{"id":4601,"date":"2023-03-28T01:27:00","date_gmt":"2023-03-28T01:27:00","guid":{"rendered":"\/cybersecurity-blog\/?p=4601"},"modified":"2023-04-17T12:05:06","modified_gmt":"2023-04-17T12:05:06","slug":"limerat-malware-analysis","status":"publish","type":"post","link":"https:\/\/any.run\/cybersecurity-blog\/limerat-malware-analysis\/","title":{"rendered":"LimeRAT Malware Analysis: Extracting the Config\u00a0"},"content":{"rendered":"\n

In today\u2019s article, we\u2019re going to look under the hood of a modular RAT \u2014 LimeRAT. Let\u2019s get right into it! <\/p>\n\n\n\n

What is LimeRat <\/h2>\n\n\n\n

LimeRAT is a Remote Access Trojan (RAT) that’s been around for a few years now. It’s a versatile piece of malware designed to give attackers control over an infected system. With its relatively small file size, it tries to fly under the radar of traditional antivirus solutions. <\/p>\n\n\n\n

\"LimeRAT<\/figure>\n\n\n\n

What makes LimeRAT particularly interesting is its ability to perform a wide range of malicious activities. Some of these include keylogging, stealing passwords, and capturing screenshots. Additionally, LimeRAT can execute arbitrary commands, download and upload files, and even use the infected machine for crypto-mining or DDoS attacks.  <\/p>\n\n\n\n

LimeRAT malware analysis <\/h2>\n\n\n\n

To start, let’s open a sample in Detect It Easy: <\/p>\n\n\n\n

<\/p>\n\n\n\n

\"LimeRAT
Figure 1: sample overview in DiE <\/figcaption><\/figure>\n\n\n\n

Upon inspection, we observe that the code has been obfuscated (MITRE T1027<\/strong>) and unreadable: the names of classes, methods, and variables are made out of random glyphs. <\/p>\n\n\n\n

Since the sample is written in a .NET language, let\u2019s open it in DnSpy.  <\/p>\n\n\n\n

\"LimeRAT
Figure 2: sample overview in DnSpy; note that use of obfuscation techniques <\/figcaption><\/figure>\n\n\n\n
<\/div>\n\n\n\n

Finding the configuration <\/h2>\n\n\n\n

After examining the malware\u2019s classes, we find something resembling a class with its configuration: <\/p>\n\n\n\n

\"Possibly,
Figure 3: possibly, malware configuration class<\/figcaption><\/figure>\n\n\n\n
<\/div>\n\n\n\n

We notice that this class contains a field that appears to be a string encoded using the Base64 algorithm (MITRE T1132.001<\/strong>): <\/p>\n\n\n\n

\"Strange
Figure 4: strange class field that looks like Base64 encoded string <\/figcaption><\/figure>\n\n\n\n
<\/div>\n\n\n\n

We attempted to decode this string using CyberChef, but were unsuccessful. It is likely that the string is not only encoded but also encrypted. <\/p>\n\n\n\n

\"Unsuccessful
 Figure 5: even though it seems that this string is Base64 encoded, we can\u2019t obtain data by just decoding it <\/figcaption><\/figure>\n\n\n\n
<\/div>\n\n\n\n

Looks like the string is encoded and <\/em>encrypted. Therefore, we will attempt to analyze this string and identify any functions or instructions that reference it. To do this, we right-click on the field and select “Analyse” from the context menu (alternatively, we can select the field and use the Ctrl + Shift + R shortcut). <\/p>\n\n\n\n

In the resulting window, we are interested in where the value of this string is being read. We expand the “Read by” section and see that the string is being read in two methods: <\/p>\n\n\n\n

\"2
Figure 6: two x-refs to the string that we discovered <\/figcaption><\/figure>\n\n\n\n
<\/div>\n\n\n\n

We briefly inspect the first method but don’t see anything interesting here. It appears that this method is not specifically related to the virus configuration: <\/p>\n\n\n\n

\"LimeRAT
Figure 7: the first method seems useless<\/figcaption><\/figure>\n\n\n\n
<\/div>\n\n\n\n

Let’s move on to the second method. We immediately notice some interesting code where our string is being used with the method WebClient.DownloadString, which is used<\/a> to download a string from a remote resource. <\/p>\n\n\n\n

\"LimeRAT
Figure 8: the second x-ref is more interesting – looks like it uses our string in WebClient.DownloadString method<\/figcaption><\/figure>\n\n\n\n
<\/div>\n\n\n\n

Before our string is passed to WebClient.DownloadString is passed through another method that clearly transforms it into something that DownloadString can consume.  <\/p>\n\n\n\n

Let’s take a closer look at this method and see what it does to our string. <\/p>\n\n\n\n

After a quick evaluation of the method, we see that it uses instances of the RijndaelManaged <\/strong>and MD5CryptoServiceProvider<\/strong> classes. <\/p>\n\n\n\n

It appears that we have found the function where our string is decrypted: <\/p>\n\n\n\n

\"LimeRAT's
Figure 9: it seems that we found a method responsible for string decryption<\/figcaption><\/figure>\n\n\n\n

<\/p>\n\n\n\n

<\/div>\n\n\n\n

LimeRAT decryption algorithm <\/h2>\n\n\n\n

Let’s break down how the decryption algorithm works in more detail: <\/p>\n\n\n\n

    \n
  1. Instances of the RijndaelManaged<\/strong> and MD5CryptoServiceProvider<\/strong> classes are created. If we search for the RijndaelManaged class on MSDN, we see that it is essentially an obsolete implementation of the AES encryption algorithm (MITRE T1027)<\/strong>. The MD5CryptoServiceProvider class, as the name implies, is used to compute an MD5 hash. <\/li>\n<\/ol>\n\n\n\n
      \n
    1. An array of 32 bytes is created and initialized with zeros. This array will be used to store the AES key. <\/li>\n<\/ol>\n\n\n\n
        \n
      1. To generate the key, the MD5 hash of another string <\/strong>from the configuration class is first computed (in our case, the string is “20[.]199.13.167”). <\/li>\n<\/ol>\n\n\n\n

        <\/p>\n\n\n\n

        \"LimeRAT
        Figure 10: another string from the configuration class is used to generate the AES key <\/figcaption><\/figure>\n\n\n\n

        <\/p>\n\n\n\n

        <\/div>\n\n\n\n
          \n
        1. Next, the first 15 bytes and then the first 16 bytes of the computed hash are copied to the previously created array. The last element of the array remains zero. <\/li>\n<\/ol>\n\n\n\n
            \n
          1. The generated key is set to the key property of the RijndaelManaged instance. The Mode property is set to CipherMode.ECB. <\/li>\n<\/ol>\n\n\n\n
              \n
            1. Finally, the original string is decoded using the Base64<\/strong> algorithm and decrypted using the AES256-ECB <\/strong>algorithm. <\/li>\n<\/ol>\n\n\n\n

              Let’s try to replicate this algorithm in CyberChef to confirm our findings. We will need 2 CyberChef tabs, one where we’ll use MD5 to generate the AES key, and another where we’ll attempt to decrypt the data. <\/p>\n\n\n\n

              First, we calculate the MD5 hash and take 15 bytes from it. Then copy them to the \u2018Key\u2019 field in the AES Decrypt section in another tab:\u00a0<\/p>\n\n\n\n

              \"taking
              Figure 11: taking first 15 bytes of MD5 hash
              <\/figcaption><\/figure>\n\n\n\n
              <\/div>\n\n\n\n
              \"copying
              Figure 12: copying 15 bytes to \u2018Key\u2019 in AES Decrypt section in the first tab<\/figcaption><\/figure>\n\n\n\n
              <\/div>\n\n\n\n

              Then, we take the first 16 bytes of MD5 hash:<\/p>\n\n\n\n

              \"taking
              Figure 13: taking first 16 bytes of MD5 hash
              <\/figcaption><\/figure>\n\n\n\n
              <\/div>\n\n\n\n

              Our next step is to append them to previous 15 bytes and add a zero byte at the end as a padding byte (to 32 bytes):<\/p>\n\n\n\n

              \"copying
              Figure 14: copying 16 bytes and appending zero to \u2018Key\u2019 in AES Decrypt section in first tab

              <\/figcaption><\/figure>\n\n\n\n
              <\/div>\n\n\n\n

              And now we can see the decrypted string in the output section.<\/p>\n\n\n\n

              You can try the same here<\/a> as well.<\/p>\n\n\n\n

              After decrypting the string, we get a link to a PasteBin note: https:\/\/pastebin[.]com\/raw\/sxNJt2ek. When we navigate to the link, we see the C2 address of the malware.\u00a0<\/p>\n\n\n\n

              \"we
              Figure 15: we found LimeRATs C2 using data that we decrypted 
              <\/figcaption><\/figure>\n\n\n\n
              <\/div>\n\n\n\n

              Wrapping Up <\/h2>\n\n\n\n

              In this article, we successfully analyzed LimeRAT and uncovered its configuration. We identified the use of the .NET language and examined the malware classes, which revealed that obfuscation had been implemented. By meticulously inspecting these classes, we determined the decryption algorithm employed to decode the string containing the C2 address. <\/p>\n\n\n\n

              IOCs <\/h2>\n\n\n\n

              Analyzed files: <\/h3>\n\n\n\n
              SHA1 <\/td>14836dd608efb4a0c552a4f370e5aafb340e2a5d <\/td><\/tr>
              SHA256 <\/td>6d08ed6acac230f41d9d6fe2a26245eeaf08c84bc7a66fddc764d82d6786d334 <\/td><\/tr>
              MD5 <\/td>d36f15bef276fd447e91af6ee9e38b28 <\/td><\/tr>
              SSDEEP <\/td>3072:DDiv2GSyn88sH888wQ2wmVgMk\/211h36vEcIyNTY4WZd\/w1UwIwEoTqPMinXHx+i:XOayy <\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

              IPv4: <\/h3>\n\n\n\n
              IOC<\/strong> <\/td>Description<\/strong> <\/td><\/tr>
              20[.]199.13.167:8080 <\/td>LimeRAT\u2019s C2 server <\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

              Domains: <\/h3>\n\n\n\n
              IOC<\/strong> <\/td>Description<\/strong> <\/td><\/tr>
              https:\/\/pastebin[.]com\/raw\/sxNJt2ek <\/td>PasteBin used by LimeRAT to hide its original C2 server <\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

              MITRE (ARMATTACK): <\/h3>\n\n\n\n
              Tactic<\/strong> <\/td>Technique<\/strong> <\/td>Description<\/strong> <\/td><\/tr>
              TA0005: Defense Evasion <\/td>T1027: Obfuscated Files or Information <\/td>Malware is using obfuscator to strip its method names, class names, etc. <\/td><\/tr>
              TA0005: Defense Evasion <\/td>T1027: Obfuscated Files or Information <\/td>Malware uses Base64 algorithm to encode and decode data <\/td><\/tr>
              TA0005: Defense Evasion <\/td>T1027: Obfuscated Files or Information <\/td>Malware uses AES algorithm to encrypt and decrypt data <\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

              Although effective, this manual process can be time-consuming. This is where interactive sandboxes, such as ANY.RUN<\/a>, prove to be invaluable. <\/p>\n\n\n\n

              ANY.RUN offers a powerful and user-friendly platform for automating malware sample analysis. By enabling users to safely execute malware within a secure environment, ANY.RUN efficiently extracts configurations for malware like LimeRAT, ultimately saving security researchers precious time and resources. <\/p>\n\n\n\n

              \n
              \n

              \n Free malware research<\/span> with ANY.RUN\n <\/p>\n

              \n \n Start Now!\n <\/a>\n <\/div>\n <\/div>\n <\/div>\n \n\n\n\n

              <\/p>\n\n\n\n

              Let us show you how our interactive sandbox can fit into your workflow \u2014 get a 14-day free trial<\/a> with our friendly sales team. <\/p>\n\n\n\n

              Interested in more content like this? <\/p>\n\n\n\n