This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Community Blog
Subscribe to the official NetWitness Community blog for information about new product features, industry insights, best practices, and more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

FirstWatch Threat Spotlight – Chaos RAT

SwethaDhalavari
Contributor Contributor
Contributor
‎2024-01-16 12:02 PM

 

Executive Summary

 

In a previous blog, we introduced and explored the Chaos C2 Framework but not the Remote Administration Tool (RAT). This research by the FirstWatch team delves into the RAT itself and its capabilities.  As we noted previously, “Chaos RAT supports agents for Windows, Mac, and Linux, however, the feature availability does differ depending on the platform the agent is deployed on…” This research focuses on the Windows variant compiled in Go.

 

The name “Chaos” is also used for a ransomware family, a remote access trojan (RAT) and a Distributed Denial of Service (DDoS) malware. As a result, sorting through all the various “Chaos” malware samples to find those Chaos related to our current course of research was difficult.  

 

As per the details provided on the GitHub repository by Tiago Rodrigo Lamper, a Brazilian programmer and owner of the repository for both Chaos RAT and its C2 Framework, this Chaos RAT enables users with the ability to perform a variety of tasks including the creation of malicious payloads, as well as the ability to establish and maintain control over compromised systems. Once Chaos RAT is downloaded and launched on victim system, it transmits detailed system metadata like hostname, username, IP and MAC address to a remote C2 server, while also coming with capabilities to carry out file operations (upload, download, delete), take screenshots, shutdown and restart the computer, and open arbitrary URLs. 

 

 A History of Chaos

 

In November 2022, Trend Micro found that The Chaos RAT was first incorporated by a cryptocurrency mining campaign which focused on involving Linux machines and specific cloud computing instances being targeted. Based on this campaign, where Chaos RAT was sighted, the operators of Chaos RAT strategically hosted their payloads across multiple locations, ensuring continuous and uninterrupted functionality.

 

Chaos RAT Features

 

SwethaDhalavari_0-1705399154034.png

                                                  

 Figure 1: Features of the Chaos RAT for Windows and LINUX Operating Systems

 

Analysing Chaos RAT with NetWitness

 

Payloads and C2

 

The delivery method of the payload is up to the attacker and not dictated by the tool. To carry out this research, we have created a server and client environments to experiment with this RAT functionalities on Windows machine.  We have generated multiple payloads to show that an attacker can generate executable multiple times. The list of example payloads is as follows:

 

 test_chaos.exe

03a1757d6a6d3f231dfc91961d12c3826ff415f83b26322ac8dc640fb6b5045b

 chaos_test2.exe

310a3d7dced847f30d9c1bde77b9c9e37fbd6e40103ec5971a7c0d2de86aa6a6

 chaos_test3.exe

d6ff402ec3892ba8413c6e7ba4e5e11ba0cbdd4dbc6710b627d7ae157906061e

 

These examples represent payloads generated using Chaos RAT that were delivered to the Windows victim machine by FirstWatch team. Similarly, the FirstWatch team employed generic commands and generated sample files throughout the research to test and demonstrate the functionalities of the RAT.

 

Once the payload is delivered and executed on victim machine, the C2 connection gets established and shows how detailed actions that can be performed on victim machine to the attacker as shown in the below, Figure 2.

 

SwethaDhalavari_0-1705399566533.png

 

                                                            Figure 2: Detailed view of victim data on attacker machine

 

Once the RAT payload has been successfully deployed, executed and its respective capabilities have been proven effective against the victim host, we can see following reflected events under endpoint-concentrator on Investigate page.

 

C2 Network events are logged for outgoing traffic on NetWitness originating from the Chaos-generated executable source file. This happens once the connection is established between client and the server.

 

SwethaDhalavari_1-1705399693757.png

                                                    Figure 3: Outgoing connection to the Chaos server.

 

Observing the traffic initiated from an executable, as illustrated in the picture, is consistently preferable for enhanced monitoring. It can also aid in preventing an attack at its early stages from progressing further.

 

File Explorer

 

The attacker can access the file explorer and there by upload, download, delete and manipulate files on the victim machine which results in continuous access to victim machine and can download additional files for execution on the victim’s machine.

 

In the below Figure 4, z.ps1 is the file uploaded by attacker which reflected as writeToExecutable event on NetWitness. Similar scripts are intended to establish persistence which when originating from an unknown executable can be a good indicator of malicious behaviour.

 

SwethaDhalavari_2-1705400241009.png

 

                                                             Figure 4: PowerShell file uploaded by attacker

 

 

Open URL

 

This functionality helps an attacker to remotely access any arbitrary URL on victim machine and download additional required data or an attacker may insert malicious scripts into websites trusted by the organization and frequently used on a daily basis to move laterally in the victim’s environment.

                                                      

SwethaDhalavari_0-1705408862600.png

                                                      Figure 5 :Attacker opened an URL

                                                      

In the above figure, a URL was launched through cmd.exe, initiated by an unfamiliar executable. This deviates from the typical process of opening a URL, where the meta param.src should typically reflect the executable of the web browser. This deviation can be regarded as a notable and potentially suspicious behaviour. This happens when attacker selected the action to open a URL and the createProcess event is generated by the Chaos executable on NetWitness.

 

Remote Shell

 

Remote Shell functionality helps an attacker to have a control over the machine using command line interpreter.

The commands populated under Target Parameter[param.dst] meta in the below Figure were executed using remote shell function.

 

The command "cat z.ps1" below indicates that the attacker attempted to view the previously uploaded script using the command prompt, initiated from an unidentified executable. This activity raises suspicions due to its unconventional behaviour. 

 

 

SwethaDhalavari_1-1705408989146.png

                                                   Figure 6: Remote shell commands

 

SwethaDhalavari_2-1705408999909.png

                                                       Figure 7: Remote shell commands

                                                      

The attacker can execute the commands as illustrated in the above figure, leading to a potential escalation of privileges and further advancements within the victim's environment. Likewise, various commands can be applied, including registry changes, policy modifications and more.

 

Screenshot

 

Upon the attacker clicking on the screenshot action, an image capturing the live state of the victim machine is downloaded to the attacker's system. This enables the adversary to gather any necessary data using these screenshots.

 

Detecting this step proves challenging for the agent, as the file is transmitted to the attacker without leaving any traces on the victim's machine.

 

In the below figure, we can see the LIVE state of victim machine gets downloaded to the attacker's machine where Chaos Server is hosted. This capability enables attackers to obtain real-time information about the current state of the victim's machine and may also result in the leakage of sensitive data.

 

SwethaDhalavari_3-1705409219098.png

                                 Figure 8: Screen capture of victim machine on attacker  machine

                                 

Lock

 

The attacker can easily lock the victim’s machine, this action is performed using suspicious rundll32 command to lock the workstation through command line. Though the practice of using user32.dll,LockWorkStation for workstation locking is prevalent, it cannot be combined with rundll32.exe. The presence of both simultaneously can be considered as good indicator of compromise. This behaviour is observed in other attack scenarios as well.

 

SwethaDhalavari_4-1705409290496.png

                                          Figure 9: Anomalous usage of locking workstation.

 

Sign Out

 

When the attacker clicks on "Sign Out," this action triggers a logoff of the current session, closing any associated applications. As indicated in the figure below, payload issued the command to log off the current session. The attacker may have made necessary changes through preceding actions and subsequently signed out.

 

SwethaDhalavari_5-1705409371454.png

                                             Figure 10 : Usage of command to sign out of victim machine

 

Restart and Shutdown

 

Selecting these capabilities by an attacker result in the victim machine being powered off and leaving no traces of commands or behaviour to detect unlike other functionalities. We can say attacker has successfully accomplished their nefarious activities and disconnected from the victim machine. Although, the attacker can still reconnect again as the payload remains active.

 

MITRE ATT&CK Information:

 

Resource Development

  • Develop Capabilities: Malware (T1587.001) – Adversaries develop custom malware for their operations.

Execution

  • Command and Scripting Interpreter(T1059) – Running commands on the command-line interface remotely.

Defense Evasion

  • System Binary Proxy Execution: Rundll32(T1218.011) - Used rundll32.exe to lock the workstation.

Command and Control

  • Ingress Tool Transfer(T1105) - Can download additional files for execution either from attacker machine or from web-based services on the victim’s machine.

Collection

  • Screen Capture(T1113) - It has the ability to capture screenshots of compromised hosts.

Impact

  • System Shutdown/Reboot(T1529) - Commands used to initiate a shutdown/reboot of a victim’s machine remotely.

Stay tuned for rules, and other threat intelligence logic that will be made available via NetWitness LIVE!

 

Conclusion:

 

In this blog, FirstWatch analyzed and identified malicious activities of Chaos RAT from the viewpoint of the RSA NetWitness. Also covered each step of it and found out how NetWitness helps in identifying key signatures and Co-relating the events discussed can be used to avoid an attack.

 

Given the actions described above that were carried out by the RAT, it is essential to utilize a platform capable of detecting anomalous behaviour. This proactive measure is crucial for preventing successful attacks from taking place.

 

References:

 

https://github.com/AndroVirus/CHAOS-RAT

https://www.hack4.net/2017/07/chaos-framework-generate-payloads-and.html

https://www.trendmicro.com/en_in/research/22/l/linux-cryptomining-enhanced-via-chaos-rat-.html

https://en.anonyviet.com/chaos-rat-software-for-remote-computers-easily/

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

© 2022 RSA Security LLC or its affiliates. All rights reserved.