From GhostNet to PseudoManuscrypt - The evolution of Gh0st RAT - Jorge Rodriguez; Souhail Hammou

thank you very much for

um thank you everyone and thank you for

the

opportunity to be here today we are

super excited this is our second podcast

of hopefully many more to come

and today we wanted to share some

research we have done on ghostrad and

save the manuscript withdrawal

first let us introduce ourselves my name

is Jorge Rodriguez I am the marble

research team lead in the malware

intelligence team at intel471

um we are mainly

tracking malware through automated

extraction of artifacts which then we

leverage for Bond net emulation

I'm a senior malware reverse engineer

with intel471 my main duties include a

reverse engineer malware writing

comprehensive reports coding extractors

and emulators to track malware and

botnet activities

so the agenda we have for today is

mainly focus on Save the manuscript we

are going to do a deep dive later in the

second part of the talk but before doing

so we are going to

set ourselves in a proper context on the

coast route the you know table variance

and so on history

on it

the

save the manuscript rat was spot by

Kaspersky in 2021 it was mainly

delivered by fake crack websites and

malware loaders

lately later in August 2022

bitside Telemetry from their sinkholes

so that this board net has around 50k

Bots

which is now being increased because

this operation is ongoing as we speak is

still relevant

today

we had to look deeper into it because we

noticed the operation was rather active

so that's when so he'll realize this

save the manuscript rat was actually one

of the latest Forks of the infamous

Crossroad

which dates back from 20 in 2008 so go

start is still hunting

it was open source that very same year

and was mainly operated by Chinese

actors

many

protector groups both financially

motivated and based in

Espionage were incorporating these

modified Forks into their Arsenal and

it's still relevant 15 years later

about the original developers of

coastrat the sea roofer security team

also known as Great Wall security team

or CRST it was mostly active between

2006 and 2009 they had around 12 plus

members and they had this romantic ideas

of themselves they pull the plane they

were passionate Security Professionals

they encourage pure technical

discussions and they wanted to keep the

internet

clean place

they actively developed construct

between 2007 and 2009 were multiple

variants were released some of them to

the general public if we put this

information on a timeline it would look

like something like this on January 2008

we had the first stable release March

2008 the first open source release for

the 2.5 percent

this releases have some internal

comments from the developer cool Dyer

and we could read some comments in the

fashion after internal discussion with

the team we have decided to make this

version open source or then later the

last known open source release from

ghostrad

version 3.6 beta

they claim I can't believe it 3.6 will

be open source

only one month later the inevitable

happens

costnet campaigns are fast spotted in

the wild

they were targeting government office in

more than 100 countries and these

attacks were attributed to Chinese

speaking threat actors later that year

December 2008

the last official release in a closed

Source format we have cost 1.0 the Alpha

version

so it goes to becoming a notorious

thread back in the day in forward

monitor release the investigation

reporting corporate in March 2009 and

the team behind closade was attracting

lots of attention

zero for security team activity Reduce

by that time but the development

possibly continued in private Beyond

this person 1.0 Alpha

um

actually there were comments in

subsequent variance from the same

developer mentioning the the chain block

basically and from here we move into

some features from the original ghostrad

thank you

so both the panel and the Bots and go

start were written in C plus plus uh

it's all right so it offers full-fledged

control over the infected host and

persists as a Windows service dll that

runs as part of the Network Services

Group its protocol is a custom TCP

communication protocol and the packet

header starts with a special flag and in

this case it's ghosts in other variants

it's can be another value and this is

followed by the packet size including

the header the size the uncompressed

packet so that the Bots can allocate the

necessary memory to decompress the

following deadlift compress data

so features are implemented in separate

components called managers each manager

would inherit from C manager class and

new instances would get a new socket

that is already connected to the command

control server so to code a manager

basically have to implement an abstract

on receive method Constructor of course

and this on received method will

generally Implement a switch case

statement to handle commands

so the main manager in ghostrad is

called the kernel manager so its mission

is to spawn new managers but also to

handle miscellaneous commands such as

installing the bot download and

executing uh follow-up malware but it

also has other managers that like the

file manager for example the shell

manager screen manager to spy on the

screen video on audio managers to spy on

the camera and microphone keyboard

manager access keylogger and others

so between the latest open source

release and the latest closed Source

release there are a couple major

differences so first of all the panel

user interface was overhauled to use a

more newish

xtp library for the user interface of

the panel some class names were also

changed probably for easier readability

for example the audio manager who tends

to be the voice manager and this is

actually a nice change because if we

look at a variant and we find a class

name that is a camera manager that would

probably indicate that it was based on

this newer Fork of ghost track audio and

video compression also were introduced

and the kernel manager's on receive

method was changed to handle commands

using a callback table instead of a

switch case statement

so these open source releases coming

from the ghost track team uh spawned

lots of variants in the Wilds like

hundreds of them so to investigate this

a little bit and familiarize ourselves

with ghost we collected 22 open source

forks from various sources and our main

goal was to link prominent traits of

these notable variants like sudo

manuscripts for example to these

available Forks that are open source so

this would allow us to gain insight into

the origins of each variant and its

developers motivations

but like any evolutionary story there

has to be missing links so

these open source variants in our

collection that share one or more new

traits with ghost 1.0 Alpha which is

cloud Source by the way they all retain

all trades from 3.6 beta for example the

old class names are still used and the

old kernel manager relying on switch

case statement is also there so this

could indicate that there were some

possible leaks that are unknown to us of

intermediate releases that happen

between 3.6 and 1.0 which we call

ghostax

so to get more insight into this and to

be more on the ground so we conducted

analysis of some closed Source variants

that are used by distinct uh terractor

groups and we try to establish and

understand connections with other

variants in our collection

so the first one was Ghost times which

was first documented by Japan cert in

2020 it was seen in attacks by blacktech

apt they Stripped Away most features of

ghost 3.6 beta only left a few managers

but they improved the communication

protocol added water notification

authentification rc4 encryption they

also implemented two new classes

a manager called the ultra Port map

manager which does port forwarding

basically turning the bot into a gateway

to connect to internal service and also

a port map manager which is a proxy

feature

so these broad map managers are

interesting because they have a similar

but not the same implementation of an

open source tool called Z export map

which is common among Chinese speaking

thread actors and apt groups so in this

case uh the transform one mode of this

tool which implements the port

forwarding maps to the ultraport map

manager in ghost times and the transfer

2 and transfer 3 mode which work in

tandem

they they correspond to the port map

manager proxy

so this same name is seen in other

variants of ghost for example in BBS rat

that is operated by the Roman tiger

group and also in sudo manuscript these

are all similar but distinct

implementations

so the second group we saw was gambling

puppet which is a sophisticated apt

uncovered by Trend Micro in 2022 they're

targeting online gambling businesses

operating plugx ghostrad and other uh

malware they use multiple modified Forks

of course thread that all seem to

originate from that ghost x variant we

talked about

so we analyzed these samples and we saw

that they actually share some traits

with forks in our collection

so the first trade was a unique chat

manager called ctex chat which we found

in only in one variant in our collection

which allows us like the the operator to

chat with the victim

second one is a couple of functions that

allow to play with the victim a little

bit like open the CD tray swap Mouse

buttons and this was found in a variant

called Terminator Platinum

in addition this malware hasn't had an

improved version of the ghost MBR killer

which is shared by two variants

Terminator Platinum mentioned in the

previous slide another variant called

fell VIP 3.0 and it's actually

interesting because the ghost 1.0 Alpha

version does not have

um an MBR killer

so the presence of code overlap with

multiple variants in this samp in this

uh in these samples used by the APT

indicates a complex origin we saw uh or

we saw code originated from multiple

variants and it's really difficult to

trace it back to a single source so we

think they probably cherry-picked

features from various projects as it's

super easy to do that just take the

manager class and you're good to go

and I'm going to hand it over to Jorge

so now that we have a proper context on

where this

latest variant set of manuscript is a

steaming from

we have the history of goshrad already

present now let's delve into these

latest form as we mentioned before it

was first spot by Kaspersky July 2021

they reported some similarities with the

manuscript malware operated by Lazarus

but since the malware wasn't really the

same and there were uncertain whether

the Developers

behind both projects were the same or

not they coined the moniker set of

manuscript

Worth to mention here we are not

attributing this one to Lazarus in any

way

it was brought to our attention in 2022

and later that year in October we

started tracking it and very soon after

we put our Tools in place we realized

this

thread was rather active with motivate

which motivated us to have a proper and

deeper look to improve our tracking

collection and

the data we were collecting from it and

that's where when to heal realized the

the gospel connection

leading to This research we are

presenting today

again this is an ongoing situation the

group is still active as we speak they

are trying to grow the botnet and for

doing so they are mainly using two

delivery methods the first one of them

is fake cracked rubber where you will

turn to your search engine of choice try

to look for some activator or some crack

tool to save a few bucks but in Turn You

Are running malware as a volunteer on

your own

and the other one is install Services

that's why we claim here they are

following us pray and pray approach for

distribution

we haven't observed any targeted

campaigns towards any business or sector

or country or region for that matter

since

they are using this spray and pray

approach the initably in the back end

and if I were certain bodies coming from

and that's why they have this campaign

identifier which is composed of four

numbers like 3003 and they are bright in

this value in the registry and the SEO

ID key

so this will allow them ideally in the

back end of track infections

moving on into the install Services when

we started tracking This Thread they

were only using one install service the

one which the actors from private loader

offer we are also certain they are not

targeting any specific region

when it comes to delivery because they

are using

the install service

of the business which allows them to

spread the binaries to any country in

the world for example some of these

install services offer installs to

worldwide locations or

only Europe or only the USA which are

more expensive than the worldwide and

this one issues in the worldwide option

we think they are also learning as they

continue their operation because when we

started tracking it they were only using

private loader for delivery

my guess here is that at some point they

realize that using the same install

service again again and again

will lead their payloads to be executed

on the very very same computers again

again and again

that's why in late 2022 they started

diversifying the install service they

use

they start a good one and nowadays they

are using at least four as far as we can

see and it's interesting because it

looks like they tried another install

service with another actor offers

through an amade botnet also they have a

test at another service which some other

actor offers through a smoke loader

botnet

perhaps it didn't pay off very well they

went back to their religions private

loader but then they they fund the key

to delivery and they started using a

different service every two days so

every two days they will switch from

amade to private loader to a smoke

loader to a Google loader to start again

the the very next week hopefully getting

a wider read and grow in their podnet as

much as they can

foreign

so the infection chain of

pseudomanuscript starts with the

download obviously of the downloader

component either from the soft software

delivery Network for fake cracks or from

a malware loader as we saw so the

downloader component first will restart

itself elevate it and then we download

two files so the first file is a PNG

image with a show called loader dll that

is encrypted in its overlay data so this

dll name db.dll will be dropped to the

user's temporary directory the second

file is a binary file with an HTML

extension with its name being set to the

campaign ID so this is saved in the

temporary directory as well as as a

db.dat file so the downloader component

would run the Run dll 32 executable with

the db.dlo and revoke a special export

called open and the db.dll would read

the encrypted shell codes from the

dp.dhp file

so this file stores 32-bit and 64-bit

shell codes each preceded with its

length with the

encoded by adding a simple value which

was always the same since the Inception

of sudo manuscript and at this stage

only the 32-bit shock code is used

so this shortcode is decrypted in two

rounds first round involving X or

um with the key depending on the index

of uh of the bytes in the in the file

and then the second round involver

involves the reverse xor algorithm where

the first byte is the last bytes key and

each bytes is then its previous key

until reaching the the beginning of the

file so this Shell Code itself being

decrypted will decrypt and load and

invoke the core module of sudo

manuscript which is embedded in the

Shell Code and encrypted with a one byte

X or key and is compressed with the LZ

nt1 algorithm

so at this stage the core module is

running inside the Run dll 32 instance

in its first execution and this time it

would process the appropriate Shell Code

uh for the system systems architecture

uh in the registry so it will read the

db.d DHE file encrypt the proper Shell

Code and then persist it and then it

would inject a remote thread into the

currently running SVC host instance for

the net Services Group

and this instance would read that

persisted showcode inject it via process

hollowing into a new SVC host SVC host

instance which will be the main instance

of sudo manuscript and this instance is

the one responsible for talking with the

command and control server so these two

instances would actually monitor each

other so if one of them is terminated

the other would start would start it

so persistence here is performed only

during system shutdown by registering a

callback using this control you can set

console control Handler API so this

function would be invoked

when a lot of events happen including

the system shutdown so this

automatically means that an unexpected

shutdown for example due to a blue

screen of death means that sudo

manuscript will not persist on the

system

so this persistence is done using a

service DLo that is embedded inside the

core module this dll is copied to the

system32 directory and then a new

service group is registered in the

register in the registry that is called

uh app service so this service would

start after the system reboot it will

read the persisted shock code from the

registry and then inject it into SVC

host.xz

the net Services Group instance and then

the infection would go on from there

like we saw on the previous slide

so the malware configuration is stored

in the data section of the core

component there are two configuration

buffers a primary one which is always

used and then a secondary one that is

only used when a special command is

received from the command and control

server to switch so when this command is

received so the manuscript would create

a new file extension Association in the

registry to

switch to this to this other

configuration so when it runs the next

time it will check if this Association

exists if it does it will use the

secondary configuration

so the configuration format starts with

the main and fallback protocols to use

the value one is for TCP and value 2 is

for UDP and in all cases we've seen that

UDP is used as the main protocol so

these two fields are followed by the

ports to use so Port 53 will be used for

the main protocol which is UDP and Port

443 for the fallback protocol TCP

so the next field is the primary command

and control server

followed by the DGA parameters in case

this server is unreached so the fallback

domain generation algorithm see string

follows it's equal to API key and then

domain generation algorithms top level

domain which is.com in this case and the

last field is an integer that determines

the maximum numbers of domains to

generate before trying again and

communicating with the main C2

so the dja works by taking a domain seed

and the string seed so the main seed at

first is the main C2 it will be

concatenated with the API key using a

comma md5 hashed and then 10 characters

in the middle would be taken uh

converted to uppercase and then they

would undergo a small transformation

that would yield a lowercase string that

will be concatenated with the top level

domain in this case.com that would give

the

domain that is to be conducted so if

communication fails with this domain the

the algorithm would use use it as a seed

for the next domain and so on until that

maximum number we talked about is

reached

so the communication protocol relies on

the open source HP socket C plus plus

framework developed by Chinese

developers it is a high performance TCP

UDP HTTP communication framework that's

offering clients and server capabilities

the framework uses the kcp protocol when

communicating with UDP uh when uh

automatic repeat request error control

is used so kcp is a custom protocol also

developed by a Chinese developer that is

described as being 30 percent to 40

percent faster than TCP so so the

manuscript as we saw uses UDP as its

main communication protocol uh which in

this case kcp and TCP as a fallback so

this use of kcp in sudo manuscript can

be attributed to the capabilities of the

library itself rather than being a

deliberate design Choice by the

Developers

so the packet header here starts with

the header magic which this time is only

one byte which is always ox43 it's

followed by a transformation type that

dictates the format of the packet data

so this transformation type can have

multiple values the data can be in plain

text sword sadly compressed

Etc but the most popular one we saw we

see in multiple commands is the zlip

plus xor algorithm and if you remember

ghostrad uses zlib for compression so

the other two fields are kind of similar

to what we saw in Gold Strat the packet

size including the header size and then

the size of the untransformed packet

so pseudom manuscript was directly based

on ghostrad or some variants that it's

directly linked to because it's misses

changes uh that we see in later variants

uh it also doesn't include any audio or

video compression and it only shares a

few attributes with open source variants

that are in our collection for example

it has a similar but uh more advanced

service manager to a variant uh called

Bobo remote control

so sudo manuscripts developers improved

on existing Managers from ghostrad but

also added new ones for example in the

second version I think they added the

hidden VNC manager which was a fork of

tiny nuke hidden VNC which they broke

down into multiple commands and then

they also added bi-directional clipboard

sharing between the operators machine

and the infected host there's also the

board map manager which implements the

TCP proxy a netstat manager allowing

exfiltration and to close UDP and TCP

connections services manager we talked

about and then uh a registry editor

basically

so so the manuscript also supports

plugins which are always requested after

the first check-in so the C2 will answer

with a list of entries from which

interesting fields are the plugin hash

in md5 the start type either if it wants

to start a Plugin or uninstall it and

the plugin type if it's an executable or

dll but we've only seen dll dlls up to

this point so the bot will follow up

with requests to only receive new

plugins that it doesn't have stored into

registry

so the first one is a clipper plugin