Threats

Finding the RAT's Nest

Andrea Kaiser
Updated — July 24, 2020 • 4 minute read

We’ve spotted a Remote Access Trojan (RAT) and are headed down into the unknown. In this blog post we’re going to examine some malicious infrastructure that we found by pivoting through domains that deliver RATs and communicate with them.
A RAT is malware that creates a back door into the target and its connected resources in order to spy on or steal information, drop additional malware such as ransomware, or enlist the target into a botnet for DDoS purposes. A RAT essentially gives the attacker the same access to a system they would have if they were physically at the keyboard. Typical RAT capabilities include remote desktop control, webcam and microphone control, keylogging, a remote shell, crypto mining, download-and-execute, and screen capture.

Purchase and Preparation

When deciding which RAT to set up and spread, there is a choice between free and paid varieties. Some RATs are free to use, while others require a paid license; they vary in their ease of setup and stability. Since these RATs have been available for years and are detectable through signatures, a “crypter” is used on the malware before deployment. Crypters are tools that apply encryption and obfuscation to the malware in an effort to make it FUD (Fully UnDetectable) against the known pattern-based or behavior-based signatures used in Anti-Virus or IDS/IPS systems. Once a low detection rate is reached, the file has a better chance of infecting targets; the goal is to appear to be a harmless program. After crypting, criminals run the file through underground scan services that report the detection rate the file achieves.
The ease of setup and availability of these RATs have helped them remain a threat. There are also rental services that offer to do all of the setup needed to build the infrastructure for RATs and bots, and then rent out their use for a price.

Advertisement for RAT and Botnet Setup Services

LuminosityLink is considered by some cyber criminals to be one of the best RATs. Searching VirusTotal for just one AV signature from Malwarebytes, Backdoor.LuminosityLink, with a First Submission date within the last 30 days returned 147 new submissions.
On our resolvers, we see active traffic to the Command and Control (C2) panels and infrastructure behind these RATs.

LuminosityLink

Let’s investigate some infrastructure around this paid RAT, LuminosityLink.

In The Wild

LuminosityLink is seen here dropped from the site http://onsitepowersystems[.]com/invoice86291320[.]zip, which appears to have been compromised with the C99 web shell. The delivery method is a bit.ly link leading to the zip file at onsitepowersystems[.]com. The C2 communications go to 191.101.22[.]47.

LuminosityLink ZIP on compromised website (onsitepowersystems)

The bit.ly link as well as the onsitepowersystems[.]com zip file were still active at the time of this analysis.
As a side note, OpenDNS offers optional filtering of the URL Shortener category on your network. While URL shorteners are not malicious by design, removing access to them can help protect your users from clicking on links that redirect them to unexpected places.

Bit.ly redirect to LuminosityLink download
LuminosityLink Executable

The sample shown above: 083bb90a33710585883ae6bbb7f36437c083a5d889a3e4e3994955a53bfa1be0

On and On…

Here are a few more C2 panels and associated traffic we’ve recently seen coming through our resolvers.
thevm2[.]biz and blackhills[.]ddns[.]net
thevm2[.]biz – C2 panel for VM-ZeuS aka KINS (malware that was part of Avalanche), seen with traffic from a LuminosityLink sample and from domains associated with Ramnit (a banking trojan).
This RAT is dropping additional malware, utilizing its download-and-execute functionality. The associated samples:
0247b0ecbf6069e38e772ef546e63c46262cc77efe5d004a3ec516baf0e74d87
1ae134e146c43891a6e28d917d9cfcf32bb0ff435051261462b57181320b992a
ac3ade715adafa5784c43f407843bf8889e7c97c4e62239c1b22f07aab2920c9

thevm2[.]biz
VM-ZeuS
Traffic seen on OpenDNS resolvers

The email address nie0461@gmail[.]com is the registrant for thevm2[.]biz and the following domains:
marciaguthke[.]com
email-hosting[.]us
emailhostings[.]in
myvm2[.]biz
thevm2[.]biz
vm2online[.]biz
We’re blocking hackcom[.]org, whose nameservers currently host these panels and hosted others in the past. Pivoting through this registrant’s domains, we find more malicious infrastructure.
vm2online[.]biz – more panel configs

vm2online[.]biz

marciaguthke[.]com – redirected to a fake Microsoft support page

Fake Support

The domain virus-os-77h7ft[.]pw is hosted on 192.111.155[.]6, which hosts a large number of fake AV support domains. By blocking this IP address, we prevent access to all of these domains at once.

Known domains from 192.111.155[.]6 as seen on our resolvers
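The pivoting described above (shared registrant email, shared nameservers, shared hosting IP) as a small breadth-first expansion that ends in a defanged blocklist. This is an added example, not the post's or OpenDNS's tooling; the records are constructed from the indicators quoted in the post, fields the post does not state are left as None, and the two `fake-support-2[.]pw` / `benign-site[.]example` entries are invented to show a hit and a non-hit on the IP pivot.

```python
from collections import deque

def refang(ioc):
    """Undo the post's defanging ([.] -> .) so values compare cleanly."""
    return ioc.replace("[.]", ".")

def defang(ioc):
    """Re-defang indicators before they go into a report or blocklist."""
    return ioc.replace(".", "[.]")

# Constructed records from indicators quoted in the post: (domain, registrant,
# nameserver, hosting IP). None marks a field the post does not state, and a
# None value never links two domains. The last two rows are invented.
RECORDS = [
    ("thevm2[.]biz",          "nie0461@gmail[.]com", "hackcom[.]org", None),
    ("myvm2[.]biz",           "nie0461@gmail[.]com", None,            None),
    ("vm2online[.]biz",       "nie0461@gmail[.]com", "hackcom[.]org", None),
    ("marciaguthke[.]com",    "nie0461@gmail[.]com", None,            None),
    ("email-hosting[.]us",    "nie0461@gmail[.]com", None,            None),
    ("emailhostings[.]in",    "nie0461@gmail[.]com", None,            None),
    ("virus-os-77h7ft[.]pw",  None, None, "192.111.155[.]6"),
    ("fake-support-2[.]pw",   None, None, "192.111.155[.]6"),  # constructed
    ("benign-site[.]example", None, None, "203.0.113.10"),     # constructed, no overlap
]
FIELDS = ("registrant", "nameserver", "ip")

def load(records):
    """Map refanged domain -> {field: refanged value or None}."""
    return {refang(d): {f: (refang(v) if v else None) for f, v in zip(FIELDS, rest)}
            for d, *rest in records}

def pivot(db, seed):
    """Breadth-first expansion from seed: any domain sharing a known registrant,
    nameserver or hosting IP with a collected domain is pulled in. Returns the
    domain set and, per field, the shared values that justified each pull-in."""
    seed = refang(seed)
    found, why, queue = {seed}, {f: set() for f in FIELDS}, deque([seed])
    while queue:
        cur = db[queue.popleft()]
        for dom, rec in db.items():
            shared = {f for f in FIELDS if cur[f] is not None and cur[f] == rec[f]}
            if dom not in found and shared:
                found.add(dom); queue.append(dom)
                for f in shared:
                    why[f].add(cur[f])
    return found, why

def blocklist(db, seed):
    """Defanged domains plus the shared nameserver domains and hosting IPs,
    mirroring the post's choice to block hackcom[.]org and 192.111.155[.]6."""
    found, why = pivot(db, seed)
    return sorted(defang(x) for x in found | why["nameserver"] | why["ip"])
```

Feeding real WHOIS or passive-DNS records into `RECORDS` is the only change needed to run this against live data; a shared value such as a bulk registrar email will over-link, so review `why` before blocking.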

From RATs to banking trojans to fake support domains: because of a RAT’s ability to drop additional malware, and because criminals use a variety of delivery methods, we found a wide range of infrastructure and traffic commingling. By fully understanding the traits of the attack, we can mount the most effective counter to protect our customers.
