Analysis of Pupy RAT Used in Attacks Against Linux Systems

Pupy is a RAT malware strain with cross-platform support. Because it is an open-source program published on GitHub, it is continuously used by various threat actors, including APT groups. For example, it is known to have been used by APT35 (said to have ties to Iran) [1] and in Operation Earth Berberoka [2], which targeted online gambling websites. Recently, a malware strain named Decoy Dog was discovered, which is an updated version of Pupy RAT. Decoy Dog was used in attacks against corporate networks in Russia and Eastern Europe [3].

This post provides a basic overview of Pupy RAT and covers attack cases identified during the analysis process. Major examples include attacks against Linux systems in South Korea and the Pupy RAT variants that have been distributed to Asian countries for several years.


1. PupyRAT

Published on GitHub, Pupy RAT is written in C and Python. It supports Windows and Linux, and also supports Mac OS X and Android to a limited degree.

Figure 1. Pupy RAT on GitHub

As a RAT, it supports features such as command execution, file and process handling, and file upload and download. It also provides information theft features such as screenshot capture and keylogging. Unlike ordinary RATs, Pupy RAT supports post-exploitation modules, which make follow-up attacks such as privilege escalation, account credential theft, and lateral movement possible.

Figure 2. Commands supported by Pupy RAT

Malware strains that target Linux systems generally change their process names to resemble normal processes in order to conceal themselves. One of the characteristics of Pupy RAT is that, by default, it changes its process name to “/usr/sbin/atd” at runtime. Of course, some threat actors may use different path names. The chosen name can serve as one of the factors for distinguishing threat actors, alongside the first 8 digits of the Revision number that is saved when Pupy RAT is built.
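One way a defender can turn this characteristic into a host check is to compare what a process claims to be (its argv[0] in /proc/<pid>/cmdline) with the binary actually mapped as /proc/<pid>/exe. The following is an added example, not ASEC’s code or Pupy’s: the IMPERSONATED set, the Proc record and the constructed sample processes are assumptions; /usr/sbin/atd is the default name from the text.

```python
"""Flag Linux processes that claim a system daemon path (e.g. Pupy's
default /usr/sbin/atd) while running a different or deleted binary."""
import os
from dataclasses import dataclass
from typing import List, Optional

# Paths an implant may present as its name. /usr/sbin/atd is Pupy's
# default; extend this set with operator-chosen names seen in your own IoCs.
IMPERSONATED = {"/usr/sbin/atd"}


@dataclass
class Proc:
    pid: int
    cmdline: str           # raw /proc/<pid>/cmdline, NUL-separated argv
    exe: Optional[str]     # readlink(/proc/<pid>/exe), None if unreadable


def is_masquerading(p: Proc) -> bool:
    """True if argv[0] names an impersonated daemon but exe disagrees."""
    claimed = p.cmdline.split("\0")[0] if p.cmdline else ""
    if claimed not in IMPERSONATED:
        return False               # kernel threads (empty cmdline) land here
    if p.exe is None:
        return True                # claims a daemon path but has no readable binary
    if p.exe.endswith(" (deleted)"):
        return True                # binary unlinked after start (memfd/tmp drop)
    return os.path.normpath(p.exe) != os.path.normpath(claimed)


def find_masquerading(procs: List[Proc]) -> List[int]:
    return [p.pid for p in procs if is_masquerading(p)]


def scan_proc() -> List[Proc]:
    """Collect live processes from /proc (needs root to read others' exe)."""
    procs = []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/cmdline", "rb") as f:
                cmd = f.read().decode("utf-8", errors="replace")
        except OSError:
            continue
        try:
            exe = os.readlink(f"/proc/{pid}/exe")
        except OSError:
            exe = None
        procs.append(Proc(int(pid), cmd, exe))
    return procs


# Constructed sample data: a genuine atd, a fake one, a kernel thread, and
# a fake with an unreadable exe link.
SAMPLE = [
    Proc(101, "/usr/sbin/atd\0-f\0", "/usr/sbin/atd"),
    Proc(202, "/usr/sbin/atd\0", "/tmp/.x/kworker (deleted)"),
    Proc(2, "", None),
    Proc(303, "/usr/sbin/atd\0", None),
]

if __name__ == "__main__":
    print("suspicious pids:", find_masquerading(scan_proc()))
```

Run it as root on a host to walk the real process table; the check only fires for names in IMPERSONATED, so a legitimate atd whose exe matches its argv[0] is left alone.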

Figure 3. Notable characteristics of Pupy RAT

2. Cases of Attacks Against Asian Countries

The following are cases where the malware is believed to have been created and distributed by the same threat actor. Based on the information on VirusTotal, the malware strains are distributed under names that are variants of “ntpd” or “kworker”. They were mainly collected in Asian countries, including not only Taiwan, Hong Kong, and Singapore, but also Japan and Thailand.

Figure 4. Pupy RAT mainly collected from Asian countries

The attacks have continued from 2021 to the present, and the malware was still available for download at the time of writing. Over the years, the threat actor used several addresses both to host the malware and as C&C servers.

Note that Cobalt Strike is among the malware strains that share the same download and C&C server URL. Thus, the threat actor probably targeted Windows systems using Cobalt Strike in addition to Linux systems. Judging from the malware icons and file names such as “ChromeSetup.exe” and “刘中盛—运维工程师-大型企业内网运维-个人简历.docx.exe”, the samples are believed to have been distributed via web pages disguised as download pages for legitimate software or through spear phishing attacks.

Figure 5. Cobalt Strike believed to have been distributed by the same threat actor [4]

3. Analysis of Attacks Against South Korea

Pupy RAT is continuously being collected in South Korea as well. Based on the provided IoCs, there is a case where Pupy RAT was distributed alongside PlugX around 2019. PlugX is one of the major backdoors used by China-based APT threat groups and is known to have been distributed since around 2008. Mustang Panda, Winnti, APT3, and APT41 are the main APT threat groups that have used PlugX in their attacks, most of them known to be based in China.

Figure 6. PlugX also used in attacks

There was also a case around 2023 where Pupy RAT was uploaded to a Korean Windows utility-sharing website that has since closed, although the specific infection route has not been ascertained.

Figure 7. The configuration data of Pupy RAT used in the attacks

4. Conclusion

Pupy RAT is a malware strain that receives commands from the C&C server and controls the infected system. It not only supports basic commands but also provides information theft and proxy features among various others. Beyond the features of ordinary RAT malware, it also offers various features for follow-up attacks such as privilege escalation, account credential theft, and lateral movement.

Because the malware is open source and supports various platforms, it is used by various threat actors, including APT groups. While most known attacks target Windows systems, it is constantly used in attacks targeting Linux servers as well. Most of the recently identified variants that target Linux systems were collected in Asian countries, with cases also reported from Korea.

To prevent such security threats, users must check for vulnerable environment configurations and weak credentials, and always update relevant systems to the latest versions. V3 should also be updated to the latest version so that malware infections can be prevented.

File Detection
– Malware/Win32.Generic.C3121812 (2019.03.24.09)
– Backdoor/Win.CobaltStrike.C5611386 (2024.04.11.03)
– Downloader/Win.CobaltStrike.C5611385 (2024.04.11.03)
– Backdoor/Linux.PupyRAT.3414160 (2024.04.08.02)
– Backdoor/Linux.PupyRAT.3700880 (2024.04.08.02)
– Backdoor/Linux.PupyRAT.3713536 (2021.07.09.02)
– Linux/Agent.2652544 (2019.08.04.00)

IoCs
