OBFUSCATED JAVASCRIPT BEING USED BY WSHRAT V2.0

October 7, 2019

SonicWall RTDMI engine has been detecting obfuscated JavaScript malware files since last two weeks. After analysis, we found that these files belong to WSHRAT malware family. Archive file carries the WSHRAT JavaScript file shown below:

Background:

WSHRAT was first spotted in the wild in year 2013, since then it has been periodically upgrading its Remote Access Trojan (RAT) capabilities. The current version is 2.0, this version information is present in the RAT itself. The programming language used by this malware separates it from other RATs because it has been completely written in JavaScript. The malware has been also written in VBScript.  

RAT Capabilities:

  • Installing, uninstalling and upgrading itself
  • Key logging and stealing passwords
  • Downloading, uploading and executing files
  • Remote desktop access
  • Executing various commands and sending data to the Command and Control (C&C) server.
  • Reversing proxy
  • Browser’s log stealing
  • Process enumeration and termination
  • USB drive infection

Persistence:

WSHRAT copies itself in the Startup folder and makes Run entry in the registry. It uses “%temp%\wshsdk\” directory to install its components.  

Network:

WSHRAT collects and sends system information to its Command and Control (C&C) server. It uses “|” as separator while sending information to the C&C server.  

C&C Communication:

WHSRAT supports large number of commands which are listed below.  

Command Action
disconnect Terminates itself
reboot Reboots the system
shutdown Turns the system off
execute Executes the command using “eval” function
install-sdk If %temp%\wshrat\python.exe file is present, malware sends status “SDK+Already+Installed” else downloads wshsk.zip from “hxxp://2813.noip.me:2813/moz-sdk”. Malware extracts downloaded file into %temp%\wshrat and sends SDK+Installed” message to the C&C server.
get-pass Retrieves and sends specified browser’s passwords to the C&C server.
get-pass-offline Retrieves and send all installed browser’s passwords to the C&C server.
Update Downloads and executes latest JavaScript file from the C&C server.
Uninstall Deletes all the registry entries, Startup entries and all file system traces related to WSHRAT and terminates the execution of malware.
up-n-exec Downloads and executes the specified executable file from the C&C server.
bring-log Sends specified log file to the C&C server.
down-n-exec Downloads and executes the specified executable file from the specified URL.
filemanager Downloads executable file from specified URL and saves it as “fm-plugin.exe”. The malware executes downloaded file with parameters “m-plugin.exe 2813.noip.me 2813 \{Gathered Information}”
rdp Drops rd-plugin.exe, which is present in base64 encoded form inside the WSHRAT JavaScript file. The malware executes dropped file with parameters “rd-plugin.exe 2813.noip.me 2813 \{Gathered Information}\ true (is_offline_flag)”
rev-proxy Drops rprox.exe, which is present in base64 encoded form inside the WSHRAT JavaScript file. The malware executes dropped file with parameters “rprox.exe 2813.noip.me 2813 {filearg}”
exit-proxy Terminates rprox.exe process.
keylogger Drops kl-plugin.exe, which is present in base64 encoded form inside the WSHRAT JavaScript file. The malware executes dropped file with parameters “kl-plugin.exe 2813.noip.me 2813 \{Gathered Information}\ false (is_offline_flag)”
offline-keylogger Drops kl-plugin.exe, which is present in base64 encoded form inside the WSHRAT JavaScript file. The malware executes dropped file with parameters “kl-plugin.exe 2813.noip.me 2813 \{Gathered Information}\ true (is_offline_flag)”
browse-logs Enumerates “wshlogs” directory and sends collected information to the C&C server.
cmd-shell Executes specified command on “Command Shell” and sends the output to the C&C server.
get-processes Enumerates running processes using WMI query (select * from win32_process) and sends process names, process ids and executable paths to the C&C server.
disable-uac Modifies values of EnableLUA, ConsentPromptBehaviorAdmin and DisableAntiSpyware registry keys. The malware acknowledges changes to the C&C server by sending “UAC+Disabled+(Reboot+Required)” message.
check-eligible If specified file present in the system, malware sends “Is+Eligible” message to the C&C server, otherwise it sends “Not+Eligible”.
force-eligible If specified file present in the system, malware executes the file with specified parameters and sends “SUCCESS” message to the C&C server, otherwise it sends “Component+Missing” message.
elevate If the malware is not elevated already, it restarts itself with elevated privileges and sends “Client+Elevated” message to the C&C server.
if-elevate If the malware is elevated, it sends “Client+Elevated” message to the C&C sever otherwise sends “Client+Not+Elevated” message.
kill-process Terminates process attached with specified process id.
sleep Performs sleep operation for the specified time.

  Evidence of the detection by RTDMI engine can be seen below in the Capture ATP report for this file:  

Additional Remark:

Please note that the RTDMI engine analyzed and gave us a verdict for these samples as ‘Malicious’ on September 13, 2019 as visible in the report:

Whereas these samples (both the zipped and unzipped versions) were first seen on Virustotal 3 days later – on September 16, 2019 – as evident by the ‘First Submission’ date: