The Secret Life of RATs: connecting the dots by dissecting multiple backdoors
Show in Graph
Image Description
Common Information
Type Value
UUID 8b6cd98f-8fe3-442c-bcad-a47db6d6818f
Fingerprint cda06bd0bd68af7a8fff7a4fec32ab7efd112ae055243c97d7c195a31f043f7a
Analysis status DONE
Considered CTI value 2
Text language
Published Jan. 26, 2024, 4:28 p.m.
Added to db March 12, 2024, 8:13 p.m.
Last updated Aug. 31, 2024, 5:39 a.m.
Headline The Secret Life of RATs: connecting the dots by dissecting multiple backdoors
Title The Secret Life of RATs: connecting the dots by dissecting multiple backdoors
Detected Hints/Tags/Attributes 28/1/52
Source URLs
Redirection Url
Details Source https://jsac.jpcert.or.jp/archive/2024/pdf/JSAC2024_1_7_hara_nakajima_kawakami_jp.pdf
URL Provider
Details Provider Source level domain
Details jpcert.or.jp jsac.jpcert.or.jp
Attributes
Details Type #Events CTI Value
Details Domain 26 
www.lac.co.jp
Details Domain 604 
www.trendmicro.com
Details Domain 3 
onedrivo.com
Details Domain 2 
onedrive.zip
Details Domain 2 
netlabs.zip
Details File 3 
20230914_003513.html
Details File 2 
estries-targets-government-tech-for-cyberespionage.html
Details File 4 
mic.exe
Details File 89 
version.dll
Details File 3 
mic.doc
Details File 2 
taskhask.exe
Details File 6 
k7avwscn.dll
Details File 4 
taskhask.doc
Details File 4 
taskhask.dat
Details File 1 
暗号化されたtaskhask.doc
Details File 2 
msbtc.exe
Details File 2 
msbtc.dat
Details File 2 
msbtc.cfg
Details File 1 
notifu.exe
Details File 2 
mdmerge.exe
Details File 6 
midlrtmd.dll
Details File 2 
midlrtmt.dll
Details File 2 
midlrtme.dll
Details File 2 
mdmerge.png
Details File 2 
mdmerge.dat
Details File 15 
explore.exe
Details File 4 
k7avmscn.exe
Details File 2 
notiu.exe
Details File 69 
client.exe
Details File 9 
versions.dll
Details File 2 
onedrive.zip
Details File 2 
netlabs.zip
Details File 54 
install.exe
Details File 3 
1.cab
Details File 4 
2.cab
Details File 23 
libvlc.dll
Details File 3 
usost.ppt
Details sha1 2 
5f9c5655e779467fb353c74901cf66ede29647f1
Details sha1 2 
84b8c462107ab54cf660ef33f969d937efad38f1
Details sha1 2 
bc92d96b409e7bda6d46caf4843dc9507c45b00f
Details sha1 2 
f9b1ca8b5386bc93bbc49d63d4e18fd8f14f25a9
Details sha1 2 
3b7426be3bc95c860083516057a76f5605d59402
Details sha1 2 
86c60bb1513b98f8023b0f5e27b598125c3f75e0
Details sha1 2 
5bde79892a7944e415c9332fbf1a6768dff447b5
Details sha1 2 
213df95ee891a2235f04f7748dd2f955b2b3cb58
Details sha256 2 
3aa9ab1c50b6f1d8878c7f6fa9e21407579534f1c213db5433003c14a29373e7
Details IPv4 2 
139.84.166.104
Details Url 2 
https://www.lac.co.jp/lacwatch/report/20230914_003513.html
Details Url 2 
https://www.trendmicro.com/ja_jp/research/23/j/earth-
Details Yara rule 2 
rule MofuLoader {
	meta:
		description = "detect MofuLoader in memory"
	strings:
		$ror = { C1 C? 0C }
		$api_hashing = { 81 F? A1 A3 A0 1D 74 ?? 81 F? D0 A7 17 47 74 ?? 81 F? A3 2C 59 8F 74 ?? 81 F? A0 F0 1F B0 74 ?? 81 F? 4F 6A 65 D7 }
	condition:
		all of them
}
Details Yara rule 2 
rule Hemigate {
	meta:
		description = "detect Hemigate in memory"
	strings:
		$cmd1 = ".?AVCATcpSocket@@"
		$cmd2 = ".?AVCBaseSocket@@"
		$cmd3 = ".?AVCFile@@"
		$cmd4 = ".?AVCmd@"
		$cmd5 = ".?AVCPro@@"
		$cmd6 = ".?AVCRdp@@"
		$cmd7 = ".?AVCShell@@"
		$cmd8 = ".?AVCSocket5@@"
		$cmd9 = ".?AVCSTlsSocket@@"
		$cmd10 = ".?AVCTransf@@"
		$cmd11 = ".?AVCFileMoniter@@"
		$cmd12 = ".?AVCKeylogPlug@@"
		$cmd13 = ".?AVCPipe@@"
	condition:
		8 of them
}
Details Yara rule 1 
rule SlyMongo {
	meta:
		desctiption = "Detect SlyMongo in memory"
		hash = "3AA9AB1C50B6F1D8878C7F6FA9E21407579534F1C213DB5433003C14A29373E7"
	strings:
		$cmp_cmd = { 3B CF 0F 87 ?? ?? ?? ?? 0F 84 ?? ?? ?? ?? 83 E9 0A 0F 84 ?? ?? ?? ?? 83 E9 03 0F 84 ?? ?? ?? ?? 83 E9 01 0F 84 ?? ?? ?? ?? 83 E9 01 0F 84 ?? ?? ?? ?? 83 E9 01 74 ?? 83 E9 01 74 ?? 83 E9 01 74 ?? 83 E9 01 74 ?? 83 F9 01 0F 85 ?? ?? ?? ?? }
		$str1 = "DNS server URL is NULL. Call mg_mgr_init()"
		$str2 = "error connecting to %s"
	condition:
		all of them
}