The ASEC analysis team previously uploaded a post about BitRAT being distributed disguised as a Windows OS license verification tool. BitRAT is now being distributed as an Office installer with different files, preying upon potential victims.
The following image shows a post that contains the malware. It is titled '[New][Cheap]Office 2021 Installer + Permanent License Verification'.
The downloaded file is a compressed file named ‘Program.zip’, just like the one introduced in the previous blog post (see Figure 3 and Figure 4). As per the post description, the password of this compressed file is ‘1234’. The compressed file contains an Office installer named ‘OInstall.exe’.
The window the victim sees is that of the Office downloader (see Figure 5), but the actual downloader installs a file in the startup folder (see Figure 6). Normally, the first file that is installed is a downloader of the same kind, and the downloader run this way ultimately installs BitRAT in the %TEMP% path as ‘Software_Reporter_Tool.exe’.
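The drop pattern described above (an executable written to the startup folder, then ‘Software_Reporter_Tool.exe’ appearing directly in %TEMP%) can be hunted in file-creation telemetry. The following is an added example, not code from ASEC or AhnLab; it assumes events shaped like Sysmon Event ID 11 records (Image, TargetFilename), and the user name, ‘updater.exe’ and all sample events are constructed.

```python
import ntpath
import re

# Per-user Startup folder and per-user Temp directory (standard Windows locations).
STARTUP_RE = re.compile(
    r"\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\[^\\]+$")
TEMP_RE = re.compile(r"\\appdata\\local\\temp\\[^\\]+$")
EXEC_EXT = {".exe", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js", ".lnk"}
BITRAT_NAME = "software_reporter_tool.exe"   # file name given in the post


def classify(event):
    """Return a list of findings for one file-creation event."""
    target = event["TargetFilename"].lower()
    name = ntpath.basename(target)
    ext = ntpath.splitext(name)[1]
    findings = []
    if STARTUP_RE.search(target) and ext in EXEC_EXT:
        findings.append("executable-written-to-startup")
    if TEMP_RE.search(target) and name == BITRAT_NAME:
        findings.append("bitrat-name-in-temp")
    return findings


def scan(events):
    """Return (Image, TargetFilename, findings) for every event that matched."""
    return [(ev["Image"], ev["TargetFilename"], classify(ev))
            for ev in events if classify(ev)]


# Constructed sample events (not from the post); field names follow Sysmon Event ID 11.
# The third entry is a benign control: the same file name outside %TEMP% must not match.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\kim\Downloads\Program\OInstall.exe",
     "TargetFilename": r"C:\Users\kim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\updater.exe"},
    {"Image": r"C:\Users\kim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\updater.exe",
     "TargetFilename": r"C:\Users\kim\AppData\Local\Temp\Software_Reporter_Tool.exe"},
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "TargetFilename": r"C:\Users\kim\AppData\Local\Google\Chrome\User Data\SwReporter\1.0\software_reporter_tool.exe"},
    {"Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\kim\AppData\Local\Temp\report.txt"},
]

if __name__ == "__main__":
    for image, target, found in scan(SAMPLE_EVENTS):
        print(f"{', '.join(found)}: {target} (written by {image})")
```

A startup-folder write alone is a weak signal, since legitimate installers also do it; the two findings appearing on the same host in sequence is the pattern the post describes.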
The following lists features of BitRAT.
1. Network Communication Method
– Encrypted communication using TLS 1.2
– Communication using Tor
2. Basic Control
– Process manager
– Service manager
– File manager
– Windows manager
– Software manager
3. Information Theft
– Clipboard logging
– Webcam logging
– Audio logging
– Application (e.g. Web browsers) account credential theft
4. Remote Control
– Remote desktop
– hVNC (Hidden Desktop)
– SOCKS5 Proxy: port forwarding feature using UPnP
– Reverse Proxy: SOCKS4 Proxy
6. Coin Mining
– XMRig CoinMiner
– DDoS attack
– UAC Bypass
– Windows Defender deactivation
As shown in the examples above, the malware is being actively distributed via file-sharing websites such as Korean webhards. Caution is therefore advised when running executables downloaded from a file-sharing website. Users are advised to download products from the developers' official websites.
AhnLab’s anti-malware software, V3, detects and blocks the malware above using the aliases below.
– Downloader/Win.BitRAT.C5018635 (2022.03.22.03)
– Downloader/Win.BitRAT.R479001 (2022.03.22.03)
– Backdoor/Win.BitRAT.C5023733 (2022.03.22.03)
Downloader malware MD5