Chinese waRAT give attackers full control of compromised machines

During LMNTRIX Hunt activities for one of our Telco clients, we discovered a Remote Access Trojan on its network which had completely bypassed the client’s traditional anti-virus solutions. 

This piece of malware, dubbed waRat, could have given the attacker complete remote access to client’s environment. We’ve found no evidence of spearphishing as the delivery mechanism, and instead believe this ended up on the client’s network via drive-by download.

Drive-by downloads are performed by redirecting users over a malicious site, or a compromised domain with injected malicious scripts, that download files without user consent. Unlike spearphishing campaigns, they don’t require the user to click on or download the malicious content. In this case, a malicious website (nesbbc[.]top) delivered waRAT after a user navigated to the site – most probably while meaning to reach newsbbc[.]com. 

After further analysing the malicious domain directories, we collected over 15 different variations of the malware.

We believe waRAT was designed specifically to target organisations in China and Taiwan as during the infection cycle, it seeks out and disables 360 Security AV – Chinese and Taiwanese businesses being the largest 360 Security customer base. 

The malware is also able to spread laterally through an environment by writing autorun files in all attached volumes. This means that anytime a removable device is attached, it is also infected and becomes the carrier, compromising other devices once inserted. 

Malware Analysis 

Static Analysis

Filename: waNewRat360.exe

Sha256: 4222660b39aff67a4a5712a800f26e481c9b8867e6d3b19761d8df283f7b14ed

Company Name: 360安全卫士主程序 (360 Security)

File Name: 360.cn

The file is a PE32 executable, written in C++. The executable contains many hidden functions, only accessible to the attacker by creating multiple threads. The resources are in Chinese Simplified language. Yara rules match with waRAT payloads from the attacker group, juewangzhe[.]net.

Dynamic Analysis

The malware tries to evade analysis by hiding active threads from debugger using “ZwSetInformationThread API” and calculates execution time using “GetTickCount”. The following is the malware’s execution flow as witnessed in our isolated environment.

Flow –



  • Create a mutex from current process, fail if mutex already exists

  • Open registry key HKLM\Software\rising and HKLM\Software\JiangMin, If succeeds:

    1. Creates a thread to show a window “360Inist” mimicking installation of 360 Security AV

    2. Finds 360 Security AV executables “360sd.exe” and “360rp.exe” running on system and terminates the processes

    3. Creates a thread to:

      1. Get hostname and IP address of system

      2. Connect to C2 and download an executable

      3. Downloaded executable is copied to all connected drives in the system as NewArea.exe in the root directory

      4. Get the system local time

      5. Execute the downloaded executable

      6. Sleep for 2 seconds before exit


    4. Sleeps for 0.5 seconds

    5. Creates a thread to:

      1. Enumerate partitions in system

      2. Create an autorun.inf file in each partition

        1. Sets [autorun]Open, shell\open\command and shell\explore\command as recycle.{645FF040-5081-101B-9F08-00AA002F954E}\GHOSTBAK.exe

        2. Sets shell\open\Default to 1


      3. Copy dropped executable NewArea.exe to Recycler folder of that driver as recycle.{645FF040-5081-101B-9F08-00AA002F954E}\GHOSTBAK.exe


    6. Open registry key “Stuvwx Aberer Jkl” in HKLM\SYSTEM\CurrentControlSet\Services

      1. If successful:

        1. Create a service with name “Stuvwx Aberer Jkl” as Shared process service and Start pending status

        2. Sleep for 0.5 seconds

        3. Set service status as running

        4. Create a mutex, if fails then exit process

        5. If mutex creation is successful, create a thread to:

          1. Open socket connection to C2

          2. Receive data from C2

          3. Accordingly execute shell commands, open URL and download files with Internet Explorer (Backdoor behaviour)

          4. Sleep for 0.3 seconds and repeat


        6. Start the service dispatcher


      2. If fails:

        1. Opens Service Control Manager for service “Stuvwx Aberer Jkl”

        2. If fails, then creates Service with Service name “Stuvwx Aberer Jkl” and Display name “Stuvwx Aberereh Jklmnopq Stuv”

        3. Starts the service

        4. Opens registry key “Stuvwx Aberer Jkl” in HKLM\SYSTEM\CurrentControlSet\Services and sets description as “Stuvwxya Cerererjk Mnopqrs Uvwxyabc Efg”

        5. Exits Process


        Protection

        The “MITRE ATT&CK” knowledge base extensively covers the techniques often employed by attackers and maps them to various stages in the lifecycle of an attack. With waRAT, it can be detected with the following MITRE techniques:

        1.    Discover Disabled Security Tools – Find activity where security tools, such as Windows Firewall, Antivirus, or EDR Agents, are being disabled.

        2.    File and Directory Discovery – Find activity where files/directories are being enumerated or where massive file write operations are occurring within a short time span.

        3.    New Service – Find activity where a new service is created. This should be baselined against legitimate administrative actions.

        4.    Query Registry – Find activity where registry query operations are occurring. Again, this should be baselined against legitimate administrative actions.

        5.    Modify Registry – Find activities where modify registry operations are occurring. This should also be baselined and whitelisted against legitimate administrative actions.

        6.    Suspicious Run Locations – Find executables that are being executed from suspicious or non-standard locations. 

        Alternatively, LMNTRIX Respond is a part of LMNTRIX’s Adaptative Threat Response service that provides complete endpoint security with detection techniques mapped to the “MITRE ATT&CK” framework. With advanced analytics, LMNTRIX Respond brings light to threats that have previously gone undetected along with detailed analysis to provide attack attribution. The LMNTRIX Respond Sensor includes an inbuilt offline capability which uses machine learning models to classify malicious files and quickly isolate the location and determine the extent of the executable. 

        Indicators of Compromise

        The table below lists the Indicators of Compromise which can help security professionals identify waRAT activity. The domains hosting c2 and payload are spread across China and Hong Kong. 


        IPv4 103.229.124.240 c2
        IPv4 103.232.215.132 payload site
        IPv4 103.243.25.243 c2
        IPv4 125.88.183.117  
        SHA256 196b6b19cc9cb9579c14ddcaf47d2c18df7e73e237387aa57851d42c618893c7  
        SHA256 2ddf392738b1066615b60a20827240cef69abaaa2595ea8dec9f0cd824c0e83b  
        SHA256 4222660b39aff67a4a5712a800f26e481c9b8867e6d3b19761d8df283f7b14ed  
        SHA256 55cfae18049799843b5fbb08aa457102d8421e0b11a4ed18c0ea27fbafc7ab54  
        SHA256 57c77705cec29f4063c56aa91577319206b0247fc3a2f7171166b0264290c94d  
        SHA256 6a478e9f8f6b7d678cccc30f2c10ad94f765f4388dce469dd20b3a9d98eefe29  
        SHA256 805726e7f96e5e99efd69e8d8021de8f18e92277bdda353d78f936cbe776bca6  
        SHA256 832aa1dd5c39d521658b306abd8bf0ba62900bd68171fad11304081e4ddea515  
        SHA256 8fb040f2ed45300a044f7e1f4a75670fd7390c7faa60846187f972148e9823f9  
        SHA256 94d46ccc43ef07f1e100bf893319ec9a925509daef36cec3279a91d13f1da186  
        SHA256 9fdfa599bbbbbdfb3952334054026dbc1fc2248c6b1943d62c19b3e95f6487d0  
        SHA256 b085cea75160db91b103f2b0570e18bb08d0c4e3d9e37327fb4564f6cba7a4cc  
        SHA256 b68aab65827b74a06d92c9f58a17d695a2127c2ed985e4d7ed7fa788ccb9145a  
        SHA256 b9f997dc30662d81d7b0f640be10943b2e713ec120d093dfd41487350719fb9e  
        SHA256 c8c786ca22e50635a6ba7ea7f32158c4a723371023dbcd5c5d8a77215580c3df  
        hostname kz[.]juewangzhe[.]net  
        hostname qqguanjia[.]3322[.]org c2
        hostname www[.]nesbbc[.]top payload site

        On 2019-01-23

Popular Posts

Privacy Statement | Terms of Use