We have met the enemy and they is us. Pogo’s famous maxim applies directly to the threat of trojans in 2021.
Although they are some of the oldest forms of malware, and, in their commodity forms, are seen less often these days, trojans have proved to be durable and adaptable. They avoid detection, embed and intertwine themselves into routine computer operations, and generally have evolved to evade cybersecurity defenses.
In short, trojans are surviving and thriving by becoming part of the cyber furniture.
But that doesn’t mean they don’t have some mean tricks up their sleeves. In fact, trojans have acquired a second life as the workhorses of larger, multi-staged cyberattack chains.
We observed this transformation of trojans in The modern cybersecurity landscape: Scaling for threats in motion, published in November 2020. In that report, we cited Emotet and Ursnif/Gozi as examples of trojans that have evolved on to bigger and badder things. Some of the reasons why attackers reuse malware include:
- Their “Swiss Army knife” abilities allow them to deploy follow-up malware in a Loader-as-a-Service model that does further damage down the cyberattack chain.
- Their highly distributed command-and-control (C2) infrastructure makes takedown much harder to implement.
But there are more tricks that make trojans the workhorses of attackers.
1. Like any software in active use, trojans are continuously updated by malicious actors using C2 infrastructure
Our first example, Taidoor, is a RAT that the United States Federal Bureau of Investigation (FBI) has assessed with high confidence to be connected to Chinese government actors. It is one of the oldest trojans still circulating, having first appeared in 2008.
The new version of the RAT consists of two parts: a loader in DLL form, and a main RAT module that comes as RC4-encrypted binary data. The loader first decrypts the main RAT module and then executes its exported start function. Malicious actors are using these malware variants in conjunction with proxy servers to maintain a presence on victim networks and to further network exploitation.
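The two-stage layout described above, as an added example that is not Taidoor's own code: a plain RC4 routine decrypts a constructed stand-in for the embedded module, and the result is accepted only if it carries the MZ/PE signatures an analyst would expect of the main RAT module. The key and the module bytes are constructed for the demo; in practice both are recovered from the loader during analysis.

```python
import struct
from typing import Optional

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def looks_like_pe(blob: bytes) -> bool:
    """Sanity-check a decrypted blob: DOS 'MZ' stub and a 'PE\\0\\0' signature at e_lfanew."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return blob[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def recover_module(encrypted: bytes, key: bytes) -> Optional[bytes]:
    """Decrypt an RC4-protected module; return it only if the plaintext parses as a PE image.
    A wrong key yields pseudo-random bytes, which this check rejects instead of passing downstream."""
    plain = rc4(key, encrypted)
    return plain if looks_like_pe(plain) else None

# Constructed stand-in for the embedded module: a bare MZ/PE header skeleton with no code in it.
_hdr = bytearray(b"MZ" + b"\0" * 0x3E)
struct.pack_into("<I", _hdr, 0x3C, 0x40)        # e_lfanew points at offset 0x40
FAKE_MODULE = bytes(_hdr) + b"PE\0\0" + b"\0" * 20
DEMO_KEY = b"constructed-demo-key"              # placeholder; a real key is recovered from the loader
ENCRYPTED_MODULE = rc4(DEMO_KEY, FAKE_MODULE)   # what the loader would carry as "binary data"

if __name__ == "__main__":
    module = recover_module(ENCRYPTED_MODULE, DEMO_KEY)
    print("recovered PE module" if module else "decryption failed")
```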
We know that this RAT module has variants that trace back to 2011. A blog post published in September 2020 by ReversingLabs documents this and notes:
“(M)alware families require a lot of maintenance and improvement to achieve long-term operability. Even though such continuous upgrading helps malware avoid detection mechanisms, it also results in related malware versions.”
The bottom line is that a great deal of time and investment goes into malicious tools like this and the owners will go to great lengths over time to keep the investment viable.
2. Trojans go to great lengths to hide their tracks and avoid detection.
As antivirus, EDR/XDR, and sandbox capabilities proliferate, attackers are using more sophisticated forms of obfuscation and evasion techniques to protect the tools of their trade. One example we’ve seen recently is a new take on another old RAT, CRAT.
CRAT is a remote access trojan that combines multiple RAT capabilities, additional plugins, and a variety of detection-evasion techniques. In the past, CRAT has been attributed to the Lazarus Group, the threat actor behind multiple cyber campaigns, including attacks against the entertainment sector.
Apart from the prebuilt RAT capabilities, the malware uses obfuscation and extensive evasion techniques to hide its malicious indicators and employs a highly modular plugin framework to selectively infect targeted endpoints.
Most importantly, it deploys RAT malware to ransack the endpoint, followed by ransomware to either extort money or burn the infrastructure of targeted entities. Over time, CRAT has acquired extensive capabilities through its modular framework, including screen-capture, clipboard-monitor and keylogger plugins, as well as ransomware.
As we mentioned, the CRAT makers have gone to great lengths to hide the trojan’s actions. The RAT is highly obfuscated in terms of:
- String Obfuscation: These are used to thwart string-based static malware detection signatures.
- API Resolution: This makes analysis cumbersome for an analyst by hiding API call sequences.
- Runtime Code Patching: This likely evades detection mechanisms that scan process memory to identify malicious strings and code.
Cisco Talos notes that: “The use of multiple obfuscations signifies the attacker’s confidence in selective obfuscation rather than the use of packers as a means of evasion. Many detection systems look for the presence of a packer using techniques such as entropy analysis, Import API analyses, etc. Selective obfuscation of code and strings prevents these systems from detecting the malware solely on the basis of the obfuscations.”
3. Trojans often make use of existing automation and standard internal processes to “blend into the wallpaper” and thereby persist undetected.
In The modern cybersecurity landscape: Scaling for threats in motion, we noted that fileless automation — Macros 4.0, VBA, or PowerShell, for instance — was often being used. Cyberattacks make use of legitimate software automation to hide and then reveal commands. We provided an example of a Macros 4.0 exploit that uses the Binary Interchange File Format (BIFF) to hide an embedded Microsoft Excel file.
A recent example that rides on other existing automation is Valak, an information stealer and malware loader. Valak relies on scheduled tasks and Windows registry updates to remain persistent on an infected Windows host, and it uses Alternate Data Streams (ADS) to run follow-up malware. The configuration scripts used during the infection process are obfuscated in an attempt to evade detection.
The use of ADS, in particular, represents a serious ongoing threat, as it can easily hide follow-up malware. Furthermore, Valak will likely continue to find easy entry points because of its targeted nature, rich modular architecture and fast development cycles.
4. Finally, trojans are really ramping up their hide-and-go-seek game through the use of steganography (a technique that embeds malicious code into image files).
Cardinal RAT is a remote access trojan (RAT) that has been active since 2015. The latest instance of Cardinal RAT employs obfuscation in the form of steganography: the initial sample is compiled with .NET and contains an embedded bitmap (BMP) file. Upon execution, the malware reads this file, parses out pixel data from the image, and decrypts the result. Cardinal RAT is able to collect system information, act as a reverse proxy, steal passwords, download and execute new files, and capture keystrokes and screenshots.
For more information on how steganography can operate in plain sight, check out Shyam Sundar Ramaswami’s excellent blog post, “Using entropy to spot the malware hiding in plain sight.”
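An added example (not from any of the sources cited on this page) tying together the entropy-analysis point in the Talos quote above and the BMP-carried payload just described: a minimal 24-bit BMP parser pulls out the pixel bytes, and an image whose pixel data has near-maximal Shannon entropy is flagged, since encrypted or compressed data looks like that and a natural image does not. The 7.5 bits/byte threshold and both images are constructed assumptions for the demo.

```python
import math
import random
import struct
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Bits per byte over the byte histogram; 8.0 is the ceiling reached by uniformly random data."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

def parse_bmp_pixels(bmp: bytes) -> bytes:
    """Return the raw BGR pixel bytes of an uncompressed 24-bit BMP with row padding stripped."""
    if bmp[:2] != b"BM":
        raise ValueError("not a BMP file")
    off_bits = struct.unpack_from("<I", bmp, 10)[0]          # where pixel data starts
    width, height = struct.unpack_from("<ii", bmp, 18)
    bpp = struct.unpack_from("<H", bmp, 28)[0]
    if bpp != 24:
        raise ValueError("only 24-bit BMPs are handled here")
    row_bytes = width * 3
    stride = (row_bytes + 3) & ~3                              # rows are padded to 4-byte multiples
    rows = (bmp[off_bits + r * stride: off_bits + r * stride + row_bytes] for r in range(abs(height)))
    return b"".join(rows)

def pixel_data_looks_encrypted(bmp: bytes, threshold: float = 7.5) -> bool:
    """Heuristic: natural images sit well below the threshold, encrypted/compressed payloads above it."""
    return shannon_entropy(parse_bmp_pixels(bmp)) > threshold

def build_bmp(width: int, height: int, pixels: bytes) -> bytes:
    """Constructed helper for the demo: wrap raw BGR bytes in a minimal 24-bit BMP container."""
    stride = (width * 3 + 3) & ~3
    padded = b"".join(pixels[r * width * 3:(r + 1) * width * 3].ljust(stride, b"\0")
                      for r in range(height))
    file_header = struct.pack("<2sIHHI", b"BM", 54 + len(padded), 0, 0, 54)
    dib_header = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0, len(padded), 2835, 2835, 0, 0)
    return file_header + dib_header + padded

W, H = 63, 64                                                  # odd width so row padding is exercised
# Constructed "natural" image: a smooth colour gradient, as a benign bitmap would look.
GRADIENT_BMP = build_bmp(W, H, bytes(v for y in range(H) for x in range(W) for v in (x * 4 & 0xFF, y * 4 & 0xFF, 128)))
# Constructed carrier image: pixel bytes drawn from a seeded PRNG, standing in for an encrypted payload.
_rng = random.Random(1)
CARRIER_BMP = build_bmp(W, H, bytes(_rng.getrandbits(8) for _ in range(W * H * 3)))

if __name__ == "__main__":
    for name, bmp in (("gradient", GRADIENT_BMP), ("carrier", CARRIER_BMP)):
        print(f"{name}: {shannon_entropy(parse_bmp_pixels(bmp)):.2f} bits/byte, suspicious={pixel_data_looks_encrypted(bmp)}")
```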
Trojans have adapted and evolved over decades now. The capabilities and TTPs they have acquired make them highly useful and, therefore, quite formidable for cyber defenders. They will undoubtedly continue to surprise and challenge us. Never underestimate a well-built trojan.
For more information about the various forms of trojans and how to stop them, check out The modern cybersecurity landscape: Scaling for threats in motion, and review our Interactive Intelligence capabilities.