The OPM Hack: I Smell a RAT

Paul Shomo

In the wake of the OPM hack, where reports suggest that millions of security clearance records headed directly to Chinese intelligence units, let’s talk about remote administration tools (RATs), which in their malicious form are usually called remote access trojans. These tools are a staple of this type of intrusion, so we'll walk through a common methodology for identifying RATs that no signature yet knows.

In the broadest sense, RATs are used to remotely access and control computers. System administrators often use these tools for good, but black hats develop specialized RATs that infect, hide, and act as back doors.

Malicious RATs like PlugX, Gh0st, Korplug, Gulpix, Sogu, Thoper, and Destory can be rebuilt on demand into fresh variants that signature-based detection has never seen; in practice each such variant arrives as a zero day. The Gh0st RAT user interface (UI), shown below, gives some insight into how easily an operator can build such variants to infect sensitive machines. Once a host is infected, command-and-control can be established from anywhere on the internet, with traffic proxied through intermediate servers so that the true operator is hard to identify.

Probably the highest-profile RAT variant, PlugX, was featured in a Black Hat 2014 presentation, and Trend Micro has traced it back as far as 2008. Guidance Software security professionals working in the federal space report seeing PlugX variants routinely. It's a good example of how a malware framework first deployed in 2008 can still produce variants that bypass signature-based detection.

To find zero day attacks, you have to do routine investigations for unknown threats. It's wise to make use of the one natural advantage that incident responders possess: detailed knowledge of their environments. Sun Tzu once said, “Know the weather, know the terrain, your victories will be limitless.” In this modern cyberwar, the ancient sage of war might have said, “Know your network and endpoints. Your discovery-to-response time will be formidable.”

RATs may sound intimidating, but an analyst can spot them with EnCase® Endpoint Security. Its Snapshot technology, shown in the report below, enumerates the processes on each endpoint so that incident responders, tiered security analysts, or threat-detection staff can quickly spot anomalies.

PlugX uses a variety of injection methods to hijack common processes, so the aim is to identify instances of familiar processes that have had malware injected into them. A good way to start is to group the frequently targeted svchost.exe instances, then look for strange start times, or for process identifiers (PIDs) that changed when no reboot occurred. In the PlugX cases we see, both svchost.exe and msiexec.exe are injected. Injection can also be spotted by looking for seemingly legitimate binaries whose names are slightly misspelled, that are stored in non-standard paths, or that are running in, or injected into, non-standard processes.

Many forms of malware rely on autorun registry keys to restart after a reboot; this is known as persistence, or a persistence mechanism. Using a network-wide registry scan, EnCase Endpoint Security can rapidly locate machines infected with PlugX by searching for unfamiliar binaries set to run at startup, such as the autorun keys shown below.

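The process and persistence checks described above, as an added example that is not code from the original post or from EnCase: a Python script that compares two constructed process snapshots of one host and a constructed set of Run-key values against a hypothetical known-good baseline. It flags lookalike names (svch0st.exe), system binaries running from the wrong directory or under the wrong parent, a singleton process whose PID changed without a reboot, and autorun images that are unfamiliar, ranking those in user-writable paths higher. EXPECTED, SINGLETONS, USER_WRITABLE, BASELINE_AUTORUNS and all snapshot data are assumptions for illustration; a real baseline comes from clean hosts in your own environment.

```python
"""Added example: triage a Windows endpoint snapshot for the anomalies described
above. All process, boot and registry data here is constructed; a real baseline
comes from clean hosts in your own environment."""
import ntpath
from dataclasses import dataclass
from difflib import SequenceMatcher

@dataclass(frozen=True)
class Proc:
    pid: int
    name: str
    path: str
    parent: str

@dataclass(frozen=True)
class Snapshot:
    boot_id: str   # changes only when the host reboots
    procs: tuple

# Hypothetical baseline: where each binary lives and who should start it (None = varies).
EXPECTED = {
    "svchost.exe":  (r"c:\windows\system32", "services.exe"),
    "msiexec.exe":  (r"c:\windows\system32", None),
    "lsass.exe":    (r"c:\windows\system32", "wininit.exe"),
    "services.exe": (r"c:\windows\system32", "wininit.exe"),
}
SINGLETONS = {"lsass.exe", "services.exe"}   # exactly one instance expected per host
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\", "\\appdata\\")
BASELINE_AUTORUNS = {r"c:\program files\windows defender\msascuil.exe"}   # constructed

def lookalike(name):
    """Return the known binary a process name imitates (e.g. svch0st.exe), else None."""
    if name in EXPECTED:
        return None
    for known in EXPECTED:
        if SequenceMatcher(None, name, known).ratio() >= 0.8:
            return known
    return None

def process_findings(before, after):
    """Compare two snapshots of one host; return (reason, detail) tuples."""
    findings = []
    for p in after.procs:
        name = p.name.lower()
        known = lookalike(name)
        if known:
            findings.append(("lookalike-name", f"pid {p.pid} {p.name} imitates {known}"))
        if name in EXPECTED:
            exp_dir, exp_parent = EXPECTED[name]
            if ntpath.dirname(p.path).lower() != exp_dir:
                findings.append(("nonstandard-path", f"pid {p.pid} {p.name} running from {p.path}"))
            if exp_parent and p.parent.lower() != exp_parent:
                findings.append(("odd-parent", f"pid {p.pid} {p.name} started by {p.parent}"))
    # A singleton system process whose PID changed while the boot id did not was
    # killed and restarted (or replaced) without a reboot.
    if before.boot_id == after.boot_id:
        for name in sorted(SINGLETONS):
            old = [p.pid for p in before.procs if p.name.lower() == name]
            new = [p.pid for p in after.procs if p.name.lower() == name]
            if len(old) == 1 and len(new) == 1 and old != new:
                findings.append(("pid-reassigned", f"{name} pid {old[0]} -> {new[0]} with no reboot"))
    return findings

def image_path(command):
    """Pull the executable out of an autorun command line, quoted or bare."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    return command.split(" ")[0]

def autorun_findings(autoruns, baseline):
    """Flag Run-key values whose image is not in the baseline; rank user-writable paths higher."""
    findings = []
    for key, command in autoruns:
        image = image_path(command).lower()
        if image in baseline:
            continue
        reason = "user-writable-autorun" if any(s in image for s in USER_WRITABLE) else "unfamiliar-autorun"
        findings.append((reason, f"{key} -> {command}"))
    return findings

# Constructed snapshots: BEFORE is the clean baseline pull, AFTER the same host later.
BEFORE = Snapshot("boot-7f3a", (
    Proc(552, "wininit.exe", r"C:\Windows\System32\wininit.exe", "smss.exe"),
    Proc(640, "services.exe", r"C:\Windows\System32\services.exe", "wininit.exe"),
    Proc(648, "lsass.exe", r"C:\Windows\System32\lsass.exe", "wininit.exe"),
    Proc(812, "svchost.exe", r"C:\Windows\System32\svchost.exe", "services.exe"),
))
AFTER = Snapshot("boot-7f3a", (
    Proc(552, "wininit.exe", r"C:\Windows\System32\wininit.exe", "smss.exe"),
    Proc(640, "services.exe", r"C:\Windows\System32\services.exe", "wininit.exe"),
    Proc(3120, "lsass.exe", r"C:\Windows\System32\lsass.exe", "wininit.exe"),       # new PID, same boot
    Proc(812, "svchost.exe", r"C:\Windows\System32\svchost.exe", "services.exe"),
    Proc(4416, "svchost.exe", r"C:\ProgramData\Intel\svchost.exe", "explorer.exe"),  # wrong path and parent
    Proc(4520, "svch0st.exe", r"C:\Users\Public\svch0st.exe", "svchost.exe"),        # misspelled lookalike
))
AUTORUNS = (   # (registry value, command) pairs, constructed
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
     r'"C:\Program Files\Windows Defender\MSASCuiL.exe"'),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\IntelGfx",
     r"C:\ProgramData\Intel\svchost.exe -k update"),
)

if __name__ == "__main__":
    for reason, detail in process_findings(BEFORE, AFTER) + autorun_findings(AUTORUNS, BASELINE_AUTORUNS):
        print(f"{reason:22} {detail}")
```

The PID check only fires for processes that should exist exactly once, because svchost.exe instances legitimately come and go as services restart; for svchost.exe the path and parent checks carry the weight. Feed this the same fields your endpoint agent already collects and replace the constructed baseline with one pulled from known-clean hosts.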
Now that some endpoints show cause for suspicion, a live preview with EnCase Endpoint Security lets you narrow down the suspicious files. A right-click search can submit a file for static and/or dynamic analysis by a threat intelligence provider such as ThreatGrid, or to free alternatives such as a web search on the file hash or VirusTotal, to confirm that it is malicious. We always recommend collecting the files themselves for preservation and reporting.


Now that an instance of PlugX is confirmed, searches based on indicators of compromise (IOCs) can be built to find related binaries. Simple indicators such as hash, file size, filename, and path work, or more advanced users can lift byte sequences from the hex editor as search keywords and form even richer searches, as shown below. Keep in mind that a hash or exact size only matches identical builds; catching a rebuilt variant depends on the byte-pattern, name, and path indicators. This lets you determine the scope of the incident across the organization.

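The IOC sweep described above, as an added example that is not code from the original post or from EnCase: a Python script that walks a directory tree and reports which indicator types (SHA-256, size, filename, path fragment, raw byte pattern) each file hits, then rates the hit strong or weak. The indicator values, the byte pattern standing in for a hex-editor keyword, and the sample files written to a temp directory are all constructed for illustration and have nothing to do with real PlugX samples.

```python
"""Added example: sweep a directory tree for files matching an indicator set
(hash, size, filename, path fragment, raw byte pattern). The indicator values
and the sample files are constructed for illustration, not real PlugX data."""
import hashlib
import os
import tempfile
from dataclasses import dataclass, field

@dataclass
class Indicators:
    sha256: set = field(default_factory=set)           # hex digests of confirmed samples
    sizes: set = field(default_factory=set)            # file sizes in bytes
    names: set = field(default_factory=set)            # lower-case file names
    path_fragments: set = field(default_factory=set)   # lower-case, forward slashes
    byte_patterns: set = field(default_factory=set)    # bytes lifted from the hex view

STRONG = {"sha256", "bytes"}   # a hash or byte-pattern hit stands on its own

def match_file(path, ioc):
    """Return the indicator types a file hits, in a fixed order (empty = clean)."""
    with open(path, "rb") as fh:
        data = fh.read()
    lowered = path.lower().replace("\\", "/")
    hits = []
    if hashlib.sha256(data).hexdigest() in ioc.sha256:
        hits.append("sha256")
    if len(data) in ioc.sizes:
        hits.append("size")
    if os.path.basename(path).lower() in ioc.names:
        hits.append("name")
    if any(frag in lowered for frag in ioc.path_fragments):
        hits.append("path")
    if any(pat in data for pat in ioc.byte_patterns):
        hits.append("bytes")
    return hits

def confidence(hits):
    """Name, size and path alone are weak; a hash or byte-pattern hit is strong."""
    return "strong" if STRONG & set(hits) else "weak"

def sweep(root, ioc):
    """Walk root and map each matching file (relative path, forward slashes) to its hits."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for f in files:
            full = os.path.join(dirpath, f)
            hits = match_file(full, ioc)
            if hits:
                results[os.path.relpath(full, root).replace("\\", "/")] = hits
    return results

# Constructed sample: a "confirmed" loader DLL, a rebuilt variant, and benign files.
PATTERN = b"\xde\xad\xbe\xef\x13\x37\x00\x01"   # stands in for bytes copied from the hex editor
SAMPLE = b"MZ" + b"\x90" * 100 + PATTERN + b"\x00" * 20
SAMPLE_IOC = Indicators(
    sha256={hashlib.sha256(SAMPLE).hexdigest()},
    sizes={len(SAMPLE)},
    names={"mcutil.dll"},
    path_fragments={"/users/public/"},
    byte_patterns={PATTERN},
)
FILES = {
    ("Users", "Public", "mcutil.dll"): SAMPLE,                      # the confirmed instance
    ("ProgramData", "svc", "mcutil.dll.dat"): PATTERN + b"A" * 37,  # rebuilt variant: new hash, new size
    ("Users", "Public", "readme.txt"): b"nothing here",             # path hit only
    ("Windows", "System32", "svchost.exe"): b"MZ" + b"\x00" * 500,  # clean
}

def build_sample_tree():
    """Write the constructed files under a fresh temp directory and return its path."""
    root = tempfile.mkdtemp(prefix="ioc-sweep-")
    for parts, content in FILES.items():
        full = os.path.join(root, *parts)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(content)
    return root

if __name__ == "__main__":
    for rel, hits in sorted(sweep(build_sample_tree(), SAMPLE_IOC).items()):
        print(f"{confidence(hits):6} {rel}: {', '.join(hits)}")
```

The rebuilt variant is caught only by the byte pattern, which is the point of lifting keywords from the hex editor rather than relying on hashes; conversely, the readme under Users\Public shows why a path hit on its own should be triaged, not acted on. Byte patterns taken from generic code (a common function prologue, a packer stub) will match every binary on the host, so pick sequences specific to the sample.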
Now that you have an indicator condition, the collection wizard in EnCase Endpoint Security (shown below) selects the machines to run the search against, and conditions can be imported and exported for sharing across agencies. To cast an even broader net, our Entropy Near Match Analyzer can locate additional polymorphic variants without the need for indicators; this patented algorithm was designed specifically to identify malware built to evade signature-based detection. The last step is remediation with EnCase Endpoint Security.


As you can see, these investigation tools let a human investigator quickly surface zero day attacks that bypass automated detection. For some zero day attacks there are no shortcuts, so make these active investigations part of your ongoing security strategy.

Comments? Questions? I welcome responses in the section below.

Paul Shomo is the Senior Technical Manager, Strategic Partnerships at Guidance Software.
