Gh0stCringe (Formerly CirenegRAT)

Since early December, 2018, I’ve been seeing a new type of Gh0stRAT-like malware being distributed over SMB.  This sample has been dubbed Gh0stCringe by @James_InThe_Box on twitter.  While the network communications of this new malware is very similar to that of Gh0stRAT, there are some key differences: Instead of the use of Zlib compression on the data, the sample typically uses an encryption algorithm consisting of Xor and Add, or Xor and subtract.  Additionally, the sample uses much less commands than Gh0stRAT and seems to serve as more of a stage 1. Features include:

• Encrypted traffic using its own protocol
• Ability to open a proxy
• Clear event logs
• Leverage iexplorer.exe to open Urls

Malware communicating its login packet to my server

Actors

Similar to Gh0stRAT, I believe that this sample is shared between many actors, as I’ve seen many different predominantly Chinese threat groups using it.  For example, the actor’s behind IndoneMiner have been seen using it.  Additionally, I’ve seen MadoMiner’s actors using this RAT, along with many different campaigns, which will be discussed more below.  

Campaigns

In December 2018, I began to see a new type of RAT distributed over SMB using ZombieBoy’s exploit tools.  On account of the use of reverse string encryption in order to drop the payload, I began calling this RAT CirenegRAT.  Based on the domain used for distribution, this will be the indexsinas campaign.

Indexsinas domains/C2s

Distribution: 114.31.36[.]202:8111, 1.indexsinas[.]me:8111 C2(old): dllhost[.]website:8093 Filename: x8.exe Service: serviecs Service Display Name: System Remote Deta Simulation Layer Mutex: dllhost.website:8093:serviecs Note:  It seems that this actor has since changed the RAT used in their stage one.

MadoMiner

The next campaign that I saw using this RAT occurred around Feburary 12th.  @James_InThe_Box had discovered a version of the RAT being distributed off t.honker[.]info.  If you’ve read my Madominer Analyses (part1, part2) on Alienvault, you’d recognize that that domain looks very familiar.  I’d written about malware being distributed from d.honker[.]info, so imagine my surprise when I found that the Madominer actors had shifted to using t.honker[.]info to distribute their new payloads.  While nothing else had really changed, Gh0stCringe was added as the new stage1/loader for MadoMiner. Additionally, they’d gained a new mining address of 42SgGCdjazjddK45L9AQGyXwZPh7VRRPW47iWG18uvFdQ7sXMAHgnDd1e8pHdu68AHbSaYo2a7x6QCSRjGeM14oZ1RSLVRi, mining on minexmr.  While this address has since been taken down, it should be noted that it was pulling in 219KH/S, or $3240/month. Distribution: t.honker[.]info:8/ C2:sky.hobuff[.]info:8008 Service:  ctfmon Service Display Name: System Remote Data Simulation Layer Mutex:sky.hobuff.info:8008:ctfmon

IndoneMiner

In January, the Tencent Yujian Security Research center wrote about a mining campaign that they’d nicknamed IndoneMiner.  A little bit after I discovered the MadoMiner Gh0stCringe, I began to see a VmProtected file dropped on my honeypot. Analyzing the file, I saw that it connected to http://indonesias[.]me:9998/cc64.exe in order to download and execute the file cc64.exe.  Upon closer examination of the file in question, I saw that this file was also a version of Gh0stCringe, however, it appeared to be a newer variant.  This variant appeared to have less functions than the original, but used stronger encryption on the base strings. Additionally, it was missing the functions that variant 1 would export for use.   Distribution: indonesias[.]me:9998 C2: http://indonesias[.]website:5814 Service:RpcEpt Service Display Name: Remote Access Routing Manager Mutex: indonesias.me:9998:RpcEpt

Office.exe

Recently (May 4th), @James_InThe_Box sent me a sample that he believed was Gh0stRAT.  Upon closer examination however, this sample appeared to be a variant of Gh0stCringe, similar to the variant used by the IndoneMiner gang.  This variant, like the Indexsinas campaign was distributed from an Http File Server, which seems to mainly be used by Chinese actors. Distribution: 106.13.96[.]196 C2: 106.13.96[.]196:8090 Service Name: EventSystem Service Display Name:  Com+ EventSystem Event Name: Null/:Ma Mutex: 106.13.96.196:8090:EventSystem

Functionality - indexsinas

This RAT’s functionality appears more focused on serving as a stage1 than taking control of a victim’s computer to perversely monitor them as Gh0stRAT has been known to do.  Instead, this RAT appears to install to services and then wait for commands to download and execute more malware. Additionally, with the exception of the indexsinas campaign, this malware appears to exhibit some fileless capabilities, as it loads its payload into memory to help avoid analysis.  With the indexsinas campaign, the malware would save its payload to %Windows%System32, which it would use to call the install function, from the functions exported below In the indexsinas campaign, the malware has 5 functions that it exports

• DllUpdate
• Install
• MainThread
• ServiceMain
• Uninstall

It would use all of these functions in its runthrough/command acceptance.  

Install

This function was the first function called during the payload’s runthrough.  As its name would suggest, it was designed to install the payload to the system.  This function behaved very similarly to the Shellex function (described below), in which it would push it’s variables to the stack, like the Service name/Display name. The main functionality of the Install function was to install the payload DLL as a service, using the svchost system process.  The Image Path was set to %SystemRoot%System32svchost.exe -k “serviecs”, while the Service DLL was set to the Malicious DLL. After installing the malware, this function ends and it hands off control to the ServiceMain function

ServiceMain

After confirming that the service is installed correctly, the malware obtains RunDll32.exe (which is by default stored in %SystemRoot%system32), copies it, and saves it as [service-name].exe(serviecs.exe).  Next, the malware grabs the SYSTEM user’s token and uses that to escalate privileges with “serviecs.exe serviecs MainThread”, in order to run the MainThread function.

MainThread

The MainThread function is, as its name describes, the main thread of the malware.  This function is in charge of connecting to the C2, along with executing any commands that the C2 sends back.   First, the dll creates a new mutex using the service name, which in this case is “serviecs”.  It then obtains the connection information from the mutex created in the loader, which it uses to attempt connection to the server.  Just like in Gh0stRAT, the malware doesn’t wait for verification that the server connected to is actually its C2. Instead, the malware instantly sends over computer information, like so: Some of the information stolen:

• Computer Name
• Malware Group ID (x8)
• Date Installed
• CPU Write Speed/Processor Count

Additionally, there is a proprietary protocol which has remained relatively unchanged, and will be described more in depth in the “Networking” section of this analysis. Commands(x8):

Opcode	Name	Description
0x00	Shutdown	Obtains SYSTEM tokens and privilege and then shuts down the machine
0x01	Uninstall	Uninstalls itself using the Uninstall export
0x02	RegWorkRemark	Sets a registry value in its service key called “Remark” to null
0x03	ObtainInfoAndSendToC2	Obtain Computer Info and resend to C2
0x04	ChangeGroup	Changes malware Group ID
0x05	CleanEvent	Locate and Delete Event logs
0x06	DownloadNewModule	Connects to C2 server and downloads and executes a new module
0x07	Update	Connects to C2 server and downloads, executes, and updates new module
0x08	OpenUrlShow	Leveraging iexplorer.exe, open a supplied URL, showing it to the victim
0x09	OpenUrlHide	Leveraging iexplorer.exe, open a supplied URL covertly.
0x0A	ExecuteNewWithCommands	Create a new file and then execute it with specific commands, which are supplied by the C2.
0x0B	PopupMessage	Use SendMessageBox to send a popup message to the user.
0x0C	ProcessEnum	Using createtoolhelp32snapshot to search for all open processes, which is then sent back to the C2 server
0x0D	EnumWindows	List open windows using EnumWindows
0x0E	OpenProxy	Loads a new dll that contains the export “OpenProxy” from memory into a new memory buffer.  Then, locate the function in the dll exports and call it.
0x0F	CloseProxy	Close the proxy, using the same dll used in OpenProxy.
0x10	Keylogger	Using the string “Load From Memory” and “Load From Memory --End” as text delimiters, Allocate memory and load a new dll from memory which contains the function “PluginMe”.
0x65, 0x66, 0x67, 0x68, 0x69, 0x6A, 0x6C, 0x6D, 0x6E, 0x6F, 0x70	KeyloggerAsThread	Do the above, however, load the PluginMe function as a new thread.

With opcode 0x07, there is a command called Update, which uses InternetOpenFileA/InternetReadFile in order to download an exe(uses a check for the EXE magic number, 0x5A4D), which is then written to a buffer of memory.  The malware is then updated using the DllUpdate function.

DllUpdate

The DllUpdate function first creates a backup of the current malware version, before creating a new process of the file to be updated with the commandline “Gupdate [service-name]”.  This command replaces the current malware version with the malware downloaded in the Update function.

Uninstall

This function may be the reason that the actors behind Gh0stCringe have moved away from the multiple exports used in later variants.  When this function is called, there are no traps, instead, it completely uninstalls itself from the system. Coincidentally, since this was an export, and not a typical function which is located by the malware, you can call it at anytime using either the dropped and renamed Rundll32.exe, or just using normal Rundll32.exe.  If using Rundll32.exe, the format for the uninstall command is “Rundll32.exe [malicious dll].dll Uninstall”.  By running this command, x8.exe and the malware installed as a service will be uninstalled.  

Persistence

Additionally, for persistence, the malware leverages svchost and ServiceDll for service installations.  Instead of just installing itself as a normal service, it uses its dropped dll to install itself as a service group so that it is spawned by svchost using svchost.exe -k [service group].  This is different from normal service installations where you’ll see the malware running once executed. With this method, you’ll only see svchost running, as it loads the dll that is used into memory.

Functionality - current variants

With current versions of the malware, the only function that it exports is typically a function called “Shellex”, which basically combines Install, ServiceMain, and MainThread.  Additionally, the Uninstall function has become a function contained inside the malware instead of the export that it was in the indexsinas variant. Also, instead of dropping a dedicated malicious DLL, the malware loads the DLL into memory, and installs itself in such a way that the loader exe is opened on each service open.   Additionally, the commands used by the other variants have decreased, as seen below

Opcode	Name	Description
0x00	Shutdown	Obtains SYSTEM tokens and privilege and then shuts down the machine
0x01	SvcInstall	Install the malware as a service
0x02	DownloadAndExecute	Connects to C2 server and downloads and executes a new module
0x03	DownloadAndSvcInstall	Connects to C2 server and downloads and executes a new module, which is then installed as a new service.
0x04	UrlOpenShow	Leveraging iexplorer.exe, open a supplied URL, showing it to the victim
0x05	UrlOpenHide	Leveraging iexplorer.exe, open a supplied URL covertly.
0x06	CleanEvent	Locate and Delete Event logs
0x07	RegKeyRemark	Sets a registry value in its service key called “Remark” to null
0x08	RegKeyGroup	Changes malware Group ID
0x09	SendMessage	Use SendMessageBox to send a popup message to the user.
0x0A - 0x14	Keylog	Using the string “Load From Memory” and “Load From Memory --End” as text delimiters, Allocate memory and load a new dll from memory which contains the function “PluginMe”.

Persistence

For persistence, the newer variants will just install themselves as normal services, with none of the special service group techniques.

Networking

As mentioned above, the malware uses a custom proprietary protocol, similar to that used by Gh0stRAT, however, there are some key differences.  The protocol in Gh0stRAT uses zlib compression on the traffic, while Gh0stCringe is missing that. However, that doesn’t mean that Gh0stCringe just displays the information that it steals in clear text.  Gh0stCringe uses an Xor/Add or Xor/Subtract algorithm to encrypt all of its traffic. Interestingly, for several of the variants, while the actual Xor/Add and Xor/Subtract values were different, they all produced the same value.   Additionally, the protocol format is a bit different than Gh0stRAT’s, as shown in the below image: Currently, I’ve only seen 3 opcodes used for responses: Old Variant

Opcode	Use
0xC8	Login
0xD4	Process and Windows Response
0xD5	Configuration Response

New Variant

Opcode	Use
0xC8	Login
0xD5	Process and Windows Response
0xD6	Configuration Response

Mitigation

As Gh0stCringe is typically spread using EternalBlue, you’ll first want to make sure your systems are patched for MS17-010.  This will help you to avoid getting infected, which is the best form of mitigation. If you are hit by Gh0stCringe you’ll need to follow this guide in order to uninstall it.  First, you’ll want to disconnect the infected computer from your network in order to properly triage it and to prevent further infection.  Next, using the sysinternals tool WinObj, you’ll want to locate the mutex of the running malware. This mutex should be easily identifiable, as it’ll consist of [C2 URL]:[Port]:[service name].   Once the mutex is located, you’ll want to navigate HKLM/SYSTEM/CurrentControlSet/Services to look for the service obtained from the mutex.  For example, if my mutex was dllhost.website:8093:serviecs, I’d be looking for a service titled “serviecs”. For the older variant of the malware, you’ll need to locate the ServiceDll value, located in [Service Name]/Parameters.  This will tell you the location of the malicious DLL. For the newer variant of malware, you’ll want to look for the ImagePath value, stored in the [Service Name] key, as this will tell you the location of the malicious exe. For the newer variant, once this value is obtained and the malicious exe is deleted, you’ll want to delete the service registry key and close any open processes for the malware that you can find.  You’ll then want to restart the computer. For the older variant, unfortunately, your work is not done.  After deleting the malicious DLL, you’ll want to take a look at the ImagePath value in [Service Name].  This will tell you the service group that the malware has installed to. You’ll then need to navigate to HKLM/Software/Microsoft/Windows NT/Svchost/ key and delete the service group value that corresponds with the service group that you found found in ImagePath.  For example, if my ImagePath is %SystemRoot%System32svchost.exe -k “serviecs”, then the service group that I’ll want to delete will be “serviecs”. At this point, you’ll need to restart your computer, which will finalize any changes that you’ve made.

IOCs

Campaign	IP	Install Location	Mutex	Service Info
Indexsinas	Distro:14.31.36[.]202:8111, 1.indexsinas[.]me:8111 C2:dllhost[.]website:8093	%SystemRoot%/System32/	dllhost.website:8093:serviecs	Service: serviecs Service Display Name: System Remote Deta Simulation Layer Service Group: serviecs
MadoMiner	Distro:  t.honker[.]info:8/ C2: sky.hobuff[.]info:8008	C:usersPublicApplication DataDRM	sky.hobuff.info:8008:ctfmon	Service:  ctfmon Service Display Name: System Remote Data Simulation Layer Service Group: ctfmon
IndoneMine	Distro: indonesias[.]me:9998 C2: http://indonesias[.]website:5814	-	indonesias.me:9998:RpcEpt	Service:RpcEpt Service Display Name: Remote Access Routing Manager
Office.exe	Distro: 106.13.96[.]196 C2: 106.13.96[.]196:8090	-	106.13.96.196:8090:EventSystem	Service Name: EventSystem Service Display Name:  Com+ EventSystem