Chasing Down RATs with Barncat

Threat actors provide valuable clues when they compromise a new environment. But a single clue, such as a malware sample, seldom sheds the necessary light on an attack. Sniffing out the tools and tactics of attackers requires that you (or someone you know) has seen them before. Historical attack data can serve as a valuable resource for analysts by helping to identify and contextualize the adversary and rank the risk of an attack.

Today, we are excited to make a new (and we think pretty interesting) database available to the security community at no cost. The Fidelis Barncat™ Intelligence Database (or just Barncat for short) includes more than 100,000 records with remote access tool (RAT) configuration settings that we have extracted from malware samples gathered during our incident response investigations and other intelligence gathering operations over the past decade. As many of you know, while file hashes are easy to change, attackers are much less likely to change the configuration settings in the Remote Access Tool (RATs) they use to create their malware. By creating IOCs that find malware with unique configuration settings, security teams can identify attackers with more accuracy and attribute multiple attacks to a common threat actor.

Consider Dark Comet, a commodity  RAT. It’s commonly used by novice threat actors and would-be internet stalkers. It’s also being used in high-profile attacks by attackers with more sophisticated motives. To deceive defenders, sophisticated attackers may use RATs in an attempt to appear unskilled or less threatening. Barncat enables analysts to review a current sample, compare its configuration to previous samples, and correlate specific uses of malware families and activities to a specific threat actor.

To illustrate, let’s look at a JSocket sample observed last year with a “NICKNAME” configuration setting of “August24rd Bombing”. The NICKNAME setting seems nefarious and a quick trip to Wikipedia shows August 24 as the anniversary of the bombing of two civilian airliners at Moscow’s Domodedovo Airport. Terrorists have an affinity for these anniversaries. In fact, many JSocket incidents were traced back to RATs used by terrorist actors and groups.

Given these indicators, it’s easy to jump to conclusions. Even seasoned security experts could succumb to the temptation to quickly label this malware campaign as terrorist-related and spin up their hype machine. But be careful not to jump too quickly.

The Barncat database lets you dig deeper to come to a more informed conclusion. For example, searching for any JSocket sample with “Bomb” in the NICKNAME yields several other similar values (September 3rd, 30th September, etc.). In all of these cases, the C2 points to nikresut015js.zapto.org which (at the time) resolved to a U.S. IP address. This common data point suggests a common attacker among all the configurations.

The NICKNAME filed in the JSocket builder is a free-form text field. The use of “bombing” is simply nomenclature used by this adversary to describe discrete builds he sends into the world. In this case, the attacker removes the month and date, and types over the setting for each new version as indicated by the “rd” in the Nickname field from “August24rd Bombing”. The previous setting appears to have been “August3rd Bombing.”

In this case, the historical data shows the threat actor is not as malevolent as it seemed at first glance. The data could also result in the opposite conclusion, linking seemingly simple attacks to sophisticated attackers or terrorists.

The intelligence we are sharing via Barncat is available to the security community via one of our Malware Information Sharing Platform (MISP) instances. With the API, the data can be loaded into an internal Splunk instance, CIF or any number of tools to cross-check various aspects of a currently observed attack and see if previous malware samples can be linked.

We are making the Barncat database available at no cost to the security community. It’s intended to be used by CERTs, research organizations, government entities, ISPs and other large commercial enterprises. To ensure proper use of this resource, organizations requesting access to the database must to provide some information about their organization, and how they plan to use the Barncat intelligence database. You can learn more and apply for access on the Fidelis website. As more people draw new insights from this data, we look forward to sharing and discussing them here on ThreatGeek.

Tags:
Browse our blog