Spectre (SPC) v9 Campaigns and Updates

Spectre RAT’s SPC v9 campaigns have reemerged, distributed via the livechat-files[.]com hosting domain and signed with code signing certificates to evade detection in targeted attacks. The operation relies on multiple EV code-signing certificates, hardcoded C2 addresses that are decoded at runtime, a timing-based crypter check to detect VM analysis, and string encoding to conceal its payloads and configuration.

Keypoints

  • Spectre RAT v9 campaigns resurfaced and are distributed via the hosting domain livechat-files[.]com with code-signed payloads for targeted attacks.
  • The campaigns leverage multiple EV code signing certificates issued to several different organizations (e.g., Xi’an Jiashi Xinnuo IT, JauiInderte Agiletron IT, Mutiix QuansumKeep IT) to sign samples and evade detection; examples are listed under “Code Signing Certificate.”
  • Two distinct hosting/redirect chains were observed: cdn.livechat-files[.]com (and later cdn-staging.livechat-files[.]com) with initial redirects through cdn-namecheap[.]com, placing the campaign timeline in early 2024.
  • The crypter uses VM timing checks (GetTickCount and Sleep) around heap operations to distinguish virtual environments from real machines, helping to evade analysis.
  • The crypter employs string encoding/decoding (base64, single-byte XOR) and rebuilds data to hinder signature and string recovery, with decoded strings revealing domain-like identifiers and C2 details.
  • Hardcoded C2 addresses are decoded at runtime with a key, and the article provides a Python demonstration of the decoding process to reveal intended C2s and domains.
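The decoding described in the last two points, written out as an added example (this is not the article's own Python script): strings are single-byte XORed and then base64-wrapped, and the XOR key is recovered by brute force when it is unknown, scoring each candidate against what a C2 string should look like (an IPv4 address or a domain with an optional port). The encoded blobs and the key 0x5A below are constructed for the demo; the real sample's blob layout and key are not reproduced on this page.

```python
"""
Added example, not the article's code: decode base64-wrapped, single-byte-XOR
strings of the kind the Spectre crypter uses, and brute-force the key.
Encoding order (XOR first, then base64) is an assumption for illustration.
"""
import base64
import re
from typing import List, Optional

# Constructed sample data: key and plaintexts are not taken from the real sample.
SAMPLE_KEY = 0x5A
SAMPLE_PLAINTEXTS = [
    "serowakrasolaristic.xyz",
    "holosymmetryspecscollunbeatable.xyz",
    "179.43.142.145",
]

# What a decoded C2 string should look like: dotted-quad IP or a lowercase domain,
# optionally followed by :port. Used to pick the right key during brute force.
C2_RE = re.compile(r"^(?:\d{1,3}(?:\.\d{1,3}){3}|[a-z0-9.-]+\.[a-z]{2,})(?::\d{1,5})?$")


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR; XOR is its own inverse, so this both encodes and decodes."""
    return bytes(b ^ key for b in data)


def encode_string(plaintext: str, key: int) -> str:
    """Constructed encoder mirroring the described scheme so the demo is self-contained."""
    return base64.b64encode(xor_bytes(plaintext.encode("ascii"), key)).decode("ascii")


def decode_string(blob: str, key: int) -> str:
    """Runtime decode: base64-unwrap, then XOR with the key."""
    return xor_bytes(base64.b64decode(blob), key).decode("latin-1")


def recover_key(blob: str) -> Optional[int]:
    """Try all 256 keys and return the first one whose output looks like a C2 string."""
    raw = base64.b64decode(blob)
    for key in range(256):
        candidate = xor_bytes(raw, key).decode("latin-1")
        if C2_RE.match(candidate):
            return key
    return None


def decode_config(blobs: List[str], key: int) -> List[str]:
    """Decode every encoded string with the same key, as the sample does at runtime."""
    return [decode_string(b, key) for b in blobs]


def demo() -> dict:
    """Encode the constructed plaintexts, forget the key, recover it, decode everything."""
    blobs = [encode_string(p, SAMPLE_KEY) for p in SAMPLE_PLAINTEXTS]
    key = recover_key(blobs[-1])          # the IP blob is the most constrained candidate
    return {"key": key, "decoded": decode_config(blobs, key)}


if __name__ == "__main__":
    result = demo()
    print(f"recovered key: 0x{result['key']:02X}")
    for s in result["decoded"]:
        print("  ", s)
```

Brute-forcing against a structural check (IP or domain shape) is more robust than scoring on printable ASCII alone, because several keys can yield printable junk but only one yields a dotted quad. When a sample's encoded blobs are visible in the unpacked binary, the same `recover_key` call over one known-format string gives the key for the whole configuration.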

MITRE Techniques

  • [T1116] Code Signing (deprecated ID; now T1553.002 Subvert Trust Controls: Code Signing) – The samples are signed with code signing certificates to appear legitimate and bypass detection. Quote: “Code Signing Certificate …
  • [T1027] Obfuscated/Compressed Files and Information – The crypter uses base64 and XOR encoding with a rebuild step to conceal strings and payloads. Quote: “Once unpacked, the Spectre sample has a basic string encoding setup as a simple single byte XOR.”
  • [T1497] Virtualization/Sandbox Evasion – Timing checks with GetTickCount and Sleep are used to detect VM/sandbox environments. Quote: “The crypter leverages timing checks mixed with GetTickCount and Sleep wrapped around a block of function calls, the idea here is that in virtual machines some functionality takes drastically shorter to accomplish than it does on a real machine.”
  • [T1036] Masquerading – Payloads signed with several different certificates masquerade as legitimate software; multiple files were signed with the same certificate and presented as legitimate components. Quote: “The following files were also signed with the same code signing certificate:”
  • [T1059] Command and Scripting Interpreter (T1059.003 Windows Command Shell) – The provided example shows post-unpack behavior in which cmd.exe runs a ping against localhost as a delay, deletes the original dropper, and then launches the dropped executable; the deletion step also fits T1070.004 Indicator Removal: File Deletion. Quote: “"C:\Windows\System32\cmd.exe" /c ping localhost -n 6 > nul & del "C:\Users\user\Desktop\mal.exe" & "C:\Users\user\AppData\Local\Temp\LearncomToolkit.exe"”
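Detection logic for the ping-then-delete cleanup quoted above, as an added example rather than anything from the article: it flags process-creation events whose command line uses `cmd /c ping localhost -n N` as a sleep followed by `del`, and marks the strongest case, where the file being deleted is the parent process's own image. The three log lines are constructed for the demo, and the Sysmon-style `Key=Value` layout with `CommandLine` as the final field is an assumption of the parser, not the article's data.

```python
"""
Added example, not code from the article: flag the "cmd.exe /c ping ... & del"
self-deletion pattern in process-creation telemetry. Log lines are constructed.
"""
import re
from typing import Dict, List

# ping against localhost used as a delay, then del of a file later in the same command line.
SELF_DELETE_RE = re.compile(
    r'cmd(?:\.exe)?"?\s+/c\s+ping\s+(?:localhost|127\.0\.0\.1)\s+-n\s+(?P<count>\d+)'
    r'[^&]*&\s*del\s+"?(?P<target>[^"&]+?)"?\s*(?:&|$)',
    re.IGNORECASE,
)

# Constructed events (assumed Sysmon-like Key=Value layout; CommandLine is the last field).
SAMPLE_EVENTS = [
    'Image=C:\\Windows\\System32\\cmd.exe ParentImage=C:\\Users\\user\\Desktop\\mal.exe '
    'CommandLine="C:\\Windows\\System32\\cmd.exe" /c ping localhost -n 6 > nul & del '
    '"C:\\Users\\user\\Desktop\\mal.exe" & "C:\\Users\\user\\AppData\\Local\\Temp\\LearncomToolkit.exe"',
    # benign: a delay without a delete
    'Image=C:\\Windows\\System32\\cmd.exe ParentImage=C:\\Windows\\explorer.exe '
    'CommandLine=cmd.exe /c ping localhost -n 2 > nul',
    # the child ping process itself carries no del, so it should not fire
    'Image=C:\\Windows\\System32\\PING.EXE ParentImage=C:\\Windows\\System32\\cmd.exe '
    'CommandLine=ping localhost -n 6',
]


def parse_event(line: str) -> Dict[str, str]:
    """Split 'Key=Value Key=Value ...'; values may contain spaces, keys may not."""
    fields: Dict[str, str] = {}
    for part in re.split(r" (?=\w+=)", line):
        key, _, value = part.partition("=")
        fields[key] = value
    return fields


def find_self_delete(events: List[str]) -> List[Dict[str, object]]:
    """Return one hit per event whose command line matches the ping-then-del pattern."""
    hits: List[Dict[str, object]] = []
    for line in events:
        ev = parse_event(line)
        m = SELF_DELETE_RE.search(ev.get("CommandLine", ""))
        if not m:
            continue
        target = m.group("target").strip()
        parent = ev.get("ParentImage", "")
        hits.append({
            "parent": parent,
            "delay_s": int(m.group("count")) - 1,   # ping -n N waits roughly N-1 seconds
            "target": target,
            # Deleting the parent's own image is the dropper self-removal case.
            "deletes_parent": target.lower() == parent.lower(),
        })
    return hits


if __name__ == "__main__":
    for hit in find_self_delete(SAMPLE_EVENTS):
        print(hit)
```

The `deletes_parent` flag is what separates this from ordinary batch scripts that also use ping as a sleep: a process whose first act is to wait and then delete the binary that spawned it is almost always a dropper covering its tracks, and the same regex applies to EDR command-line fields regardless of the surrounding log format once the command line is isolated.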

Indicators of Compromise

  • IPs – 179.43.142.145, 179.43.142.190, and many more IPs (e.g., 91.92.240[.]40, 91.92.255[.]73).
  • Domains – holosymmetryspecscollunbeatable[.]xyz, serowakrasolaristic[.]xyz, cdn.livechat-files[.]com, cdn-staging.livechat-files[.]com, and related domains.
  • File hashes – f90d1716de7244f368a81d2b9d247c2b6213447aee6da606267edceef0cc1377, 84499164a4848a100a22361f38d36ddaea66d01d2e68580271692f9a6fc2a570, and 2 more hashes.
  • Code Signing Certificates – names and thumbprints associated with Xi’an Jiashi Xinnuo Information Technology Co., Ltd.; JauiInderte Agiletron Information Technology Co., Ltd.; Mutiix QuansumKeep Information Technologies Co., Ltd.

Read more: https://medium.com/walmartglobaltech/spectre-spc-v9-campaigns-and-updates-546c2e65e247