• Skip to primary navigation
  • Skip to main content
  • Skip to footer

Cisco Umbrella

Enterprise network security

  • Free Trial
  • Contact us
  • Blog
  • Login
    • Umbrella Login
    • Cloudlock Login
  • Products
    • Product
      • Cisco Umbrella Cloud Security Service
      • Cisco Umbrella Investigate
      • Product Packages
      • Support Packages
    • Functionality
      • DNS-Layer Security
      • Secure Web Gateway
      • Cloud Access Security Broker (CASB)
      • Interactive Intelligence
      • Cloud-Delivered Firewall
    •  
    • Webinar signup
  • Solutions
    • By Need
      • Protect Mobile Users
      • Fast Incident Response
      • Web Content Filtering
      • Shadow IT Discovery & App Blocking
      • Unified Threat Enforcement
      • Reduce Security Infections
      • Secure Direct Internet Access
      • Securing Remote and Roaming Users
    • By Network
      • Protect Guest Wi-Fi
      • SD-WAN Security
      • Off-Network Endpoint Security
    • By Industry
      • Higher Education Security
      • K-12 Schools Security
      • Healthcare, Retail and Hospitality Security
      • Enterprise Cloud Security
      • Small Business Cybersecurity
      • Our Customers
      • Customer Stories
    • Ransomware Defense for Dummies book
  • Why Us
    • Fast Reliable Cloud
      • Global Cloud Architecture
      • Cloud Network Status
      • Cloud Network Activity
      • Recursive DNS Services
      • Top Reasons to Trial
      • Getting Started
    • Unmatched Intelligence
      • Cyber Attack Prevention
      • Interactive Intelligence
    • Extensive Integrations
      • IT Security Integrations
      • Hardware Integrations
      • Meraki Integration
      • Cisco SD-WAN
    • Navigation-dropdown-promo-SASE-madness_021721
  • Resources
    • Content Library
      • Top Resources
      • Cybersecurity Webinars
      • Analyst Reports
      • Case Studies
      • Customer Videos
      • Datasheets
      • eBooks
      • Infographics
      • Solution Briefs
    • International Documents
      • Deutsch/German
      • Español/Spanish
      • Français/French
      • Italiano/Italian
      • 日本語/Japanese
    • Cisco Umbrella Blog
      • Latest Posts
      • Security Posts
      • Research Posts
      • Threats Posts
      • Product Posts
      • Spotlight
    • For Customers
      • Support
      • Customer Success Hub
      • Umbrella Deployment Hub
      • Customer Success Webinars
      • What’s New
      • Cisco Umbrella Studio
  • Trends & Threats
    • Market Trends
      • Rise of Remote Workers
      • Secure Internet Gateway (SIG)
      • Secure Access Service Edge (SASE)
    • Security Threats
      • Ransomware
      • Cryptomining Malware Protection
      • Cybersecurity Threat Landscape
    •  
    • Navigation-dropdown-promo-threat-report_020521
  • Partners
    • Channel Partners
      • Partner Program
      • Become a Partner
    • Service Providers
      • Secure Connectivity
      • Managed Security for MSSPs
      • Managed IT for MSPs
    •  
    • Become a partner
  • Free Trial Signup
  • Umbrella Login
  • Cloudlock Login
  • Contact Us
Threats

Finding the RAT's Nest

By Andrea Kaiser
Posted on January 18, 2017
Updated on July 24, 2020

Share

Facebook0Tweet0LinkedIn0

We’ve spotted a Remote Access Trojan(RAT) and are headed down into the unknown. In this blog post we’re going to examine some malicious infrastructure that we’ve found by pivoting through domains delivering and communicating with RATs.
A RAT is malware that creates a back door to gain access to the target and its connected resources in order to spy/steal information, drop additional malware such as ransomware, or to enlist the target into a botnet for DDoS purposes. A RAT can basically give all of the same access to a system that the attacker would have if they were physically accessing the target. A RAT has many functionalities: remote desktop control, webcam and microphone control, keylogger, remote shell, crypto miner, download and execute functionalities, screen capturing.

Purchase and Preparation

When deciding on which RAT to setup and spread, there is a choice between free or paid varieties. There are RATs that are free to use and RATs that require one to pay for a license. They vary in their ease of setup and stability. Since these RATs have been available for years and are detectable through signatures, a “crypter” is used on the malware before deployment. Crypters are tools that can use encryption and obfuscation on the malware in an effort to make them FUD (Fully UnDetectable) against known pattern based or behavior based signatures used in Anti-Virus or IDS/IPS systems. When a low detection rate is reached they have a better chance of infecting targets. The goal is to appear to be a harmless program. Once crypted, criminals run the file through underground scan services that will tell them their file’s achieved detection rate.
The ease of setup and availability of these RATs have helped them remain a threat. There are also rental services, offering to do all of the setup needed to build the infrastructure for RATs and bots, and then rent the use of them for a price.

Advertisement for RAT and Botnet Setup Services
Advertisement for RAT and Botnet Setup Services

LuminosityLink is widely considered by some cyber criminals to be one of the best RATs. When searching for only one AV signature from Malwarebytes, Backdoor.LuminosityLink, in Virustotal with a First Submission date of the last 30 days; there were 147 new submissions.
On our resolvers, we see active traffic to the Command and Control (C2) panels and infrastructure behind these RATs.

LuminosityLink
LuminosityLink

Let’s investigate some infrastructure around this paid RAT, LuminosityLink.

In The Wild

LuminosityLink is seen here dropped from this site, http://onsitepowersystems[.]com/invoice86291320[.]zip, which appears to be exploited with the C99 Shell. The delivery method is a bit.ly link leading to the zip file at onsitepowersystems[.]com. The C2 communications are at 191.101.22[.]47.

onsitepowersystems
LuminosityLink ZIP on compromised website

The bit.ly link as well as the onsitepowersystems[.]com zip file are still active at the time of this analysis.
As a side note, OpenDNS offers the optional filtering of the URL Shortener category on your network. While URL shorteners are not malicious by design, removing access to them can help protect your users from clicking on links that will redirect them to unexpected places.

Bit.ly redirect to LuminosityLink download
Bit.ly redirect to LuminosityLink download
LuminosityLink Executable
LuminosityLink Executable

Above sample 083bb90a33710585883ae6bbb7f36437c083a5d889a3e4e3994955a53bfa1be0

On and On…

Here are a few more C2 panels and associated traffic we’ve recently seen coming through our resolvers.
thevm2[.]biz and blackhills[.]ddns[.]net
thevm2[.]biz– C2 panel for VM-ZeuS aka KINS (malware that was part of Avalanche) seen with traffic from a LuminosityLink sample and domains associated with Ramnit (a banking trojan).
This RAT is dropping additional malware; utilizing it’s download and execute functionality.
0247b0ecbf6069e38e772ef546e63c46262cc77efe5d004a3ec516baf0e74d87
1ae134e146c43891a6e28d917d9cfcf32bb0ff435051261462b57181320b992a
ac3ade715adafa5784c43f407843bf8889e7c97c4e62239c1b22f07aab2920c9

thevm2[.]biz
thevm2[.]biz
VM-ZeuS
VM-ZeuS
Traffic seen on OpenDNS resolvers
Traffic seen on OpenDNS resolvers

The email address nie0461@gmail[.]com is the registrant for thevm2[.]biz and the following domains.
marciaguthke[.]com
email-hosting[.]us
emailhostings[.]in
myvm2[.]biz
thevm2[.]biz
vm2online[.]biz
We’re blocking hackcom[.]org which has the nameservers that are hosting these panels currently, and hosted some in the past. Pivoting through these registrant’s domains, we find more malicious infrastructure.
vm2online[.]biz – more panel configs

vm2online[.]biz
vm2online[.]biz

marciaguthke[.]com – redirected to a fake Microsoft support page

Fake Support
Fake Support

This domain virus-os-77h7ft[.]pw is hosted on 192.111.155[.]6, which hosts tons of fake AV support domains. By blocking this IP address, we prevent access to all of these domains.

Known domains from 192.111.155[.]6 as seen on our resolvers

Known domains from 192.111.155[.]6 as seen on our resolvers

From RATs, to banking trojans, to fake support domains. Due to a RATs ability to drop additional malware and the criminals utilizing different delivery methods, we’ve found a wide range of infrastructure and traffic comingling. By fully understanding the traits of the attack, we can make the most effective counter to protect our customers.

Previous Post:

Previous Article

Next Post:

Next Article

Follow Us

  • Twitter
  • Facebook
  • LinkedIn
  • YouTube

Footer Sections

What we make

  • Cloud Security Service
  • DNS-Layer Network Security
  • Secure Web Gateway
  • Security Packages

Who we are

  • Global Cloud Architecture
  • Cloud Network Status
  • Cloud Network Activity
  • OpenDNS is now Umbrella
  • Cisco Umbrella Blog

Learn more

  • Webinars
  • Careers
  • Support
  • Cisco Umbrella Live Demo
  • Contact Sales
Umbrella by Cisco
208.67.222.222+208.67.220.220
2620:119:35::35+2620:119:53::53
Sign up for a Free Trial
  • Cisco Online Privacy Statement
  • Terms of Service
  • Sitemap

© 2021 Cisco Umbrella