacking – Coin mining (XMRig). Quote: “XMRig CoinMiner”
• [T1499] Service Denial of Service / DoS – DDoS capability. Quote: “DDoS attack”
• [T1548] Abuse Elevation Control Mechanism – UAC Bypass. Quote: “UAC Bypass”
• [T1562.001] Impair Defenses – Defender deactivation. Quote: “Windows Defender deactivation”
• [T1041] Exfiltration Over C2 / Encrypted Channel – C2 traffic encrypted via TLS and Tor. Quote: “Encrypted communication using TLS 1.2” and “Communication using Tor”
• [T1105] Ingress Tool Transfer (Second instance) – Additional payload URLs retrieved after initial downlink (repeat of T1105 for downloader/BitRAT payloads). Quote: “Additional Payload Download URL – Downloader” and “Additional Payload Download URL – BitRAT”